diff --git a/fstar-helpers/core-models/src/core_arch/x86.rs b/fstar-helpers/core-models/src/core_arch/x86.rs
index f2f729e0d..b2cc3f82d 100644
--- a/fstar-helpers/core-models/src/core_arch/x86.rs
+++ b/fstar-helpers/core-models/src/core_arch/x86.rs
@@ -469,6 +469,12 @@ pub mod avx {
 pub fn _mm256_set1_epi16(_: i16) -> __m256i {
 unimplemented!()
 }
+
+ /// [Intel Documentation](https://www.intel.com/content/www/us/en/docs/intrinsics-guide/index.html#text=_mm256_set1_epi8)
+ #[hax_lib::opaque]
+ pub fn _mm256_set1_epi8(_: i8) -> __m256i {
+ unimplemented!()
+ }
 }
 pub use avx2::*;
 pub mod avx2 {
@@ -547,6 +553,12 @@ pub mod avx2 {
 unimplemented!()
 }
+ /// [Intel Documentation](https://www.intel.com/content/www/us/en/docs/intrinsics-guide/index.html#text=_mm256_sign_epi16)
+ #[hax_lib::opaque]
+ pub fn _mm256_sign_epi16(_: __m256i, _: __m256i) -> __m256i {
+ unimplemented!()
+ }
+
 /// [Intel Documentation](https://www.intel.com/content/www/us/en/docs/intrinsics-guide/index.html#text=_mm256_mullo_epi32)
 #[hax_lib::opaque]
 pub fn _mm256_mullo_epi32(_: __m256i, _: __m256i) -> __m256i {
diff --git a/libcrux-intrinsics/src/arm64.rs b/libcrux-intrinsics/src/arm64.rs
index 1baa9f3a1..b3285d5b1 100644
--- a/libcrux-intrinsics/src/arm64.rs
+++ b/libcrux-intrinsics/src/arm64.rs
@@ -66,6 +66,11 @@ pub fn _vsubq_s16(lhs: int16x8_t, rhs: int16x8_t) -> int16x8_t {
 unsafe { vsubq_s16(lhs, rhs) }
 }
+#[inline(always)]
+pub fn _vnegq_s16(vec: int16x8_t) -> int16x8_t {
+ unsafe { vnegq_s16(vec) }
+}
+
 #[inline(always)]
 pub fn _vmulq_n_s16(v: int16x8_t, c: i16) -> int16x8_t {
 unsafe { vmulq_n_s16(v, c) }
diff --git a/libcrux-intrinsics/src/arm64_extract.rs b/libcrux-intrinsics/src/arm64_extract.rs
index 9caca251b..8b80ca198 100644
--- a/libcrux-intrinsics/src/arm64_extract.rs
+++ b/libcrux-intrinsics/src/arm64_extract.rs
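Review bot: The new `_vnegq_s16` wrapper in `arm64.rs` names its argument `vec`, while the neighbouring wrappers visible in the hunk (`_vsubq_s16`, `_vmulq_n_s16`) use `lhs`/`rhs` and `v`; the same name is repeated in the `arm64_extract.rs` twin, so renaming to `v` in both files keeps them aligned with their siblings. The `unsafe { vnegq_s16(vec) }` block carries no comment on why the call is sound; the sibling wrappers omit it as well, but a one-line `// SAFETY: pure register op with no memory preconditions; NEON availability is presumably established by this module's cfg gate (outside the hunk)` would make the obligation explicit. Worth a doc line too, since `vnegq_s16` is the wrapping form (it maps `i16::MIN` to itself; saturation would be `vqnegq_s16`): `/// Lane-wise wrapping negation of eight `i16` values.`.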
@@ -82,6 +82,11 @@ pub fn _vsubq_s16(lhs: _int16x8_t, rhs: _int16x8_t) -> _int16x8_t {
 unimplemented!()
 }
+#[inline(always)]
+pub fn _vnegq_s16(vec: _int16x8_t) -> _int16x8_t {
+ unimplemented!()
+}
+
 #[inline(always)]
 pub fn _vmulq_n_s16(v: _int16x8_t, c: i16) -> _int16x8_t {
 unimplemented!()
diff --git a/libcrux-intrinsics/src/avx2.rs b/libcrux-intrinsics/src/avx2.rs
index b04a71d87..e67198461 100644
--- a/libcrux-intrinsics/src/avx2.rs
+++ b/libcrux-intrinsics/src/avx2.rs
@@ -214,6 +214,12 @@ pub fn mm256_set1_epi16(constant: i16) -> Vec256 {
 unsafe { _mm256_set1_epi16(constant) }
 }
+#[hax_lib::opaque]
+#[inline(always)]
+pub fn mm256_set1_epi8(constant: i8) -> Vec256 {
+ unsafe { _mm256_set1_epi8(constant) }
+}
+
 #[inline(always)]
 #[hax_lib::fstar::before(r#"[@@ "opaque_to_smt"]"#)]
 pub fn mm256_set_epi16(
@@ -369,6 +375,12 @@ pub fn mm256_sign_epi32(a: Vec256, b: Vec256) -> Vec256 {
 unsafe { _mm256_sign_epi32(a, b) }
 }
+#[inline(always)]
+#[hax_lib::fstar::before(r#"[@@ "opaque_to_smt"]"#)]
+pub fn mm256_sign_epi16(a: Vec256, b: Vec256) -> Vec256 {
+ unsafe { _mm256_sign_epi16(a, b) }
+}
+
 #[inline(always)]
 #[hax_lib::fstar::before(r#"[@@ "opaque_to_smt"]"#)]
 pub fn mm256_castsi256_ps(a: Vec256) -> Vec256Float {
diff --git a/libcrux-intrinsics/src/avx2_extract.rs b/libcrux-intrinsics/src/avx2_extract.rs
index 83cbea1d0..853489a5e 100644
--- a/libcrux-intrinsics/src/avx2_extract.rs
+++ b/libcrux-intrinsics/src/avx2_extract.rs
@@ -345,6 +345,11 @@ pub fn mm256_sign_epi32(a: Vec256, b: Vec256) -> Vec256 {
 unimplemented!()
 }
+#[inline(always)]
+pub fn mm256_sign_epi16(a: Vec256, b: Vec256) -> Vec256 {
+ unimplemented!()
+}
+
 #[inline(always)]
 pub fn mm256_castsi256_ps(a: Vec256) -> Vec256Float {
 unimplemented!()
diff --git a/libcrux-ml-kem/README.md b/libcrux-ml-kem/README.md
index d4cf7bdb6..e76ca85e7 100644
--- a/libcrux-ml-kem/README.md
+++ b/libcrux-ml-kem/README.md
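Review bot: The two functions added to `avx2.rs` are made opaque in different ways: `mm256_set1_epi8` in the first hunk carries `#[hax_lib::opaque]`, whereas `mm256_sign_epi16` in the second hunk uses `#[hax_lib::fstar::before(r#"[@@ "opaque_to_smt"]"#)]` like its neighbours `mm256_set_epi16` and `mm256_castsi256_ps`. As far as I can tell these are not interchangeable — the first hides the body from extraction altogether, the second keeps the extracted definition and only hides it from the SMT solver — so the choice for `mm256_set1_epi8` should be deliberate and ideally match `mm256_set1_epi16` directly above it, whose attributes lie outside the hunk. If the `opaque` form is intentional, a short comment such as `// opaque (not merely opaque_to_smt): the i8 broadcast has no F* model yet` would spare the next reader the question.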
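Review bot: `avx2_extract.rs` gains a `mm256_sign_epi16` stub but no `mm256_set1_epi8` one, although `avx2.rs` adds both in this commit; unless it is added elsewhere, the extraction twin (which presumably is what hax sees) no longer mirrors the real module and extracted code calling `mm256_set1_epi8` will not resolve. A matching stub next to `mm256_set1_epi16` in this file, `#[inline(always)] pub fn mm256_set1_epi8(constant: i8) -> Vec256 { unimplemented!() }`, keeps the two files in lockstep. The core-model `x86.rs` does add `_mm256_set1_epi8`, so the gap appears to be only here.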
@@ -4,14 +4,17 @@ This crate implements all three ML-KEM ([FIPS 203](https://csrc.nist.gov/pubs/fi
 For each algorithm, it inlcudes a portable Rust implementation, as well as SIMD implementations for Intel AVX2 and AArch64 Neon platforms.
 ## Verification
-![verified]
+![pre-verification]
-The portable and AVX2 code for field arithmetic, NTT polynomial arithmetic, serialization, and the generic code for high-level algorithms
+For [release `0.0.4`](https://crates.io/crates/libcrux-ml-kem/0.0.4) of this crate, the portable and AVX2 code for field arithmetic, NTT polynomial arithmetic, serialization, and the generic code for high-level algorithms
 is formally verified using [hax](https://cryspen.com/hax) and [F*](https://fstar-lang.org).
-Please refer to [this file](proofs/verification_status.md) for detail on the verification of this crate.
+⚠️ In comparison, this current, *unreleased*, version of the crate (`HEAD` of branch `main`) introduces a number of open proof obligations, which we aim to resolve before the next release.
+
+Please refer to [this file](proofs/verification_status.md) for details on the current verification of this crate and comparison to the `0.0.4` release.
 [verified]: https://img.shields.io/badge/verified-brightgreen.svg?style=for-the-badge&logo=
+[pre-verification]: https://img.shields.io/badge/pre_verification-orange.svg?style=for-the-badge&logo=
 ## Usage
diff --git a/libcrux-ml-kem/extracts/c/generated/code_gen.txt b/libcrux-ml-kem/extracts/c/generated/code_gen.txt
index a689f6d37..575a786c5 100644
--- a/libcrux-ml-kem/extracts/c/generated/code_gen.txt
+++ b/libcrux-ml-kem/extracts/c/generated/code_gen.txt
@@ -2,5 +2,5 @@ This code was generated with the following revisions: Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b -F*: 71d8221589d4d438af3706d89cb653cf53e18aab -Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc +F*: unset +Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b diff --git a/libcrux-ml-kem/extracts/c/generated/header.txt b/libcrux-ml-kem/extracts/c/generated/header.txt index 55b8d4049..b880e3f6c 100644 --- a/libcrux-ml-kem/extracts/c/generated/header.txt +++ b/libcrux-ml-kem/extracts/c/generated/header.txt @@ -7,6 +7,6 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ diff --git a/libcrux-ml-kem/extracts/c/generated/internal/libcrux_core.h b/libcrux-ml-kem/extracts/c/generated/internal/libcrux_core.h index 67d3e9036..3a002e276 100644 --- a/libcrux-ml-kem/extracts/c/generated/internal/libcrux_core.h +++ b/libcrux-ml-kem/extracts/c/generated/internal/libcrux_core.h @@ -7,8 +7,8 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ #ifndef internal_libcrux_core_H 
@@ -38,11 +38,9 @@ static inline uint64_t core_num__u64__rotate_left(uint64_t x0, uint32_t x1); static inline void core_num__u64__to_le_bytes(uint64_t x0, uint8_t x1[8U]); -#define LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE ((size_t)32U) - void libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( Eurydice_slice lhs_c, Eurydice_slice rhs_c, Eurydice_slice lhs_s, - Eurydice_slice rhs_s, uint8_t ret[32U]); + Eurydice_slice rhs_s, Eurydice_slice out); #define LIBCRUX_ML_KEM_CONSTANTS_BITS_PER_COEFFICIENT ((size_t)12U) @@ -58,6 +56,8 @@ void libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_i #define LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE ((size_t)32U) +#define LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE ((size_t)32U) + /** K * BITS_PER_RING_ELEMENT / 8 @@ -66,8 +66,6 @@ void libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_i */ size_t libcrux_ml_kem_constants_ranked_bytes_per_ring_element(size_t rank); -int16_t libcrux_secrets_int_I16(int16_t v); - /** This function found in impl {libcrux_secrets::traits::Classify for T} */ @@ -78,6 +76,16 @@ with types int16_t */ int16_t libcrux_secrets_int_public_integers_classify_27_39(int16_t self); +/** +This function found in impl {libcrux_secrets::traits::Declassify for T} +*/ +/** +A monomorphic instance of libcrux_secrets.int.public_integers.declassify_d8 +with types uint8_t + +*/ +uint8_t libcrux_secrets_int_public_integers_declassify_d8_90(uint8_t self); + /** This function found in impl {libcrux_secrets::int::CastOps for u8} */ 
@@ -153,16 +161,6 @@ This function found in impl {libcrux_secrets::int::CastOps for i16} */ int16_t libcrux_secrets_int_as_i16_f5(int16_t self); -typedef struct libcrux_ml_kem_utils_extraction_helper_Keypair1024_s { - uint8_t fst[1536U]; - uint8_t snd[1568U]; -} libcrux_ml_kem_utils_extraction_helper_Keypair1024; - -typedef struct libcrux_ml_kem_utils_extraction_helper_Keypair768_s { - uint8_t fst[1152U]; - uint8_t snd[1184U]; -} libcrux_ml_kem_utils_extraction_helper_Keypair768; - /** This function found in impl {libcrux_ml_kem::types::MlKemKeyPair} @@ -190,15 +188,16 @@ libcrux_ml_kem_types_MlKemPrivateKey_83 libcrux_ml_kem_types_from_77_39( uint8_t value[3168U]); /** -This function found in impl {libcrux_ml_kem::types::MlKemCiphertext} +This function found in impl {core::default::Default for +libcrux_ml_kem::types::MlKemCiphertext} */ /** -A monomorphic instance of libcrux_ml_kem.types.as_slice_a9 +A monomorphic instance of libcrux_ml_kem.types.default_73 with const generics - SIZE= 1568 */ -uint8_t *libcrux_ml_kem_types_as_slice_a9_af( - libcrux_ml_kem_types_MlKemCiphertext_64 *self); +libcrux_ml_kem_types_MlKemCiphertext_64 libcrux_ml_kem_types_default_73_af( + void); /** This function found in impl @@ -227,15 +226,16 @@ libcrux_ml_kem_types_MlKemPrivateKey_d9 libcrux_ml_kem_types_from_77_28( uint8_t value[2400U]); /** -This function found in impl {libcrux_ml_kem::types::MlKemCiphertext} +This function found in impl {core::default::Default for +libcrux_ml_kem::types::MlKemCiphertext} */ /** -A monomorphic instance of libcrux_ml_kem.types.as_slice_a9 +A monomorphic instance of libcrux_ml_kem.types.default_73 with const generics - SIZE= 1088 */ -uint8_t *libcrux_ml_kem_types_as_slice_a9_80( - libcrux_ml_kem_mlkem768_MlKem768Ciphertext *self); +libcrux_ml_kem_mlkem768_MlKem768Ciphertext libcrux_ml_kem_types_default_73_80( + void); /** This function found in impl {libcrux_ml_kem::types::MlKemPublicKey} 
@@ -286,18 +286,6 @@ with const generics Eurydice_slice_uint8_t_x4 libcrux_ml_kem_types_unpack_private_key_b4( Eurydice_slice private_key); -/** -This function found in impl {core::convert::From<@Array> for -libcrux_ml_kem::types::MlKemCiphertext} -*/ -/** -A monomorphic instance of libcrux_ml_kem.types.from_e0 -with const generics -- SIZE= 1088 -*/ -libcrux_ml_kem_mlkem768_MlKem768Ciphertext libcrux_ml_kem_types_from_e0_80( - uint8_t value[1088U]); - /** A monomorphic instance of libcrux_ml_kem.utils.prf_input_inc with const generics @@ -406,18 +394,6 @@ with const generics void libcrux_ml_kem_utils_into_padded_array_b6(Eurydice_slice slice, uint8_t ret[34U]); -/** -This function found in impl {core::convert::From<@Array> for -libcrux_ml_kem::types::MlKemCiphertext} -*/ -/** -A monomorphic instance of libcrux_ml_kem.types.from_e0 -with const generics -- SIZE= 1568 -*/ -libcrux_ml_kem_types_MlKemCiphertext_64 libcrux_ml_kem_types_from_e0_af( - uint8_t value[1568U]); - /** A monomorphic instance of libcrux_ml_kem.utils.prf_input_inc with const generics 
@@ -471,72 +447,6 @@ with const generics void libcrux_ml_kem_utils_into_padded_array_24(Eurydice_slice slice, uint8_t ret[64U]); -/** -This function found in impl {libcrux_secrets::traits::Declassify for T} -*/ -/** -A monomorphic instance of libcrux_secrets.int.public_integers.declassify_d8 -with types uint8_t[24size_t] - -*/ -void libcrux_secrets_int_public_integers_declassify_d8_d2(uint8_t self[24U], - uint8_t ret[24U]); - -/** -This function found in impl {libcrux_secrets::traits::Declassify for T} -*/ -/** -A monomorphic instance of libcrux_secrets.int.public_integers.declassify_d8 -with types uint8_t[22size_t] - -*/ -void libcrux_secrets_int_public_integers_declassify_d8_fa(uint8_t self[22U], - uint8_t ret[22U]); - -/** -This function found in impl {libcrux_secrets::traits::Declassify for T} -*/ -/** -A monomorphic instance of libcrux_secrets.int.public_integers.declassify_d8 -with types uint8_t[20size_t] - -*/ -void libcrux_secrets_int_public_integers_declassify_d8_57(uint8_t self[20U], - uint8_t ret[20U]); - -/** -This function found in impl {libcrux_secrets::traits::Declassify for T} -*/ -/** -A monomorphic instance of libcrux_secrets.int.public_integers.declassify_d8 -with types uint8_t[10size_t] - -*/ -void libcrux_secrets_int_public_integers_declassify_d8_cc(uint8_t self[10U], - uint8_t ret[10U]); - -/** -This function found in impl {libcrux_secrets::traits::Declassify for T} -*/ -/** -A monomorphic instance of libcrux_secrets.int.public_integers.declassify_d8 -with types uint8_t[8size_t] - -*/ -void libcrux_secrets_int_public_integers_declassify_d8_76(uint8_t self[8U], - uint8_t ret[8U]); - -/** -This function found in impl {libcrux_secrets::traits::Declassify for T} -*/ -/** -A monomorphic instance of libcrux_secrets.int.public_integers.declassify_d8 -with types uint8_t[2size_t] - -*/ -void libcrux_secrets_int_public_integers_declassify_d8_d4(uint8_t self[2U], - uint8_t ret[2U]); - /** Classify a mutable slice (identity) We define a separate function 
for this because hax has limited support for @@ -585,30 +495,6 @@ with types int16_t Eurydice_slice libcrux_secrets_int_classify_public_classify_ref_9b_39( Eurydice_slice self); -/** -A monomorphic instance of core.result.Result -with types int16_t[16size_t], core_array_TryFromSliceError - -*/ -typedef struct core_result_Result_0a_s { - core_result_Result_fb_tags tag; - union { - int16_t case_Ok[16U]; - core_array_TryFromSliceError case_Err; - } val; -} core_result_Result_0a; - -/** -This function found in impl {core::result::Result[TraitClause@0, -TraitClause@1]} -*/ -/** -A monomorphic instance of core.result.unwrap_26 -with types int16_t[16size_t], core_array_TryFromSliceError - -*/ -void core_result_unwrap_26_00(core_result_Result_0a self, int16_t ret[16U]); - /** This function found in impl {libcrux_secrets::traits::Classify for T} */ diff --git a/libcrux-ml-kem/extracts/c/generated/internal/libcrux_mlkem_portable.h b/libcrux-ml-kem/extracts/c/generated/internal/libcrux_mlkem_portable.h index b35bb5968..72ed71664 100644 --- a/libcrux-ml-kem/extracts/c/generated/internal/libcrux_mlkem_portable.h +++ b/libcrux-ml-kem/extracts/c/generated/internal/libcrux_mlkem_portable.h @@ -7,8 +7,8 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ #ifndef internal_libcrux_mlkem_portable_H 
@@ -55,12 +55,12 @@ bool libcrux_ml_kem_ind_cca_validate_public_key_ff(uint8_t *public_key); */ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_private_key_only -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 4 - SECRET_KEY_SIZE= 3168 */ -bool libcrux_ml_kem_ind_cca_validate_private_key_only_60( +bool libcrux_ml_kem_ind_cca_validate_private_key_only_a7( libcrux_ml_kem_types_MlKemPrivateKey_83 *private_key); /** @@ -72,13 +72,13 @@ bool libcrux_ml_kem_ind_cca_validate_private_key_only_60( */ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_private_key -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 4 - SECRET_KEY_SIZE= 3168 - CIPHERTEXT_SIZE= 1568 */ -bool libcrux_ml_kem_ind_cca_validate_private_key_b5( +bool libcrux_ml_kem_ind_cca_validate_private_key_f5( libcrux_ml_kem_types_MlKemPrivateKey_83 *private_key, libcrux_ml_kem_types_MlKemCiphertext_64 *_ciphertext); 
@@ -93,24 +93,27 @@ bool libcrux_ml_kem_ind_cca_validate_private_key_b5( /** A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 4 +- K_SQUARED= 16 - CPA_PRIVATE_KEY_SIZE= 1536 - PRIVATE_KEY_SIZE= 3168 - PUBLIC_KEY_SIZE= 1568 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 512 */ libcrux_ml_kem_mlkem1024_MlKem1024KeyPair -libcrux_ml_kem_ind_cca_generate_keypair_150(uint8_t *randomness); +libcrux_ml_kem_ind_cca_generate_keypair_e60(uint8_t *randomness); /** A monomorphic instance of libcrux_ml_kem.ind_cca.encapsulate with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 4 +- K_SQUARED= 16 - CIPHERTEXT_SIZE= 1568 - PUBLIC_KEY_SIZE= 1568 - T_AS_NTT_ENCODED_SIZE= 1536 @@ -123,8 +126,10 @@ libcrux_ml_kem_variant_MlKem with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 512 +- PRF_OUTPUT_SIZE2= 512 */ -tuple_fa libcrux_ml_kem_ind_cca_encapsulate_ca0( +tuple_fa libcrux_ml_kem_ind_cca_encapsulate_d90( libcrux_ml_kem_types_MlKemPublicKey_64 *public_key, uint8_t *randomness); /** @@ -133,9 +138,10 @@ tuple_fa libcrux_ml_kem_ind_cca_encapsulate_ca0( /** A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 4 +- K_SQUARED= 16 - SECRET_KEY_SIZE= 3168 - CPA_SECRET_KEY_SIZE= 1536 - PUBLIC_KEY_SIZE= 1568 
@@ -150,9 +156,11 @@ libcrux_ml_kem_variant_MlKem with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 512 +- PRF_OUTPUT_SIZE2= 512 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1600 */ -void libcrux_ml_kem_ind_cca_decapsulate_620( +void libcrux_ml_kem_ind_cca_decapsulate_d70( libcrux_ml_kem_types_MlKemPrivateKey_83 *private_key, libcrux_ml_kem_types_MlKemCiphertext_64 *ciphertext, uint8_t ret[32U]); @@ -179,12 +187,12 @@ bool libcrux_ml_kem_ind_cca_validate_public_key_89(uint8_t *public_key); */ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_private_key_only -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 - SECRET_KEY_SIZE= 2400 */ -bool libcrux_ml_kem_ind_cca_validate_private_key_only_d6( +bool libcrux_ml_kem_ind_cca_validate_private_key_only_1f( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key); /** @@ -196,13 +204,13 @@ bool libcrux_ml_kem_ind_cca_validate_private_key_only_d6( */ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_private_key -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 - SECRET_KEY_SIZE= 2400 - CIPHERTEXT_SIZE= 1088 */ -bool libcrux_ml_kem_ind_cca_validate_private_key_37( +bool libcrux_ml_kem_ind_cca_validate_private_key_5d( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *_ciphertext); 
@@ -217,24 +225,27 @@ bool libcrux_ml_kem_ind_cca_validate_private_key_37( /** A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ libcrux_ml_kem_mlkem768_MlKem768KeyPair -libcrux_ml_kem_ind_cca_generate_keypair_15(uint8_t *randomness); +libcrux_ml_kem_ind_cca_generate_keypair_e6(uint8_t *randomness); /** A monomorphic instance of libcrux_ml_kem.ind_cca.encapsulate with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - PUBLIC_KEY_SIZE= 1184 - T_AS_NTT_ENCODED_SIZE= 1152 @@ -247,8 +258,10 @@ libcrux_ml_kem_variant_MlKem with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ -tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_ca( +tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_d9( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, uint8_t *randomness); /** @@ -257,9 +270,10 @@ tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_ca( /** A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 
@@ -274,9 +288,11 @@ libcrux_ml_kem_variant_MlKem with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -void libcrux_ml_kem_ind_cca_decapsulate_62( +void libcrux_ml_kem_ind_cca_decapsulate_d7( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]); diff --git a/libcrux-ml-kem/extracts/c/generated/internal/libcrux_sha3_internal.h b/libcrux-ml-kem/extracts/c/generated/internal/libcrux_sha3_internal.h index 6c2451e65..65c745eb2 100644 --- a/libcrux-ml-kem/extracts/c/generated/internal/libcrux_sha3_internal.h +++ b/libcrux-ml-kem/extracts/c/generated/internal/libcrux_sha3_internal.h @@ -7,8 +7,8 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ #ifndef internal_libcrux_sha3_internal_H diff --git a/libcrux-ml-kem/extracts/c/generated/libcrux_core.c b/libcrux-ml-kem/extracts/c/generated/libcrux_core.c index 048d9bdc3..68fd347c1 100644 --- a/libcrux-ml-kem/extracts/c/generated/libcrux_core.c +++ b/libcrux-ml-kem/extracts/c/generated/libcrux_core.c @@ -7,8 +7,8 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ #include "internal/libcrux_core.h" 
@@ -51,36 +51,31 @@ compare_ciphertexts_in_constant_time(Eurydice_slice lhs, Eurydice_slice rhs) { `lhs` otherwise. */ static KRML_NOINLINE void select_ct(Eurydice_slice lhs, Eurydice_slice rhs, - uint8_t selector, uint8_t ret[32U]) { + uint8_t selector, Eurydice_slice out) { uint8_t mask = core_num__u8__wrapping_sub(is_non_zero(selector), 1U); - uint8_t out[32U] = {0U}; - for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE; - i++) { + for (size_t i = (size_t)0U; i < Eurydice_slice_len(lhs, uint8_t); i++) { size_t i0 = i; uint8_t outi = ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *) & (uint32_t)mask) | ((uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *) & (uint32_t)~mask); - out[i0] = outi; + Eurydice_slice_index(out, i0, uint8_t, uint8_t *) = outi; } - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } static KRML_NOINLINE void select_shared_secret_in_constant_time( Eurydice_slice lhs, Eurydice_slice rhs, uint8_t selector, - uint8_t ret[32U]) { - select_ct(lhs, rhs, selector, ret); + Eurydice_slice out) { + select_ct(lhs, rhs, selector, out); } KRML_NOINLINE void libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( Eurydice_slice lhs_c, Eurydice_slice rhs_c, Eurydice_slice lhs_s, - Eurydice_slice rhs_s, uint8_t ret[32U]) { + Eurydice_slice rhs_s, Eurydice_slice out) { uint8_t selector = compare_ciphertexts_in_constant_time(lhs_c, rhs_c); - uint8_t ret0[32U]; - select_shared_secret_in_constant_time(lhs_s, rhs_s, selector, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + select_shared_secret_in_constant_time(lhs_s, rhs_s, selector, out); } /** 
@@ -93,18 +88,6 @@ size_t libcrux_ml_kem_constants_ranked_bytes_per_ring_element(size_t rank) { return rank * LIBCRUX_ML_KEM_CONSTANTS_BITS_PER_RING_ELEMENT / (size_t)8U; } -/** - Construct a public integer (identity) -*/ -/** -A monomorphic instance of libcrux_secrets.int.public_integers.secret -with types int16_t - -*/ -static KRML_MUSTINLINE int16_t secret_39(int16_t x) { return x; } - -int16_t libcrux_secrets_int_I16(int16_t v) { return secret_39(v); } - /** This function found in impl {libcrux_secrets::traits::Classify for T} */ @@ -125,14 +108,16 @@ A monomorphic instance of libcrux_secrets.int.public_integers.declassify_d8 with types uint8_t */ -static KRML_MUSTINLINE uint8_t declassify_d8_90(uint8_t self) { return self; } +uint8_t libcrux_secrets_int_public_integers_declassify_d8_90(uint8_t self) { + return self; +} /** This function found in impl {libcrux_secrets::int::CastOps for u8} */ int16_t libcrux_secrets_int_as_i16_59(uint8_t self) { return libcrux_secrets_int_public_integers_classify_27_39( - (int16_t)declassify_d8_90(self)); + (int16_t)libcrux_secrets_int_public_integers_declassify_d8_90(self)); } /** @@ -354,16 +339,18 @@ libcrux_ml_kem_types_MlKemPrivateKey_83 libcrux_ml_kem_types_from_77_39( } /** -This function found in impl {libcrux_ml_kem::types::MlKemCiphertext} +This function found in impl {core::default::Default for +libcrux_ml_kem::types::MlKemCiphertext} */ /** -A monomorphic instance of libcrux_ml_kem.types.as_slice_a9 +A monomorphic instance of libcrux_ml_kem.types.default_73 with const generics - SIZE= 1568 */ -uint8_t *libcrux_ml_kem_types_as_slice_a9_af( - libcrux_ml_kem_types_MlKemCiphertext_64 *self) { - return self->value; +libcrux_ml_kem_types_MlKemCiphertext_64 libcrux_ml_kem_types_default_73_af( + void) { + return ( + KRML_CLITERAL(libcrux_ml_kem_types_MlKemCiphertext_64){.value = {0U}}); } /** 
@@ -403,16 +390,18 @@ libcrux_ml_kem_types_MlKemPrivateKey_d9 libcrux_ml_kem_types_from_77_28( } /** -This function found in impl {libcrux_ml_kem::types::MlKemCiphertext} +This function found in impl {core::default::Default for +libcrux_ml_kem::types::MlKemCiphertext} */ /** -A monomorphic instance of libcrux_ml_kem.types.as_slice_a9 +A monomorphic instance of libcrux_ml_kem.types.default_73 with const generics - SIZE= 1088 */ -uint8_t *libcrux_ml_kem_types_as_slice_a9_80( - libcrux_ml_kem_mlkem768_MlKem768Ciphertext *self) { - return self->value; +libcrux_ml_kem_mlkem768_MlKem768Ciphertext libcrux_ml_kem_types_default_73_80( + void) { + return ( + KRML_CLITERAL(libcrux_ml_kem_mlkem768_MlKem768Ciphertext){.value = {0U}}); } /** @@ -480,25 +469,6 @@ Eurydice_slice_uint8_t_x4 libcrux_ml_kem_types_unpack_private_key_b4( .f3 = implicit_rejection_value}); } -/** -This function found in impl {core::convert::From<@Array> for -libcrux_ml_kem::types::MlKemCiphertext} -*/ -/** -A monomorphic instance of libcrux_ml_kem.types.from_e0 -with const generics -- SIZE= 1088 -*/ -libcrux_ml_kem_mlkem768_MlKem768Ciphertext libcrux_ml_kem_types_from_e0_80( - uint8_t value[1088U]) { - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_value[1088U]; - memcpy(copy_of_value, value, (size_t)1088U * sizeof(uint8_t)); - libcrux_ml_kem_mlkem768_MlKem768Ciphertext lit; - memcpy(lit.value, copy_of_value, (size_t)1088U * sizeof(uint8_t)); - return lit; -} - /** A monomorphic instance of libcrux_ml_kem.utils.prf_input_inc with const generics 
@@ -650,25 +620,6 @@ void libcrux_ml_kem_utils_into_padded_array_b6(Eurydice_slice slice, memcpy(ret, out, (size_t)34U * sizeof(uint8_t)); } -/** -This function found in impl {core::convert::From<@Array> for -libcrux_ml_kem::types::MlKemCiphertext} -*/ -/** -A monomorphic instance of libcrux_ml_kem.types.from_e0 -with const generics -- SIZE= 1568 -*/ -libcrux_ml_kem_types_MlKemCiphertext_64 libcrux_ml_kem_types_from_e0_af( - uint8_t value[1568U]) { - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_value[1568U]; - memcpy(copy_of_value, value, (size_t)1568U * sizeof(uint8_t)); - libcrux_ml_kem_types_MlKemCiphertext_64 lit; - memcpy(lit.value, copy_of_value, (size_t)1568U * sizeof(uint8_t)); - return lit; -} - /** A monomorphic instance of libcrux_ml_kem.utils.prf_input_inc with const generics 
@@ -753,84 +704,6 @@ void libcrux_ml_kem_utils_into_padded_array_24(Eurydice_slice slice, memcpy(ret, out, (size_t)64U * sizeof(uint8_t)); } -/** -This function found in impl {libcrux_secrets::traits::Declassify for T} -*/ -/** -A monomorphic instance of libcrux_secrets.int.public_integers.declassify_d8 -with types uint8_t[24size_t] - -*/ -void libcrux_secrets_int_public_integers_declassify_d8_d2(uint8_t self[24U], - uint8_t ret[24U]) { - memcpy(ret, self, (size_t)24U * sizeof(uint8_t)); -} - -/** -This function found in impl {libcrux_secrets::traits::Declassify for T} -*/ -/** -A monomorphic instance of libcrux_secrets.int.public_integers.declassify_d8 -with types uint8_t[22size_t] - -*/ -void libcrux_secrets_int_public_integers_declassify_d8_fa(uint8_t self[22U], - uint8_t ret[22U]) { - memcpy(ret, self, (size_t)22U * sizeof(uint8_t)); -} - -/** -This function found in impl {libcrux_secrets::traits::Declassify for T} -*/ -/** -A monomorphic instance of libcrux_secrets.int.public_integers.declassify_d8 -with types uint8_t[20size_t] - -*/ -void libcrux_secrets_int_public_integers_declassify_d8_57(uint8_t self[20U], - uint8_t ret[20U]) { - memcpy(ret, self, (size_t)20U * sizeof(uint8_t)); -} - -/** -This function found in impl {libcrux_secrets::traits::Declassify for T} -*/ -/** -A monomorphic instance of libcrux_secrets.int.public_integers.declassify_d8 -with types uint8_t[10size_t] - -*/ -void libcrux_secrets_int_public_integers_declassify_d8_cc(uint8_t self[10U], - uint8_t ret[10U]) { - memcpy(ret, self, (size_t)10U * sizeof(uint8_t)); -} - -/** -This function found in impl {libcrux_secrets::traits::Declassify for T} -*/ -/** -A monomorphic instance of libcrux_secrets.int.public_integers.declassify_d8 -with types uint8_t[8size_t] - -*/ -void libcrux_secrets_int_public_integers_declassify_d8_76(uint8_t self[8U], - uint8_t ret[8U]) { - memcpy(ret, self, (size_t)8U * sizeof(uint8_t)); -} - -/** -This function found in impl {libcrux_secrets::traits::Declassify for T} 
-*/ -/** -A monomorphic instance of libcrux_secrets.int.public_integers.declassify_d8 -with types uint8_t[2size_t] - -*/ -void libcrux_secrets_int_public_integers_declassify_d8_d4(uint8_t self[2U], - uint8_t ret[2U]) { - memcpy(ret, self, (size_t)2U * sizeof(uint8_t)); -} - /** Classify a mutable slice (identity) We define a separate function for this because hax has limited support for @@ -887,27 +760,6 @@ Eurydice_slice libcrux_secrets_int_classify_public_classify_ref_9b_39( return self; } -/** -This function found in impl {core::result::Result[TraitClause@0, -TraitClause@1]} -*/ -/** -A monomorphic instance of core.result.unwrap_26 -with types int16_t[16size_t], core_array_TryFromSliceError - -*/ -void core_result_unwrap_26_00(core_result_Result_0a self, int16_t ret[16U]) { - if (self.tag == core_result_Ok) { - int16_t f0[16U]; - memcpy(f0, self.val.case_Ok, (size_t)16U * sizeof(int16_t)); - memcpy(ret, f0, (size_t)16U * sizeof(int16_t)); - } else { - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "unwrap not Ok"); - KRML_HOST_EXIT(255U); - } -} - /** This function found in impl {libcrux_secrets::traits::Classify for T} */ diff --git a/libcrux-ml-kem/extracts/c/generated/libcrux_core.h b/libcrux-ml-kem/extracts/c/generated/libcrux_core.h index 929323708..2bdb84d87 100644 --- a/libcrux-ml-kem/extracts/c/generated/libcrux_core.h +++ b/libcrux-ml-kem/extracts/c/generated/libcrux_core.h @@ -7,8 +7,8 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ #ifndef libcrux_core_H diff --git a/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem1024.h b/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem1024.h index 3d6f24a0b..883ca4d56 100644 
--- a/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem1024.h +++ b/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem1024.h @@ -7,8 +7,8 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ #ifndef libcrux_mlkem1024_H @@ -78,10 +78,21 @@ typedef libcrux_ml_kem_types_MlKemPrivateKey_83 typedef libcrux_ml_kem_types_MlKemPublicKey_64 libcrux_ml_kem_mlkem1024_MlKem1024PublicKey; +#define LIBCRUX_ML_KEM_MLKEM1024_PRF_OUTPUT_SIZE1 \ + (LIBCRUX_ML_KEM_MLKEM1024_ETA1_RANDOMNESS_SIZE * \ + LIBCRUX_ML_KEM_MLKEM1024_RANK) + +#define LIBCRUX_ML_KEM_MLKEM1024_PRF_OUTPUT_SIZE2 \ + (LIBCRUX_ML_KEM_MLKEM1024_ETA2_RANDOMNESS_SIZE * \ + LIBCRUX_ML_KEM_MLKEM1024_RANK) + #define LIBCRUX_ML_KEM_MLKEM1024_RANKED_BYTES_PER_RING_ELEMENT \ (LIBCRUX_ML_KEM_MLKEM1024_RANK * \ LIBCRUX_ML_KEM_CONSTANTS_BITS_PER_RING_ELEMENT / (size_t)8U) +#define LIBCRUX_ML_KEM_MLKEM1024_RANK_SQUARED \ + (LIBCRUX_ML_KEM_MLKEM1024_RANK * LIBCRUX_ML_KEM_MLKEM1024_RANK) + #define LIBCRUX_ML_KEM_MLKEM1024_SECRET_KEY_SIZE \ (LIBCRUX_ML_KEM_MLKEM1024_CPA_PKE_SECRET_KEY_SIZE + \ LIBCRUX_ML_KEM_MLKEM1024_CPA_PKE_PUBLIC_KEY_SIZE + \ diff --git a/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem1024_portable.c b/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem1024_portable.c index b528cdbeb..1c0646067 100644 --- a/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem1024_portable.c +++ b/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem1024_portable.c 
@@ -7,8 +7,8 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ #include "libcrux_mlkem1024_portable.h" @@ -23,6 +23,7 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.decapsulate with const generics - K= 4 +- K_SQUARED= 16 - SECRET_KEY_SIZE= 3168 - CPA_SECRET_KEY_SIZE= 1536 - PUBLIC_KEY_SIZE= 1568 @@ -37,12 +38,14 @@ libcrux_ml_kem.ind_cca.instantiations.portable.decapsulate with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 512 +- PRF_OUTPUT_SIZE2= 512 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1600 */ -static void decapsulate_e0(libcrux_ml_kem_types_MlKemPrivateKey_83 *private_key, +static void decapsulate_f3(libcrux_ml_kem_types_MlKemPrivateKey_83 *private_key, libcrux_ml_kem_types_MlKemCiphertext_64 *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_decapsulate_620(private_key, ciphertext, ret); + libcrux_ml_kem_ind_cca_decapsulate_d70(private_key, ciphertext, ret); } /** @@ -55,13 +58,14 @@ static void decapsulate_e0(libcrux_ml_kem_types_MlKemPrivateKey_83 *private_key, void libcrux_ml_kem_mlkem1024_portable_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_83 *private_key, libcrux_ml_kem_types_MlKemCiphertext_64 *ciphertext, uint8_t ret[32U]) { - decapsulate_e0(private_key, ciphertext, ret); + decapsulate_f3(private_key, ciphertext, ret); } /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.encapsulate with const generics - K= 4 +- K_SQUARED= 16 - CIPHERTEXT_SIZE= 1568 - PUBLIC_KEY_SIZE= 1568 - T_AS_NTT_ENCODED_SIZE= 1536 
@@ -74,10 +78,12 @@ libcrux_ml_kem.ind_cca.instantiations.portable.encapsulate with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 512 +- PRF_OUTPUT_SIZE2= 512 */ -static tuple_fa encapsulate_8f( +static tuple_fa encapsulate_e0( libcrux_ml_kem_types_MlKemPublicKey_64 *public_key, uint8_t *randomness) { - return libcrux_ml_kem_ind_cca_encapsulate_ca0(public_key, randomness); + return libcrux_ml_kem_ind_cca_encapsulate_d90(public_key, randomness); } /** @@ -90,7 +96,7 @@ static tuple_fa encapsulate_8f( tuple_fa libcrux_ml_kem_mlkem1024_portable_encapsulate( libcrux_ml_kem_types_MlKemPublicKey_64 *public_key, uint8_t randomness[32U]) { - return encapsulate_8f(public_key, randomness); + return encapsulate_e0(public_key, randomness); } /** @@ -101,15 +107,17 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.generate_keypair with const generics - K= 4 +- K_SQUARED= 16 - CPA_PRIVATE_KEY_SIZE= 1536 - PRIVATE_KEY_SIZE= 3168 - PUBLIC_KEY_SIZE= 1568 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 512 */ -static libcrux_ml_kem_mlkem1024_MlKem1024KeyPair generate_keypair_b4( +static libcrux_ml_kem_mlkem1024_MlKem1024KeyPair generate_keypair_86( uint8_t *randomness) { - return libcrux_ml_kem_ind_cca_generate_keypair_150(randomness); + return libcrux_ml_kem_ind_cca_generate_keypair_e60(randomness); } /** @@ -117,7 +125,7 @@ static libcrux_ml_kem_mlkem1024_MlKem1024KeyPair generate_keypair_b4( */ libcrux_ml_kem_mlkem1024_MlKem1024KeyPair libcrux_ml_kem_mlkem1024_portable_generate_key_pair(uint8_t randomness[64U]) { - return generate_keypair_b4(randomness); + return generate_keypair_86(randomness); } /** 
@@ -134,7 +142,7 @@ generics static KRML_MUSTINLINE bool validate_private_key_6b( libcrux_ml_kem_types_MlKemPrivateKey_83 *private_key, libcrux_ml_kem_types_MlKemCiphertext_64 *ciphertext) { - return libcrux_ml_kem_ind_cca_validate_private_key_b5(private_key, + return libcrux_ml_kem_ind_cca_validate_private_key_f5(private_key, ciphertext); } @@ -161,7 +169,7 @@ const generics */ static KRML_MUSTINLINE bool validate_private_key_only_44( libcrux_ml_kem_types_MlKemPrivateKey_83 *private_key) { - return libcrux_ml_kem_ind_cca_validate_private_key_only_60(private_key); + return libcrux_ml_kem_ind_cca_validate_private_key_only_a7(private_key); } /** diff --git a/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem1024_portable.h b/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem1024_portable.h index b5fce3d09..1f03039e3 100644 --- a/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem1024_portable.h +++ b/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem1024_portable.h @@ -7,8 +7,8 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ #ifndef libcrux_mlkem1024_portable_H diff --git a/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem768.h b/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem768.h index 913a7e9f2..a20dc4fd3 100644 --- a/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem768.h +++ b/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem768.h 
@@ -7,8 +7,8 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ #ifndef libcrux_mlkem768_H @@ -75,10 +75,19 @@ typedef libcrux_ml_kem_types_MlKemPrivateKey_d9 typedef libcrux_ml_kem_types_MlKemPublicKey_30 libcrux_ml_kem_mlkem768_MlKem768PublicKey; +#define LIBCRUX_ML_KEM_MLKEM768_PRF_OUTPUT_SIZE1 \ + (LIBCRUX_ML_KEM_MLKEM768_ETA1_RANDOMNESS_SIZE * LIBCRUX_ML_KEM_MLKEM768_RANK) + +#define LIBCRUX_ML_KEM_MLKEM768_PRF_OUTPUT_SIZE2 \ + (LIBCRUX_ML_KEM_MLKEM768_ETA2_RANDOMNESS_SIZE * LIBCRUX_ML_KEM_MLKEM768_RANK) + #define LIBCRUX_ML_KEM_MLKEM768_RANKED_BYTES_PER_RING_ELEMENT \ (LIBCRUX_ML_KEM_MLKEM768_RANK * \ LIBCRUX_ML_KEM_CONSTANTS_BITS_PER_RING_ELEMENT / (size_t)8U) +#define LIBCRUX_ML_KEM_MLKEM768_RANK_SQUARED \ + (LIBCRUX_ML_KEM_MLKEM768_RANK * LIBCRUX_ML_KEM_MLKEM768_RANK) + #define LIBCRUX_ML_KEM_MLKEM768_SECRET_KEY_SIZE \ (LIBCRUX_ML_KEM_MLKEM768_CPA_PKE_SECRET_KEY_SIZE + \ LIBCRUX_ML_KEM_MLKEM768_CPA_PKE_PUBLIC_KEY_SIZE + \ diff --git a/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem768_portable.c b/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem768_portable.c index 12675089d..0018baf24 100644 --- a/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem768_portable.c +++ b/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem768_portable.c @@ -7,8 +7,8 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ #include "libcrux_mlkem768_portable.h" 
@@ -23,6 +23,7 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.decapsulate with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 @@ -37,12 +38,14 @@ libcrux_ml_kem.ind_cca.instantiations.portable.decapsulate with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -static void decapsulate_35( +static void decapsulate_54( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_decapsulate_62(private_key, ciphertext, ret); + libcrux_ml_kem_ind_cca_decapsulate_d7(private_key, ciphertext, ret); } /** @@ -55,13 +58,14 @@ static void decapsulate_35( void libcrux_ml_kem_mlkem768_portable_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - decapsulate_35(private_key, ciphertext, ret); + decapsulate_54(private_key, ciphertext, ret); } /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.encapsulate with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - PUBLIC_KEY_SIZE= 1184 - T_AS_NTT_ENCODED_SIZE= 1152 @@ -74,10 +78,12 @@ libcrux_ml_kem.ind_cca.instantiations.portable.encapsulate with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ -static tuple_c2 encapsulate_cd( +static tuple_c2 encapsulate_35( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, uint8_t *randomness) { - return libcrux_ml_kem_ind_cca_encapsulate_ca(public_key, randomness); + return libcrux_ml_kem_ind_cca_encapsulate_d9(public_key, randomness); } /** 
@@ -90,7 +96,7 @@ static tuple_c2 encapsulate_cd( tuple_c2 libcrux_ml_kem_mlkem768_portable_encapsulate( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, uint8_t randomness[32U]) { - return encapsulate_cd(public_key, randomness); + return encapsulate_35(public_key, randomness); } /** @@ -101,15 +107,17 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.generate_keypair with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ -static libcrux_ml_kem_mlkem768_MlKem768KeyPair generate_keypair_ce( +static libcrux_ml_kem_mlkem768_MlKem768KeyPair generate_keypair_06( uint8_t *randomness) { - return libcrux_ml_kem_ind_cca_generate_keypair_15(randomness); + return libcrux_ml_kem_ind_cca_generate_keypair_e6(randomness); } /** @@ -117,7 +125,7 @@ static libcrux_ml_kem_mlkem768_MlKem768KeyPair generate_keypair_ce( */ libcrux_ml_kem_mlkem768_MlKem768KeyPair libcrux_ml_kem_mlkem768_portable_generate_key_pair(uint8_t randomness[64U]) { - return generate_keypair_ce(randomness); + return generate_keypair_06(randomness); } /** @@ -134,7 +142,7 @@ generics static KRML_MUSTINLINE bool validate_private_key_31( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext) { - return libcrux_ml_kem_ind_cca_validate_private_key_37(private_key, + return libcrux_ml_kem_ind_cca_validate_private_key_5d(private_key, ciphertext); } @@ -161,7 +169,7 @@ const generics */ static KRML_MUSTINLINE bool validate_private_key_only_41( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key) { - return libcrux_ml_kem_ind_cca_validate_private_key_only_d6(private_key); + return libcrux_ml_kem_ind_cca_validate_private_key_only_1f(private_key); } /** 
diff --git a/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem768_portable.h b/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem768_portable.h index 60cbd407e..0d220f928 100644 --- a/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem768_portable.h +++ b/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem768_portable.h @@ -7,8 +7,8 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ #ifndef libcrux_mlkem768_portable_H diff --git a/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem_portable.c b/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem_portable.c index 29b00d5d1..91d46f7b7 100644 --- a/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem_portable.c +++ b/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem_portable.c @@ -7,8 +7,8 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ #include "internal/libcrux_mlkem_portable.h" 
@@ -18,19 +18,149 @@ #include "libcrux_sha3_portable.h" inline void libcrux_ml_kem_hash_functions_portable_G(Eurydice_slice input, - uint8_t ret[64U]) { - uint8_t digest[64U] = {0U}; - libcrux_sha3_portable_sha512( - Eurydice_array_to_slice((size_t)64U, digest, uint8_t), input); - memcpy(ret, digest, (size_t)64U * sizeof(uint8_t)); + Eurydice_slice output) { + libcrux_sha3_portable_sha512(output, input); } inline void libcrux_ml_kem_hash_functions_portable_H(Eurydice_slice input, - uint8_t ret[32U]) { - uint8_t digest[32U] = {0U}; - libcrux_sha3_portable_sha256( - Eurydice_array_to_slice((size_t)32U, digest, uint8_t), input); - memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); + Eurydice_slice output) { + libcrux_sha3_portable_sha256(output, input); +} + +inline void libcrux_ml_kem_hash_functions_portable_PRFxN(Eurydice_slice input, + Eurydice_slice outputs, + size_t out_len) { + for (size_t i = (size_t)0U; i < Eurydice_slice_len(input, uint8_t[33U]); + i++) { + size_t i0 = i; + libcrux_sha3_portable_shake256( + Eurydice_slice_subslice3(outputs, i0 * out_len, + (i0 + (size_t)1U) * out_len, uint8_t *), + Eurydice_array_to_slice( + (size_t)33U, + Eurydice_slice_index(input, i0, uint8_t[33U], uint8_t(*)[33U]), + uint8_t)); + } +} + +inline libcrux_ml_kem_hash_functions_portable_PortableHash +libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final( + Eurydice_slice input) { + libcrux_sha3_generic_keccak_KeccakState_17 shake128_state[4U]; + KRML_MAYBE_FOR4( + i, (size_t)0U, (size_t)4U, (size_t)1U, + shake128_state[i] = libcrux_sha3_portable_incremental_shake128_init();); + for (size_t i = (size_t)0U; i < Eurydice_slice_len(input, uint8_t[34U]); + i++) { + size_t i0 = i; + libcrux_sha3_portable_incremental_shake128_absorb_final( + &shake128_state[i0], + Eurydice_array_to_slice( + (size_t)34U, + Eurydice_slice_index(input, i0, uint8_t[34U], uint8_t(*)[34U]), + uint8_t)); + } + /* Passing arrays by value in Rust generates a copy in C */ + 
libcrux_sha3_generic_keccak_KeccakState_17 copy_of_shake128_state[4U]; + memcpy(copy_of_shake128_state, shake128_state, + (size_t)4U * sizeof(libcrux_sha3_generic_keccak_KeccakState_17)); + libcrux_ml_kem_hash_functions_portable_PortableHash lit; + memcpy(lit.shake128_state, copy_of_shake128_state, + (size_t)4U * sizeof(libcrux_sha3_generic_keccak_KeccakState_17)); + return lit; +} + +inline void +libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks( + libcrux_ml_kem_hash_functions_portable_PortableHash *st, + Eurydice_slice outputs) { + for (size_t i = (size_t)0U; i < Eurydice_slice_len(outputs, uint8_t[504U]); + i++) { + size_t i0 = i; + libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks( + &st->shake128_state[i0], + Eurydice_array_to_slice( + (size_t)504U, + Eurydice_slice_index(outputs, i0, uint8_t[504U], uint8_t(*)[504U]), + uint8_t)); + } +} + +inline void libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block( + libcrux_ml_kem_hash_functions_portable_PortableHash *st, + Eurydice_slice outputs) { + for (size_t i = (size_t)0U; i < Eurydice_slice_len(outputs, uint8_t[168U]); + i++) { + size_t i0 = i; + libcrux_sha3_portable_incremental_shake128_squeeze_next_block( + &st->shake128_state[i0], + Eurydice_array_to_slice( + (size_t)168U, + Eurydice_slice_index(outputs, i0, uint8_t[168U], uint8_t(*)[168U]), + uint8_t)); + } +} + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} +*/ +inline void libcrux_ml_kem_hash_functions_portable_G_6e(Eurydice_slice input, + Eurydice_slice output) { + libcrux_ml_kem_hash_functions_portable_G(input, output); +} + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} +*/ +inline void libcrux_ml_kem_hash_functions_portable_H_6e(Eurydice_slice input, + Eurydice_slice output) { + 
libcrux_ml_kem_hash_functions_portable_H(input, output); +} + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} +*/ +inline void libcrux_ml_kem_hash_functions_portable_PRFxN_6e( + Eurydice_slice input, Eurydice_slice outputs, size_t out_len) { + libcrux_ml_kem_hash_functions_portable_PRFxN(input, outputs, out_len); +} + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} +*/ +KRML_MUSTINLINE libcrux_ml_kem_hash_functions_portable_PortableHash +libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_6e( + Eurydice_slice input) { + return libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final( + input); +} + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} +*/ +KRML_MUSTINLINE void +libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_6e( + libcrux_ml_kem_hash_functions_portable_PortableHash *self, + Eurydice_slice output) { + libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks( + self, output); +} + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} +*/ +KRML_MUSTINLINE void +libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_6e( + libcrux_ml_kem_hash_functions_portable_PortableHash *self, + Eurydice_slice output) { + libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block(self, + output); } static const int16_t ZETAS_TIMES_MONTGOMERY_R[128U] = { 
@@ -92,34 +222,37 @@ libcrux_ml_kem_vector_portable_ZERO_b8(void) { return libcrux_ml_kem_vector_portable_vector_type_zero(); } -KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_vector_type_from_i16_array( - Eurydice_slice array) { - libcrux_ml_kem_vector_portable_vector_type_PortableVector lit; - int16_t ret[16U]; - core_result_Result_0a dst; - Eurydice_slice_to_array2( - &dst, Eurydice_slice_subslice3(array, (size_t)0U, (size_t)16U, int16_t *), - Eurydice_slice, int16_t[16U], core_array_TryFromSliceError); - core_result_unwrap_26_00(dst, ret); - memcpy(lit.elements, ret, (size_t)16U * sizeof(int16_t)); - return lit; +KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_vector_type_from_i16_array( + Eurydice_slice array, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + Eurydice_slice_copy( + Eurydice_array_to_slice((size_t)16U, out->elements, int16_t), + Eurydice_slice_subslice3(array, (size_t)0U, (size_t)16U, int16_t *), + int16_t); } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_from_i16_array_b8(Eurydice_slice array) { - return libcrux_ml_kem_vector_portable_vector_type_from_i16_array( - libcrux_secrets_int_classify_public_classify_ref_9b_39(array)); +void libcrux_ml_kem_vector_portable_from_i16_array_b8( + Eurydice_slice array, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_vector_type_from_i16_array( + libcrux_secrets_int_classify_public_classify_ref_9b_39(array), out); } KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_vector_type_to_i16_array( - libcrux_ml_kem_vector_portable_vector_type_PortableVector x, - int16_t ret[16U]) { - memcpy(ret, x.elements, (size_t)16U * sizeof(int16_t)); + 
libcrux_ml_kem_vector_portable_vector_type_PortableVector *x, + Eurydice_slice out) { + Eurydice_slice uu____0 = + Eurydice_slice_subslice3(out, (size_t)0U, (size_t)16U, int16_t *); + int16_t uu____1[16U]; + memcpy(uu____1, x->elements, (size_t)16U * sizeof(int16_t)); + int16_t ret[16U]; + libcrux_secrets_int_public_integers_declassify_d8_46(uu____1, ret); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)16U, ret, int16_t), int16_t); } /** 
@@ -127,44 +260,35 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ void libcrux_ml_kem_vector_portable_to_i16_array_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector x, - int16_t ret[16U]) { - int16_t ret0[16U]; - libcrux_ml_kem_vector_portable_vector_type_to_i16_array(x, ret0); - libcrux_secrets_int_public_integers_declassify_d8_46(ret0, ret); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *x, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_vector_type_to_i16_array(x, out); } -KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_vector_type_from_bytes(Eurydice_slice array) { - int16_t elements[16U]; - KRML_MAYBE_FOR16(i, (size_t)0U, (size_t)16U, (size_t)1U, - elements[i] = libcrux_secrets_int_I16((int16_t)0);); +KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_vector_type_from_bytes( + Eurydice_slice array, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - elements[i0] = + out->elements[i0] = libcrux_secrets_int_as_i16_59( Eurydice_slice_index(array, (size_t)2U * i0, uint8_t, uint8_t *)) << 8U | libcrux_secrets_int_as_i16_59(Eurydice_slice_index( array, (size_t)2U * i0 + (size_t)1U, uint8_t, uint8_t *)); } - /* Passing arrays by value in Rust generates a copy in C */ - int16_t copy_of_elements[16U]; - memcpy(copy_of_elements, elements, (size_t)16U * sizeof(int16_t)); - libcrux_ml_kem_vector_portable_vector_type_PortableVector lit; - memcpy(lit.elements, copy_of_elements, (size_t)16U * sizeof(int16_t)); - return lit; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector 
-libcrux_ml_kem_vector_portable_from_bytes_b8(Eurydice_slice array) { - return libcrux_ml_kem_vector_portable_vector_type_from_bytes( - libcrux_secrets_int_classify_public_classify_ref_9b_90(array)); +void libcrux_ml_kem_vector_portable_from_bytes_b8( + Eurydice_slice array, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_vector_type_from_bytes( + libcrux_secrets_int_classify_public_classify_ref_9b_90(array), out); } KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_vector_type_to_bytes( 
@@ -192,103 +316,131 @@ void libcrux_ml_kem_vector_portable_to_bytes_b8( x, libcrux_secrets_int_public_integers_classify_mut_slice_ba(bytes)); } -KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_arithmetic_add( - libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs, +KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_arithmetic_add( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs, libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; size_t uu____0 = i0; - lhs.elements[uu____0] = lhs.elements[uu____0] + rhs->elements[i0]; + lhs->elements[uu____0] = lhs->elements[uu____0] + rhs->elements[i0]; } - return lhs; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_add_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs, +void libcrux_ml_kem_vector_portable_add_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs, libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) { - return libcrux_ml_kem_vector_portable_arithmetic_add(lhs, rhs); + libcrux_ml_kem_vector_portable_arithmetic_add(lhs, rhs); } -KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_arithmetic_sub( - libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs, +KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_arithmetic_sub( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs, libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; size_t uu____0 = i0; - lhs.elements[uu____0] = 
lhs.elements[uu____0] - rhs->elements[i0]; + lhs->elements[uu____0] = lhs->elements[uu____0] - rhs->elements[i0]; } - return lhs; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_sub_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs, +void libcrux_ml_kem_vector_portable_sub_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs, libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) { - return libcrux_ml_kem_vector_portable_arithmetic_sub(lhs, rhs); + libcrux_ml_kem_vector_portable_arithmetic_sub(lhs, rhs); } -KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector +KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_arithmetic_negate( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec) { + for (size_t i = (size_t)0U; + i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { + size_t i0 = i; + vec->elements[i0] = -vec->elements[i0]; + } +} + +/** +This function found in impl {libcrux_ml_kem::vector::traits::Operations for +libcrux_ml_kem::vector::portable::vector_type::PortableVector} +*/ +void libcrux_ml_kem_vector_portable_negate_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec) { + libcrux_ml_kem_vector_portable_arithmetic_negate(vec); +} + +KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t c) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; size_t uu____0 = i0; - vec.elements[uu____0] = vec.elements[uu____0] * c; + vec->elements[uu____0] = vec->elements[uu____0] * c; } - return vec; } /** This function found in impl 
{libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_multiply_by_constant_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c) { - return libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant(vec, c); +void libcrux_ml_kem_vector_portable_multiply_by_constant_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t c) { + libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant(vec, c); +} + +KRML_MUSTINLINE void +libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t c) { + for (size_t i = (size_t)0U; + i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { + size_t i0 = i; + size_t uu____0 = i0; + vec->elements[uu____0] = vec->elements[uu____0] & c; + } +} + +/** +This function found in impl {libcrux_ml_kem::vector::traits::Operations for +libcrux_ml_kem::vector::portable::vector_type::PortableVector} +*/ +void libcrux_ml_kem_vector_portable_bitwise_and_with_constant_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t c) { + libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant(vec, c); } /** Note: This function is not secret independent Only use with public values. 
*/ -KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector +KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_arithmetic_cond_subtract_3329( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; if (libcrux_secrets_int_public_integers_declassify_d8_39( - vec.elements[i0]) >= (int16_t)3329) { + vec->elements[i0]) >= (int16_t)3329) { size_t uu____0 = i0; - vec.elements[uu____0] = vec.elements[uu____0] - (int16_t)3329; + vec->elements[uu____0] = vec->elements[uu____0] - (int16_t)3329; } } - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_cond_subtract_3329_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { - return libcrux_ml_kem_vector_portable_arithmetic_cond_subtract_3329(v); +void libcrux_ml_kem_vector_portable_cond_subtract_3329_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec) { + libcrux_ml_kem_vector_portable_arithmetic_cond_subtract_3329(vec); } /** 
@@ -316,28 +468,25 @@ int16_t libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( return value - quotient * LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS; } -KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec) { +KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int16_t vi = libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( - vec.elements[i0]); - vec.elements[i0] = vi; + vec->elements[i0]); + vec->elements[i0] = vi; } - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_barrett_reduce_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vector) { - return libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce(vector); +void libcrux_ml_kem_vector_portable_barrett_reduce_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec) { + libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce(vec); } /** 
@@ -397,41 +546,36 @@ libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( product); } -KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector +KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_by_constant( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t c) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - vec.elements[i0] = + vec->elements[i0] = libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( - vec.elements[i0], c); + vec->elements[i0], c); } - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vector, - int16_t constant) { - return libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_by_constant( - vector, libcrux_secrets_int_public_integers_classify_27_39(constant)); +void libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t r) { + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_by_constant( + vec, libcrux_secrets_int_public_integers_classify_27_39(r)); } -KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c) { - for (size_t i = (size_t)0U; - i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { - size_t i0 = i; - size_t uu____0 = i0; - vec.elements[uu____0] = vec.elements[uu____0] & c; - } - return vec; +/** +This function found 
in impl {core::clone::Clone for +libcrux_ml_kem::vector::portable::vector_type::PortableVector} +*/ +inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_vector_type_clone_9c( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *self) { + return self[0U]; } /** @@ -439,25 +583,26 @@ A monomorphic instance of libcrux_ml_kem.vector.portable.arithmetic.shift_right with const generics - SHIFT_BY= 15 */ -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -shift_right_ef(libcrux_ml_kem_vector_portable_vector_type_PortableVector vec) { +static KRML_MUSTINLINE void shift_right_ef( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - vec.elements[i0] = vec.elements[i0] >> (uint32_t)(int32_t)15; + size_t uu____0 = i0; + vec->elements[uu____0] = vec->elements[uu____0] >> (uint32_t)(int32_t)15; } - return vec; } KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_arithmetic_to_unsigned_representative( libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { libcrux_ml_kem_vector_portable_vector_type_PortableVector t = - shift_right_ef(a); - libcrux_ml_kem_vector_portable_vector_type_PortableVector fm = - libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant( - t, LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); - return libcrux_ml_kem_vector_portable_arithmetic_add(a, &fm); + libcrux_ml_kem_vector_portable_vector_type_clone_9c(&a); + shift_right_ef(&t); + libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant( + &t, LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); + libcrux_ml_kem_vector_portable_arithmetic_add(&a, &t); + return a; } /** 
@@ -506,27 +651,24 @@ uint8_t libcrux_ml_kem_vector_portable_compress_compress_message_coefficient( return libcrux_secrets_int_as_u8_f5(r1); } -KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_compress_compress_1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { +KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_compress_compress_1( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - a.elements[i0] = libcrux_secrets_int_as_i16_59( + a->elements[i0] = libcrux_secrets_int_as_i16_59( libcrux_ml_kem_vector_portable_compress_compress_message_coefficient( - libcrux_secrets_int_as_u16_f5(a.elements[i0]))); + libcrux_secrets_int_as_u16_f5(a->elements[i0]))); } - return a; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_compress_1_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return libcrux_ml_kem_vector_portable_compress_compress_1(a); +void libcrux_ml_kem_vector_portable_compress_1_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { + libcrux_ml_kem_vector_portable_compress_compress_1(a); } KRML_MUSTINLINE uint32_t 
@@ -550,14 +692,10 @@ int16_t libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient( KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_compress_decompress_1( libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - libcrux_ml_kem_vector_portable_vector_type_PortableVector z = - libcrux_ml_kem_vector_portable_vector_type_zero(); - libcrux_ml_kem_vector_portable_vector_type_PortableVector s = - libcrux_ml_kem_vector_portable_arithmetic_sub(z, &a); - libcrux_ml_kem_vector_portable_vector_type_PortableVector res = - libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant( - s, (int16_t)1665); - return res; + libcrux_ml_kem_vector_portable_arithmetic_negate(&a); + libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant( + &a, (int16_t)1665); + return a; } /** 
@@ -583,106 +721,98 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_ntt_step( vec->elements[i] = a_plus_t; } -KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_ntt_layer_1_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, +KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_ntt_layer_1_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)0U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta0, (size_t)0U, (size_t)2U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)1U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta0, (size_t)1U, (size_t)3U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)4U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta1, (size_t)4U, (size_t)6U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)5U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta1, (size_t)5U, (size_t)7U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta2, (size_t)8U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta2, (size_t)8U, (size_t)10U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta2, (size_t)9U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta2, (size_t)9U, (size_t)11U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta3, (size_t)12U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta3, (size_t)12U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta3, (size_t)13U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta3, (size_t)13U, (size_t)15U); - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector 
-libcrux_ml_kem_vector_portable_ntt_layer_1_step_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0, +void libcrux_ml_kem_vector_portable_ntt_layer_1_step_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { - return libcrux_ml_kem_vector_portable_ntt_ntt_layer_1_step(a, zeta0, zeta1, - zeta2, zeta3); + libcrux_ml_kem_vector_portable_ntt_ntt_layer_1_step(a, zeta0, zeta1, zeta2, + zeta3); } -KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_ntt_layer_2_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, +KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_ntt_layer_2_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t zeta0, int16_t zeta1) { - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)0U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta0, (size_t)0U, (size_t)4U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)1U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta0, (size_t)1U, (size_t)5U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)2U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta0, (size_t)2U, (size_t)6U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)3U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta0, (size_t)3U, (size_t)7U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)8U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta1, (size_t)8U, (size_t)12U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)9U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta1, (size_t)9U, (size_t)13U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)10U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta1, (size_t)10U, (size_t)14U); - 
libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)11U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta1, (size_t)11U, (size_t)15U); - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_layer_2_step_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0, +void libcrux_ml_kem_vector_portable_ntt_layer_2_step_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, int16_t zeta0, int16_t zeta1) { - return libcrux_ml_kem_vector_portable_ntt_ntt_layer_2_step(a, zeta0, zeta1); + libcrux_ml_kem_vector_portable_ntt_ntt_layer_2_step(a, zeta0, zeta1); } -KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_ntt_layer_3_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, +KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_ntt_layer_3_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t zeta) { - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)0U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta, (size_t)0U, (size_t)8U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)1U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta, (size_t)1U, (size_t)9U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)2U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta, (size_t)2U, (size_t)10U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)3U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta, (size_t)3U, (size_t)11U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)4U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta, (size_t)4U, (size_t)12U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)5U, + 
libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta, (size_t)5U, (size_t)13U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)6U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta, (size_t)6U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)7U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta, (size_t)7U, (size_t)15U); - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_layer_3_step_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta) { - return libcrux_ml_kem_vector_portable_ntt_ntt_layer_3_step(a, zeta); +void libcrux_ml_kem_vector_portable_ntt_layer_3_step_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + int16_t zeta) { + libcrux_ml_kem_vector_portable_ntt_ntt_layer_3_step(a, zeta); } KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_inv_ntt_step( 
@@ -699,107 +829,98 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_inv_ntt_step( vec->elements[j] = o1; } -KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_1_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, +KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_1_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)0U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta0, (size_t)0U, (size_t)2U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)1U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta0, (size_t)1U, (size_t)3U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)4U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta1, (size_t)4U, (size_t)6U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)5U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta1, (size_t)5U, (size_t)7U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta2, (size_t)8U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta2, (size_t)8U, (size_t)10U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta2, (size_t)9U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta2, (size_t)9U, (size_t)11U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta3, (size_t)12U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta3, (size_t)12U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta3, (size_t)13U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta3, (size_t)13U, (size_t)15U); - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ 
-libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0, +void libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { - return libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_1_step( - a, zeta0, zeta1, zeta2, zeta3); + libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_1_step(a, zeta0, zeta1, + zeta2, zeta3); } -KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_2_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, +KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_2_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t zeta0, int16_t zeta1) { - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)0U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta0, (size_t)0U, (size_t)4U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)1U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta0, (size_t)1U, (size_t)5U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)2U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta0, (size_t)2U, (size_t)6U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)3U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta0, (size_t)3U, (size_t)7U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)8U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta1, (size_t)8U, (size_t)12U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)9U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta1, (size_t)9U, (size_t)13U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, 
(size_t)10U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta1, (size_t)10U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)11U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta1, (size_t)11U, (size_t)15U); - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0, +void libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, int16_t zeta0, int16_t zeta1) { - return libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_2_step(a, zeta0, - zeta1); + libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_2_step(a, zeta0, zeta1); } -KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_3_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, +KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_3_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t zeta) { - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)0U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta, (size_t)0U, (size_t)8U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)1U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta, (size_t)1U, (size_t)9U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)2U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta, (size_t)2U, (size_t)10U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)3U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta, (size_t)3U, (size_t)11U); - 
libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)4U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta, (size_t)4U, (size_t)12U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)5U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta, (size_t)5U, (size_t)13U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)6U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta, (size_t)6U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)7U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta, (size_t)7U, (size_t)15U); - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta) { - return libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_3_step(a, zeta); +void libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + int16_t zeta) { + libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_3_step(a, zeta); } /** 
@@ -857,88 +978,83 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( out->elements[(size_t)2U * i + (size_t)1U] = o1; } -KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_ntt_multiply( +KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_ntt_multiply( libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs, libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { int16_t nzeta0 = -zeta0; int16_t nzeta1 = -zeta1; int16_t nzeta2 = -zeta2; int16_t nzeta3 = -zeta3; - libcrux_ml_kem_vector_portable_vector_type_PortableVector out = - libcrux_ml_kem_vector_portable_vector_type_zero(); libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( lhs, rhs, libcrux_secrets_int_public_integers_classify_27_39(zeta0), - (size_t)0U, &out); + (size_t)0U, out); libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( lhs, rhs, libcrux_secrets_int_public_integers_classify_27_39(nzeta0), - (size_t)1U, &out); + (size_t)1U, out); libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( lhs, rhs, libcrux_secrets_int_public_integers_classify_27_39(zeta1), - (size_t)2U, &out); + (size_t)2U, out); libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( lhs, rhs, libcrux_secrets_int_public_integers_classify_27_39(nzeta1), - (size_t)3U, &out); + (size_t)3U, out); libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( lhs, rhs, libcrux_secrets_int_public_integers_classify_27_39(zeta2), - (size_t)4U, &out); + (size_t)4U, out); libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( lhs, rhs, libcrux_secrets_int_public_integers_classify_27_39(nzeta2), - (size_t)5U, &out); + (size_t)5U, out); libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( lhs, rhs, libcrux_secrets_int_public_integers_classify_27_39(zeta3), - (size_t)6U, &out); + 
(size_t)6U, out); libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( lhs, rhs, libcrux_secrets_int_public_integers_classify_27_39(nzeta3), - (size_t)7U, &out); - return out; + (size_t)7U, out); } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_multiply_b8( +void libcrux_ml_kem_vector_portable_ntt_multiply_b8( libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs, libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { - return libcrux_ml_kem_vector_portable_ntt_ntt_multiply(lhs, rhs, zeta0, zeta1, - zeta2, zeta3); + libcrux_ml_kem_vector_portable_ntt_ntt_multiply(lhs, rhs, out, zeta0, zeta1, + zeta2, zeta3); } KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v, - uint8_t ret[2U]) { - uint8_t result0 = - (((((((uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[0U]) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[1U]) << 1U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[2U]) << 2U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[3U]) << 3U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[4U]) << 4U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[5U]) << 5U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[6U]) << 6U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[7U]) << 7U; - uint8_t result1 = - (((((((uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[8U]) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[9U]) << 1U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[10U]) << 2U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[11U]) << 3U) | - 
(uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[12U]) << 4U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[13U]) << 5U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[14U]) << 6U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[15U]) << 7U; - ret[0U] = result0; - ret[1U] = result1; + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, + Eurydice_slice out) { + Eurydice_slice_index(out, (size_t)0U, uint8_t, uint8_t *) = + libcrux_secrets_int_public_integers_declassify_d8_90( + (((((((uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[0U]) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[1U]) << 1U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[2U]) << 2U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[3U]) << 3U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[4U]) << 4U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[5U]) << 5U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[6U]) << 6U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[7U]) << 7U); + Eurydice_slice_index(out, (size_t)1U, uint8_t, uint8_t *) = + libcrux_secrets_int_public_integers_declassify_d8_90( + (((((((uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[8U]) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[9U]) << 1U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[10U]) << 2U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[11U]) << 3U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[12U]) << 4U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[13U]) << 5U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[14U]) << 6U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[15U]) << 7U); } void libcrux_ml_kem_vector_portable_serialize_1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[2U]) { - uint8_t ret0[2U]; - libcrux_ml_kem_vector_portable_serialize_serialize_1(a, ret0); - libcrux_secrets_int_public_integers_declassify_d8_d4(ret0, ret); + 
libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_serialize_serialize_1(a, out); } /** 
@@ -946,79 +1062,77 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ void libcrux_ml_kem_vector_portable_serialize_1_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[2U]) { - libcrux_ml_kem_vector_portable_serialize_1(a, ret); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_serialize_1(a, out); } -KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_serialize_deserialize_1(Eurydice_slice v) { - int16_t result0 = libcrux_secrets_int_as_i16_59( +KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_deserialize_1( + Eurydice_slice v, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + out->elements[0U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)0U, uint8_t, uint8_t *) & 1U); - int16_t result1 = libcrux_secrets_int_as_i16_59( + out->elements[1U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)0U, uint8_t, uint8_t *) >> 1U & 1U); - int16_t result2 = libcrux_secrets_int_as_i16_59( + out->elements[2U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)0U, uint8_t, uint8_t *) >> 2U & 1U); - int16_t result3 = libcrux_secrets_int_as_i16_59( + out->elements[3U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)0U, uint8_t, uint8_t *) >> 3U & 1U); - int16_t result4 = libcrux_secrets_int_as_i16_59( + out->elements[4U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)0U, uint8_t, uint8_t *) >> 4U & 1U); - int16_t result5 = libcrux_secrets_int_as_i16_59( + out->elements[5U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)0U, uint8_t, uint8_t *) >> 5U & 1U); - int16_t result6 = libcrux_secrets_int_as_i16_59( + out->elements[6U] = 
libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)0U, uint8_t, uint8_t *) >> 6U & 1U); - int16_t result7 = libcrux_secrets_int_as_i16_59( + out->elements[7U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)0U, uint8_t, uint8_t *) >> 7U & 1U); - int16_t result8 = libcrux_secrets_int_as_i16_59( + out->elements[8U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)1U, uint8_t, uint8_t *) & 1U); - int16_t result9 = libcrux_secrets_int_as_i16_59( + out->elements[9U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)1U, uint8_t, uint8_t *) >> 1U & 1U); - int16_t result10 = libcrux_secrets_int_as_i16_59( + out->elements[10U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)1U, uint8_t, uint8_t *) >> 2U & 1U); - int16_t result11 = libcrux_secrets_int_as_i16_59( + out->elements[11U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)1U, uint8_t, uint8_t *) >> 3U & 1U); - int16_t result12 = libcrux_secrets_int_as_i16_59( + out->elements[12U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)1U, uint8_t, uint8_t *) >> 4U & 1U); - int16_t result13 = libcrux_secrets_int_as_i16_59( + out->elements[13U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)1U, uint8_t, uint8_t *) >> 5U & 1U); - int16_t result14 = libcrux_secrets_int_as_i16_59( + out->elements[14U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)1U, uint8_t, uint8_t *) >> 6U & 1U); - int16_t result15 = libcrux_secrets_int_as_i16_59( + out->elements[15U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)1U, uint8_t, uint8_t *) >> 7U & 1U); - return ( - KRML_CLITERAL(libcrux_ml_kem_vector_portable_vector_type_PortableVector){ - .elements = {result0, result1, result2, result3, result4, result5, - result6, result7, result8, result9, result10, result11, - result12, result13, 
result14, result15}}); } -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_1(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_serialize_deserialize_1( - libcrux_secrets_int_classify_public_classify_ref_9b_90(a)); +void libcrux_ml_kem_vector_portable_deserialize_1( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_serialize_deserialize_1( + libcrux_secrets_int_classify_public_classify_ref_9b_90(a), out); } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_1_b8(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_deserialize_1(a); +void libcrux_ml_kem_vector_portable_deserialize_1_b8( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_deserialize_1(a, out); } KRML_MUSTINLINE uint8_t_x4 
@@ -1044,36 +1158,41 @@ libcrux_ml_kem_vector_portable_serialize_serialize_4_int(Eurydice_slice v) { (uint32_t)libcrux_secrets_int_as_u8_f5(Eurydice_slice_index( v, (size_t)6U, int16_t, int16_t *)); return (KRML_CLITERAL(uint8_t_x4){ - .fst = result0, .snd = result1, .thd = result2, .f3 = result3}); + .fst = libcrux_secrets_int_public_integers_declassify_d8_90(result0), + .snd = libcrux_secrets_int_public_integers_declassify_d8_90(result1), + .thd = libcrux_secrets_int_public_integers_declassify_d8_90(result2), + .f3 = libcrux_secrets_int_public_integers_declassify_d8_90(result3)}); } KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_4( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v, - uint8_t ret[8U]) { - uint8_t_x4 result0_3 = - libcrux_ml_kem_vector_portable_serialize_serialize_4_int( - Eurydice_array_to_subslice3(v.elements, (size_t)0U, (size_t)8U, - int16_t *)); - uint8_t_x4 result4_7 = - libcrux_ml_kem_vector_portable_serialize_serialize_4_int( - Eurydice_array_to_subslice3(v.elements, (size_t)8U, (size_t)16U, - int16_t *)); - ret[0U] = result0_3.fst; - ret[1U] = result0_3.snd; - ret[2U] = result0_3.thd; - ret[3U] = result0_3.f3; - ret[4U] = result4_7.fst; - ret[5U] = result4_7.snd; - ret[6U] = result4_7.thd; - ret[7U] = result4_7.f3; + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, + Eurydice_slice out) { + uint8_t_x4 uu____0 = libcrux_ml_kem_vector_portable_serialize_serialize_4_int( + Eurydice_array_to_subslice3(v->elements, (size_t)0U, (size_t)8U, + int16_t *)); + uint8_t uu____1 = uu____0.snd; + uint8_t uu____2 = uu____0.thd; + uint8_t uu____3 = uu____0.f3; + Eurydice_slice_index(out, (size_t)0U, uint8_t, uint8_t *) = uu____0.fst; + Eurydice_slice_index(out, (size_t)1U, uint8_t, uint8_t *) = uu____1; + Eurydice_slice_index(out, (size_t)2U, uint8_t, uint8_t *) = uu____2; + Eurydice_slice_index(out, (size_t)3U, uint8_t, uint8_t *) = uu____3; + uint8_t_x4 uu____4 = 
libcrux_ml_kem_vector_portable_serialize_serialize_4_int( + Eurydice_array_to_subslice3(v->elements, (size_t)8U, (size_t)16U, + int16_t *)); + uint8_t uu____5 = uu____4.snd; + uint8_t uu____6 = uu____4.thd; + uint8_t uu____7 = uu____4.f3; + Eurydice_slice_index(out, (size_t)4U, uint8_t, uint8_t *) = uu____4.fst; + Eurydice_slice_index(out, (size_t)5U, uint8_t, uint8_t *) = uu____5; + Eurydice_slice_index(out, (size_t)6U, uint8_t, uint8_t *) = uu____6; + Eurydice_slice_index(out, (size_t)7U, uint8_t, uint8_t *) = uu____7; } void libcrux_ml_kem_vector_portable_serialize_4( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[8U]) { - uint8_t ret0[8U]; - libcrux_ml_kem_vector_portable_serialize_serialize_4(a, ret0); - libcrux_secrets_int_public_integers_declassify_d8_76(ret0, ret); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_serialize_serialize_4(a, out); } /** @@ -1081,9 +1200,9 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ void libcrux_ml_kem_vector_portable_serialize_4_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[8U]) { - libcrux_ml_kem_vector_portable_serialize_4(a, ret); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_serialize_4(a, out); } KRML_MUSTINLINE int16_t_x8 
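Review bot: The new `Eurydice_slice out` parameter of `libcrux_ml_kem_vector_portable_serialize_serialize_4` drops the length that `uint8_t ret[8U]` used to carry in the type, and nothing before the eight `Eurydice_slice_index(out, 0U..7U, ...)` stores checks it, so if `Eurydice_slice_index` is the unchecked pointer index it appears to be, a caller passing a shorter slice gets an out-of-bounds write. I would state the contract above the function, `/* Precondition: out.len >= 8 -- writes out[0..8) unchecked; the bound is only established on the Rust side. */`, and if this file is Eurydice-extracted, pin it in the Rust source with a `hax_lib::requires` on the `out` length rather than hand-editing the C. The per-byte `declassify_d8_90` now inside `serialize_4_int` is what lets `libcrux_ml_kem_vector_portable_serialize_4` become a plain pass-through, so dropping the array declassify there is not a regression. The same shape recurs in the serialize_5/10/11 hunks below.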
@@ -1127,32 +1246,62 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_4_int( .f7 = v7}); } -KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_serialize_deserialize_4(Eurydice_slice bytes) { - int16_t_x8 v0_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_4_int( - Eurydice_slice_subslice3(bytes, (size_t)0U, (size_t)4U, uint8_t *)); - int16_t_x8 v8_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_4_int( - Eurydice_slice_subslice3(bytes, (size_t)4U, (size_t)8U, uint8_t *)); - return ( - KRML_CLITERAL(libcrux_ml_kem_vector_portable_vector_type_PortableVector){ - .elements = {v0_7.fst, v0_7.snd, v0_7.thd, v0_7.f3, v0_7.f4, v0_7.f5, - v0_7.f6, v0_7.f7, v8_15.fst, v8_15.snd, v8_15.thd, - v8_15.f3, v8_15.f4, v8_15.f5, v8_15.f6, v8_15.f7}}); -} - -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_4(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_serialize_deserialize_4( - libcrux_secrets_int_classify_public_classify_ref_9b_90(a)); +KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_deserialize_4( + Eurydice_slice bytes, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + int16_t_x8 uu____0 = + libcrux_ml_kem_vector_portable_serialize_deserialize_4_int( + Eurydice_slice_subslice3(bytes, (size_t)0U, (size_t)4U, uint8_t *)); + int16_t uu____1 = uu____0.snd; + int16_t uu____2 = uu____0.thd; + int16_t uu____3 = uu____0.f3; + int16_t uu____4 = uu____0.f4; + int16_t uu____5 = uu____0.f5; + int16_t uu____6 = uu____0.f6; + int16_t uu____7 = uu____0.f7; + out->elements[0U] = uu____0.fst; + out->elements[1U] = uu____1; + out->elements[2U] = uu____2; + out->elements[3U] = uu____3; + out->elements[4U] = uu____4; + out->elements[5U] = uu____5; + out->elements[6U] = uu____6; + out->elements[7U] = uu____7; + int16_t_x8 uu____8 = + libcrux_ml_kem_vector_portable_serialize_deserialize_4_int( + 
Eurydice_slice_subslice3(bytes, (size_t)4U, (size_t)8U, uint8_t *)); + int16_t uu____9 = uu____8.snd; + int16_t uu____10 = uu____8.thd; + int16_t uu____11 = uu____8.f3; + int16_t uu____12 = uu____8.f4; + int16_t uu____13 = uu____8.f5; + int16_t uu____14 = uu____8.f6; + int16_t uu____15 = uu____8.f7; + out->elements[8U] = uu____8.fst; + out->elements[9U] = uu____9; + out->elements[10U] = uu____10; + out->elements[11U] = uu____11; + out->elements[12U] = uu____12; + out->elements[13U] = uu____13; + out->elements[14U] = uu____14; + out->elements[15U] = uu____15; +} + +void libcrux_ml_kem_vector_portable_deserialize_4( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_serialize_deserialize_4( + libcrux_secrets_int_classify_public_classify_ref_9b_90(a), out); } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_4_b8(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_deserialize_4(a); +void libcrux_ml_kem_vector_portable_deserialize_4_b8( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_deserialize_4(a, out); } KRML_MUSTINLINE uint8_t_x5 
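Review bot: `libcrux_ml_kem_vector_portable_serialize_deserialize_4` now fills `*out` lane by lane with no documented contract, so the two facts a caller needs are invisible: it reads `bytes[0..8)` through the two `Eurydice_slice_subslice3` calls with no length check visible here, and it writes all sixteen `out->elements`, so `out` does not need to be zeroed beforehand. A header comment such as `/* Reads bytes[0..8) (length not checked here); overwrites all 16 lanes of *out. */` would capture both. The seven copies of the form `int16_t uu____1 = uu____0.snd;` ahead of each store are redundant since `uu____0` is never modified afterwards, and `out->elements[1U] = uu____0.snd;` would do; if this is Eurydice output that is a generator artifact to fix upstream rather than by hand.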
@@ -1175,36 +1324,46 @@ libcrux_ml_kem_vector_portable_serialize_serialize_5_int(Eurydice_slice v) { Eurydice_slice_index(v, (size_t)6U, int16_t, int16_t *) >> 2U | Eurydice_slice_index(v, (size_t)7U, int16_t, int16_t *) << 3U); return (KRML_CLITERAL(uint8_t_x5){ - .fst = r0, .snd = r1, .thd = r2, .f3 = r3, .f4 = r4}); + .fst = libcrux_secrets_int_public_integers_declassify_d8_90(r0), + .snd = libcrux_secrets_int_public_integers_declassify_d8_90(r1), + .thd = libcrux_secrets_int_public_integers_declassify_d8_90(r2), + .f3 = libcrux_secrets_int_public_integers_declassify_d8_90(r3), + .f4 = libcrux_secrets_int_public_integers_declassify_d8_90(r4)}); } KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_5( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v, - uint8_t ret[10U]) { - uint8_t_x5 r0_4 = libcrux_ml_kem_vector_portable_serialize_serialize_5_int( - Eurydice_array_to_subslice3(v.elements, (size_t)0U, (size_t)8U, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, + Eurydice_slice out) { + uint8_t_x5 uu____0 = libcrux_ml_kem_vector_portable_serialize_serialize_5_int( + Eurydice_array_to_subslice3(v->elements, (size_t)0U, (size_t)8U, int16_t *)); - uint8_t_x5 r5_9 = libcrux_ml_kem_vector_portable_serialize_serialize_5_int( - Eurydice_array_to_subslice3(v.elements, (size_t)8U, (size_t)16U, + uint8_t uu____1 = uu____0.snd; + uint8_t uu____2 = uu____0.thd; + uint8_t uu____3 = uu____0.f3; + uint8_t uu____4 = uu____0.f4; + Eurydice_slice_index(out, (size_t)0U, uint8_t, uint8_t *) = uu____0.fst; + Eurydice_slice_index(out, (size_t)1U, uint8_t, uint8_t *) = uu____1; + Eurydice_slice_index(out, (size_t)2U, uint8_t, uint8_t *) = uu____2; + Eurydice_slice_index(out, (size_t)3U, uint8_t, uint8_t *) = uu____3; + Eurydice_slice_index(out, (size_t)4U, uint8_t, uint8_t *) = uu____4; + uint8_t_x5 uu____5 = libcrux_ml_kem_vector_portable_serialize_serialize_5_int( + Eurydice_array_to_subslice3(v->elements, (size_t)8U, (size_t)16U, 
int16_t *)); - ret[0U] = r0_4.fst; - ret[1U] = r0_4.snd; - ret[2U] = r0_4.thd; - ret[3U] = r0_4.f3; - ret[4U] = r0_4.f4; - ret[5U] = r5_9.fst; - ret[6U] = r5_9.snd; - ret[7U] = r5_9.thd; - ret[8U] = r5_9.f3; - ret[9U] = r5_9.f4; + uint8_t uu____6 = uu____5.snd; + uint8_t uu____7 = uu____5.thd; + uint8_t uu____8 = uu____5.f3; + uint8_t uu____9 = uu____5.f4; + Eurydice_slice_index(out, (size_t)5U, uint8_t, uint8_t *) = uu____5.fst; + Eurydice_slice_index(out, (size_t)6U, uint8_t, uint8_t *) = uu____6; + Eurydice_slice_index(out, (size_t)7U, uint8_t, uint8_t *) = uu____7; + Eurydice_slice_index(out, (size_t)8U, uint8_t, uint8_t *) = uu____8; + Eurydice_slice_index(out, (size_t)9U, uint8_t, uint8_t *) = uu____9; } void libcrux_ml_kem_vector_portable_serialize_5( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[10U]) { - uint8_t ret0[10U]; - libcrux_ml_kem_vector_portable_serialize_serialize_5(a, ret0); - libcrux_secrets_int_public_integers_declassify_d8_cc(ret0, ret); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_serialize_serialize_5(a, out); } /** @@ -1212,9 +1371,9 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ void libcrux_ml_kem_vector_portable_serialize_5_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[10U]) { - libcrux_ml_kem_vector_portable_serialize_5(a, ret); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_serialize_5(a, out); } KRML_MUSTINLINE int16_t_x8 
@@ -1265,32 +1424,62 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_5_int( .f7 = v7}); } -KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_serialize_deserialize_5(Eurydice_slice bytes) { - int16_t_x8 v0_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_5_int( - Eurydice_slice_subslice3(bytes, (size_t)0U, (size_t)5U, uint8_t *)); - int16_t_x8 v8_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_5_int( - Eurydice_slice_subslice3(bytes, (size_t)5U, (size_t)10U, uint8_t *)); - return ( - KRML_CLITERAL(libcrux_ml_kem_vector_portable_vector_type_PortableVector){ - .elements = {v0_7.fst, v0_7.snd, v0_7.thd, v0_7.f3, v0_7.f4, v0_7.f5, - v0_7.f6, v0_7.f7, v8_15.fst, v8_15.snd, v8_15.thd, - v8_15.f3, v8_15.f4, v8_15.f5, v8_15.f6, v8_15.f7}}); -} - -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_5(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_serialize_deserialize_5( - libcrux_secrets_int_classify_public_classify_ref_9b_90(a)); +KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_deserialize_5( + Eurydice_slice bytes, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + int16_t_x8 uu____0 = + libcrux_ml_kem_vector_portable_serialize_deserialize_5_int( + Eurydice_slice_subslice3(bytes, (size_t)0U, (size_t)5U, uint8_t *)); + int16_t uu____1 = uu____0.snd; + int16_t uu____2 = uu____0.thd; + int16_t uu____3 = uu____0.f3; + int16_t uu____4 = uu____0.f4; + int16_t uu____5 = uu____0.f5; + int16_t uu____6 = uu____0.f6; + int16_t uu____7 = uu____0.f7; + out->elements[0U] = uu____0.fst; + out->elements[1U] = uu____1; + out->elements[2U] = uu____2; + out->elements[3U] = uu____3; + out->elements[4U] = uu____4; + out->elements[5U] = uu____5; + out->elements[6U] = uu____6; + out->elements[7U] = uu____7; + int16_t_x8 uu____8 = + libcrux_ml_kem_vector_portable_serialize_deserialize_5_int( + 
Eurydice_slice_subslice3(bytes, (size_t)5U, (size_t)10U, uint8_t *)); + int16_t uu____9 = uu____8.snd; + int16_t uu____10 = uu____8.thd; + int16_t uu____11 = uu____8.f3; + int16_t uu____12 = uu____8.f4; + int16_t uu____13 = uu____8.f5; + int16_t uu____14 = uu____8.f6; + int16_t uu____15 = uu____8.f7; + out->elements[8U] = uu____8.fst; + out->elements[9U] = uu____9; + out->elements[10U] = uu____10; + out->elements[11U] = uu____11; + out->elements[12U] = uu____12; + out->elements[13U] = uu____13; + out->elements[14U] = uu____14; + out->elements[15U] = uu____15; +} + +void libcrux_ml_kem_vector_portable_deserialize_5( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_serialize_deserialize_5( + libcrux_secrets_int_classify_public_classify_ref_9b_90(a), out); } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_5_b8(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_deserialize_5(a); +void libcrux_ml_kem_vector_portable_deserialize_5_b8( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_deserialize_5(a, out); } KRML_MUSTINLINE uint8_t_x5 
@@ -1322,52 +1511,74 @@ libcrux_ml_kem_vector_portable_serialize_serialize_10_int(Eurydice_slice v) { Eurydice_slice_index(v, (size_t)3U, int16_t, int16_t *) >> 2U & (int16_t)255); return (KRML_CLITERAL(uint8_t_x5){ - .fst = r0, .snd = r1, .thd = r2, .f3 = r3, .f4 = r4}); + .fst = libcrux_secrets_int_public_integers_declassify_d8_90(r0), + .snd = libcrux_secrets_int_public_integers_declassify_d8_90(r1), + .thd = libcrux_secrets_int_public_integers_declassify_d8_90(r2), + .f3 = libcrux_secrets_int_public_integers_declassify_d8_90(r3), + .f4 = libcrux_secrets_int_public_integers_declassify_d8_90(r4)}); } KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_10( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v, - uint8_t ret[20U]) { - uint8_t_x5 r0_4 = libcrux_ml_kem_vector_portable_serialize_serialize_10_int( - Eurydice_array_to_subslice3(v.elements, (size_t)0U, (size_t)4U, - int16_t *)); - uint8_t_x5 r5_9 = libcrux_ml_kem_vector_portable_serialize_serialize_10_int( - Eurydice_array_to_subslice3(v.elements, (size_t)4U, (size_t)8U, - int16_t *)); - uint8_t_x5 r10_14 = libcrux_ml_kem_vector_portable_serialize_serialize_10_int( - Eurydice_array_to_subslice3(v.elements, (size_t)8U, (size_t)12U, - int16_t *)); - uint8_t_x5 r15_19 = libcrux_ml_kem_vector_portable_serialize_serialize_10_int( - Eurydice_array_to_subslice3(v.elements, (size_t)12U, (size_t)16U, - int16_t *)); - ret[0U] = r0_4.fst; - ret[1U] = r0_4.snd; - ret[2U] = r0_4.thd; - ret[3U] = r0_4.f3; - ret[4U] = r0_4.f4; - ret[5U] = r5_9.fst; - ret[6U] = r5_9.snd; - ret[7U] = r5_9.thd; - ret[8U] = r5_9.f3; - ret[9U] = r5_9.f4; - ret[10U] = r10_14.fst; - ret[11U] = r10_14.snd; - ret[12U] = r10_14.thd; - ret[13U] = r10_14.f3; - ret[14U] = r10_14.f4; - ret[15U] = r15_19.fst; - ret[16U] = r15_19.snd; - ret[17U] = r15_19.thd; - ret[18U] = r15_19.f3; - ret[19U] = r15_19.f4; + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, + Eurydice_slice out) { + uint8_t_x5 uu____0 = + 
libcrux_ml_kem_vector_portable_serialize_serialize_10_int( + Eurydice_array_to_subslice3(v->elements, (size_t)0U, (size_t)4U, + int16_t *)); + uint8_t uu____1 = uu____0.snd; + uint8_t uu____2 = uu____0.thd; + uint8_t uu____3 = uu____0.f3; + uint8_t uu____4 = uu____0.f4; + Eurydice_slice_index(out, (size_t)0U, uint8_t, uint8_t *) = uu____0.fst; + Eurydice_slice_index(out, (size_t)1U, uint8_t, uint8_t *) = uu____1; + Eurydice_slice_index(out, (size_t)2U, uint8_t, uint8_t *) = uu____2; + Eurydice_slice_index(out, (size_t)3U, uint8_t, uint8_t *) = uu____3; + Eurydice_slice_index(out, (size_t)4U, uint8_t, uint8_t *) = uu____4; + uint8_t_x5 uu____5 = + libcrux_ml_kem_vector_portable_serialize_serialize_10_int( + Eurydice_array_to_subslice3(v->elements, (size_t)4U, (size_t)8U, + int16_t *)); + uint8_t uu____6 = uu____5.snd; + uint8_t uu____7 = uu____5.thd; + uint8_t uu____8 = uu____5.f3; + uint8_t uu____9 = uu____5.f4; + Eurydice_slice_index(out, (size_t)5U, uint8_t, uint8_t *) = uu____5.fst; + Eurydice_slice_index(out, (size_t)6U, uint8_t, uint8_t *) = uu____6; + Eurydice_slice_index(out, (size_t)7U, uint8_t, uint8_t *) = uu____7; + Eurydice_slice_index(out, (size_t)8U, uint8_t, uint8_t *) = uu____8; + Eurydice_slice_index(out, (size_t)9U, uint8_t, uint8_t *) = uu____9; + uint8_t_x5 uu____10 = + libcrux_ml_kem_vector_portable_serialize_serialize_10_int( + Eurydice_array_to_subslice3(v->elements, (size_t)8U, (size_t)12U, + int16_t *)); + uint8_t uu____11 = uu____10.snd; + uint8_t uu____12 = uu____10.thd; + uint8_t uu____13 = uu____10.f3; + uint8_t uu____14 = uu____10.f4; + Eurydice_slice_index(out, (size_t)10U, uint8_t, uint8_t *) = uu____10.fst; + Eurydice_slice_index(out, (size_t)11U, uint8_t, uint8_t *) = uu____11; + Eurydice_slice_index(out, (size_t)12U, uint8_t, uint8_t *) = uu____12; + Eurydice_slice_index(out, (size_t)13U, uint8_t, uint8_t *) = uu____13; + Eurydice_slice_index(out, (size_t)14U, uint8_t, uint8_t *) = uu____14; + uint8_t_x5 uu____15 = + 
libcrux_ml_kem_vector_portable_serialize_serialize_10_int( + Eurydice_array_to_subslice3(v->elements, (size_t)12U, (size_t)16U, + int16_t *)); + uint8_t uu____16 = uu____15.snd; + uint8_t uu____17 = uu____15.thd; + uint8_t uu____18 = uu____15.f3; + uint8_t uu____19 = uu____15.f4; + Eurydice_slice_index(out, (size_t)15U, uint8_t, uint8_t *) = uu____15.fst; + Eurydice_slice_index(out, (size_t)16U, uint8_t, uint8_t *) = uu____16; + Eurydice_slice_index(out, (size_t)17U, uint8_t, uint8_t *) = uu____17; + Eurydice_slice_index(out, (size_t)18U, uint8_t, uint8_t *) = uu____18; + Eurydice_slice_index(out, (size_t)19U, uint8_t, uint8_t *) = uu____19; } void libcrux_ml_kem_vector_portable_serialize_10( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[20U]) { - uint8_t ret0[20U]; - libcrux_ml_kem_vector_portable_serialize_serialize_10(a, ret0); - libcrux_secrets_int_public_integers_declassify_d8_57(ret0, ret); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_serialize_serialize_10(a, out); } /** @@ -1375,9 +1586,9 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ void libcrux_ml_kem_vector_portable_serialize_10_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[20U]) { - libcrux_ml_kem_vector_portable_serialize_10(a, ret); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_serialize_10(a, out); } KRML_MUSTINLINE int16_t_x8 
@@ -1455,33 +1666,62 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_10_int( .f7 = r7}); } -KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_serialize_deserialize_10(Eurydice_slice bytes) { - int16_t_x8 v0_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_10_int( - Eurydice_slice_subslice3(bytes, (size_t)0U, (size_t)10U, uint8_t *)); - int16_t_x8 v8_15 = +KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_deserialize_10( + Eurydice_slice bytes, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + int16_t_x8 uu____0 = + libcrux_ml_kem_vector_portable_serialize_deserialize_10_int( + Eurydice_slice_subslice3(bytes, (size_t)0U, (size_t)10U, uint8_t *)); + int16_t uu____1 = uu____0.snd; + int16_t uu____2 = uu____0.thd; + int16_t uu____3 = uu____0.f3; + int16_t uu____4 = uu____0.f4; + int16_t uu____5 = uu____0.f5; + int16_t uu____6 = uu____0.f6; + int16_t uu____7 = uu____0.f7; + out->elements[0U] = uu____0.fst; + out->elements[1U] = uu____1; + out->elements[2U] = uu____2; + out->elements[3U] = uu____3; + out->elements[4U] = uu____4; + out->elements[5U] = uu____5; + out->elements[6U] = uu____6; + out->elements[7U] = uu____7; + int16_t_x8 uu____8 = libcrux_ml_kem_vector_portable_serialize_deserialize_10_int( Eurydice_slice_subslice3(bytes, (size_t)10U, (size_t)20U, uint8_t *)); - return ( - KRML_CLITERAL(libcrux_ml_kem_vector_portable_vector_type_PortableVector){ - .elements = {v0_7.fst, v0_7.snd, v0_7.thd, v0_7.f3, v0_7.f4, v0_7.f5, - v0_7.f6, v0_7.f7, v8_15.fst, v8_15.snd, v8_15.thd, - v8_15.f3, v8_15.f4, v8_15.f5, v8_15.f6, v8_15.f7}}); -} - -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_10(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_serialize_deserialize_10( - libcrux_secrets_int_classify_public_classify_ref_9b_90(a)); + int16_t uu____9 = uu____8.snd; + int16_t uu____10 = uu____8.thd; + int16_t 
uu____11 = uu____8.f3; + int16_t uu____12 = uu____8.f4; + int16_t uu____13 = uu____8.f5; + int16_t uu____14 = uu____8.f6; + int16_t uu____15 = uu____8.f7; + out->elements[8U] = uu____8.fst; + out->elements[9U] = uu____9; + out->elements[10U] = uu____10; + out->elements[11U] = uu____11; + out->elements[12U] = uu____12; + out->elements[13U] = uu____13; + out->elements[14U] = uu____14; + out->elements[15U] = uu____15; +} + +void libcrux_ml_kem_vector_portable_deserialize_10( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_serialize_deserialize_10( + libcrux_secrets_int_classify_public_classify_ref_9b_90(a), out); } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_10_b8(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_deserialize_10(a); +void libcrux_ml_kem_vector_portable_deserialize_10_b8( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_deserialize_10(a, out); } KRML_MUSTINLINE uint8_t_x11 
@@ -1539,59 +1779,79 @@ libcrux_ml_kem_vector_portable_serialize_serialize_11_int(Eurydice_slice v) { Eurydice_slice_index(v, (size_t)6U, int16_t, int16_t *) >> 6U); uint8_t r10 = libcrux_secrets_int_as_u8_f5( Eurydice_slice_index(v, (size_t)7U, int16_t, int16_t *) >> 3U); - return (KRML_CLITERAL(uint8_t_x11){.fst = r0, - .snd = r1, - .thd = r2, - .f3 = r3, - .f4 = r4, - .f5 = r5, - .f6 = r6, - .f7 = r7, - .f8 = r8, - .f9 = r9, - .f10 = r10}); + return (KRML_CLITERAL(uint8_t_x11){ + .fst = libcrux_secrets_int_public_integers_declassify_d8_90(r0), + .snd = libcrux_secrets_int_public_integers_declassify_d8_90(r1), + .thd = libcrux_secrets_int_public_integers_declassify_d8_90(r2), + .f3 = libcrux_secrets_int_public_integers_declassify_d8_90(r3), + .f4 = libcrux_secrets_int_public_integers_declassify_d8_90(r4), + .f5 = libcrux_secrets_int_public_integers_declassify_d8_90(r5), + .f6 = libcrux_secrets_int_public_integers_declassify_d8_90(r6), + .f7 = libcrux_secrets_int_public_integers_declassify_d8_90(r7), + .f8 = libcrux_secrets_int_public_integers_declassify_d8_90(r8), + .f9 = libcrux_secrets_int_public_integers_declassify_d8_90(r9), + .f10 = libcrux_secrets_int_public_integers_declassify_d8_90(r10)}); } KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_11( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v, - uint8_t ret[22U]) { - uint8_t_x11 r0_10 = libcrux_ml_kem_vector_portable_serialize_serialize_11_int( - Eurydice_array_to_subslice3(v.elements, (size_t)0U, (size_t)8U, - int16_t *)); - uint8_t_x11 r11_21 = + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, + Eurydice_slice out) { + uint8_t_x11 uu____0 = + libcrux_ml_kem_vector_portable_serialize_serialize_11_int( + Eurydice_array_to_subslice3(v->elements, (size_t)0U, (size_t)8U, + int16_t *)); + uint8_t uu____1 = uu____0.snd; + uint8_t uu____2 = uu____0.thd; + uint8_t uu____3 = uu____0.f3; + uint8_t uu____4 = uu____0.f4; + uint8_t uu____5 = uu____0.f5; + uint8_t 
uu____6 = uu____0.f6; + uint8_t uu____7 = uu____0.f7; + uint8_t uu____8 = uu____0.f8; + uint8_t uu____9 = uu____0.f9; + uint8_t uu____10 = uu____0.f10; + Eurydice_slice_index(out, (size_t)0U, uint8_t, uint8_t *) = uu____0.fst; + Eurydice_slice_index(out, (size_t)1U, uint8_t, uint8_t *) = uu____1; + Eurydice_slice_index(out, (size_t)2U, uint8_t, uint8_t *) = uu____2; + Eurydice_slice_index(out, (size_t)3U, uint8_t, uint8_t *) = uu____3; + Eurydice_slice_index(out, (size_t)4U, uint8_t, uint8_t *) = uu____4; + Eurydice_slice_index(out, (size_t)5U, uint8_t, uint8_t *) = uu____5; + Eurydice_slice_index(out, (size_t)6U, uint8_t, uint8_t *) = uu____6; + Eurydice_slice_index(out, (size_t)7U, uint8_t, uint8_t *) = uu____7; + Eurydice_slice_index(out, (size_t)8U, uint8_t, uint8_t *) = uu____8; + Eurydice_slice_index(out, (size_t)9U, uint8_t, uint8_t *) = uu____9; + Eurydice_slice_index(out, (size_t)10U, uint8_t, uint8_t *) = uu____10; + uint8_t_x11 uu____11 = libcrux_ml_kem_vector_portable_serialize_serialize_11_int( - Eurydice_array_to_subslice3(v.elements, (size_t)8U, (size_t)16U, + Eurydice_array_to_subslice3(v->elements, (size_t)8U, (size_t)16U, int16_t *)); - ret[0U] = r0_10.fst; - ret[1U] = r0_10.snd; - ret[2U] = r0_10.thd; - ret[3U] = r0_10.f3; - ret[4U] = r0_10.f4; - ret[5U] = r0_10.f5; - ret[6U] = r0_10.f6; - ret[7U] = r0_10.f7; - ret[8U] = r0_10.f8; - ret[9U] = r0_10.f9; - ret[10U] = r0_10.f10; - ret[11U] = r11_21.fst; - ret[12U] = r11_21.snd; - ret[13U] = r11_21.thd; - ret[14U] = r11_21.f3; - ret[15U] = r11_21.f4; - ret[16U] = r11_21.f5; - ret[17U] = r11_21.f6; - ret[18U] = r11_21.f7; - ret[19U] = r11_21.f8; - ret[20U] = r11_21.f9; - ret[21U] = r11_21.f10; + uint8_t uu____12 = uu____11.snd; + uint8_t uu____13 = uu____11.thd; + uint8_t uu____14 = uu____11.f3; + uint8_t uu____15 = uu____11.f4; + uint8_t uu____16 = uu____11.f5; + uint8_t uu____17 = uu____11.f6; + uint8_t uu____18 = uu____11.f7; + uint8_t uu____19 = uu____11.f8; + uint8_t uu____20 = uu____11.f9; + 
uint8_t uu____21 = uu____11.f10; + Eurydice_slice_index(out, (size_t)11U, uint8_t, uint8_t *) = uu____11.fst; + Eurydice_slice_index(out, (size_t)12U, uint8_t, uint8_t *) = uu____12; + Eurydice_slice_index(out, (size_t)13U, uint8_t, uint8_t *) = uu____13; + Eurydice_slice_index(out, (size_t)14U, uint8_t, uint8_t *) = uu____14; + Eurydice_slice_index(out, (size_t)15U, uint8_t, uint8_t *) = uu____15; + Eurydice_slice_index(out, (size_t)16U, uint8_t, uint8_t *) = uu____16; + Eurydice_slice_index(out, (size_t)17U, uint8_t, uint8_t *) = uu____17; + Eurydice_slice_index(out, (size_t)18U, uint8_t, uint8_t *) = uu____18; + Eurydice_slice_index(out, (size_t)19U, uint8_t, uint8_t *) = uu____19; + Eurydice_slice_index(out, (size_t)20U, uint8_t, uint8_t *) = uu____20; + Eurydice_slice_index(out, (size_t)21U, uint8_t, uint8_t *) = uu____21; } void libcrux_ml_kem_vector_portable_serialize_11( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[22U]) { - uint8_t ret0[22U]; - libcrux_ml_kem_vector_portable_serialize_serialize_11(a, ret0); - libcrux_secrets_int_public_integers_declassify_d8_fa(ret0, ret); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_serialize_serialize_11(a, out); } /** @@ -1599,9 +1859,9 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ void libcrux_ml_kem_vector_portable_serialize_11_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[22U]) { - libcrux_ml_kem_vector_portable_serialize_11(a, ret); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_serialize_11(a, out); } KRML_MUSTINLINE int16_t_x8 
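Review bot: `libcrux_ml_kem_vector_portable_serialize_11` is now a bare pass-through, and the hunk leaves no trace of why the whole-array `libcrux_secrets_int_public_integers_declassify_d8_fa(ret0, ret)` it used to call could go away; a reader has to find the eleven `declassify_d8_90` calls inside `serialize_11_int` to see that every byte is already public when it reaches `out`. A one-line comment on the wrapper, `/* Bytes are declassified per element in serialize_11_int; nothing left to declassify here. */`, would make that explicit, and if `declassify_d8_fa` has no other remaining callers it is presumably dead now. As with serialize_4, the twenty-two `Eurydice_slice_index(out, k, ...)` stores assume `out.len >= 22` without checking it, which is worth stating in the same comment. The intermediate `uint8_t uu____12 = uu____11.snd;` copies are equally redundant here.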
@@ -1677,33 +1937,62 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_11_int( .f7 = r7}); } -KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_serialize_deserialize_11(Eurydice_slice bytes) { - int16_t_x8 v0_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_11_int( - Eurydice_slice_subslice3(bytes, (size_t)0U, (size_t)11U, uint8_t *)); - int16_t_x8 v8_15 = +KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_deserialize_11( + Eurydice_slice bytes, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + int16_t_x8 uu____0 = + libcrux_ml_kem_vector_portable_serialize_deserialize_11_int( + Eurydice_slice_subslice3(bytes, (size_t)0U, (size_t)11U, uint8_t *)); + int16_t uu____1 = uu____0.snd; + int16_t uu____2 = uu____0.thd; + int16_t uu____3 = uu____0.f3; + int16_t uu____4 = uu____0.f4; + int16_t uu____5 = uu____0.f5; + int16_t uu____6 = uu____0.f6; + int16_t uu____7 = uu____0.f7; + out->elements[0U] = uu____0.fst; + out->elements[1U] = uu____1; + out->elements[2U] = uu____2; + out->elements[3U] = uu____3; + out->elements[4U] = uu____4; + out->elements[5U] = uu____5; + out->elements[6U] = uu____6; + out->elements[7U] = uu____7; + int16_t_x8 uu____8 = libcrux_ml_kem_vector_portable_serialize_deserialize_11_int( Eurydice_slice_subslice3(bytes, (size_t)11U, (size_t)22U, uint8_t *)); - return ( - KRML_CLITERAL(libcrux_ml_kem_vector_portable_vector_type_PortableVector){ - .elements = {v0_7.fst, v0_7.snd, v0_7.thd, v0_7.f3, v0_7.f4, v0_7.f5, - v0_7.f6, v0_7.f7, v8_15.fst, v8_15.snd, v8_15.thd, - v8_15.f3, v8_15.f4, v8_15.f5, v8_15.f6, v8_15.f7}}); -} - -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_11(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_serialize_deserialize_11( - libcrux_secrets_int_classify_public_classify_ref_9b_90(a)); + int16_t uu____9 = uu____8.snd; + int16_t uu____10 = uu____8.thd; + int16_t 
uu____11 = uu____8.f3; + int16_t uu____12 = uu____8.f4; + int16_t uu____13 = uu____8.f5; + int16_t uu____14 = uu____8.f6; + int16_t uu____15 = uu____8.f7; + out->elements[8U] = uu____8.fst; + out->elements[9U] = uu____9; + out->elements[10U] = uu____10; + out->elements[11U] = uu____11; + out->elements[12U] = uu____12; + out->elements[13U] = uu____13; + out->elements[14U] = uu____14; + out->elements[15U] = uu____15; +} + +void libcrux_ml_kem_vector_portable_deserialize_11( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_serialize_deserialize_11( + libcrux_secrets_int_classify_public_classify_ref_9b_90(a), out); } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_11_b8(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_deserialize_11(a); +void libcrux_ml_kem_vector_portable_deserialize_11_b8( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_deserialize_11(a, out); } KRML_MUSTINLINE uint8_t_x3 
@@ -1717,68 +2006,93 @@ libcrux_ml_kem_vector_portable_serialize_serialize_12_int(Eurydice_slice v) { uint8_t r2 = libcrux_secrets_int_as_u8_f5( Eurydice_slice_index(v, (size_t)1U, int16_t, int16_t *) >> 4U & (int16_t)255); - return (KRML_CLITERAL(uint8_t_x3){.fst = r0, .snd = r1, .thd = r2}); + return (KRML_CLITERAL(uint8_t_x3){ + .fst = libcrux_secrets_int_public_integers_declassify_d8_90(r0), + .snd = libcrux_secrets_int_public_integers_declassify_d8_90(r1), + .thd = libcrux_secrets_int_public_integers_declassify_d8_90(r2)}); } KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_12( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v, - uint8_t ret[24U]) { - uint8_t_x3 r0_2 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice3(v.elements, (size_t)0U, (size_t)2U, - int16_t *)); - uint8_t_x3 r3_5 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice3(v.elements, (size_t)2U, (size_t)4U, - int16_t *)); - uint8_t_x3 r6_8 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice3(v.elements, (size_t)4U, (size_t)6U, - int16_t *)); - uint8_t_x3 r9_11 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice3(v.elements, (size_t)6U, (size_t)8U, - int16_t *)); - uint8_t_x3 r12_14 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice3(v.elements, (size_t)8U, (size_t)10U, - int16_t *)); - uint8_t_x3 r15_17 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice3(v.elements, (size_t)10U, (size_t)12U, - int16_t *)); - uint8_t_x3 r18_20 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice3(v.elements, (size_t)12U, (size_t)14U, - int16_t *)); - uint8_t_x3 r21_23 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice3(v.elements, (size_t)14U, (size_t)16U, - int16_t *)); - 
ret[0U] = r0_2.fst; - ret[1U] = r0_2.snd; - ret[2U] = r0_2.thd; - ret[3U] = r3_5.fst; - ret[4U] = r3_5.snd; - ret[5U] = r3_5.thd; - ret[6U] = r6_8.fst; - ret[7U] = r6_8.snd; - ret[8U] = r6_8.thd; - ret[9U] = r9_11.fst; - ret[10U] = r9_11.snd; - ret[11U] = r9_11.thd; - ret[12U] = r12_14.fst; - ret[13U] = r12_14.snd; - ret[14U] = r12_14.thd; - ret[15U] = r15_17.fst; - ret[16U] = r15_17.snd; - ret[17U] = r15_17.thd; - ret[18U] = r18_20.fst; - ret[19U] = r18_20.snd; - ret[20U] = r18_20.thd; - ret[21U] = r21_23.fst; - ret[22U] = r21_23.snd; - ret[23U] = r21_23.thd; + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, + Eurydice_slice out) { + uint8_t_x3 uu____0 = + libcrux_ml_kem_vector_portable_serialize_serialize_12_int( + Eurydice_array_to_subslice3(v->elements, (size_t)0U, (size_t)2U, + int16_t *)); + uint8_t uu____1 = uu____0.snd; + uint8_t uu____2 = uu____0.thd; + Eurydice_slice_index(out, (size_t)0U, uint8_t, uint8_t *) = uu____0.fst; + Eurydice_slice_index(out, (size_t)1U, uint8_t, uint8_t *) = uu____1; + Eurydice_slice_index(out, (size_t)2U, uint8_t, uint8_t *) = uu____2; + uint8_t_x3 uu____3 = + libcrux_ml_kem_vector_portable_serialize_serialize_12_int( + Eurydice_array_to_subslice3(v->elements, (size_t)2U, (size_t)4U, + int16_t *)); + uint8_t uu____4 = uu____3.snd; + uint8_t uu____5 = uu____3.thd; + Eurydice_slice_index(out, (size_t)3U, uint8_t, uint8_t *) = uu____3.fst; + Eurydice_slice_index(out, (size_t)4U, uint8_t, uint8_t *) = uu____4; + Eurydice_slice_index(out, (size_t)5U, uint8_t, uint8_t *) = uu____5; + uint8_t_x3 uu____6 = + libcrux_ml_kem_vector_portable_serialize_serialize_12_int( + Eurydice_array_to_subslice3(v->elements, (size_t)4U, (size_t)6U, + int16_t *)); + uint8_t uu____7 = uu____6.snd; + uint8_t uu____8 = uu____6.thd; + Eurydice_slice_index(out, (size_t)6U, uint8_t, uint8_t *) = uu____6.fst; + Eurydice_slice_index(out, (size_t)7U, uint8_t, uint8_t *) = uu____7; + Eurydice_slice_index(out, (size_t)8U, uint8_t, uint8_t *) = 
uu____8; + uint8_t_x3 uu____9 = + libcrux_ml_kem_vector_portable_serialize_serialize_12_int( + Eurydice_array_to_subslice3(v->elements, (size_t)6U, (size_t)8U, + int16_t *)); + uint8_t uu____10 = uu____9.snd; + uint8_t uu____11 = uu____9.thd; + Eurydice_slice_index(out, (size_t)9U, uint8_t, uint8_t *) = uu____9.fst; + Eurydice_slice_index(out, (size_t)10U, uint8_t, uint8_t *) = uu____10; + Eurydice_slice_index(out, (size_t)11U, uint8_t, uint8_t *) = uu____11; + uint8_t_x3 uu____12 = + libcrux_ml_kem_vector_portable_serialize_serialize_12_int( + Eurydice_array_to_subslice3(v->elements, (size_t)8U, (size_t)10U, + int16_t *)); + uint8_t uu____13 = uu____12.snd; + uint8_t uu____14 = uu____12.thd; + Eurydice_slice_index(out, (size_t)12U, uint8_t, uint8_t *) = uu____12.fst; + Eurydice_slice_index(out, (size_t)13U, uint8_t, uint8_t *) = uu____13; + Eurydice_slice_index(out, (size_t)14U, uint8_t, uint8_t *) = uu____14; + uint8_t_x3 uu____15 = + libcrux_ml_kem_vector_portable_serialize_serialize_12_int( + Eurydice_array_to_subslice3(v->elements, (size_t)10U, (size_t)12U, + int16_t *)); + uint8_t uu____16 = uu____15.snd; + uint8_t uu____17 = uu____15.thd; + Eurydice_slice_index(out, (size_t)15U, uint8_t, uint8_t *) = uu____15.fst; + Eurydice_slice_index(out, (size_t)16U, uint8_t, uint8_t *) = uu____16; + Eurydice_slice_index(out, (size_t)17U, uint8_t, uint8_t *) = uu____17; + uint8_t_x3 uu____18 = + libcrux_ml_kem_vector_portable_serialize_serialize_12_int( + Eurydice_array_to_subslice3(v->elements, (size_t)12U, (size_t)14U, + int16_t *)); + uint8_t uu____19 = uu____18.snd; + uint8_t uu____20 = uu____18.thd; + Eurydice_slice_index(out, (size_t)18U, uint8_t, uint8_t *) = uu____18.fst; + Eurydice_slice_index(out, (size_t)19U, uint8_t, uint8_t *) = uu____19; + Eurydice_slice_index(out, (size_t)20U, uint8_t, uint8_t *) = uu____20; + uint8_t_x3 uu____21 = + libcrux_ml_kem_vector_portable_serialize_serialize_12_int( + Eurydice_array_to_subslice3(v->elements, (size_t)14U, 
(size_t)16U, + int16_t *)); + uint8_t uu____22 = uu____21.snd; + uint8_t uu____23 = uu____21.thd; + Eurydice_slice_index(out, (size_t)21U, uint8_t, uint8_t *) = uu____21.fst; + Eurydice_slice_index(out, (size_t)22U, uint8_t, uint8_t *) = uu____22; + Eurydice_slice_index(out, (size_t)23U, uint8_t, uint8_t *) = uu____23; } void libcrux_ml_kem_vector_portable_serialize_12( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[24U]) { - uint8_t ret0[24U]; - libcrux_ml_kem_vector_portable_serialize_serialize_12(a, ret0); - libcrux_secrets_int_public_integers_declassify_d8_d2(ret0, ret); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_serialize_serialize_12(a, out); } /** @@ -1786,9 +2100,9 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ void libcrux_ml_kem_vector_portable_serialize_12_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[24U]) { - libcrux_ml_kem_vector_portable_serialize_12(a, ret); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_serialize_12(a, out); } KRML_MUSTINLINE int16_t_x2 
@@ -1805,48 +2119,74 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( return (KRML_CLITERAL(int16_t_x2){.fst = r0, .snd = r1}); } -KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_serialize_deserialize_12(Eurydice_slice bytes) { - int16_t_x2 v0_1 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice3(bytes, (size_t)0U, (size_t)3U, uint8_t *)); - int16_t_x2 v2_3 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice3(bytes, (size_t)3U, (size_t)6U, uint8_t *)); - int16_t_x2 v4_5 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice3(bytes, (size_t)6U, (size_t)9U, uint8_t *)); - int16_t_x2 v6_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice3(bytes, (size_t)9U, (size_t)12U, uint8_t *)); - int16_t_x2 v8_9 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice3(bytes, (size_t)12U, (size_t)15U, uint8_t *)); - int16_t_x2 v10_11 = +KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_deserialize_12( + Eurydice_slice bytes, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + int16_t_x2 uu____0 = + libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( + Eurydice_slice_subslice3(bytes, (size_t)0U, (size_t)3U, uint8_t *)); + int16_t uu____1 = uu____0.snd; + out->elements[0U] = uu____0.fst; + out->elements[1U] = uu____1; + int16_t_x2 uu____2 = + libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( + Eurydice_slice_subslice3(bytes, (size_t)3U, (size_t)6U, uint8_t *)); + int16_t uu____3 = uu____2.snd; + out->elements[2U] = uu____2.fst; + out->elements[3U] = uu____3; + int16_t_x2 uu____4 = + libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( + Eurydice_slice_subslice3(bytes, (size_t)6U, (size_t)9U, uint8_t *)); + int16_t uu____5 = uu____4.snd; + out->elements[4U] = uu____4.fst; + 
out->elements[5U] = uu____5; + int16_t_x2 uu____6 = + libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( + Eurydice_slice_subslice3(bytes, (size_t)9U, (size_t)12U, uint8_t *)); + int16_t uu____7 = uu____6.snd; + out->elements[6U] = uu____6.fst; + out->elements[7U] = uu____7; + int16_t_x2 uu____8 = + libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( + Eurydice_slice_subslice3(bytes, (size_t)12U, (size_t)15U, uint8_t *)); + int16_t uu____9 = uu____8.snd; + out->elements[8U] = uu____8.fst; + out->elements[9U] = uu____9; + int16_t_x2 uu____10 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( Eurydice_slice_subslice3(bytes, (size_t)15U, (size_t)18U, uint8_t *)); - int16_t_x2 v12_13 = + int16_t uu____11 = uu____10.snd; + out->elements[10U] = uu____10.fst; + out->elements[11U] = uu____11; + int16_t_x2 uu____12 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( Eurydice_slice_subslice3(bytes, (size_t)18U, (size_t)21U, uint8_t *)); - int16_t_x2 v14_15 = + int16_t uu____13 = uu____12.snd; + out->elements[12U] = uu____12.fst; + out->elements[13U] = uu____13; + int16_t_x2 uu____14 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( Eurydice_slice_subslice3(bytes, (size_t)21U, (size_t)24U, uint8_t *)); - return ( - KRML_CLITERAL(libcrux_ml_kem_vector_portable_vector_type_PortableVector){ - .elements = {v0_1.fst, v0_1.snd, v2_3.fst, v2_3.snd, v4_5.fst, - v4_5.snd, v6_7.fst, v6_7.snd, v8_9.fst, v8_9.snd, - v10_11.fst, v10_11.snd, v12_13.fst, v12_13.snd, - v14_15.fst, v14_15.snd}}); + int16_t uu____15 = uu____14.snd; + out->elements[14U] = uu____14.fst; + out->elements[15U] = uu____15; } -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_12(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_serialize_deserialize_12( - libcrux_secrets_int_classify_public_classify_ref_9b_90(a)); +void libcrux_ml_kem_vector_portable_deserialize_12( + Eurydice_slice a, + 
libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_serialize_deserialize_12( + libcrux_secrets_int_classify_public_classify_ref_9b_90(a), out); } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_12_b8(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_deserialize_12(a); +void libcrux_ml_kem_vector_portable_deserialize_12_b8( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_deserialize_12(a, out); } KRML_MUSTINLINE size_t libcrux_ml_kem_vector_portable_sampling_rej_sample( @@ -1855,8 +2195,8 @@ KRML_MUSTINLINE size_t libcrux_ml_kem_vector_portable_sampling_rej_sample( for (size_t i = (size_t)0U; i < Eurydice_slice_len(a, uint8_t) / (size_t)3U; i++) { size_t i0 = i; - int16_t b1 = (int16_t)Eurydice_slice_index(a, i0 * (size_t)3U + (size_t)0U, - uint8_t, uint8_t *); + int16_t b1 = + (int16_t)Eurydice_slice_index(a, i0 * (size_t)3U, uint8_t, uint8_t *); int16_t b2 = (int16_t)Eurydice_slice_index(a, i0 * (size_t)3U + (size_t)1U, uint8_t, uint8_t *); int16_t b3 = (int16_t)Eurydice_slice_index(a, i0 * (size_t)3U + (size_t)2U, @@ -1888,16 +2228,6 @@ size_t libcrux_ml_kem_vector_portable_rej_sample_b8(Eurydice_slice a, return libcrux_ml_kem_vector_portable_sampling_rej_sample(a, out); } -/** -This function found in impl {core::clone::Clone for -libcrux_ml_kem::vector::portable::vector_type::PortableVector} -*/ -inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_vector_type_clone_9c( - libcrux_ml_kem_vector_portable_vector_type_PortableVector *self) { - return self[0U]; -} - /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, 
@@ -1909,7 +2239,7 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static libcrux_ml_kem_polynomial_PolynomialRingElement_1d ZERO_d6_ea(void) { +static libcrux_ml_kem_polynomial_PolynomialRingElement_1d ZERO_d6_df(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d lit; libcrux_ml_kem_vector_portable_vector_type_PortableVector repeat_expression[16U]; @@ -1926,19 +2256,19 @@ static libcrux_ml_kem_polynomial_PolynomialRingElement_1d ZERO_d6_ea(void) { This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, TraitClause@1]> for -libcrux_ml_kem::serialize::deserialize_ring_elements_reduced_out::closure[TraitClause@0, TraitClause@1]} +libcrux_ml_kem::ind_cca::validate_public_key::closure[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of -libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out.call_mut_0b with -types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const -generics +A monomorphic instance of libcrux_ml_kem.ind_cca.validate_public_key.call_mut_00 +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector +with const generics - K= 4 +- PUBLIC_KEY_SIZE= 1568 */ -static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_0b_d0( +static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_00_ff( void **_) { - return ZERO_d6_ea(); + return ZERO_d6_df(); } /** 
@@ -1953,26 +2283,26 @@ libcrux_ml_kem.serialize.deserialize_to_reduced_ring_element with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -deserialize_to_reduced_ring_element_ea(Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_d6_ea(); +static KRML_MUSTINLINE void deserialize_to_reduced_ring_element_df( + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice3(serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t *); - libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - libcrux_ml_kem_vector_portable_deserialize_12_b8(bytes); - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_cond_subtract_3329_b8(coefficient); - re.coefficients[i0] = uu____0; + libcrux_ml_kem_vector_portable_deserialize_12_b8(bytes, + &re->coefficients[i0]); + libcrux_ml_kem_vector_portable_cond_subtract_3329_b8(&re->coefficients[i0]); } - return re; } /** - See [deserialize_ring_elements_reduced_out]. + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. */ /** A monomorphic instance of @@ -1981,8 +2311,7 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 4 */ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_d0( - Eurydice_slice public_key, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *deserialized_pk) { + Eurydice_slice public_key, Eurydice_slice deserialized_pk) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(public_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; 
@@ -1993,48 +2322,27 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_d0( i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, uint8_t *); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = - deserialize_to_reduced_ring_element_ea(ring_element); - deserialized_pk[i0] = uu____0; + deserialize_to_reduced_ring_element_df( + ring_element, + &Eurydice_slice_index( + deserialized_pk, i0, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *)); } } -/** - This function deserializes ring elements and reduces the result by the field - modulus. - - This function MUST NOT be used on secret inputs. -*/ -/** -A monomorphic instance of -libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out with types -libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics -- K= 4 -*/ -static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_d0( - Eurydice_slice public_key, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[4U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialized_pk[4U]; - KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - deserialized_pk[i] = call_mut_0b_d0(&lvalue);); - deserialize_ring_elements_reduced_d0(public_key, deserialized_pk); - memcpy( - ret, deserialized_pk, - (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); -} - /** A monomorphic instance of libcrux_ml_kem.serialize.to_unsigned_field_modulus with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -to_unsigned_field_modulus_ea( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return libcrux_ml_kem_vector_portable_to_unsigned_representative_b8(a); +static KRML_MUSTINLINE void 
to_unsigned_field_modulus_df( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable_to_unsigned_representative_b8(a[0U]); + out[0U] = uu____0; } /** @@ -2043,21 +2351,18 @@ libcrux_ml_kem.serialize.serialize_uncompressed_ring_element with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void serialize_uncompressed_ring_element_ea( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, uint8_t ret[384U]) { - uint8_t serialized[384U] = {0U}; +static KRML_MUSTINLINE void serialize_uncompressed_ring_element_df( + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch, + Eurydice_slice serialized) { for (size_t i = (size_t)0U; i < VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - to_unsigned_field_modulus_ea(re->coefficients[i0]); - uint8_t bytes[24U]; - libcrux_ml_kem_vector_portable_serialize_12_b8(coefficient, bytes); - Eurydice_slice_copy( - Eurydice_array_to_subslice3(serialized, (size_t)24U * i0, - (size_t)24U * i0 + (size_t)24U, uint8_t *), - Eurydice_array_to_slice((size_t)24U, bytes, uint8_t), uint8_t); + to_unsigned_field_modulus_df(&re->coefficients[i0], scratch); + libcrux_ml_kem_vector_portable_serialize_12_b8( + scratch, + Eurydice_slice_subslice3(serialized, (size_t)24U * i0, + (size_t)24U * i0 + (size_t)24U, uint8_t *)); } - memcpy(ret, serialized, (size_t)384U * sizeof(uint8_t)); } /** 
@@ -2070,8 +2375,8 @@ with const generics - K= 4 */ static KRML_MUSTINLINE void serialize_vector_d0( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *key, - Eurydice_slice out) { + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *key, Eurydice_slice out, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( @@ -2081,14 +2386,12 @@ static KRML_MUSTINLINE void serialize_vector_d0( i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = key[i0]; - Eurydice_slice uu____0 = Eurydice_slice_subslice3( - out, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t *); - uint8_t ret[384U]; - serialize_uncompressed_ring_element_ea(&re, ret); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)384U, ret, uint8_t), uint8_t); + serialize_uncompressed_ring_element_df( + &re, scratch, + Eurydice_slice_subslice3( + out, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + uint8_t *)); } } 
@@ -2104,39 +2407,23 @@ with const generics */ static KRML_MUSTINLINE void serialize_public_key_mut_ff( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *t_as_ntt, - Eurydice_slice seed_for_a, uint8_t *serialized) { + Eurydice_slice seed_for_a, Eurydice_slice serialized, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { serialize_vector_d0( t_as_ntt, - Eurydice_array_to_subslice3( + Eurydice_slice_subslice3( serialized, (size_t)0U, libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)4U), - uint8_t *)); + uint8_t *), + scratch); Eurydice_slice_copy( - Eurydice_array_to_subslice_from( - (size_t)1568U, serialized, + Eurydice_slice_subslice_from( + serialized, libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)4U), uint8_t, size_t, uint8_t[]), seed_for_a, uint8_t); } -/** - Concatenate `t` and `ρ` into the public key. -*/ -/** -A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key -with types libcrux_ml_kem_vector_portable_vector_type_PortableVector -with const generics -- K= 4 -- PUBLIC_KEY_SIZE= 1568 -*/ -static KRML_MUSTINLINE void serialize_public_key_ff( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *t_as_ntt, - Eurydice_slice seed_for_a, uint8_t ret[1568U]) { - uint8_t public_key_serialized[1568U] = {0U}; - serialize_public_key_mut_ff(t_as_ntt, seed_for_a, public_key_serialized); - memcpy(ret, public_key_serialized, (size_t)1568U * sizeof(uint8_t)); -} - /** Validate an ML-KEM public key. 
@@ -2153,38 +2440,34 @@ with const generics */ bool libcrux_ml_kem_ind_cca_validate_public_key_ff(uint8_t *public_key) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialized_pk[4U]; - deserialize_ring_elements_reduced_out_d0( - Eurydice_array_to_subslice_to( - (size_t)1568U, public_key, - libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)4U), - uint8_t, size_t, uint8_t[]), - deserialized_pk); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____0 = deserialized_pk; - uint8_t public_key_serialized[1568U]; - serialize_public_key_ff( - uu____0, - Eurydice_array_to_subslice_from( - (size_t)1568U, public_key, - libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)4U), - uint8_t, size_t, uint8_t[]), - public_key_serialized); + KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + deserialized_pk[i] = call_mut_00_ff(&lvalue);); + Eurydice_slice uu____0 = Eurydice_array_to_subslice_to( + (size_t)1568U, public_key, + libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)4U), + uint8_t, size_t, uint8_t[]); + deserialize_ring_elements_reduced_d0( + uu____0, Eurydice_array_to_slice( + (size_t)4U, deserialized_pk, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); + uint8_t public_key_serialized[1568U] = {0U}; + libcrux_ml_kem_vector_portable_vector_type_PortableVector scratch = + libcrux_ml_kem_vector_portable_ZERO_b8(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____1 = deserialized_pk; + Eurydice_slice uu____2 = Eurydice_array_to_subslice_from( + (size_t)1568U, public_key, + libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)4U), + uint8_t, size_t, uint8_t[]); + serialize_public_key_mut_ff( + uu____1, uu____2, + Eurydice_array_to_slice((size_t)1568U, public_key_serialized, uint8_t), + &scratch); return Eurydice_array_eq((size_t)1568U, public_key, public_key_serialized, uint8_t); } -/** -This function found in 
impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} -*/ -/** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.H_4a -with const generics -- K= 4 -*/ -static inline void H_4a_ac(Eurydice_slice input, uint8_t ret[32U]) { - libcrux_ml_kem_hash_functions_portable_H(input, ret); -} - /** Validate an ML-KEM private key. @@ -2192,18 +2475,19 @@ static inline void H_4a_ac(Eurydice_slice input, uint8_t ret[32U]) { */ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_private_key_only -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 4 - SECRET_KEY_SIZE= 3168 */ -bool libcrux_ml_kem_ind_cca_validate_private_key_only_60( +bool libcrux_ml_kem_ind_cca_validate_private_key_only_a7( libcrux_ml_kem_types_MlKemPrivateKey_83 *private_key) { - uint8_t t[32U]; - H_4a_ac(Eurydice_array_to_subslice3( - private_key->value, (size_t)384U * (size_t)4U, - (size_t)768U * (size_t)4U + (size_t)32U, uint8_t *), - t); + uint8_t t[32U] = {0U}; + libcrux_ml_kem_hash_functions_portable_H_6e( + Eurydice_array_to_subslice3(private_key->value, (size_t)384U * (size_t)4U, + (size_t)768U * (size_t)4U + (size_t)32U, + uint8_t *), + Eurydice_array_to_slice((size_t)32U, t, uint8_t)); Eurydice_slice expected = Eurydice_array_to_subslice3( private_key->value, (size_t)768U * (size_t)4U + (size_t)32U, (size_t)768U * (size_t)4U + (size_t)64U, uint8_t *); 
@@ -2219,16 +2503,16 @@ bool libcrux_ml_kem_ind_cca_validate_private_key_only_60( */ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_private_key -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 4 - SECRET_KEY_SIZE= 3168 - CIPHERTEXT_SIZE= 1568 */ -bool libcrux_ml_kem_ind_cca_validate_private_key_b5( +bool libcrux_ml_kem_ind_cca_validate_private_key_f5( libcrux_ml_kem_types_MlKemPrivateKey_83 *private_key, libcrux_ml_kem_types_MlKemCiphertext_64 *_ciphertext) { - return libcrux_ml_kem_ind_cca_validate_private_key_only_60(private_key); + return libcrux_ml_kem_ind_cca_validate_private_key_only_a7(private_key); } /** @@ -2256,7 +2540,7 @@ static IndCpaPrivateKeyUnpacked_af default_70_d0(void) { IndCpaPrivateKeyUnpacked_af lit; libcrux_ml_kem_polynomial_PolynomialRingElement_1d repeat_expression[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - repeat_expression[i] = ZERO_d6_ea();); + repeat_expression[i] = ZERO_d6_df();); memcpy( lit.secret_as_ntt, repeat_expression, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); 
@@ -2268,74 +2552,57 @@ A monomorphic instance of libcrux_ml_kem.ind_cpa.unpacked.IndCpaPublicKeyUnpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - $4size_t +- $16size_t */ -typedef struct IndCpaPublicKeyUnpacked_af_s { +typedef struct IndCpaPublicKeyUnpacked_84_s { libcrux_ml_kem_polynomial_PolynomialRingElement_1d t_as_ntt[4U]; uint8_t seed_for_A[32U]; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d A[4U][4U]; -} IndCpaPublicKeyUnpacked_af; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d A[16U]; +} IndCpaPublicKeyUnpacked_84; /** This function found in impl {core::default::Default for -libcrux_ml_kem::ind_cpa::unpacked::IndCpaPublicKeyUnpacked[TraitClause@0, TraitClause@1]} +libcrux_ml_kem::ind_cpa::unpacked::IndCpaPublicKeyUnpacked[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cpa.unpacked.default_8b +A monomorphic instance of libcrux_ml_kem.ind_cpa.unpacked.default_50 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 4 +- K_SQUARED= 16 */ -static IndCpaPublicKeyUnpacked_af default_8b_d0(void) { +static IndCpaPublicKeyUnpacked_84 default_50_ff(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - uu____0[i] = ZERO_d6_ea();); + uu____0[i] = ZERO_d6_df();); uint8_t uu____1[32U] = {0U}; - IndCpaPublicKeyUnpacked_af lit; + IndCpaPublicKeyUnpacked_84 lit; memcpy( lit.t_as_ntt, uu____0, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); memcpy(lit.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t)); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d repeat_expression0[4U][4U]; - KRML_MAYBE_FOR4( - i0, (size_t)0U, (size_t)4U, (size_t)1U, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d repeat_expression[4U]; - KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - repeat_expression[i] = ZERO_d6_ea();); - 
memcpy(repeat_expression0[i0], repeat_expression, - (size_t)4U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d));); - memcpy(lit.A, repeat_expression0, - (size_t)4U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d[4U])); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d repeat_expression[16U]; + KRML_MAYBE_FOR16(i, (size_t)0U, (size_t)16U, (size_t)1U, + repeat_expression[i] = ZERO_d6_df();); + memcpy( + lit.A, repeat_expression, + (size_t)16U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); return lit; } -/** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} -*/ -/** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.G_4a -with const generics -- K= 4 -*/ -static inline void G_4a_ac(Eurydice_slice input, uint8_t ret[64U]) { - libcrux_ml_kem_hash_functions_portable_G(input, ret); -} - /** This function found in impl {libcrux_ml_kem::variant::Variant for libcrux_ml_kem::variant::MlKem} */ /** A monomorphic instance of libcrux_ml_kem.variant.cpa_keygen_seed_39 -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 4 */ -static KRML_MUSTINLINE void cpa_keygen_seed_39_03( - Eurydice_slice key_generation_seed, uint8_t ret[64U]) { +static KRML_MUSTINLINE void cpa_keygen_seed_39_56( + Eurydice_slice key_generation_seed, Eurydice_slice out) { uint8_t seed[33U] = {0U}; Eurydice_slice_copy( Eurydice_array_to_subslice3( 
@@ -2344,88 +2611,8 @@ static KRML_MUSTINLINE void cpa_keygen_seed_39_03( key_generation_seed, uint8_t); seed[LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE] = (uint8_t)(size_t)4U; - uint8_t ret0[64U]; - G_4a_ac(Eurydice_array_to_slice((size_t)33U, seed, uint8_t), ret0); - memcpy(ret, ret0, (size_t)64U * sizeof(uint8_t)); -} - -/** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PortableHash -with const generics -- $4size_t -*/ -typedef struct PortableHash_44_s { - libcrux_sha3_generic_keccak_KeccakState_17 shake128_state[4U]; -} PortableHash_44; - -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_final with const -generics -- K= 4 -*/ -static inline PortableHash_44 shake128_init_absorb_final_ac( - uint8_t (*input)[34U]) { - PortableHash_44 shake128_state; - libcrux_sha3_generic_keccak_KeccakState_17 repeat_expression[4U]; - KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - repeat_expression[i] = - libcrux_sha3_portable_incremental_shake128_init();); - memcpy(shake128_state.shake128_state, repeat_expression, - (size_t)4U * sizeof(libcrux_sha3_generic_keccak_KeccakState_17)); - KRML_MAYBE_FOR4( - i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - libcrux_sha3_portable_incremental_shake128_absorb_final( - &shake128_state.shake128_state[i0], - Eurydice_array_to_slice((size_t)34U, input[i0], uint8_t));); - return shake128_state; -} - -/** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} -*/ -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_final_4a with const -generics -- K= 4 -*/ -static inline PortableHash_44 shake128_init_absorb_final_4a_ac( - uint8_t (*input)[34U]) { - return shake128_init_absorb_final_ac(input); -} - -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_first_three_blocks with -const generics -- K= 4 -*/ 
-static inline void shake128_squeeze_first_three_blocks_ac( - PortableHash_44 *st, uint8_t ret[4U][504U]) { - uint8_t out[4U][504U] = {{0U}}; - KRML_MAYBE_FOR4( - i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks( - &st->shake128_state[i0], - Eurydice_array_to_slice((size_t)504U, out[i0], uint8_t));); - memcpy(ret, out, (size_t)4U * sizeof(uint8_t[504U])); -} - -/** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} -*/ -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_first_three_blocks_4a -with const generics -- K= 4 -*/ -static inline void shake128_squeeze_first_three_blocks_4a_ac( - PortableHash_44 *self, uint8_t ret[4U][504U]) { - shake128_squeeze_first_three_blocks_ac(self, ret); + libcrux_ml_kem_hash_functions_portable_G_6e( + Eurydice_array_to_slice((size_t)33U, seed, uint8_t), out); } /** 
@@ -2477,69 +2664,46 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - N= 504 */ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_ff( - uint8_t (*randomness)[504U], size_t *sampled_coefficients, - int16_t (*out)[272U]) { + Eurydice_slice randomness, Eurydice_slice sampled_coefficients, + Eurydice_slice out) { KRML_MAYBE_FOR4( i0, (size_t)0U, (size_t)4U, (size_t)1U, size_t i1 = i0; for (size_t i = (size_t)0U; i < (size_t)504U / (size_t)24U; i++) { size_t r = i; - if (sampled_coefficients[i1] < + if (Eurydice_slice_index(sampled_coefficients, i1, size_t, size_t *) < LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + uint8_t *randomness_i = Eurydice_slice_index( + randomness, i1, uint8_t[504U], uint8_t(*)[504U]); + int16_t *out_i = + Eurydice_slice_index(out, i1, int16_t[272U], int16_t(*)[272U]); + size_t sampled_coefficients_i = + Eurydice_slice_index(sampled_coefficients, i1, size_t, size_t *); size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_b8( - Eurydice_array_to_subslice3(randomness[i1], r * (size_t)24U, + Eurydice_array_to_subslice3(randomness_i, r * (size_t)24U, r * (size_t)24U + (size_t)24U, uint8_t *), - Eurydice_array_to_subslice3( - out[i1], sampled_coefficients[i1], - sampled_coefficients[i1] + (size_t)16U, int16_t *)); + Eurydice_array_to_subslice3(out_i, sampled_coefficients_i, + sampled_coefficients_i + (size_t)16U, + int16_t *)); size_t uu____0 = i1; - sampled_coefficients[uu____0] = - sampled_coefficients[uu____0] + sampled; + Eurydice_slice_index(sampled_coefficients, uu____0, size_t, + size_t *) = + Eurydice_slice_index(sampled_coefficients, uu____0, size_t, + size_t *) + + sampled; } }); bool done = true; KRML_MAYBE_FOR4( i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - if (sampled_coefficients[i0] >= + if (Eurydice_slice_index(sampled_coefficients, i0, size_t, size_t *) >= LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - sampled_coefficients[i0] = + 
Eurydice_slice_index(sampled_coefficients, i0, size_t, size_t *) = LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; } else { done = false; }); return done; } -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_next_block with const -generics -- K= 4 -*/ -static inline void shake128_squeeze_next_block_ac(PortableHash_44 *st, - uint8_t ret[4U][168U]) { - uint8_t out[4U][168U] = {{0U}}; - KRML_MAYBE_FOR4( - i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - libcrux_sha3_portable_incremental_shake128_squeeze_next_block( - &st->shake128_state[i0], - Eurydice_array_to_slice((size_t)168U, out[i0], uint8_t));); - memcpy(ret, out, (size_t)4U * sizeof(uint8_t[168U])); -} - -/** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} -*/ -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_next_block_4a with const -generics -- K= 4 -*/ -static inline void shake128_squeeze_next_block_4a_ac(PortableHash_44 *self, - uint8_t ret[4U][168U]) { - shake128_squeeze_next_block_ac(self, ret); -} - /** If `bytes` contains a set of uniformly random bytes, this function uniformly samples a ring element `â` that is treated as being the NTT 
@@ -2589,54 +2753,79 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - N= 168 */ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_ff0( - uint8_t (*randomness)[168U], size_t *sampled_coefficients, - int16_t (*out)[272U]) { + Eurydice_slice randomness, Eurydice_slice sampled_coefficients, + Eurydice_slice out) { KRML_MAYBE_FOR4( i0, (size_t)0U, (size_t)4U, (size_t)1U, size_t i1 = i0; for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)24U; i++) { size_t r = i; - if (sampled_coefficients[i1] < + if (Eurydice_slice_index(sampled_coefficients, i1, size_t, size_t *) < LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + uint8_t *randomness_i = Eurydice_slice_index( + randomness, i1, uint8_t[168U], uint8_t(*)[168U]); + int16_t *out_i = + Eurydice_slice_index(out, i1, int16_t[272U], int16_t(*)[272U]); + size_t sampled_coefficients_i = + Eurydice_slice_index(sampled_coefficients, i1, size_t, size_t *); size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_b8( - Eurydice_array_to_subslice3(randomness[i1], r * (size_t)24U, + Eurydice_array_to_subslice3(randomness_i, r * (size_t)24U, r * (size_t)24U + (size_t)24U, uint8_t *), - Eurydice_array_to_subslice3( - out[i1], sampled_coefficients[i1], - sampled_coefficients[i1] + (size_t)16U, int16_t *)); + Eurydice_array_to_subslice3(out_i, sampled_coefficients_i, + sampled_coefficients_i + (size_t)16U, + int16_t *)); size_t uu____0 = i1; - sampled_coefficients[uu____0] = - sampled_coefficients[uu____0] + sampled; + Eurydice_slice_index(sampled_coefficients, uu____0, size_t, + size_t *) = + Eurydice_slice_index(sampled_coefficients, uu____0, size_t, + size_t *) + + sampled; } }); bool done = true; KRML_MAYBE_FOR4( i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - if (sampled_coefficients[i0] >= + if (Eurydice_slice_index(sampled_coefficients, i0, size_t, size_t *) >= LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - sampled_coefficients[i0] = + 
Eurydice_slice_index(sampled_coefficients, i0, size_t, size_t *) = LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; } else { done = false; }); return done; } /** -A monomorphic instance of libcrux_ml_kem.polynomial.ZERO -with types libcrux_ml_kem_vector_portable_vector_type_PortableVector -with const generics - +A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics +- K= 4 */ -static libcrux_ml_kem_polynomial_PolynomialRingElement_1d ZERO_ea(void) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d lit; - libcrux_ml_kem_vector_portable_vector_type_PortableVector - repeat_expression[16U]; - KRML_MAYBE_FOR16( - i, (size_t)0U, (size_t)16U, (size_t)1U, - repeat_expression[i] = libcrux_ml_kem_vector_portable_ZERO_b8();); - memcpy(lit.coefficients, repeat_expression, - (size_t)16U * - sizeof(libcrux_ml_kem_vector_portable_vector_type_PortableVector)); - return lit; +static KRML_MUSTINLINE void sample_from_xof_57( + Eurydice_slice seeds, Eurydice_slice sampled_coefficients, + Eurydice_slice out) { + libcrux_ml_kem_hash_functions_portable_PortableHash xof_state = + libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_6e( + seeds); + uint8_t randomness[4U][504U] = {{0U}}; + uint8_t randomness_blocksize[4U][168U] = {{0U}}; + libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_6e( + &xof_state, + Eurydice_array_to_slice((size_t)4U, randomness, uint8_t[504U])); + bool done = sample_from_uniform_distribution_next_ff( + Eurydice_array_to_slice((size_t)4U, randomness, uint8_t[504U]), + sampled_coefficients, out); + while (true) { + if (done) { + break; + } else { + libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_6e( + &xof_state, Eurydice_array_to_slice((size_t)4U, randomness_blocksize, + uint8_t[168U])); + done = sample_from_uniform_distribution_next_ff0( + 
Eurydice_array_to_slice((size_t)4U, randomness_blocksize, + uint8_t[168U]), + sampled_coefficients, out); + } + } } /** @@ -2645,19 +2834,16 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -from_i16_array_ea(Eurydice_slice a) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_ea(); +static KRML_MUSTINLINE void from_i16_array_df( + Eurydice_slice a, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *result) { for (size_t i = (size_t)0U; i < VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_from_i16_array_b8( - Eurydice_slice_subslice3(a, i0 * (size_t)16U, - (i0 + (size_t)1U) * (size_t)16U, - int16_t *)); - result.coefficients[i0] = uu____0; + libcrux_ml_kem_vector_portable_from_i16_array_b8( + Eurydice_slice_subslice3(a, i0 * (size_t)16U, + (i0 + (size_t)1U) * (size_t)16U, int16_t *), + &result->coefficients[i0]); } - return result; } /** 
@@ -2671,137 +2857,64 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -from_i16_array_d6_ea(Eurydice_slice a) { - return from_i16_array_ea(a); -} - -/** -This function found in impl {core::ops::function::FnMut<(@Array), -libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@2]> for libcrux_ml_kem::sampling::sample_from_xof::closure[TraitClause@0, TraitClause@1, TraitClause@2, TraitClause@3]} -*/ -/** -A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof.call_mut_e7 -with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]] with const -generics -- K= 4 -*/ -static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_e7_2b( - int16_t tupled_args[272U]) { - int16_t s[272U]; - memcpy(s, tupled_args, (size_t)272U * sizeof(int16_t)); - return from_i16_array_d6_ea( - Eurydice_array_to_subslice3(s, (size_t)0U, (size_t)256U, int16_t *)); -} - -/** -A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof -with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]] with const -generics -- K= 4 -*/ -static KRML_MUSTINLINE void sample_from_xof_2b( - uint8_t (*seeds)[34U], - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[4U]) { - size_t sampled_coefficients[4U] = {0U}; - int16_t out[4U][272U] = {{0U}}; - PortableHash_44 xof_state = shake128_init_absorb_final_4a_ac(seeds); - uint8_t randomness0[4U][504U]; - shake128_squeeze_first_three_blocks_4a_ac(&xof_state, randomness0); - bool done = sample_from_uniform_distribution_next_ff( - randomness0, sampled_coefficients, out); - while (true) { - if (done) { - break; - } else { - uint8_t randomness[4U][168U]; - shake128_squeeze_next_block_4a_ac(&xof_state, randomness); - done = 
sample_from_uniform_distribution_next_ff0( - randomness, sampled_coefficients, out); - } - } - /* Passing arrays by value in Rust generates a copy in C */ - int16_t copy_of_out[4U][272U]; - memcpy(copy_of_out, out, (size_t)4U * sizeof(int16_t[272U])); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret0[4U]; - KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - ret0[i] = call_mut_e7_2b(copy_of_out[i]);); - memcpy( - ret, ret0, - (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); +static KRML_MUSTINLINE void from_i16_array_d6_df( + Eurydice_slice a, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *out) { + from_i16_array_df(a, out); } /** A monomorphic instance of libcrux_ml_kem.matrix.sample_matrix_A with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 4 */ -static KRML_MUSTINLINE void sample_matrix_A_2b( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d (*A_transpose)[4U], - uint8_t *seed, bool transpose) { +static KRML_MUSTINLINE void sample_matrix_A_57(Eurydice_slice A_transpose, + uint8_t *seed, bool transpose) { KRML_MAYBE_FOR4( i0, (size_t)0U, (size_t)4U, (size_t)1U, size_t i1 = i0; - uint8_t seeds[4U][34U]; - KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - core_array__core__clone__Clone_for__Array_T__N___clone( - (size_t)34U, seed, seeds[i], uint8_t, void *);); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); + uint8_t seeds[4U][34U]; KRML_MAYBE_FOR4( + i, (size_t)0U, (size_t)4U, (size_t)1U, + memcpy(seeds[i], copy_of_seed, (size_t)34U * sizeof(uint8_t));); KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t j = i; seeds[j][32U] = (uint8_t)i1; seeds[j][33U] = (uint8_t)j;); - 
libcrux_ml_kem_polynomial_PolynomialRingElement_1d sampled[4U]; - sample_from_xof_2b(seeds, sampled); + size_t sampled_coefficients[4U] = {0U}; int16_t out[4U][272U] = {{0U}}; + sample_from_xof_57( + Eurydice_array_to_slice((size_t)4U, seeds, uint8_t[34U]), + Eurydice_array_to_slice((size_t)4U, sampled_coefficients, size_t), + Eurydice_array_to_slice((size_t)4U, out, int16_t[272U])); for (size_t i = (size_t)0U; i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)4U, sampled, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d), - libcrux_ml_kem_polynomial_PolynomialRingElement_1d); + Eurydice_array_to_slice((size_t)4U, out, int16_t[272U]), + int16_t[272U]); i++) { size_t j = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d sample = sampled[j]; + int16_t sample[272U]; + memcpy(sample, out[j], (size_t)272U * sizeof(int16_t)); if (transpose) { - A_transpose[j][i1] = sample; + Eurydice_slice uu____1 = Eurydice_array_to_subslice_to( + (size_t)272U, sample, (size_t)256U, int16_t, size_t, int16_t[]); + from_i16_array_d6_df( + uu____1, + &Eurydice_slice_index( + A_transpose, j * (size_t)4U + i1, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *)); } else { - A_transpose[i1][j] = sample; + Eurydice_slice uu____2 = Eurydice_array_to_subslice_to( + (size_t)272U, sample, (size_t)256U, int16_t, size_t, int16_t[]); + from_i16_array_d6_df( + uu____2, + &Eurydice_slice_index( + A_transpose, i1 * (size_t)4U + j, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *)); } }); } -/** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRFxN -with const generics -- K= 4 -- LEN= 128 -*/ -static inline void PRFxN_44(uint8_t (*input)[33U], uint8_t ret[4U][128U]) { - uint8_t out[4U][128U] = {{0U}}; - KRML_MAYBE_FOR4( - i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)128U, 
out[i0], uint8_t), - Eurydice_array_to_slice((size_t)33U, input[i0], uint8_t));); - memcpy(ret, out, (size_t)4U * sizeof(uint8_t[128U])); -} - -/** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} -*/ -/** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRFxN_4a -with const generics -- K= 4 -- LEN= 128 -*/ -static inline void PRFxN_4a_44(uint8_t (*input)[33U], uint8_t ret[4U][128U]) { - PRFxN_44(input, ret); -} - /** Given a series of uniformly random bytes in `randomness`, for some number `eta`, the `sample_from_binomial_distribution_{eta}` functions sample a ring @@ -2857,9 +2970,8 @@ libcrux_ml_kem.sampling.sample_from_binomial_distribution_2 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -sample_from_binomial_distribution_2_ea(Eurydice_slice randomness) { - int16_t sampled_i16s[256U] = {0U}; +static KRML_MUSTINLINE void sample_from_binomial_distribution_2_df( + Eurydice_slice randomness, Eurydice_slice sampled_i16s) { for (size_t i0 = (size_t)0U; i0 < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i0++) { size_t chunk_number = i0; @@ -2889,11 +3001,10 @@ sample_from_binomial_distribution_2_ea(Eurydice_slice randomness) { int16_t outcome_2 = (int16_t)(coin_toss_outcomes >> (uint32_t)(outcome_set0 + 2U) & 3U); size_t offset = (size_t)(outcome_set0 >> 2U); - sampled_i16s[(size_t)8U * chunk_number + offset] = outcome_1 - outcome_2; + Eurydice_slice_index(sampled_i16s, (size_t)8U * chunk_number + offset, + int16_t, int16_t *) = outcome_1 - outcome_2; } } - return from_i16_array_d6_ea( - Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t)); } /** 
@@ -2902,9 +3013,10 @@ libcrux_ml_kem.sampling.sample_from_binomial_distribution with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - ETA= 2 */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -sample_from_binomial_distribution_a0(Eurydice_slice randomness) { - return sample_from_binomial_distribution_2_ea(randomness); +static KRML_MUSTINLINE void sample_from_binomial_distribution_a0( + Eurydice_slice randomness, int16_t *output) { + sample_from_binomial_distribution_2_df( + randomness, Eurydice_array_to_slice((size_t)256U, output, int16_t)); } /** 
@@ -2913,26 +3025,31 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void ntt_at_layer_7_ea( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { +static KRML_MUSTINLINE void ntt_at_layer_7_df( + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { size_t step = VECTORS_IN_RING_ELEMENT / (size_t)2U; for (size_t i = (size_t)0U; i < step; i++) { size_t j = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector t = - libcrux_ml_kem_vector_portable_multiply_by_constant_b8( - re->coefficients[j + step], (int16_t)-1600); - re->coefficients[j + step] = - libcrux_ml_kem_vector_portable_sub_b8(re->coefficients[j], &t); - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____1 = - libcrux_ml_kem_vector_portable_add_b8(re->coefficients[j], &t); - re->coefficients[j] = uu____1; + scratch[0U] = re->coefficients[j + step]; + libcrux_ml_kem_vector_portable_multiply_by_constant_b8(scratch, + (int16_t)-1600); + re->coefficients[j + step] = re->coefficients[j]; + libcrux_ml_kem_vector_portable_add_b8(&re->coefficients[j], scratch); + libcrux_ml_kem_vector_portable_sub_b8(&re->coefficients[j + step], scratch); } } -typedef struct libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2_s { - libcrux_ml_kem_vector_portable_vector_type_PortableVector fst; - libcrux_ml_kem_vector_portable_vector_type_PortableVector snd; -} libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2; +/** +A monomorphic instance of libcrux_ml_kem.vector.traits.montgomery_multiply_fe +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector +with const generics + +*/ +static KRML_MUSTINLINE void montgomery_multiply_fe_df( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, int16_t fer) { + libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8(v, fer); +} /** A monomorphic instance of 
libcrux_ml_kem.ntt.ntt_layer_int_vec_step @@ -2940,20 +3057,16 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE - libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2 - ntt_layer_int_vec_step_ea( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - libcrux_ml_kem_vector_portable_vector_type_PortableVector b, - int16_t zeta_r) { - libcrux_ml_kem_vector_portable_vector_type_PortableVector t = - libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8(b, - zeta_r); - b = libcrux_ml_kem_vector_portable_sub_b8(a, &t); - a = libcrux_ml_kem_vector_portable_add_b8(a, &t); - return (KRML_CLITERAL( - libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2){.fst = a, - .snd = b}); +static KRML_MUSTINLINE void ntt_layer_int_vec_step_df( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *coefficients, + size_t a, size_t b, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch, + int16_t zeta_r) { + scratch[0U] = coefficients[b]; + montgomery_multiply_fe_df(scratch, zeta_r); + coefficients[b] = coefficients[a]; + libcrux_ml_kem_vector_portable_add_b8(&coefficients[a], scratch); + libcrux_ml_kem_vector_portable_sub_b8(&coefficients[b], scratch); } /** 
@@ -2962,26 +3075,21 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void ntt_at_layer_4_plus_ea( +static KRML_MUSTINLINE void ntt_at_layer_4_plus_df( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, - size_t layer) { + size_t layer, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { size_t step = (size_t)1U << (uint32_t)layer; + size_t step_vec = step / (size_t)16U; for (size_t i0 = (size_t)0U; i0 < (size_t)128U >> (uint32_t)layer; i0++) { size_t round = i0; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - size_t offset = round * step * (size_t)2U; - size_t offset_vec = offset / (size_t)16U; - size_t step_vec = step / (size_t)16U; - for (size_t i = offset_vec; i < offset_vec + step_vec; i++) { + size_t a_offset = round * (size_t)2U * step_vec; + size_t b_offset = a_offset + step_vec; + for (size_t i = (size_t)0U; i < step_vec; i++) { size_t j = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2 uu____0 = - ntt_layer_int_vec_step_ea(re->coefficients[j], - re->coefficients[j + step_vec], - zeta(zeta_i[0U])); - libcrux_ml_kem_vector_portable_vector_type_PortableVector x = uu____0.fst; - libcrux_ml_kem_vector_portable_vector_type_PortableVector y = uu____0.snd; - re->coefficients[j] = x; - re->coefficients[j + step_vec] = y; + ntt_layer_int_vec_step_df(re->coefficients, a_offset + j, b_offset + j, + scratch, zeta(zeta_i[0U])); } } } 
@@ -2992,15 +3100,12 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void ntt_at_layer_3_ea( +static KRML_MUSTINLINE void ntt_at_layer_3_df( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { - KRML_MAYBE_FOR16( - i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; - zeta_i[0U] = zeta_i[0U] + (size_t)1U; - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_ntt_layer_3_step_b8( - re->coefficients[round], zeta(zeta_i[0U])); - re->coefficients[round] = uu____0;); + KRML_MAYBE_FOR16(i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; + zeta_i[0U] = zeta_i[0U] + (size_t)1U; + libcrux_ml_kem_vector_portable_ntt_layer_3_step_b8( + &re->coefficients[round], zeta(zeta_i[0U]));); } /** @@ -3009,14 +3114,13 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void ntt_at_layer_2_ea( +static KRML_MUSTINLINE void ntt_at_layer_2_df( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { KRML_MAYBE_FOR16(i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - re->coefficients[round] = - libcrux_ml_kem_vector_portable_ntt_layer_2_step_b8( - re->coefficients[round], zeta(zeta_i[0U]), - zeta(zeta_i[0U] + (size_t)1U)); + libcrux_ml_kem_vector_portable_ntt_layer_2_step_b8( + &re->coefficients[round], zeta(zeta_i[0U]), + zeta(zeta_i[0U] + (size_t)1U)); zeta_i[0U] = zeta_i[0U] + (size_t)1U;); } 
@@ -3026,16 +3130,15 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void ntt_at_layer_1_ea( +static KRML_MUSTINLINE void ntt_at_layer_1_df( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { KRML_MAYBE_FOR16( i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - re->coefficients[round] = - libcrux_ml_kem_vector_portable_ntt_layer_1_step_b8( - re->coefficients[round], zeta(zeta_i[0U]), - zeta(zeta_i[0U] + (size_t)1U), zeta(zeta_i[0U] + (size_t)2U), - zeta(zeta_i[0U] + (size_t)3U)); + libcrux_ml_kem_vector_portable_ntt_layer_1_step_b8( + &re->coefficients[round], zeta(zeta_i[0U]), + zeta(zeta_i[0U] + (size_t)1U), zeta(zeta_i[0U] + (size_t)2U), + zeta(zeta_i[0U] + (size_t)3U)); zeta_i[0U] = zeta_i[0U] + (size_t)3U;); } @@ -3045,14 +3148,11 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void poly_barrett_reduce_ea( +static KRML_MUSTINLINE void poly_barrett_reduce_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself) { for (size_t i = (size_t)0U; i < VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_barrett_reduce_b8( - myself->coefficients[i0]); - myself->coefficients[i0] = uu____0; + libcrux_ml_kem_vector_portable_barrett_reduce_b8(&myself->coefficients[i0]); } } @@ -3067,9 +3167,9 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void poly_barrett_reduce_d6_ea( +static KRML_MUSTINLINE void poly_barrett_reduce_d6_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self) { - poly_barrett_reduce_ea(self); + poly_barrett_reduce_df(self); } /** 
@@ -3078,17 +3178,18 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void ntt_binomially_sampled_ring_element_ea( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { - ntt_at_layer_7_ea(re); +static KRML_MUSTINLINE void ntt_binomially_sampled_ring_element_df( + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { + ntt_at_layer_7_df(re, scratch); size_t zeta_i = (size_t)1U; - ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)6U); - ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)5U); - ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)4U); - ntt_at_layer_3_ea(&zeta_i, re); - ntt_at_layer_2_ea(&zeta_i, re); - ntt_at_layer_1_ea(&zeta_i, re); - poly_barrett_reduce_d6_ea(re); + ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)6U, scratch); + ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)5U, scratch); + ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)4U, scratch); + ntt_at_layer_3_df(&zeta_i, re); + ntt_at_layer_2_df(&zeta_i, re); + ntt_at_layer_1_df(&zeta_i, re); + poly_barrett_reduce_d6_df(re); } /** 
@@ -3098,28 +3199,46 @@ static KRML_MUSTINLINE void ntt_binomially_sampled_ring_element_ea( /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_vector_cbd_then_ntt with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 4 - ETA= 2 - ETA_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE= 512 */ -static KRML_MUSTINLINE uint8_t sample_vector_cbd_then_ntt_3b( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re_as_ntt, - uint8_t *prf_input, uint8_t domain_separator) { +static KRML_MUSTINLINE uint8_t sample_vector_cbd_then_ntt_40( + Eurydice_slice re_as_ntt, uint8_t *prf_input, uint8_t domain_separator, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[4U][33U]; - KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - core_array__core__clone__Clone_for__Array_T__N___clone( - (size_t)33U, prf_input, prf_inputs[i], uint8_t, void *);); + KRML_MAYBE_FOR4( + i, (size_t)0U, (size_t)4U, (size_t)1U, + memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));); domain_separator = libcrux_ml_kem_utils_prf_input_inc_ac(prf_inputs, domain_separator); - uint8_t prf_outputs[4U][128U]; - PRFxN_4a_44(prf_inputs, prf_outputs); + uint8_t prf_outputs[512U] = {0U}; + libcrux_ml_kem_hash_functions_portable_PRFxN_6e( + Eurydice_array_to_slice((size_t)4U, prf_inputs, uint8_t[33U]), + Eurydice_array_to_slice((size_t)512U, prf_outputs, uint8_t), + (size_t)128U); KRML_MAYBE_FOR4( i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - re_as_ntt[i0] = sample_from_binomial_distribution_a0( - Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t)); - 
ntt_binomially_sampled_ring_element_ea(&re_as_ntt[i0]);); + Eurydice_slice randomness = Eurydice_array_to_subslice3( + prf_outputs, i0 * (size_t)128U, (i0 + (size_t)1U) * (size_t)128U, + uint8_t *); + int16_t sample_buffer[256U] = {0U}; + sample_from_binomial_distribution_a0(randomness, sample_buffer); + from_i16_array_d6_df( + Eurydice_array_to_slice((size_t)256U, sample_buffer, int16_t), + &Eurydice_slice_index( + re_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *)); + ntt_binomially_sampled_ring_element_df( + &Eurydice_slice_index( + re_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *), + scratch);); return domain_separator; } 
@@ -3128,22 +3247,39 @@ This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, TraitClause@3]> for libcrux_ml_kem::ind_cpa::generate_keypair_unpacked::closure[TraitClause@0, TraitClause@1, -TraitClause@2, TraitClause@3, TraitClause@4, TraitClause@5]} +Scheme, K, K_SQUARED, ETA1, ETA1_RANDOMNESS_SIZE, +PRF_OUTPUT_SIZE1>[TraitClause@0, TraitClause@1, TraitClause@2, TraitClause@3, +TraitClause@4, TraitClause@5]} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cpa.generate_keypair_unpacked.call_mut_73 with types +libcrux_ml_kem.ind_cpa.generate_keypair_unpacked.call_mut_ae with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 4 +- K_SQUARED= 16 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 512 */ -static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_73_1c( +static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_ae_b8( void **_) { - return ZERO_d6_ea(); + return ZERO_d6_df(); +} + +/** +A monomorphic instance of libcrux_ml_kem.matrix.entry +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector +with const generics +- K= 4 +*/ +static libcrux_ml_kem_polynomial_PolynomialRingElement_1d *entry_d0( + Eurydice_slice matrix, size_t i, size_t j) { + return &Eurydice_slice_index( + matrix, i * (size_t)4U + j, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *); } /** 
@@ -3179,22 +3315,19 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -ntt_multiply_ea(libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d out = ZERO_ea(); +static KRML_MUSTINLINE void ntt_multiply_df( + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *out) { for (size_t i = (size_t)0U; i < VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_ntt_multiply_b8( - &myself->coefficients[i0], &rhs->coefficients[i0], - zeta((size_t)64U + (size_t)4U * i0), - zeta((size_t)64U + (size_t)4U * i0 + (size_t)1U), - zeta((size_t)64U + (size_t)4U * i0 + (size_t)2U), - zeta((size_t)64U + (size_t)4U * i0 + (size_t)3U)); - out.coefficients[i0] = uu____0; + libcrux_ml_kem_vector_portable_ntt_multiply_b8( + &myself->coefficients[i0], &rhs->coefficients[i0], + &out->coefficients[i0], zeta((size_t)64U + (size_t)4U * i0), + zeta((size_t)64U + (size_t)4U * i0 + (size_t)1U), + zeta((size_t)64U + (size_t)4U * i0 + (size_t)2U), + zeta((size_t)64U + (size_t)4U * i0 + (size_t)3U)); } - return out; } /** 
@@ -3208,10 +3341,11 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -ntt_multiply_d6_ea(libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) { - return ntt_multiply_ea(self, rhs); +static KRML_MUSTINLINE void ntt_multiply_d6_df( + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *out) { + ntt_multiply_df(self, rhs, out); } /** @@ -3235,10 +3369,8 @@ static KRML_MUSTINLINE void add_to_ring_element_d0( libcrux_ml_kem_vector_portable_vector_type_PortableVector); i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_add_b8(myself->coefficients[i0], - &rhs->coefficients[i0]); - myself->coefficients[i0] = uu____0; + libcrux_ml_kem_vector_portable_add_b8(&myself->coefficients[i0], + &rhs->coefficients[i0]); } } @@ -3265,10 +3397,9 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -to_standard_domain_ea( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vector) { - return libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( +static KRML_MUSTINLINE void to_standard_domain_df( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vector) { + libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( vector, LIBCRUX_ML_KEM_VECTOR_TRAITS_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS); } 
@@ -3279,20 +3410,15 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void add_standard_error_reduce_ea( +static KRML_MUSTINLINE void add_standard_error_reduce_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) { for (size_t i = (size_t)0U; i < VECTORS_IN_RING_ELEMENT; i++) { size_t j = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector - coefficient_normal_form = - to_standard_domain_ea(myself->coefficients[j]); - libcrux_ml_kem_vector_portable_vector_type_PortableVector sum = - libcrux_ml_kem_vector_portable_add_b8(coefficient_normal_form, - &error->coefficients[j]); - libcrux_ml_kem_vector_portable_vector_type_PortableVector red = - libcrux_ml_kem_vector_portable_barrett_reduce_b8(sum); - myself->coefficients[j] = red; + to_standard_domain_df(&myself->coefficients[j]); + libcrux_ml_kem_vector_portable_add_b8(&myself->coefficients[j], + &error->coefficients[j]); + libcrux_ml_kem_vector_portable_barrett_reduce_b8(&myself->coefficients[j]); } } @@ -3307,10 +3433,10 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void add_standard_error_reduce_d6_ea( +static KRML_MUSTINLINE void add_standard_error_reduce_d6_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) { - add_standard_error_reduce_ea(self, error); + add_standard_error_reduce_df(self, error); } /** 
@@ -3324,36 +3450,20 @@ with const generics */ static KRML_MUSTINLINE void compute_As_plus_e_d0( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *t_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d (*matrix_A)[4U], + Eurydice_slice matrix_A, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *s_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_as_ntt) { - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)4U, matrix_A, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d[4U]), - libcrux_ml_kem_polynomial_PolynomialRingElement_1d[4U]); - i++) { - size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *row = matrix_A[i0]; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = ZERO_d6_ea(); - t_as_ntt[i0] = uu____0; - for (size_t i1 = (size_t)0U; - i1 < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)4U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d), - libcrux_ml_kem_polynomial_PolynomialRingElement_1d); - i1++) { - size_t j = i1; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *matrix_element = - &row[j]; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - ntt_multiply_d6_ea(matrix_element, &s_as_ntt[j]); - add_to_ring_element_d6_d0(&t_as_ntt[i0], &product); - } - add_standard_error_reduce_d6_ea(&t_as_ntt[i0], &error_as_ntt[i0]); - } + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { + KRML_MAYBE_FOR4( + i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = ZERO_d6_df(); + t_as_ntt[i0] = uu____0; KRML_MAYBE_FOR4( + i1, (size_t)0U, (size_t)4U, (size_t)1U, size_t j = i1; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____1 = + entry_d0(matrix_A, i0, j); + ntt_multiply_d6_df(uu____1, &s_as_ntt[j], scratch); + add_to_ring_element_d6_d0(&t_as_ntt[i0], scratch);); + 
add_standard_error_reduce_d6_df(&t_as_ntt[i0], &error_as_ntt[i0]);); } /** 
@@ -3400,41 +3510,56 @@ static KRML_MUSTINLINE void compute_As_plus_e_d0( /** A monomorphic instance of libcrux_ml_kem.ind_cpa.generate_keypair_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 4 +- K_SQUARED= 16 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 512 */ -static KRML_MUSTINLINE void generate_keypair_unpacked_1c( +static KRML_MUSTINLINE void generate_keypair_unpacked_b8( Eurydice_slice key_generation_seed, IndCpaPrivateKeyUnpacked_af *private_key, - IndCpaPublicKeyUnpacked_af *public_key) { - uint8_t hashed[64U]; - cpa_keygen_seed_39_03(key_generation_seed, hashed); + IndCpaPublicKeyUnpacked_84 *public_key, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { + uint8_t hashed[64U] = {0U}; + cpa_keygen_seed_39_56(key_generation_seed, + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t)); Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), (size_t)32U, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice seed_for_A = uu____0.fst; Eurydice_slice seed_for_secret_and_error = uu____0.snd; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d(*uu____1)[4U] = - public_key->A; + Eurydice_slice uu____1 = Eurydice_array_to_slice( + (size_t)16U, public_key->A, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d); uint8_t ret[34U]; libcrux_ml_kem_utils_into_padded_array_b6(seed_for_A, ret); - sample_matrix_A_2b(uu____1, ret, true); + sample_matrix_A_57(uu____1, ret, true); uint8_t prf_input[33U]; libcrux_ml_kem_utils_into_padded_array_c8(seed_for_secret_and_error, prf_input); - uint8_t domain_separator = - sample_vector_cbd_then_ntt_3b(private_key->secret_as_ntt, prf_input, 0U); + uint8_t domain_separator = sample_vector_cbd_then_ntt_40( + Eurydice_array_to_slice( + (size_t)4U, 
private_key->secret_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + prf_input, 0U, scratch->coefficients); libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_as_ntt[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, /* original Rust expression is not an lvalue in C */ void *lvalue = (void *)0U; - error_as_ntt[i] = call_mut_73_1c(&lvalue);); - sample_vector_cbd_then_ntt_3b(error_as_ntt, prf_input, domain_separator); - compute_As_plus_e_d0(public_key->t_as_ntt, public_key->A, - private_key->secret_as_ntt, error_as_ntt); + error_as_ntt[i] = call_mut_ae_b8(&lvalue);); + sample_vector_cbd_then_ntt_40( + Eurydice_array_to_slice( + (size_t)4U, error_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + prf_input, domain_separator, scratch->coefficients); + compute_As_plus_e_d0(public_key->t_as_ntt, + Eurydice_array_to_slice( + (size_t)16U, public_key->A, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + private_key->secret_as_ntt, error_as_ntt, scratch); uint8_t uu____2[32U]; core_result_Result_fb dst; Eurydice_slice_to_array2(&dst, seed_for_A, Eurydice_slice, uint8_t[32U], 
@@ -3451,54 +3576,48 @@ A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_unpacked_secret_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 4 +- K_SQUARED= 16 - PRIVATE_KEY_SIZE= 1536 - PUBLIC_KEY_SIZE= 1568 */ -static libcrux_ml_kem_utils_extraction_helper_Keypair1024 -serialize_unpacked_secret_key_00(IndCpaPublicKeyUnpacked_af *public_key, - IndCpaPrivateKeyUnpacked_af *private_key) { - uint8_t public_key_serialized[1568U]; - serialize_public_key_ff( +static void serialize_unpacked_secret_key_2f( + IndCpaPublicKeyUnpacked_84 *public_key, + IndCpaPrivateKeyUnpacked_af *private_key, + Eurydice_slice serialized_private_key, Eurydice_slice serialized_public_key, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { + serialize_public_key_mut_ff( public_key->t_as_ntt, Eurydice_array_to_slice((size_t)32U, public_key->seed_for_A, uint8_t), - public_key_serialized); - uint8_t secret_key_serialized[1536U] = {0U}; - serialize_vector_d0( - private_key->secret_as_ntt, - Eurydice_array_to_slice((size_t)1536U, secret_key_serialized, uint8_t)); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_secret_key_serialized[1536U]; - memcpy(copy_of_secret_key_serialized, secret_key_serialized, - (size_t)1536U * sizeof(uint8_t)); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_public_key_serialized[1568U]; - memcpy(copy_of_public_key_serialized, public_key_serialized, - (size_t)1568U * sizeof(uint8_t)); - libcrux_ml_kem_utils_extraction_helper_Keypair1024 lit; - memcpy(lit.fst, copy_of_secret_key_serialized, - (size_t)1536U * sizeof(uint8_t)); - memcpy(lit.snd, copy_of_public_key_serialized, - (size_t)1568U * sizeof(uint8_t)); - return lit; + serialized_public_key, scratch); + serialize_vector_d0(private_key->secret_as_ntt, serialized_private_key, + scratch); } /** A monomorphic instance of libcrux_ml_kem.ind_cpa.generate_keypair with types 
libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 4 +- K_SQUARED= 16 - PRIVATE_KEY_SIZE= 1536 - PUBLIC_KEY_SIZE= 1568 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 512 */ -static KRML_MUSTINLINE libcrux_ml_kem_utils_extraction_helper_Keypair1024 -generate_keypair_ea0(Eurydice_slice key_generation_seed) { +static KRML_MUSTINLINE void generate_keypair_900( + Eurydice_slice key_generation_seed, + Eurydice_slice serialized_ind_cpa_private_key, + Eurydice_slice serialized_public_key, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { IndCpaPrivateKeyUnpacked_af private_key = default_70_d0(); - IndCpaPublicKeyUnpacked_af public_key = default_8b_d0(); - generate_keypair_unpacked_1c(key_generation_seed, &private_key, &public_key); - return serialize_unpacked_secret_key_00(&public_key, &private_key); + IndCpaPublicKeyUnpacked_84 public_key = default_50_ff(); + generate_keypair_unpacked_b8(key_generation_seed, &private_key, &public_key, + scratch); + serialize_unpacked_secret_key_2f( + &public_key, &private_key, serialized_ind_cpa_private_key, + serialized_public_key, scratch->coefficients); } /** @@ -3506,12 +3625,12 @@ generate_keypair_ea0(Eurydice_slice key_generation_seed) { */ /** A monomorphic instance of libcrux_ml_kem.ind_cca.serialize_kem_secret_key_mut -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 4 - SERIALIZED_KEY_LEN= 3168 */ -static KRML_MUSTINLINE void serialize_kem_secret_key_mut_60( +static KRML_MUSTINLINE void serialize_kem_secret_key_mut_a7( Eurydice_slice private_key, Eurydice_slice public_key, Eurydice_slice implicit_rejection_value, uint8_t *serialized) { size_t pointer = (size_t)0U; 
@@ -3533,41 +3652,23 @@ static KRML_MUSTINLINE void serialize_kem_secret_key_mut_60( uint8_t *), public_key, uint8_t); pointer = pointer + Eurydice_slice_len(public_key, uint8_t); - Eurydice_slice uu____6 = Eurydice_array_to_subslice3( - serialized, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, - uint8_t *); - uint8_t ret[32U]; - H_4a_ac(public_key, ret); - Eurydice_slice_copy( - uu____6, Eurydice_array_to_slice((size_t)32U, ret, uint8_t), uint8_t); + libcrux_ml_kem_hash_functions_portable_H_6e( + public_key, + Eurydice_array_to_subslice3( + serialized, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, + uint8_t *)); pointer = pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE; - uint8_t *uu____7 = serialized; + uint8_t *uu____6 = serialized; + size_t uu____7 = pointer; size_t uu____8 = pointer; - size_t uu____9 = pointer; Eurydice_slice_copy( Eurydice_array_to_subslice3( - uu____7, uu____8, - uu____9 + Eurydice_slice_len(implicit_rejection_value, uint8_t), + uu____6, uu____7, + uu____8 + Eurydice_slice_len(implicit_rejection_value, uint8_t), uint8_t *), implicit_rejection_value, uint8_t); } -/** -A monomorphic instance of libcrux_ml_kem.ind_cca.serialize_kem_secret_key -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]] -with const generics -- K= 4 -- SERIALIZED_KEY_LEN= 3168 -*/ -static KRML_MUSTINLINE void serialize_kem_secret_key_60( - Eurydice_slice private_key, Eurydice_slice public_key, - Eurydice_slice implicit_rejection_value, uint8_t ret[3168U]) { - uint8_t out[3168U] = {0U}; - serialize_kem_secret_key_mut_60(private_key, public_key, - implicit_rejection_value, out); - memcpy(ret, out, (size_t)3168U * sizeof(uint8_t)); -} - /** Packed API 
@@ -3579,17 +3680,19 @@ static KRML_MUSTINLINE void serialize_kem_secret_key_60( /** A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 4 +- K_SQUARED= 16 - CPA_PRIVATE_KEY_SIZE= 1536 - PRIVATE_KEY_SIZE= 3168 - PUBLIC_KEY_SIZE= 1568 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 512 */ libcrux_ml_kem_mlkem1024_MlKem1024KeyPair -libcrux_ml_kem_ind_cca_generate_keypair_150(uint8_t *randomness) { +libcrux_ml_kem_ind_cca_generate_keypair_e60(uint8_t *randomness) { Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice3( randomness, (size_t)0U, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t *); 
@@ -3597,14 +3700,15 @@ libcrux_ml_kem_ind_cca_generate_keypair_150(uint8_t *randomness) { (size_t)64U, randomness, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, size_t, uint8_t[]); - libcrux_ml_kem_utils_extraction_helper_Keypair1024 uu____0 = - generate_keypair_ea0(ind_cpa_keypair_randomness); - uint8_t ind_cpa_private_key[1536U]; - memcpy(ind_cpa_private_key, uu____0.fst, (size_t)1536U * sizeof(uint8_t)); - uint8_t public_key[1568U]; - memcpy(public_key, uu____0.snd, (size_t)1568U * sizeof(uint8_t)); - uint8_t secret_key_serialized[3168U]; - serialize_kem_secret_key_60( + uint8_t ind_cpa_private_key[1536U] = {0U}; + uint8_t public_key[1568U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d scratch = ZERO_d6_df(); + generate_keypair_900( + ind_cpa_keypair_randomness, + Eurydice_array_to_slice((size_t)1536U, ind_cpa_private_key, uint8_t), + Eurydice_array_to_slice((size_t)1568U, public_key, uint8_t), &scratch); + uint8_t secret_key_serialized[3168U] = {0U}; + serialize_kem_secret_key_mut_a7( Eurydice_array_to_slice((size_t)1536U, ind_cpa_private_key, uint8_t), Eurydice_array_to_slice((size_t)1568U, public_key, uint8_t), implicit_rejection_value, secret_key_serialized); @@ -3614,12 +3718,12 @@ libcrux_ml_kem_ind_cca_generate_keypair_150(uint8_t *randomness) { (size_t)3168U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey_83 private_key = libcrux_ml_kem_types_from_77_39(copy_of_secret_key_serialized); - libcrux_ml_kem_types_MlKemPrivateKey_83 uu____2 = private_key; + libcrux_ml_kem_types_MlKemPrivateKey_83 uu____1 = private_key; /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_public_key[1568U]; memcpy(copy_of_public_key, public_key, (size_t)1568U * sizeof(uint8_t)); return libcrux_ml_kem_types_from_17_94( - uu____2, libcrux_ml_kem_types_from_fd_af(copy_of_public_key)); + uu____1, libcrux_ml_kem_types_from_fd_af(copy_of_public_key)); } /** 
@@ -3628,83 +3732,93 @@ libcrux_ml_kem::variant::MlKem} */ /** A monomorphic instance of libcrux_ml_kem.variant.entropy_preprocess_39 -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 4 */ -static KRML_MUSTINLINE void entropy_preprocess_39_03(Eurydice_slice randomness, - uint8_t ret[32U]) { - uint8_t out[32U] = {0U}; - Eurydice_slice_copy(Eurydice_array_to_slice((size_t)32U, out, uint8_t), - randomness, uint8_t); - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); +static KRML_MUSTINLINE void entropy_preprocess_39_56(Eurydice_slice randomness, + Eurydice_slice out) { + Eurydice_slice_copy(out, randomness, uint8_t); +} + +/** +This function found in impl {core::ops::function::FnMut<(usize), +libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@3]> for libcrux_ml_kem::ind_cca::encapsulate::closure[TraitClause@0, +TraitClause@1, TraitClause@2, TraitClause@3, TraitClause@4, TraitClause@5]} +*/ +/** +A monomorphic instance of libcrux_ml_kem.ind_cca.encapsulate.call_mut_c0 +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, +libcrux_ml_kem_hash_functions_portable_PortableHash, +libcrux_ml_kem_variant_MlKem with const generics +- K= 4 +- K_SQUARED= 16 +- CIPHERTEXT_SIZE= 1568 +- PUBLIC_KEY_SIZE= 1568 +- T_AS_NTT_ENCODED_SIZE= 1536 +- C1_SIZE= 1408 +- C2_SIZE= 160 +- VECTOR_U_COMPRESSION_FACTOR= 11 +- VECTOR_V_COMPRESSION_FACTOR= 5 +- C1_BLOCK_SIZE= 352 +- ETA1= 2 +- ETA1_RANDOMNESS_SIZE= 128 +- ETA2= 2 +- ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 512 +- PRF_OUTPUT_SIZE2= 512 +*/ +static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_c0_d90( + void **_) { + return ZERO_d6_df(); } /** A monomorphic instance of libcrux_ml_kem.ind_cpa.build_unpacked_public_key_mut with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]] with 
const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 4 +- K_SQUARED= 16 - T_AS_NTT_ENCODED_SIZE= 1536 */ -static KRML_MUSTINLINE void build_unpacked_public_key_mut_3f( +static KRML_MUSTINLINE void build_unpacked_public_key_mut_e2( Eurydice_slice public_key, - IndCpaPublicKeyUnpacked_af *unpacked_public_key) { + IndCpaPublicKeyUnpacked_84 *unpacked_public_key) { Eurydice_slice uu____0 = Eurydice_slice_subslice_to( public_key, (size_t)1536U, uint8_t, size_t, uint8_t[]); - deserialize_ring_elements_reduced_d0(uu____0, unpacked_public_key->t_as_ntt); + deserialize_ring_elements_reduced_d0( + uu____0, Eurydice_array_to_slice( + (size_t)4U, unpacked_public_key->t_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); Eurydice_slice seed = Eurydice_slice_subslice_from( public_key, (size_t)1536U, uint8_t, size_t, uint8_t[]); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d(*uu____1)[4U] = - unpacked_public_key->A; + Eurydice_slice uu____1 = Eurydice_array_to_slice( + (size_t)16U, unpacked_public_key->A, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d); uint8_t ret[34U]; libcrux_ml_kem_utils_into_padded_array_b6(seed, ret); - sample_matrix_A_2b(uu____1, ret, false); -} - -/** -A monomorphic instance of libcrux_ml_kem.ind_cpa.build_unpacked_public_key -with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]] with const -generics -- K= 4 -- T_AS_NTT_ENCODED_SIZE= 1536 -*/ -static KRML_MUSTINLINE IndCpaPublicKeyUnpacked_af -build_unpacked_public_key_3f0(Eurydice_slice public_key) { - IndCpaPublicKeyUnpacked_af unpacked_public_key = default_8b_d0(); - build_unpacked_public_key_mut_3f(public_key, &unpacked_public_key); - return unpacked_public_key; + sample_matrix_A_57(uu____1, ret, false); } -/** -A monomorphic instance of K. 
-with types libcrux_ml_kem_polynomial_PolynomialRingElement -libcrux_ml_kem_vector_portable_vector_type_PortableVector[4size_t], -libcrux_ml_kem_polynomial_PolynomialRingElement -libcrux_ml_kem_vector_portable_vector_type_PortableVector - -*/ -typedef struct tuple_08_s { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d fst[4U]; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d snd; -} tuple_08; - /** This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, TraitClause@2]> for libcrux_ml_kem::ind_cpa::encrypt_c1::closure[TraitClause@0, TraitClause@1, TraitClause@2, -TraitClause@3]} +K, K_SQUARED, C1_LEN, U_COMPRESSION_FACTOR, BLOCK_LEN, ETA1, +ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, PRF_OUTPUT_SIZE1, +PRF_OUTPUT_SIZE2>[TraitClause@0, TraitClause@1, TraitClause@2, TraitClause@3]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1.call_mut_f1 +A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1.call_mut_77 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 4 +- K_SQUARED= 16 - C1_LEN= 1408 - U_COMPRESSION_FACTOR= 11 - BLOCK_LEN= 352 
@@ -3712,37 +3826,12 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 512 +- PRF_OUTPUT_SIZE2= 512 */ -static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_f1_85( +static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_77_fc( void **_) { - return ZERO_d6_ea(); -} - -/** -This function found in impl {core::ops::function::FnMut<(usize), -libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@2]> for libcrux_ml_kem::ind_cpa::encrypt_c1::closure#1[TraitClause@0, TraitClause@1, TraitClause@2, -TraitClause@3]} -*/ -/** -A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1.call_mut_dd -with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]] with const -generics -- K= 4 -- C1_LEN= 1408 -- U_COMPRESSION_FACTOR= 11 -- BLOCK_LEN= 352 -- ETA1= 2 -- ETA1_RANDOMNESS_SIZE= 128 -- ETA2= 2 -- ETA2_RANDOMNESS_SIZE= 128 -*/ -static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_dd_85( - void **_) { - return ZERO_d6_ea(); + return ZERO_d6_df(); } /** 
@@ -3751,29 +3840,41 @@ static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_dd_85( /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_ring_element_cbd with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 4 - ETA2_RANDOMNESS_SIZE= 128 - ETA2= 2 +- PRF_OUTPUT_SIZE= 512 */ -static KRML_MUSTINLINE uint8_t sample_ring_element_cbd_3b( - uint8_t *prf_input, uint8_t domain_separator, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_1) { +static KRML_MUSTINLINE uint8_t +sample_ring_element_cbd_40(uint8_t *prf_input, uint8_t domain_separator, + Eurydice_slice error_1, int16_t *sample_buffer) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[4U][33U]; - KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - core_array__core__clone__Clone_for__Array_T__N___clone( - (size_t)33U, prf_input, prf_inputs[i], uint8_t, void *);); + KRML_MAYBE_FOR4( + i, (size_t)0U, (size_t)4U, (size_t)1U, + memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));); domain_separator = libcrux_ml_kem_utils_prf_input_inc_ac(prf_inputs, domain_separator); - uint8_t prf_outputs[4U][128U]; - PRFxN_4a_44(prf_inputs, prf_outputs); + uint8_t prf_outputs[512U] = {0U}; + Eurydice_slice uu____1 = core_array___Array_T__N___as_slice( + (size_t)4U, prf_inputs, uint8_t[33U], Eurydice_slice); + libcrux_ml_kem_hash_functions_portable_PRFxN_6e( + uu____1, Eurydice_array_to_slice((size_t)512U, prf_outputs, uint8_t), + (size_t)128U); KRML_MAYBE_FOR4( i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = - sample_from_binomial_distribution_a0( - Eurydice_array_to_slice((size_t)128U, 
prf_outputs[i0], uint8_t)); - error_1[i0] = uu____0;); + Eurydice_slice randomness = Eurydice_array_to_subslice3( + prf_outputs, i0 * (size_t)128U, (i0 + (size_t)1U) * (size_t)128U, + uint8_t *); + sample_from_binomial_distribution_a0(randomness, sample_buffer); + from_i16_array_d6_df( + Eurydice_array_to_slice((size_t)256U, sample_buffer, int16_t), + &Eurydice_slice_index( + error_1, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *));); return domain_separator; } 
@@ -3782,42 +3883,50 @@ A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRF with const generics - LEN= 128 */ -static inline void PRF_a6(Eurydice_slice input, uint8_t ret[128U]) { - uint8_t digest[128U] = {0U}; - libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)128U, digest, uint8_t), input); - memcpy(ret, digest, (size_t)128U * sizeof(uint8_t)); +static inline void PRF_a6(Eurydice_slice input, Eurydice_slice out) { + libcrux_sha3_portable_shake256(out, input); } /** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} */ /** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRF_4a +A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRF_6e with const generics -- K= 4 - LEN= 128 */ -static inline void PRF_4a_440(Eurydice_slice input, uint8_t ret[128U]) { - PRF_a6(input, ret); +static inline void PRF_6e_a6(Eurydice_slice input, Eurydice_slice out) { + PRF_a6(input, out); } /** This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]> for libcrux_ml_kem::matrix::compute_vector_u::closure[TraitClause@0, TraitClause@1]} +TraitClause@2]> for libcrux_ml_kem::ind_cpa::encrypt_c1::closure#1[TraitClause@0, TraitClause@1, TraitClause@2, TraitClause@3]} */ /** -A monomorphic instance of libcrux_ml_kem.matrix.compute_vector_u.call_mut_a8 -with types libcrux_ml_kem_vector_portable_vector_type_PortableVector -with const generics +A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1.call_mut_88 +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 4 +- K_SQUARED= 16 +- C1_LEN= 1408 +- U_COMPRESSION_FACTOR= 11 +- BLOCK_LEN= 352 +- 
ETA1= 2 +- ETA1_RANDOMNESS_SIZE= 128 +- ETA2= 2 +- ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 512 +- PRF_OUTPUT_SIZE2= 512 */ -static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_a8_d0( +static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_88_fc( void **_) { - return ZERO_d6_ea(); + return ZERO_d6_df(); } /** @@ -3826,16 +3935,15 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void invert_ntt_at_layer_1_ea( +static KRML_MUSTINLINE void invert_ntt_at_layer_1_df( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { KRML_MAYBE_FOR16( i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; zeta_i[0U] = zeta_i[0U] - (size_t)1U; - re->coefficients[round] = - libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_b8( - re->coefficients[round], zeta(zeta_i[0U]), - zeta(zeta_i[0U] - (size_t)1U), zeta(zeta_i[0U] - (size_t)2U), - zeta(zeta_i[0U] - (size_t)3U)); + libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_b8( + &re->coefficients[round], zeta(zeta_i[0U]), + zeta(zeta_i[0U] - (size_t)1U), zeta(zeta_i[0U] - (size_t)2U), + zeta(zeta_i[0U] - (size_t)3U)); zeta_i[0U] = zeta_i[0U] - (size_t)3U;); } @@ -3845,14 +3953,13 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void invert_ntt_at_layer_2_ea( +static KRML_MUSTINLINE void invert_ntt_at_layer_2_df( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { KRML_MAYBE_FOR16(i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; zeta_i[0U] = zeta_i[0U] - (size_t)1U; - re->coefficients[round] = - libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_b8( - re->coefficients[round], zeta(zeta_i[0U]), - zeta(zeta_i[0U] - (size_t)1U)); + libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_b8( + &re->coefficients[round], zeta(zeta_i[0U]), + zeta(zeta_i[0U] - (size_t)1U)); zeta_i[0U] = zeta_i[0U] - (size_t)1U;); } 
@@ -3862,15 +3969,12 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void invert_ntt_at_layer_3_ea( +static KRML_MUSTINLINE void invert_ntt_at_layer_3_df( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { - KRML_MAYBE_FOR16( - i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; - zeta_i[0U] = zeta_i[0U] - (size_t)1U; - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_b8( - re->coefficients[round], zeta(zeta_i[0U])); - re->coefficients[round] = uu____0;); + KRML_MAYBE_FOR16(i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; + zeta_i[0U] = zeta_i[0U] - (size_t)1U; + libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_b8( + &re->coefficients[round], zeta(zeta_i[0U]));); } /** 
@@ -3879,21 +3983,19 @@ libcrux_ml_kem.invert_ntt.inv_ntt_layer_int_vec_step_reduce with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE - libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2 - inv_ntt_layer_int_vec_step_reduce_ea( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - libcrux_ml_kem_vector_portable_vector_type_PortableVector b, - int16_t zeta_r) { - libcrux_ml_kem_vector_portable_vector_type_PortableVector a_minus_b = - libcrux_ml_kem_vector_portable_sub_b8(b, &a); - a = libcrux_ml_kem_vector_portable_barrett_reduce_b8( - libcrux_ml_kem_vector_portable_add_b8(a, &b)); - b = libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( - a_minus_b, zeta_r); - return (KRML_CLITERAL( - libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2){.fst = a, - .snd = b}); +static KRML_MUSTINLINE void inv_ntt_layer_int_vec_step_reduce_df( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *coefficients, + size_t a, size_t b, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch, + int16_t zeta_r) { + scratch->coefficients[0U] = coefficients[a]; + scratch->coefficients[1U] = coefficients[b]; + libcrux_ml_kem_vector_portable_add_b8(&coefficients[a], + &scratch->coefficients[1U]); + libcrux_ml_kem_vector_portable_sub_b8(&coefficients[b], + scratch->coefficients); + libcrux_ml_kem_vector_portable_barrett_reduce_b8(&coefficients[a]); + montgomery_multiply_fe_df(&coefficients[b], zeta_r); } /** 
@@ -3902,28 +4004,22 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void invert_ntt_at_layer_4_plus_ea( +static KRML_MUSTINLINE void invert_ntt_at_layer_4_plus_df( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, - size_t layer) { + size_t layer, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { size_t step = (size_t)1U << (uint32_t)layer; + size_t step_vec = + step / LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; for (size_t i0 = (size_t)0U; i0 < (size_t)128U >> (uint32_t)layer; i0++) { size_t round = i0; zeta_i[0U] = zeta_i[0U] - (size_t)1U; - size_t offset = round * step * (size_t)2U; - size_t offset_vec = - offset / LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; - size_t step_vec = - step / LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; - for (size_t i = offset_vec; i < offset_vec + step_vec; i++) { + size_t a_offset = round * (size_t)2U * step_vec; + size_t b_offset = a_offset + step_vec; + for (size_t i = (size_t)0U; i < step_vec; i++) { size_t j = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2 uu____0 = - inv_ntt_layer_int_vec_step_reduce_ea(re->coefficients[j], - re->coefficients[j + step_vec], - zeta(zeta_i[0U])); - libcrux_ml_kem_vector_portable_vector_type_PortableVector x = uu____0.fst; - libcrux_ml_kem_vector_portable_vector_type_PortableVector y = uu____0.snd; - re->coefficients[j] = x; - re->coefficients[j + step_vec] = y; + inv_ntt_layer_int_vec_step_reduce_df(re->coefficients, a_offset + j, + b_offset + j, scratch, + zeta(zeta_i[0U])); } } } 
@@ -3935,17 +4031,18 @@ with const generics - K= 4 */ static KRML_MUSTINLINE void invert_ntt_montgomery_d0( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { size_t zeta_i = LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)2U; - invert_ntt_at_layer_1_ea(&zeta_i, re); - invert_ntt_at_layer_2_ea(&zeta_i, re); - invert_ntt_at_layer_3_ea(&zeta_i, re); - invert_ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)4U); - invert_ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)5U); - invert_ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)6U); - invert_ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)7U); - poly_barrett_reduce_d6_ea(re); + invert_ntt_at_layer_1_df(&zeta_i, re); + invert_ntt_at_layer_2_df(&zeta_i, re); + invert_ntt_at_layer_3_df(&zeta_i, re); + invert_ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)4U, scratch); + invert_ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)5U, scratch); + invert_ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)6U, scratch); + invert_ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)7U, scratch); + poly_barrett_reduce_d6_df(re); } /** 
@@ -3954,21 +4051,16 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void add_error_reduce_ea( +static KRML_MUSTINLINE void add_error_reduce_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) { for (size_t i = (size_t)0U; i < VECTORS_IN_RING_ELEMENT; i++) { size_t j = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector - coefficient_normal_form = - libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( - myself->coefficients[j], (int16_t)1441); - libcrux_ml_kem_vector_portable_vector_type_PortableVector sum = - libcrux_ml_kem_vector_portable_add_b8(coefficient_normal_form, - &error->coefficients[j]); - libcrux_ml_kem_vector_portable_vector_type_PortableVector red = - libcrux_ml_kem_vector_portable_barrett_reduce_b8(sum); - myself->coefficients[j] = red; + libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( + &myself->coefficients[j], (int16_t)1441); + libcrux_ml_kem_vector_portable_add_b8(&myself->coefficients[j], + &error->coefficients[j]); + libcrux_ml_kem_vector_portable_barrett_reduce_b8(&myself->coefficients[j]); } } @@ -3983,10 +4075,10 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void add_error_reduce_d6_ea( +static KRML_MUSTINLINE void add_error_reduce_d6_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) { - add_error_reduce_ea(self, error); + add_error_reduce_df(self, error); } /** 
@@ -3999,43 +4091,39 @@ with const generics - K= 4 */ static KRML_MUSTINLINE void compute_vector_u_d0( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d (*a_as_ntt)[4U], - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *r_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_1, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[4U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result[4U]; - KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - result[i] = call_mut_a8_d0(&lvalue);); - for (size_t i0 = (size_t)0U; - i0 < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)4U, a_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d[4U]), - libcrux_ml_kem_polynomial_PolynomialRingElement_1d[4U]); - i0++) { - size_t i1 = i0; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *row = a_as_ntt[i1]; - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)4U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d), - libcrux_ml_kem_polynomial_PolynomialRingElement_1d); - i++) { - size_t j = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *a_element = &row[j]; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - ntt_multiply_d6_ea(a_element, &r_as_ntt[j]); - add_to_ring_element_d6_d0(&result[i1], &product); - } - invert_ntt_montgomery_d0(&result[i1]); - add_error_reduce_d6_ea(&result[i1], &error_1[i1]); - } - memcpy( - ret, result, - (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); + Eurydice_slice a_as_ntt, Eurydice_slice r_as_ntt, Eurydice_slice error_1, + Eurydice_slice result, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { + KRML_MAYBE_FOR4( + i0, (size_t)0U, (size_t)4U, (size_t)1U, size_t i1 = i0; KRML_MAYBE_FOR4( + i, (size_t)0U, (size_t)4U, (size_t)1U, size_t j = i; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____0 = + 
entry_d0(a_as_ntt, i1, j); + ntt_multiply_d6_df( + uu____0, + &Eurydice_slice_index( + r_as_ntt, j, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *), + scratch); + add_to_ring_element_d6_d0( + &Eurydice_slice_index( + result, i1, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *), + scratch);); + invert_ntt_montgomery_d0( + &Eurydice_slice_index( + result, i1, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *), + scratch); + add_error_reduce_d6_df( + &Eurydice_slice_index( + result, i1, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *), + &Eurydice_slice_index( + error_1, i1, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *));); } /** @@ -4043,18 +4131,17 @@ A monomorphic instance of libcrux_ml_kem.vector.portable.compress.compress with const generics - COEFFICIENT_BITS= 10 */ -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -compress_ef(libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { +static KRML_MUSTINLINE void compress_ef( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int16_t uu____0 = libcrux_secrets_int_as_i16_f5( libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient( (uint8_t)(int32_t)10, - libcrux_secrets_int_as_u16_f5(a.elements[i0]))); - a.elements[i0] = uu____0; + libcrux_secrets_int_as_u16_f5(a->elements[i0]))); + a->elements[i0] = uu____0; } - return a; } /** 
@@ -4066,9 +4153,9 @@ A monomorphic instance of libcrux_ml_kem.vector.portable.compress_b8 with const generics - COEFFICIENT_BITS= 10 */ -static libcrux_ml_kem_vector_portable_vector_type_PortableVector compress_b8_ef( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return compress_ef(a); +static void compress_b8_ef( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { + compress_ef(a); } /** @@ -4076,18 +4163,17 @@ A monomorphic instance of libcrux_ml_kem.vector.portable.compress.compress with const generics - COEFFICIENT_BITS= 11 */ -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -compress_c4(libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { +static KRML_MUSTINLINE void compress_c4( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int16_t uu____0 = libcrux_secrets_int_as_i16_f5( libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient( (uint8_t)(int32_t)11, - libcrux_secrets_int_as_u16_f5(a.elements[i0]))); - a.elements[i0] = uu____0; + libcrux_secrets_int_as_u16_f5(a->elements[i0]))); + a->elements[i0] = uu____0; } - return a; } /** @@ -4099,9 +4185,9 @@ A monomorphic instance of libcrux_ml_kem.vector.portable.compress_b8 with const generics - COEFFICIENT_BITS= 11 */ -static libcrux_ml_kem_vector_portable_vector_type_PortableVector compress_b8_c4( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return compress_c4(a); +static void compress_b8_c4( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { + compress_c4(a); } /** 
@@ -4111,22 +4197,21 @@ with const generics - OUT_LEN= 352 */ static KRML_MUSTINLINE void compress_then_serialize_11_54( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, uint8_t ret[352U]) { - uint8_t serialized[352U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, + Eurydice_slice serialized, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { for (size_t i = (size_t)0U; i < VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - compress_b8_c4( - libcrux_ml_kem_vector_portable_to_unsigned_representative_b8( - re->coefficients[i0])); - uint8_t bytes[22U]; - libcrux_ml_kem_vector_portable_serialize_11_b8(coefficient, bytes); - Eurydice_slice_copy( - Eurydice_array_to_subslice3(serialized, (size_t)22U * i0, - (size_t)22U * i0 + (size_t)22U, uint8_t *), - Eurydice_array_to_slice((size_t)22U, bytes, uint8_t), uint8_t); + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable_to_unsigned_representative_b8( + re->coefficients[i0]); + scratch[0U] = uu____0; + compress_b8_c4(scratch); + libcrux_ml_kem_vector_portable_serialize_11_b8( + scratch, + Eurydice_slice_subslice3(serialized, (size_t)22U * i0, + (size_t)22U * i0 + (size_t)22U, uint8_t *)); } - memcpy(ret, serialized, (size_t)352U * sizeof(uint8_t)); } /** 
@@ -4137,10 +4222,10 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - OUT_LEN= 352 */ static KRML_MUSTINLINE void compress_then_serialize_ring_element_u_82( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, uint8_t ret[352U]) { - uint8_t uu____0[352U]; - compress_then_serialize_11_54(re, uu____0); - memcpy(ret, uu____0, (size_t)352U * sizeof(uint8_t)); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, + Eurydice_slice serialized, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { + compress_then_serialize_11_54(re, serialized, scratch); } /** @@ -4157,7 +4242,8 @@ with const generics */ static KRML_MUSTINLINE void compress_then_serialize_u_2f( libcrux_ml_kem_polynomial_PolynomialRingElement_1d input[4U], - Eurydice_slice out) { + Eurydice_slice out, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( 
@@ -4167,22 +4253,21 @@ static KRML_MUSTINLINE void compress_then_serialize_u_2f( i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = input[i0]; - Eurydice_slice uu____0 = Eurydice_slice_subslice3( - out, i0 * ((size_t)1408U / (size_t)4U), - (i0 + (size_t)1U) * ((size_t)1408U / (size_t)4U), uint8_t *); - uint8_t ret[352U]; - compress_then_serialize_ring_element_u_82(&re, ret); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)352U, ret, uint8_t), uint8_t); + compress_then_serialize_ring_element_u_82( + &re, + Eurydice_slice_subslice3( + out, i0 * ((size_t)1408U / (size_t)4U), + (i0 + (size_t)1U) * ((size_t)1408U / (size_t)4U), uint8_t *), + scratch); } } /** A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 4 +- K_SQUARED= 16 - C1_LEN= 1408 - U_COMPRESSION_FACTOR= 11 - BLOCK_LEN= 352 
@@ -4190,52 +4275,75 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 512 +- PRF_OUTPUT_SIZE2= 512 */ -static KRML_MUSTINLINE tuple_08 -encrypt_c1_85(Eurydice_slice randomness, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d (*matrix)[4U], - Eurydice_slice ciphertext) { +static KRML_MUSTINLINE void encrypt_c1_fc( + Eurydice_slice randomness, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *matrix, + Eurydice_slice ciphertext, Eurydice_slice r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_2, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { uint8_t prf_input[33U]; libcrux_ml_kem_utils_into_padded_array_c8(randomness, prf_input); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d r_as_ntt[4U]; - KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - r_as_ntt[i] = call_mut_f1_85(&lvalue);); - uint8_t domain_separator0 = - sample_vector_cbd_then_ntt_3b(r_as_ntt, prf_input, 0U); + uint8_t domain_separator0 = sample_vector_cbd_then_ntt_40( + r_as_ntt, prf_input, 0U, scratch->coefficients); libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_1[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, /* original Rust expression is not an lvalue in C */ void *lvalue = (void *)0U; - error_1[i] = call_mut_dd_85(&lvalue);); - uint8_t domain_separator = - sample_ring_element_cbd_3b(prf_input, domain_separator0, error_1); + error_1[i] = call_mut_77_fc(&lvalue);); + int16_t sampling_buffer[256U] = {0U}; + uint8_t domain_separator = sample_ring_element_cbd_40( + prf_input, domain_separator0, + Eurydice_array_to_slice( + (size_t)4U, error_1, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + sampling_buffer); prf_input[32U] = domain_separator; - uint8_t prf_output[128U]; - PRF_4a_440(Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t), - prf_output); - 
libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_2 = - sample_from_binomial_distribution_a0( - Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t)); + uint8_t prf_output[128U] = {0U}; + PRF_6e_a6(Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t), + Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t)); + sample_from_binomial_distribution_a0( + Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t), + sampling_buffer); + from_i16_array_d6_df( + Eurydice_array_to_slice((size_t)256U, sampling_buffer, int16_t), error_2); libcrux_ml_kem_polynomial_PolynomialRingElement_1d u[4U]; - compute_vector_u_d0(matrix, r_as_ntt, error_1, u); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0[4U]; - memcpy( - uu____0, u, - (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); - compress_then_serialize_u_2f(uu____0, ciphertext); + KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + u[i] = call_mut_88_fc(&lvalue);); + compute_vector_u_d0( + Eurydice_array_to_slice( + (size_t)16U, matrix, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + r_as_ntt, + Eurydice_array_to_slice( + (size_t)4U, error_1, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + Eurydice_array_to_slice( + (size_t)4U, u, libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + scratch); /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_kem_polynomial_PolynomialRingElement_1d copy_of_r_as_ntt[4U]; - memcpy( - copy_of_r_as_ntt, r_as_ntt, - (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); - tuple_08 lit; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d copy_of_u[4U]; memcpy( - lit.fst, copy_of_r_as_ntt, + copy_of_u, u, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); - lit.snd = error_2; - return lit; + compress_then_serialize_u_2f(copy_of_u, ciphertext, scratch->coefficients); +} + 
+/** +A monomorphic instance of libcrux_ml_kem.vector.traits.decompress_1 +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector +with const generics + +*/ +static KRML_MUSTINLINE void decompress_1_df( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec) { + libcrux_ml_kem_vector_portable_negate_b8(vec); + libcrux_ml_kem_vector_portable_bitwise_and_with_constant_b8(vec, + (int16_t)1665); } /** @@ -4244,22 +4352,16 @@ libcrux_ml_kem.serialize.deserialize_then_decompress_message with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -deserialize_then_decompress_message_ea(uint8_t *serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_d6_ea(); +static KRML_MUSTINLINE void deserialize_then_decompress_message_df( + uint8_t *serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { KRML_MAYBE_FOR16( i, (size_t)0U, (size_t)16U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector - coefficient_compressed = - libcrux_ml_kem_vector_portable_deserialize_1_b8( - Eurydice_array_to_subslice3(serialized, (size_t)2U * i0, - (size_t)2U * i0 + (size_t)2U, - uint8_t *)); - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_decompress_1_b8( - coefficient_compressed); - re.coefficients[i0] = uu____0;); - return re; + libcrux_ml_kem_vector_portable_deserialize_1_b8( + Eurydice_array_to_subslice3(serialized, (size_t)2U * i0, + (size_t)2U * i0 + (size_t)2U, uint8_t *), + &re->coefficients[i0]); + decompress_1_df(&re->coefficients[i0]);); } /** 
@@ -4268,27 +4370,20 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -add_message_error_reduce_ea( +static KRML_MUSTINLINE void add_message_error_reduce_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result) { + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *result, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { for (size_t i = (size_t)0U; i < VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector - coefficient_normal_form = - libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( - result.coefficients[i0], (int16_t)1441); - libcrux_ml_kem_vector_portable_vector_type_PortableVector sum1 = - libcrux_ml_kem_vector_portable_add_b8(myself->coefficients[i0], - &message->coefficients[i0]); - libcrux_ml_kem_vector_portable_vector_type_PortableVector sum2 = - libcrux_ml_kem_vector_portable_add_b8(coefficient_normal_form, &sum1); - libcrux_ml_kem_vector_portable_vector_type_PortableVector red = - libcrux_ml_kem_vector_portable_barrett_reduce_b8(sum2); - result.coefficients[i0] = red; + libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( + &result->coefficients[i0], (int16_t)1441); + scratch[0U] = myself->coefficients[i0]; + libcrux_ml_kem_vector_portable_add_b8(scratch, &message->coefficients[i0]); + libcrux_ml_kem_vector_portable_add_b8(&result->coefficients[i0], scratch); + libcrux_ml_kem_vector_portable_barrett_reduce_b8(&result->coefficients[i0]); } - return result; } /** 
@@ -4302,12 +4397,12 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -add_message_error_reduce_d6_ea( +static KRML_MUSTINLINE void add_message_error_reduce_d6_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result) { - return add_message_error_reduce_ea(self, message, result); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *result, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { + add_message_error_reduce_df(self, message, result, scratch); } /** 
@@ -4319,19 +4414,24 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 4 */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -compute_ring_element_v_d0( +static KRML_MUSTINLINE void compute_ring_element_v_d0( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *t_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *r_as_ntt, + Eurydice_slice r_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_2, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_d6_ea(); - KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - ntt_multiply_d6_ea(&t_as_ntt[i0], &r_as_ntt[i0]); - add_to_ring_element_d6_d0(&result, &product);); - invert_ntt_montgomery_d0(&result); - return add_message_error_reduce_d6_ea(error_2, message, result); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *result, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { + KRML_MAYBE_FOR4( + i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; ntt_multiply_d6_df( + &t_as_ntt[i0], + &Eurydice_slice_index( + r_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *), + scratch); + add_to_ring_element_d6_d0(result, scratch);); + invert_ntt_montgomery_d0(result, scratch); + add_message_error_reduce_d6_df(error_2, message, result, + scratch->coefficients); } /** 
@@ -4339,18 +4439,17 @@ A monomorphic instance of libcrux_ml_kem.vector.portable.compress.compress with const generics - COEFFICIENT_BITS= 4 */ -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -compress_d1(libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { +static KRML_MUSTINLINE void compress_d1( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int16_t uu____0 = libcrux_secrets_int_as_i16_f5( libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient( (uint8_t)(int32_t)4, - libcrux_secrets_int_as_u16_f5(a.elements[i0]))); - a.elements[i0] = uu____0; + libcrux_secrets_int_as_u16_f5(a->elements[i0]))); + a->elements[i0] = uu____0; } - return a; } /** @@ -4362,9 +4461,9 @@ A monomorphic instance of libcrux_ml_kem.vector.portable.compress_b8 with const generics - COEFFICIENT_BITS= 4 */ -static libcrux_ml_kem_vector_portable_vector_type_PortableVector compress_b8_d1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return compress_d1(a); +static void compress_b8_d1( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { + compress_d1(a); } /** 
@@ -4373,19 +4472,18 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void compress_then_serialize_4_ea( +static KRML_MUSTINLINE void compress_then_serialize_4_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d re, - Eurydice_slice serialized) { + Eurydice_slice serialized, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { for (size_t i = (size_t)0U; i < VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - compress_b8_d1(to_unsigned_field_modulus_ea(re.coefficients[i0])); - uint8_t bytes[8U]; - libcrux_ml_kem_vector_portable_serialize_4_b8(coefficient, bytes); - Eurydice_slice_copy( + to_unsigned_field_modulus_df(&re.coefficients[i0], scratch); + compress_b8_d1(scratch); + libcrux_ml_kem_vector_portable_serialize_4_b8( + scratch, Eurydice_slice_subslice3(serialized, (size_t)8U * i0, - (size_t)8U * i0 + (size_t)8U, uint8_t *), - Eurydice_array_to_slice((size_t)8U, bytes, uint8_t), uint8_t); + (size_t)8U * i0 + (size_t)8U, uint8_t *)); } } @@ -4394,18 +4492,17 @@ A monomorphic instance of libcrux_ml_kem.vector.portable.compress.compress with const generics - COEFFICIENT_BITS= 5 */ -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -compress_f4(libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { +static KRML_MUSTINLINE void compress_f4( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int16_t uu____0 = libcrux_secrets_int_as_i16_f5( libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient( (uint8_t)(int32_t)5, - libcrux_secrets_int_as_u16_f5(a.elements[i0]))); - a.elements[i0] = uu____0; + libcrux_secrets_int_as_u16_f5(a->elements[i0]))); + a->elements[i0] = uu____0; } - return a; } /** 
@@ -4417,9 +4514,9 @@ A monomorphic instance of libcrux_ml_kem.vector.portable.compress_b8 with const generics - COEFFICIENT_BITS= 5 */ -static libcrux_ml_kem_vector_portable_vector_type_PortableVector compress_b8_f4( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return compress_f4(a); +static void compress_b8_f4( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { + compress_f4(a); } /** @@ -4428,21 +4525,21 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void compress_then_serialize_5_ea( +static KRML_MUSTINLINE void compress_then_serialize_5_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d re, - Eurydice_slice serialized) { + Eurydice_slice serialized, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { for (size_t i = (size_t)0U; i < VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficients = - compress_b8_f4( - libcrux_ml_kem_vector_portable_to_unsigned_representative_b8( - re.coefficients[i0])); - uint8_t bytes[10U]; - libcrux_ml_kem_vector_portable_serialize_5_b8(coefficients, bytes); - Eurydice_slice_copy( + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable_to_unsigned_representative_b8( + re.coefficients[i0]); + scratch[0U] = uu____0; + compress_b8_f4(scratch); + libcrux_ml_kem_vector_portable_serialize_5_b8( + scratch, Eurydice_slice_subslice3(serialized, (size_t)10U * i0, - (size_t)10U * i0 + (size_t)10U, uint8_t *), - Eurydice_array_to_slice((size_t)10U, bytes, uint8_t), uint8_t); + (size_t)10U * i0 + (size_t)10U, uint8_t *)); } } 
@@ -4455,8 +4552,9 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - OUT_LEN= 160 */ static KRML_MUSTINLINE void compress_then_serialize_ring_element_v_00( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re, Eurydice_slice out) { - compress_then_serialize_5_ea(re, out); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d re, Eurydice_slice out, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { + compress_then_serialize_5_df(re, out, scratch); } /** @@ -4469,15 +4567,18 @@ with const generics */ static KRML_MUSTINLINE void encrypt_c2_00( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *t_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *r_as_ntt, + Eurydice_slice r_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_2, - uint8_t *message, Eurydice_slice ciphertext) { + uint8_t *message, Eurydice_slice ciphertext, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d message_as_ring_element = - deserialize_then_decompress_message_ea(message); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d v = - compute_ring_element_v_d0(t_as_ntt, r_as_ntt, error_2, - &message_as_ring_element); - compress_then_serialize_ring_element_v_00(v, ciphertext); + ZERO_d6_df(); + deserialize_then_decompress_message_df(message, &message_as_ring_element); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d v = ZERO_d6_df(); + compute_ring_element_v_d0(t_as_ntt, r_as_ntt, error_2, + &message_as_ring_element, &v, scratch); + compress_then_serialize_ring_element_v_00(v, ciphertext, + scratch->coefficients); } /** 
@@ -4524,9 +4625,9 @@ static KRML_MUSTINLINE void encrypt_c2_00( /** A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 4 +- K_SQUARED= 16 - CIPHERTEXT_SIZE= 1568 - T_AS_NTT_ENCODED_SIZE= 1536 - C1_LEN= 1408 
@@ -4538,38 +4639,31 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 512 +- PRF_OUTPUT_SIZE2= 512 */ -static KRML_MUSTINLINE void encrypt_unpacked_2a( - IndCpaPublicKeyUnpacked_af *public_key, uint8_t *message, - Eurydice_slice randomness, uint8_t ret[1568U]) { - uint8_t ciphertext[1568U] = {0U}; - tuple_08 uu____0 = - encrypt_c1_85(randomness, public_key->A, - Eurydice_array_to_subslice3(ciphertext, (size_t)0U, - (size_t)1408U, uint8_t *)); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d r_as_ntt[4U]; - memcpy( - r_as_ntt, uu____0.fst, - (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_2 = uu____0.snd; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____1 = - public_key->t_as_ntt; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____2 = r_as_ntt; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____3 = &error_2; - uint8_t *uu____4 = message; - encrypt_c2_00( - uu____1, uu____2, uu____3, uu____4, - Eurydice_array_to_subslice_from((size_t)1568U, ciphertext, (size_t)1408U, - uint8_t, size_t, uint8_t[])); - memcpy(ret, ciphertext, (size_t)1568U * sizeof(uint8_t)); +static KRML_MUSTINLINE void encrypt_unpacked_28( + IndCpaPublicKeyUnpacked_84 *public_key, uint8_t *message, + Eurydice_slice randomness, Eurydice_slice ciphertext, + Eurydice_slice r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_2, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { + encrypt_c1_fc(randomness, public_key->A, + Eurydice_slice_subslice3(ciphertext, (size_t)0U, (size_t)1408U, + uint8_t *), + r_as_ntt, error_2, scratch); + encrypt_c2_00(public_key->t_as_ntt, r_as_ntt, error_2, message, + Eurydice_slice_subslice_from(ciphertext, (size_t)1408U, uint8_t, + size_t, uint8_t[]), + scratch); } /** A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt with types 
libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 4 +- K_SQUARED= 16 - CIPHERTEXT_SIZE= 1568 - T_AS_NTT_ENCODED_SIZE= 1536 - C1_LEN= 1408 @@ -4581,16 +4675,18 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 512 +- PRF_OUTPUT_SIZE2= 512 */ -static KRML_MUSTINLINE void encrypt_2a0(Eurydice_slice public_key, - uint8_t *message, - Eurydice_slice randomness, - uint8_t ret[1568U]) { - IndCpaPublicKeyUnpacked_af unpacked_public_key = - build_unpacked_public_key_3f0(public_key); - uint8_t ret0[1568U]; - encrypt_unpacked_2a(&unpacked_public_key, message, randomness, ret0); - memcpy(ret, ret0, (size_t)1568U * sizeof(uint8_t)); +static KRML_MUSTINLINE void encrypt_280( + Eurydice_slice public_key, uint8_t *message, Eurydice_slice randomness, + Eurydice_slice ciphertext, Eurydice_slice r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_2, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { + IndCpaPublicKeyUnpacked_84 unpacked_public_key = default_50_ff(); + build_unpacked_public_key_mut_e2(public_key, &unpacked_public_key); + encrypt_unpacked_28(&unpacked_public_key, message, randomness, ciphertext, + r_as_ntt, error_2, scratch); } /** 
@@ -4599,25 +4695,23 @@ libcrux_ml_kem::variant::MlKem} */ /** A monomorphic instance of libcrux_ml_kem.variant.kdf_39 -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 4 - CIPHERTEXT_SIZE= 1568 */ -static KRML_MUSTINLINE void kdf_39_60(Eurydice_slice shared_secret, - uint8_t ret[32U]) { - uint8_t out[32U] = {0U}; - Eurydice_slice_copy(Eurydice_array_to_slice((size_t)32U, out, uint8_t), - shared_secret, uint8_t); - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); +static KRML_MUSTINLINE void kdf_39_a7(Eurydice_slice shared_secret, + Eurydice_slice out) { + Eurydice_slice_copy(out, shared_secret, uint8_t); } /** A monomorphic instance of libcrux_ml_kem.ind_cca.encapsulate with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 4 +- K_SQUARED= 16 - CIPHERTEXT_SIZE= 1568 - PUBLIC_KEY_SIZE= 1568 - T_AS_NTT_ENCODED_SIZE= 1536 
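Review bot: `kdf_39_a7` now copies `shared_secret` straight into the caller's `out` slice via `Eurydice_slice_copy(out, shared_secret, uint8_t)`, and unlike the removed version, whose copy was bounded by a local `uint8_t out[32U]`, nothing in the hunk ties the two lengths together; which operand's length `Eurydice_slice_copy` uses is not visible here. The caller in this diff passes a 32-byte array and the `Eurydice_slice_split_at(…, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, …)` prefix, so the lengths match today, but the contract should be stated above the function: `/* Precondition: out and shared_secret both have length LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE. */`.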
@@ -4630,46 +4724,64 @@ libcrux_ml_kem_variant_MlKem with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 512 +- PRF_OUTPUT_SIZE2= 512 */ -tuple_fa libcrux_ml_kem_ind_cca_encapsulate_ca0( +tuple_fa libcrux_ml_kem_ind_cca_encapsulate_d90( libcrux_ml_kem_types_MlKemPublicKey_64 *public_key, uint8_t *randomness) { - uint8_t randomness0[32U]; - entropy_preprocess_39_03( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), randomness0); + uint8_t processed_randomness[32U] = {0U}; + entropy_preprocess_39_56( + Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), + Eurydice_array_to_slice((size_t)32U, processed_randomness, uint8_t)); uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array_24( - Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t), to_hash); - Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( - (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, uint8_t[]); - uint8_t ret0[32U]; - H_4a_ac(Eurydice_array_to_slice( - (size_t)1568U, libcrux_ml_kem_types_as_slice_e6_af(public_key), - uint8_t), - ret0); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)32U, ret0, uint8_t), uint8_t); - uint8_t hashed[64U]; - G_4a_ac(Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), hashed); + Eurydice_array_to_slice((size_t)32U, processed_randomness, uint8_t), + to_hash); + Eurydice_slice uu____0 = Eurydice_array_to_slice( + (size_t)1568U, libcrux_ml_kem_types_as_slice_e6_af(public_key), uint8_t); + libcrux_ml_kem_hash_functions_portable_H_6e( + uu____0, Eurydice_array_to_subslice_from( + (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, + uint8_t, size_t, uint8_t[])); + uint8_t hashed[64U] = {0U}; + libcrux_ml_kem_hash_functions_portable_G_6e( + Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t)); Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( 
Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; - uint8_t ciphertext[1568U]; - encrypt_2a0(Eurydice_array_to_slice( + libcrux_ml_kem_types_MlKemCiphertext_64 ciphertext = + libcrux_ml_kem_types_default_73_af(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d r_as_ntt[4U]; + KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + r_as_ntt[i] = call_mut_c0_d90(&lvalue);); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_2 = ZERO_d6_df(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d scratch = ZERO_d6_df(); + encrypt_280(Eurydice_array_to_slice( (size_t)1568U, libcrux_ml_kem_types_as_slice_e6_af(public_key), uint8_t), - randomness0, pseudorandomness, ciphertext); + processed_randomness, pseudorandomness, + Eurydice_array_to_slice((size_t)1568U, ciphertext.value, uint8_t), + Eurydice_array_to_slice( + (size_t)4U, r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + &error_2, &scratch); + uint8_t shared_secret_array[32U] = {0U}; + kdf_39_a7(shared_secret, + Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t)); + libcrux_ml_kem_types_MlKemCiphertext_64 uu____2 = ciphertext; /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_ciphertext[1568U]; - memcpy(copy_of_ciphertext, ciphertext, (size_t)1568U * sizeof(uint8_t)); + uint8_t copy_of_shared_secret_array[32U]; + memcpy(copy_of_shared_secret_array, shared_secret_array, + (size_t)32U * sizeof(uint8_t)); tuple_fa lit; - lit.fst = libcrux_ml_kem_types_from_e0_af(copy_of_ciphertext); - uint8_t ret[32U]; - kdf_39_60(shared_secret, ret); - memcpy(lit.snd, ret, (size_t)32U * sizeof(uint8_t)); + lit.fst = uu____2; + memcpy(lit.snd, copy_of_shared_secret_array, (size_t)32U * sizeof(uint8_t)); 
return lit; } @@ -4692,7 +4804,7 @@ with const generics */ static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_0b_7d( void **_) { - return ZERO_d6_ea(); + return ZERO_d6_df(); } /** @@ -4701,20 +4813,18 @@ libcrux_ml_kem.serialize.deserialize_to_uncompressed_ring_element with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -deserialize_to_uncompressed_ring_element_ea(Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_d6_ea(); +static KRML_MUSTINLINE void deserialize_to_uncompressed_ring_element_df( + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice3(serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t *); - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_deserialize_12_b8(bytes); - re.coefficients[i0] = uu____0; + libcrux_ml_kem_vector_portable_deserialize_12_b8(bytes, + &re->coefficients[i0]); } - return re; } /** 
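Review bot: The secret intermediates this refactor now places in `libcrux_ml_kem_ind_cca_encapsulate_d90`'s own frame — `r_as_ntt`, `error_2`, `scratch`, alongside `processed_randomness`, `to_hash`, `hashed` and `shared_secret_array` — are still live at `return lit;` and nothing in the hunk clears them; the removed version did not clear its `randomness0`, `hashed` or `ret` either, so this is a carried-over gap rather than a regression, but the refactor widens the set of buffers involved. If the Rust source is expected to zeroize ephemeral values, that is not reflected in the emitted C here; otherwise a comment at the declarations such as `/* NOTE: ephemeral secrets (r_as_ntt, error_2, scratch, processed_randomness) are not cleared before return. */` would make the behaviour explicit for consumers of the generated code. The same observation applies to `secret_key_unpacked` in `decrypt_7d` and to `message`/`scratch` in `decrypt_unpacked_7d` later in this diff. Separately, `uu____2 = ciphertext;` followed by `lit.fst = uu____2;` copies the ciphertext struct twice where the old code used a single `memcpy`; harmless for public data, but it looks like an artefact of the generator's return handling worth a look.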
@@ -4727,37 +4837,41 @@ with const generics - K= 4 */ static KRML_MUSTINLINE void deserialize_vector_d0( - Eurydice_slice secret_key, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *secret_as_ntt) { + Eurydice_slice secret_key, Eurydice_slice secret_as_ntt) { KRML_MAYBE_FOR4( i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = - deserialize_to_uncompressed_ring_element_ea(Eurydice_slice_subslice3( + deserialize_to_uncompressed_ring_element_df( + Eurydice_slice_subslice3( secret_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t *)); - secret_as_ntt[i0] = uu____0;); + uint8_t *), + &Eurydice_slice_index( + secret_as_ntt, i0, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *));); } /** This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]> for -libcrux_ml_kem::ind_cpa::deserialize_then_decompress_u::closure[TraitClause@0, TraitClause@1]} +TraitClause@1]> for libcrux_ml_kem::ind_cpa::decrypt_unpacked::closure[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of -libcrux_ml_kem.ind_cpa.deserialize_then_decompress_u.call_mut_35 with types -libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics +A monomorphic instance of libcrux_ml_kem.ind_cpa.decrypt_unpacked.call_mut_68 +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector +with const generics - K= 4 - CIPHERTEXT_SIZE= 1568 +- VECTOR_U_ENCODED_SIZE= 1408 - U_COMPRESSION_FACTOR= 11 +- V_COMPRESSION_FACTOR= 5 */ -static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_35_00( +static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_68_7d( void **_) { - return ZERO_d6_ea(); + return ZERO_d6_df(); } /** 
@@ -4766,22 +4880,20 @@ libcrux_ml_kem.vector.portable.compress.decompress_ciphertext_coefficient with const generics - COEFFICIENT_BITS= 10 */ -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -decompress_ciphertext_coefficient_ef( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { +static KRML_MUSTINLINE void decompress_ciphertext_coefficient_ef( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int32_t decompressed = - libcrux_secrets_int_as_i32_f5(a.elements[i0]) * + libcrux_secrets_int_as_i32_f5(a->elements[i0]) * libcrux_secrets_int_as_i32_f5( libcrux_secrets_int_public_integers_classify_27_39( LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS)); decompressed = (decompressed << 1U) + ((int32_t)1 << (uint32_t)(int32_t)10); decompressed = decompressed >> (uint32_t)((int32_t)10 + (int32_t)1); - a.elements[i0] = libcrux_secrets_int_as_i16_36(decompressed); + a->elements[i0] = libcrux_secrets_int_as_i16_36(decompressed); } - return a; } /** @@ -4794,10 +4906,9 @@ libcrux_ml_kem.vector.portable.decompress_ciphertext_coefficient_b8 with const generics - COEFFICIENT_BITS= 10 */ -static libcrux_ml_kem_vector_portable_vector_type_PortableVector -decompress_ciphertext_coefficient_b8_ef( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return decompress_ciphertext_coefficient_ef(a); +static void decompress_ciphertext_coefficient_b8_ef( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { + decompress_ciphertext_coefficient_ef(a); } /** 
@@ -4806,22 +4917,19 @@ libcrux_ml_kem.serialize.deserialize_then_decompress_10 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -deserialize_then_decompress_10_ea(Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_d6_ea(); +static KRML_MUSTINLINE void deserialize_then_decompress_10_df( + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)20U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice3(serialized, i0 * (size_t)20U, i0 * (size_t)20U + (size_t)20U, uint8_t *); - libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - libcrux_ml_kem_vector_portable_deserialize_10_b8(bytes); - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - decompress_ciphertext_coefficient_b8_ef(coefficient); - re.coefficients[i0] = uu____0; + libcrux_ml_kem_vector_portable_deserialize_10_b8(bytes, + &re->coefficients[i0]); + decompress_ciphertext_coefficient_b8_ef(&re->coefficients[i0]); } - return re; } /** 
@@ -4830,22 +4938,20 @@ libcrux_ml_kem.vector.portable.compress.decompress_ciphertext_coefficient with const generics - COEFFICIENT_BITS= 11 */ -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -decompress_ciphertext_coefficient_c4( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { +static KRML_MUSTINLINE void decompress_ciphertext_coefficient_c4( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int32_t decompressed = - libcrux_secrets_int_as_i32_f5(a.elements[i0]) * + libcrux_secrets_int_as_i32_f5(a->elements[i0]) * libcrux_secrets_int_as_i32_f5( libcrux_secrets_int_public_integers_classify_27_39( LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS)); decompressed = (decompressed << 1U) + ((int32_t)1 << (uint32_t)(int32_t)11); decompressed = decompressed >> (uint32_t)((int32_t)11 + (int32_t)1); - a.elements[i0] = libcrux_secrets_int_as_i16_36(decompressed); + a->elements[i0] = libcrux_secrets_int_as_i16_36(decompressed); } - return a; } /** @@ -4858,10 +4964,9 @@ libcrux_ml_kem.vector.portable.decompress_ciphertext_coefficient_b8 with const generics - COEFFICIENT_BITS= 11 */ -static libcrux_ml_kem_vector_portable_vector_type_PortableVector -decompress_ciphertext_coefficient_b8_c4( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return decompress_ciphertext_coefficient_c4(a); +static void decompress_ciphertext_coefficient_b8_c4( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { + decompress_ciphertext_coefficient_c4(a); } /** 
@@ -4870,22 +4975,19 @@ libcrux_ml_kem.serialize.deserialize_then_decompress_11 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -deserialize_then_decompress_11_ea(Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_d6_ea(); +static KRML_MUSTINLINE void deserialize_then_decompress_11_df( + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)22U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice3(serialized, i0 * (size_t)22U, i0 * (size_t)22U + (size_t)22U, uint8_t *); - libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - libcrux_ml_kem_vector_portable_deserialize_11_b8(bytes); - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - decompress_ciphertext_coefficient_b8_c4(coefficient); - re.coefficients[i0] = uu____0; + libcrux_ml_kem_vector_portable_deserialize_11_b8(bytes, + &re->coefficients[i0]); + decompress_ciphertext_coefficient_b8_c4(&re->coefficients[i0]); } - return re; } /** @@ -4894,9 +4996,10 @@ libcrux_ml_kem.serialize.deserialize_then_decompress_ring_element_u with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - COMPRESSION_FACTOR= 11 */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -deserialize_then_decompress_ring_element_u_5e(Eurydice_slice serialized) { - return deserialize_then_decompress_11_ea(serialized); +static KRML_MUSTINLINE void deserialize_then_decompress_ring_element_u_5e( + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *output) { + deserialize_then_decompress_11_df(serialized, output); } /** 
@@ -4906,16 +5009,17 @@ with const generics - VECTOR_U_COMPRESSION_FACTOR= 11 */ static KRML_MUSTINLINE void ntt_vector_u_5e( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { size_t zeta_i = (size_t)0U; - ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)7U); - ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)6U); - ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)5U); - ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)4U); - ntt_at_layer_3_ea(&zeta_i, re); - ntt_at_layer_2_ea(&zeta_i, re); - ntt_at_layer_1_ea(&zeta_i, re); - poly_barrett_reduce_d6_ea(re); + ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)7U, scratch); + ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)6U, scratch); + ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)5U, scratch); + ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)4U, scratch); + ntt_at_layer_3_df(&zeta_i, re); + ntt_at_layer_2_df(&zeta_i, re); + ntt_at_layer_1_df(&zeta_i, re); + poly_barrett_reduce_d6_df(re); } /** @@ -4931,13 +5035,8 @@ with const generics - U_COMPRESSION_FACTOR= 11 */ static KRML_MUSTINLINE void deserialize_then_decompress_u_00( - uint8_t *ciphertext, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[4U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d u_as_ntt[4U]; - KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - u_as_ntt[i] = call_mut_35_00(&lvalue);); + uint8_t *ciphertext, Eurydice_slice u_as_ntt, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice((size_t)1568U, ciphertext, uint8_t), 
@@ -4955,12 +5054,17 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_00( LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)11U / (size_t)8U, uint8_t *); - u_as_ntt[i0] = deserialize_then_decompress_ring_element_u_5e(u_bytes); - ntt_vector_u_5e(&u_as_ntt[i0]); + deserialize_then_decompress_ring_element_u_5e( + u_bytes, + &Eurydice_slice_index( + u_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *)); + ntt_vector_u_5e( + &Eurydice_slice_index( + u_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *), + scratch); } - memcpy( - ret, u_as_ntt, - (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); } /** @@ -4969,22 +5073,20 @@ libcrux_ml_kem.vector.portable.compress.decompress_ciphertext_coefficient with const generics - COEFFICIENT_BITS= 4 */ -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -decompress_ciphertext_coefficient_d1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { +static KRML_MUSTINLINE void decompress_ciphertext_coefficient_d1( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int32_t decompressed = - libcrux_secrets_int_as_i32_f5(a.elements[i0]) * + libcrux_secrets_int_as_i32_f5(a->elements[i0]) * libcrux_secrets_int_as_i32_f5( libcrux_secrets_int_public_integers_classify_27_39( LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS)); decompressed = (decompressed << 1U) + ((int32_t)1 << (uint32_t)(int32_t)4); decompressed = decompressed >> (uint32_t)((int32_t)4 + (int32_t)1); - a.elements[i0] = libcrux_secrets_int_as_i16_36(decompressed); + a->elements[i0] = libcrux_secrets_int_as_i16_36(decompressed); } - return a; } /** 
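Review bot: The loop body in `deserialize_then_decompress_u_00` evaluates `Eurydice_slice_index(u_as_ntt, i0, …)` twice for the same element — once for `deserialize_then_decompress_ring_element_u_5e` and again for `ntt_vector_u_5e` — so any bounds check the macro performs runs twice per iteration and the body is harder to read than the single lookup in `deserialize_vector_d0`. Binding the element once (in the Rust source something like a single `&mut u_as_ntt[i]` borrow) would have the emitted C read `libcrux_ml_kem_polynomial_PolynomialRingElement_1d *u_i = &Eurydice_slice_index(u_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *);` followed by `deserialize_then_decompress_ring_element_u_5e(u_bytes, u_i);` and `ntt_vector_u_5e(u_i, scratch);`. The function signature and the loop header lie in the preceding hunk, outside this one.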
@@ -4997,10 +5099,9 @@ libcrux_ml_kem.vector.portable.decompress_ciphertext_coefficient_b8 with const generics - COEFFICIENT_BITS= 4 */ -static libcrux_ml_kem_vector_portable_vector_type_PortableVector -decompress_ciphertext_coefficient_b8_d1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return decompress_ciphertext_coefficient_d1(a); +static void decompress_ciphertext_coefficient_b8_d1( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { + decompress_ciphertext_coefficient_d1(a); } /** @@ -5009,21 +5110,18 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -deserialize_then_decompress_4_ea(Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_d6_ea(); +static KRML_MUSTINLINE void deserialize_then_decompress_4_df( + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)8U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice3( serialized, i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t *); - libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - libcrux_ml_kem_vector_portable_deserialize_4_b8(bytes); - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - decompress_ciphertext_coefficient_b8_d1(coefficient); - re.coefficients[i0] = uu____0; + libcrux_ml_kem_vector_portable_deserialize_4_b8(bytes, + &re->coefficients[i0]); + decompress_ciphertext_coefficient_b8_d1(&re->coefficients[i0]); } - return re; } /** 
@@ -5032,22 +5130,20 @@ libcrux_ml_kem.vector.portable.compress.decompress_ciphertext_coefficient with const generics - COEFFICIENT_BITS= 5 */ -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -decompress_ciphertext_coefficient_f4( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { +static KRML_MUSTINLINE void decompress_ciphertext_coefficient_f4( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int32_t decompressed = - libcrux_secrets_int_as_i32_f5(a.elements[i0]) * + libcrux_secrets_int_as_i32_f5(a->elements[i0]) * libcrux_secrets_int_as_i32_f5( libcrux_secrets_int_public_integers_classify_27_39( LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS)); decompressed = (decompressed << 1U) + ((int32_t)1 << (uint32_t)(int32_t)5); decompressed = decompressed >> (uint32_t)((int32_t)5 + (int32_t)1); - a.elements[i0] = libcrux_secrets_int_as_i16_36(decompressed); + a->elements[i0] = libcrux_secrets_int_as_i16_36(decompressed); } - return a; } /** @@ -5060,10 +5156,9 @@ libcrux_ml_kem.vector.portable.decompress_ciphertext_coefficient_b8 with const generics - COEFFICIENT_BITS= 5 */ -static libcrux_ml_kem_vector_portable_vector_type_PortableVector -decompress_ciphertext_coefficient_b8_f4( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return decompress_ciphertext_coefficient_f4(a); +static void decompress_ciphertext_coefficient_b8_f4( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { + decompress_ciphertext_coefficient_f4(a); } /** 
@@ -5072,22 +5167,19 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -deserialize_then_decompress_5_ea(Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = ZERO_d6_ea(); +static KRML_MUSTINLINE void deserialize_then_decompress_5_df( + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)10U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice3(serialized, i0 * (size_t)10U, i0 * (size_t)10U + (size_t)10U, uint8_t *); - re.coefficients[i0] = - libcrux_ml_kem_vector_portable_deserialize_5_b8(bytes); - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____1 = - decompress_ciphertext_coefficient_b8_f4(re.coefficients[i0]); - re.coefficients[i0] = uu____1; + libcrux_ml_kem_vector_portable_deserialize_5_b8(bytes, + &re->coefficients[i0]); + decompress_ciphertext_coefficient_b8_f4(&re->coefficients[i0]); } - return re; } /** @@ -5097,9 +5189,10 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 4 - COMPRESSION_FACTOR= 5 */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -deserialize_then_decompress_ring_element_v_ff(Eurydice_slice serialized) { - return deserialize_then_decompress_5_ea(serialized); +static KRML_MUSTINLINE void deserialize_then_decompress_ring_element_v_ff( + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *output) { + deserialize_then_decompress_5_df(serialized, output); } /** 
@@ -5108,23 +5201,18 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -subtract_reduce_ea(libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d b) { +static KRML_MUSTINLINE void subtract_reduce_df( + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *b) { for (size_t i = (size_t)0U; i < VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector - coefficient_normal_form = - libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( - b.coefficients[i0], (int16_t)1441); - libcrux_ml_kem_vector_portable_vector_type_PortableVector diff = - libcrux_ml_kem_vector_portable_sub_b8(myself->coefficients[i0], - &coefficient_normal_form); - libcrux_ml_kem_vector_portable_vector_type_PortableVector red = - libcrux_ml_kem_vector_portable_barrett_reduce_b8(diff); - b.coefficients[i0] = red; + libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( + &b->coefficients[i0], (int16_t)1441); + libcrux_ml_kem_vector_portable_sub_b8(&b->coefficients[i0], + &myself->coefficients[i0]); + libcrux_ml_kem_vector_portable_negate_b8(&b->coefficients[i0]); + libcrux_ml_kem_vector_portable_barrett_reduce_b8(&b->coefficients[i0]); } - return b; } /** 
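Review bot: The result of `subtract_reduce_df` now lands in `b`, which is mutated in place, and the sequence `montgomery_multiply_by_constant_b8(&b, 1441)`, `sub_b8(&b, &myself)`, `negate_b8(&b)`, `barrett_reduce_b8(&b)` only reads as `myself − b·1441` once one knows that `sub_b8` subtracts its second argument from its first — which the added `negate_b8` call implies but the hunk never states. A one-line comment above the loop would make both the aliasing and the operand order explicit, e.g. `/* In place: b := BarrettReduce(myself - ToNormalForm(b)); myself is read-only. */`, where `1441` is the Montgomery factor the removed `coefficient_normal_form` temporary named. The extra `negate_b8` pass per coefficient is the cost of computing the reversed difference with an in-place `sub`; a reverse-subtract in the vector trait would remove it, but that lives outside this file.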
@@ -5138,16 +5226,13 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -subtract_reduce_d6_ea(libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d b) { - return subtract_reduce_ea(self, b); +static KRML_MUSTINLINE void subtract_reduce_d6_df( + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *b) { + subtract_reduce_df(self, b); } /** - The following functions compute various expressions involving - vectors and matrices. The computation of these expressions has been - abstracted away into these functions in order to save on loop iterations. Compute v − InverseNTT(sᵀ ◦ NTT(u)) */ /** 
@@ -5156,18 +5241,18 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 4 */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -compute_message_d0( +static KRML_MUSTINLINE void compute_message_d0( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *v, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *secret_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *u_as_ntt) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_d6_ea(); - KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - ntt_multiply_d6_ea(&secret_as_ntt[i0], &u_as_ntt[i0]); - add_to_ring_element_d6_d0(&result, &product);); - invert_ntt_montgomery_d0(&result); - return subtract_reduce_d6_ea(v, result); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *u_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *result, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { + KRML_MAYBE_FOR4( + i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; + ntt_multiply_d6_df(&secret_as_ntt[i0], &u_as_ntt[i0], scratch); + add_to_ring_element_d6_d0(result, scratch);); + invert_ntt_montgomery_d0(result, scratch); + subtract_reduce_d6_df(v, result); } /** 
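Review bot: `compute_message_d0` accumulates the `ntt_multiply_d6_df` products into `result` through `add_to_ring_element_d6_d0(result, scratch)` without zeroing it first, so correctness depends on the caller handing in a zero-initialised ring element — `decrypt_unpacked_7d` does (`message = ZERO_d6_df()`), but neither the signature nor the "Compute v − InverseNTT(sᵀ ◦ NTT(u))" comment says so. Please extend the comment above the function with: `result must be zero-initialised on entry; it serves as the accumulator for sᵀ ◦ NTT(u) and holds the message on return. scratch is overwritten.` It is also worth noting there that after `subtract_reduce_d6_df(v, result)` the final value is in `result`, not in `v`, which the `v − …` wording does not make obvious.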
@@ -5176,23 +5261,17 @@ libcrux_ml_kem.serialize.compress_then_serialize_message with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void compress_then_serialize_message_ea( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re, uint8_t ret[32U]) { - uint8_t serialized[32U] = {0U}; - KRML_MAYBE_FOR16( - i, (size_t)0U, (size_t)16U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - to_unsigned_field_modulus_ea(re.coefficients[i0]); - libcrux_ml_kem_vector_portable_vector_type_PortableVector - coefficient_compressed = - libcrux_ml_kem_vector_portable_compress_1_b8(coefficient); - uint8_t bytes[2U]; libcrux_ml_kem_vector_portable_serialize_1_b8( - coefficient_compressed, bytes); - Eurydice_slice_copy( - Eurydice_array_to_subslice3(serialized, (size_t)2U * i0, - (size_t)2U * i0 + (size_t)2U, uint8_t *), - Eurydice_array_to_slice((size_t)2U, bytes, uint8_t), uint8_t);); - memcpy(ret, serialized, (size_t)32U * sizeof(uint8_t)); +static KRML_MUSTINLINE void compress_then_serialize_message_df( + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, + Eurydice_slice serialized, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { + KRML_MAYBE_FOR16(i, (size_t)0U, (size_t)16U, (size_t)1U, size_t i0 = i; + to_unsigned_field_modulus_df(&re->coefficients[i0], scratch); + libcrux_ml_kem_vector_portable_compress_1_b8(scratch); + libcrux_ml_kem_vector_portable_serialize_1_b8( + scratch, Eurydice_slice_subslice3( + serialized, (size_t)2U * i0, + (size_t)2U * i0 + (size_t)2U, uint8_t *));); } /** 
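Review bot: `compress_then_serialize_message_df` now writes sixteen 2-byte subslices `[2·i0, 2·i0+2)` into the caller-supplied `serialized` slice in place of the old locally zeroed `uint8_t serialized[32U]`, but the hunk carries no check or comment that the slice is at least 32 bytes, and whether `Eurydice_slice_subslice3` bounds-checks is not visible here. A comment stating the contract would capture what the old zero-initialisation guaranteed implicitly: `/* serialized must be exactly 32 bytes: the loop writes all 16 two-byte chunks, so no zero-fill is needed. re is read-only; scratch is overwritten. */`.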
@@ -5231,19 +5310,29 @@ with const generics */ static KRML_MUSTINLINE void decrypt_unpacked_7d( IndCpaPrivateKeyUnpacked_af *secret_key, uint8_t *ciphertext, - uint8_t ret[32U]) { + Eurydice_slice decrypted, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d u_as_ntt[4U]; - deserialize_then_decompress_u_00(ciphertext, u_as_ntt); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d v = - deserialize_then_decompress_ring_element_v_ff( - Eurydice_array_to_subslice_from((size_t)1568U, ciphertext, - (size_t)1408U, uint8_t, size_t, - uint8_t[])); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d message = - compute_message_d0(&v, secret_key->secret_as_ntt, u_as_ntt); - uint8_t ret0[32U]; - compress_then_serialize_message_ea(message, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + u_as_ntt[i] = call_mut_68_7d(&lvalue);); + deserialize_then_decompress_u_00( + ciphertext, + Eurydice_array_to_slice( + (size_t)4U, u_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + scratch->coefficients); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d v = ZERO_d6_df(); + deserialize_then_decompress_ring_element_v_ff( + Eurydice_array_to_subslice_from((size_t)1568U, ciphertext, (size_t)1408U, + uint8_t, size_t, uint8_t[]), + &v); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d message = ZERO_d6_df(); + compute_message_d0(&v, secret_key->secret_as_ntt, u_as_ntt, &message, + scratch); + compress_then_serialize_message_df(&message, decrypted, + scratch->coefficients); } /** 
@@ -5256,21 +5345,23 @@ with const generics - U_COMPRESSION_FACTOR= 11 - V_COMPRESSION_FACTOR= 5 */ -static KRML_MUSTINLINE void decrypt_7d(Eurydice_slice secret_key, - uint8_t *ciphertext, uint8_t ret[32U]) { +static KRML_MUSTINLINE void decrypt_7d( + Eurydice_slice secret_key, uint8_t *ciphertext, Eurydice_slice decrypted, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { IndCpaPrivateKeyUnpacked_af secret_key_unpacked; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret0[4U]; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, /* original Rust expression is not an lvalue in C */ void *lvalue = (void *)0U; - ret0[i] = call_mut_0b_7d(&lvalue);); + ret[i] = call_mut_0b_7d(&lvalue);); memcpy( - secret_key_unpacked.secret_as_ntt, ret0, + secret_key_unpacked.secret_as_ntt, ret, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); - deserialize_vector_d0(secret_key, secret_key_unpacked.secret_as_ntt); - uint8_t ret1[32U]; - decrypt_unpacked_7d(&secret_key_unpacked, ciphertext, ret1); - memcpy(ret, ret1, (size_t)32U * sizeof(uint8_t)); + deserialize_vector_d0( + secret_key, Eurydice_array_to_slice( + (size_t)4U, secret_key_unpacked.secret_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); + decrypt_unpacked_7d(&secret_key_unpacked, ciphertext, decrypted, scratch); } /** 
@@ -5278,25 +5369,62 @@ A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRF with const generics - LEN= 32 */ -static inline void PRF_9e(Eurydice_slice input, uint8_t ret[32U]) { - uint8_t digest[32U] = {0U}; - libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)32U, digest, uint8_t), input); - memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); +static inline void PRF_9e(Eurydice_slice input, Eurydice_slice out) { + libcrux_sha3_portable_shake256(out, input); } /** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} */ /** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRF_4a +A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRF_6e with const generics -- K= 4 - LEN= 32 */ -static inline void PRF_4a_44(Eurydice_slice input, uint8_t ret[32U]) { - PRF_9e(input, ret); +static inline void PRF_6e_9e(Eurydice_slice input, Eurydice_slice out) { + PRF_9e(input, out); +} + +/** +This function found in impl {core::ops::function::FnMut<(usize), +libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@3]> for libcrux_ml_kem::ind_cca::decapsulate::closure[TraitClause@0, +TraitClause@1, TraitClause@2, TraitClause@3, TraitClause@4, TraitClause@5]} +*/ +/** +A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate.call_mut_5f +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, +libcrux_ml_kem_hash_functions_portable_PortableHash, +libcrux_ml_kem_variant_MlKem with const generics +- K= 4 +- K_SQUARED= 16 +- SECRET_KEY_SIZE= 3168 +- CPA_SECRET_KEY_SIZE= 1536 +- PUBLIC_KEY_SIZE= 1568 +- CIPHERTEXT_SIZE= 1568 +- T_AS_NTT_ENCODED_SIZE= 1536 +- C1_SIZE= 1408 +- C2_SIZE= 160 +- VECTOR_U_COMPRESSION_FACTOR= 11 +- VECTOR_V_COMPRESSION_FACTOR= 5 +- C1_BLOCK_SIZE= 352 +- ETA1= 2 +- 
ETA1_RANDOMNESS_SIZE= 128 +- ETA2= 2 +- ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 512 +- PRF_OUTPUT_SIZE2= 512 +- IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1600 +*/ +static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_5f_d70( + void **_) { + return ZERO_d6_df(); } /** @@ -5305,9 +5433,10 @@ static inline void PRF_4a_44(Eurydice_slice input, uint8_t ret[32U]) { /** A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 4 +- K_SQUARED= 16 - SECRET_KEY_SIZE= 3168 - CPA_SECRET_KEY_SIZE= 1536 - PUBLIC_KEY_SIZE= 1568 @@ -5322,9 +5451,11 @@ libcrux_ml_kem_variant_MlKem with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 512 +- PRF_OUTPUT_SIZE2= 512 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1600 */ -void libcrux_ml_kem_ind_cca_decapsulate_620( +void libcrux_ml_kem_ind_cca_decapsulate_d70( libcrux_ml_kem_types_MlKemPrivateKey_83 *private_key, libcrux_ml_kem_types_MlKemCiphertext_64 *ciphertext, uint8_t ret[32U]) { Eurydice_slice_uint8_t_x4 uu____0 = @@ -5334,8 +5465,11 @@ void libcrux_ml_kem_ind_cca_decapsulate_620( Eurydice_slice ind_cpa_public_key = uu____0.snd; Eurydice_slice ind_cpa_public_key_hash = uu____0.thd; Eurydice_slice implicit_rejection_value = uu____0.f3; - uint8_t decrypted[32U]; - decrypt_7d(ind_cpa_secret_key, ciphertext->value, decrypted); + uint8_t decrypted[32U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d scratch = ZERO_d6_df(); + decrypt_7d(ind_cpa_secret_key, ciphertext->value, + Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), + &scratch); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array_24( Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0); 
@@ -5344,8 +5478,10 @@ void libcrux_ml_kem_ind_cca_decapsulate_620( (size_t)64U, to_hash0, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, size_t, uint8_t[]), ind_cpa_public_key_hash, uint8_t); - uint8_t hashed[64U]; - G_4a_ac(Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed); + uint8_t hashed[64U] = {0U}; + libcrux_ml_kem_hash_functions_portable_G_6e( + Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t)); Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, 
@@ -5359,50 +5495,67 @@ void libcrux_ml_kem_ind_cca_decapsulate_620( uint8_t, size_t, uint8_t[]); Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_d3_af(ciphertext), uint8_t); - uint8_t implicit_rejection_shared_secret0[32U]; - PRF_4a_44(Eurydice_array_to_slice((size_t)1600U, to_hash, uint8_t), - implicit_rejection_shared_secret0); - uint8_t expected_ciphertext[1568U]; - encrypt_2a0(ind_cpa_public_key, decrypted, pseudorandomness, - expected_ciphertext); - uint8_t implicit_rejection_shared_secret[32U]; - kdf_39_60(Eurydice_array_to_slice((size_t)32U, - implicit_rejection_shared_secret0, uint8_t), - implicit_rejection_shared_secret); - uint8_t shared_secret[32U]; - kdf_39_60(shared_secret0, shared_secret); - uint8_t ret0[32U]; + uint8_t implicit_rejection_shared_secret[32U] = {0U}; + PRF_6e_9e(Eurydice_array_to_slice((size_t)1600U, to_hash, uint8_t), + Eurydice_array_to_slice((size_t)32U, + implicit_rejection_shared_secret, uint8_t)); + uint8_t expected_ciphertext[1568U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d r_as_ntt[4U]; + KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + r_as_ntt[i] = call_mut_5f_d70(&lvalue);); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_2 = ZERO_d6_df(); + encrypt_280( + ind_cpa_public_key, decrypted, pseudorandomness, + Eurydice_array_to_slice((size_t)1568U, expected_ciphertext, uint8_t), + Eurydice_array_to_slice( + (size_t)4U, r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + &error_2, &scratch); + uint8_t implicit_rejection_shared_secret_kdf[32U] = {0U}; + kdf_39_a7(Eurydice_array_to_slice((size_t)32U, + implicit_rejection_shared_secret, uint8_t), + Eurydice_array_to_slice( + (size_t)32U, implicit_rejection_shared_secret_kdf, uint8_t)); + uint8_t shared_secret_kdf[32U] = {0U}; + kdf_39_a7(shared_secret0, + Eurydice_array_to_slice((size_t)32U, shared_secret_kdf, uint8_t)); + uint8_t 
shared_secret[32U] = {0U}; libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( libcrux_ml_kem_types_as_ref_d3_af(ciphertext), Eurydice_array_to_slice((size_t)1568U, expected_ciphertext, uint8_t), - Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t), - Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, + Eurydice_array_to_slice((size_t)32U, shared_secret_kdf, uint8_t), + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret_kdf, uint8_t), - ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t)); + memcpy(ret, shared_secret, (size_t)32U * sizeof(uint8_t)); } /** This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, TraitClause@1]> for -libcrux_ml_kem::serialize::deserialize_ring_elements_reduced_out::closure[TraitClause@0, TraitClause@1]} +libcrux_ml_kem::ind_cca::validate_public_key::closure[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of -libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out.call_mut_0b with -types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const -generics +A monomorphic instance of libcrux_ml_kem.ind_cca.validate_public_key.call_mut_00 +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector +with const generics - K= 3 +- PUBLIC_KEY_SIZE= 1184 */ -static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_0b_1b( +static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_00_89( void **_) { - return ZERO_d6_ea(); + return ZERO_d6_df(); } /** - See [deserialize_ring_elements_reduced_out]. + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. */ /** A monomorphic instance of 
@@ -5411,8 +5564,7 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 */ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_1b( - Eurydice_slice public_key, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *deserialized_pk) { + Eurydice_slice public_key, Eurydice_slice deserialized_pk) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(public_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; 
@@ -5423,38 +5575,15 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_1b( i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, uint8_t *); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = - deserialize_to_reduced_ring_element_ea(ring_element); - deserialized_pk[i0] = uu____0; + deserialize_to_reduced_ring_element_df( + ring_element, + &Eurydice_slice_index( + deserialized_pk, i0, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *)); } } -/** - This function deserializes ring elements and reduces the result by the field - modulus. - - This function MUST NOT be used on secret inputs. -*/ -/** -A monomorphic instance of -libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out with types -libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics -- K= 3 -*/ -static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_1b( - Eurydice_slice public_key, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialized_pk[3U]; - KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - deserialized_pk[i] = call_mut_0b_1b(&lvalue);); - deserialize_ring_elements_reduced_1b(public_key, deserialized_pk); - memcpy( - ret, deserialized_pk, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); -} - /** Call [`serialize_uncompressed_ring_element`] for each ring element. */ 
@@ -5465,8 +5594,8 @@ with const generics - K= 3 */ static KRML_MUSTINLINE void serialize_vector_1b( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *key, - Eurydice_slice out) { + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *key, Eurydice_slice out, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( @@ -5476,14 +5605,12 @@ static KRML_MUSTINLINE void serialize_vector_1b( i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = key[i0]; - Eurydice_slice uu____0 = Eurydice_slice_subslice3( - out, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t *); - uint8_t ret[384U]; - serialize_uncompressed_ring_element_ea(&re, ret); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)384U, ret, uint8_t), uint8_t); + serialize_uncompressed_ring_element_df( + &re, scratch, + Eurydice_slice_subslice3( + out, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + uint8_t *)); } } 
@@ -5499,39 +5626,23 @@ with const generics */ static KRML_MUSTINLINE void serialize_public_key_mut_89( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *t_as_ntt, - Eurydice_slice seed_for_a, uint8_t *serialized) { + Eurydice_slice seed_for_a, Eurydice_slice serialized, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { serialize_vector_1b( t_as_ntt, - Eurydice_array_to_subslice3( + Eurydice_slice_subslice3( serialized, (size_t)0U, libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), - uint8_t *)); + uint8_t *), + scratch); Eurydice_slice_copy( - Eurydice_array_to_subslice_from( - (size_t)1184U, serialized, + Eurydice_slice_subslice_from( + serialized, libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), uint8_t, size_t, uint8_t[]), seed_for_a, uint8_t); } -/** - Concatenate `t` and `ρ` into the public key. -*/ -/** -A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key -with types libcrux_ml_kem_vector_portable_vector_type_PortableVector -with const generics -- K= 3 -- PUBLIC_KEY_SIZE= 1184 -*/ -static KRML_MUSTINLINE void serialize_public_key_89( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *t_as_ntt, - Eurydice_slice seed_for_a, uint8_t ret[1184U]) { - uint8_t public_key_serialized[1184U] = {0U}; - serialize_public_key_mut_89(t_as_ntt, seed_for_a, public_key_serialized); - memcpy(ret, public_key_serialized, (size_t)1184U * sizeof(uint8_t)); -} - /** Validate an ML-KEM public key. 
@@ -5548,38 +5659,34 @@ with const generics */ bool libcrux_ml_kem_ind_cca_validate_public_key_89(uint8_t *public_key) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialized_pk[3U]; - deserialize_ring_elements_reduced_out_1b( - Eurydice_array_to_subslice_to( - (size_t)1184U, public_key, - libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), - uint8_t, size_t, uint8_t[]), - deserialized_pk); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____0 = deserialized_pk; - uint8_t public_key_serialized[1184U]; - serialize_public_key_89( - uu____0, - Eurydice_array_to_subslice_from( - (size_t)1184U, public_key, - libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), - uint8_t, size_t, uint8_t[]), - public_key_serialized); + KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + deserialized_pk[i] = call_mut_00_89(&lvalue);); + Eurydice_slice uu____0 = Eurydice_array_to_subslice_to( + (size_t)1184U, public_key, + libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), + uint8_t, size_t, uint8_t[]); + deserialize_ring_elements_reduced_1b( + uu____0, Eurydice_array_to_slice( + (size_t)3U, deserialized_pk, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); + uint8_t public_key_serialized[1184U] = {0U}; + libcrux_ml_kem_vector_portable_vector_type_PortableVector scratch = + libcrux_ml_kem_vector_portable_ZERO_b8(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____1 = deserialized_pk; + Eurydice_slice uu____2 = Eurydice_array_to_subslice_from( + (size_t)1184U, public_key, + libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), + uint8_t, size_t, uint8_t[]); + serialize_public_key_mut_89( + uu____1, uu____2, + Eurydice_array_to_slice((size_t)1184U, public_key_serialized, uint8_t), + &scratch); return Eurydice_array_eq((size_t)1184U, public_key, public_key_serialized, uint8_t); } -/** -This function found in 
impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} -*/ -/** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.H_4a -with const generics -- K= 3 -*/ -static inline void H_4a_e0(Eurydice_slice input, uint8_t ret[32U]) { - libcrux_ml_kem_hash_functions_portable_H(input, ret); -} - /** Validate an ML-KEM private key. @@ -5587,18 +5694,19 @@ static inline void H_4a_e0(Eurydice_slice input, uint8_t ret[32U]) { */ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_private_key_only -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 - SECRET_KEY_SIZE= 2400 */ -bool libcrux_ml_kem_ind_cca_validate_private_key_only_d6( +bool libcrux_ml_kem_ind_cca_validate_private_key_only_1f( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key) { - uint8_t t[32U]; - H_4a_e0(Eurydice_array_to_subslice3( - private_key->value, (size_t)384U * (size_t)3U, - (size_t)768U * (size_t)3U + (size_t)32U, uint8_t *), - t); + uint8_t t[32U] = {0U}; + libcrux_ml_kem_hash_functions_portable_H_6e( + Eurydice_array_to_subslice3(private_key->value, (size_t)384U * (size_t)3U, + (size_t)768U * (size_t)3U + (size_t)32U, + uint8_t *), + Eurydice_array_to_slice((size_t)32U, t, uint8_t)); Eurydice_slice expected = Eurydice_array_to_subslice3( private_key->value, (size_t)768U * (size_t)3U + (size_t)32U, (size_t)768U * (size_t)3U + (size_t)64U, uint8_t *); 
@@ -5614,16 +5722,16 @@ bool libcrux_ml_kem_ind_cca_validate_private_key_only_d6( */ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_private_key -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 - SECRET_KEY_SIZE= 2400 - CIPHERTEXT_SIZE= 1088 */ -bool libcrux_ml_kem_ind_cca_validate_private_key_37( +bool libcrux_ml_kem_ind_cca_validate_private_key_5d( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *_ciphertext) { - return libcrux_ml_kem_ind_cca_validate_private_key_only_d6(private_key); + return libcrux_ml_kem_ind_cca_validate_private_key_only_1f(private_key); } /** @@ -5651,7 +5759,7 @@ static IndCpaPrivateKeyUnpacked_a0 default_70_1b(void) { IndCpaPrivateKeyUnpacked_a0 lit; libcrux_ml_kem_polynomial_PolynomialRingElement_1d repeat_expression[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - repeat_expression[i] = ZERO_d6_ea();); + repeat_expression[i] = ZERO_d6_df();); memcpy( lit.secret_as_ntt, repeat_expression, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); 
@@ -5663,74 +5771,57 @@ A monomorphic instance of libcrux_ml_kem.ind_cpa.unpacked.IndCpaPublicKeyUnpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - $3size_t +- $9size_t */ -typedef struct IndCpaPublicKeyUnpacked_a0_s { +typedef struct IndCpaPublicKeyUnpacked_be_s { libcrux_ml_kem_polynomial_PolynomialRingElement_1d t_as_ntt[3U]; uint8_t seed_for_A[32U]; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d A[3U][3U]; -} IndCpaPublicKeyUnpacked_a0; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d A[9U]; +} IndCpaPublicKeyUnpacked_be; /** This function found in impl {core::default::Default for -libcrux_ml_kem::ind_cpa::unpacked::IndCpaPublicKeyUnpacked[TraitClause@0, TraitClause@1]} +libcrux_ml_kem::ind_cpa::unpacked::IndCpaPublicKeyUnpacked[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cpa.unpacked.default_8b +A monomorphic instance of libcrux_ml_kem.ind_cpa.unpacked.default_50 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 */ -static IndCpaPublicKeyUnpacked_a0 default_8b_1b(void) { +static IndCpaPublicKeyUnpacked_be default_50_89(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - uu____0[i] = ZERO_d6_ea();); + uu____0[i] = ZERO_d6_df();); uint8_t uu____1[32U] = {0U}; - IndCpaPublicKeyUnpacked_a0 lit; + IndCpaPublicKeyUnpacked_be lit; memcpy( lit.t_as_ntt, uu____0, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); memcpy(lit.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t)); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d repeat_expression0[3U][3U]; - KRML_MAYBE_FOR3( - i0, (size_t)0U, (size_t)3U, (size_t)1U, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d repeat_expression[3U]; - KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - repeat_expression[i] = ZERO_d6_ea();); - 
memcpy(repeat_expression0[i0], repeat_expression, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d));); - memcpy(lit.A, repeat_expression0, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U])); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d repeat_expression[9U]; + KRML_MAYBE_FOR9(i, (size_t)0U, (size_t)9U, (size_t)1U, + repeat_expression[i] = ZERO_d6_df();); + memcpy( + lit.A, repeat_expression, + (size_t)9U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); return lit; } -/** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} -*/ -/** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.G_4a -with const generics -- K= 3 -*/ -static inline void G_4a_e0(Eurydice_slice input, uint8_t ret[64U]) { - libcrux_ml_kem_hash_functions_portable_G(input, ret); -} - /** This function found in impl {libcrux_ml_kem::variant::Variant for libcrux_ml_kem::variant::MlKem} */ /** A monomorphic instance of libcrux_ml_kem.variant.cpa_keygen_seed_39 -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 */ -static KRML_MUSTINLINE void cpa_keygen_seed_39_9c( - Eurydice_slice key_generation_seed, uint8_t ret[64U]) { +static KRML_MUSTINLINE void cpa_keygen_seed_39_f0( + Eurydice_slice key_generation_seed, Eurydice_slice out) { uint8_t seed[33U] = {0U}; Eurydice_slice_copy( Eurydice_array_to_subslice3( 
@@ -5739,88 +5830,8 @@ static KRML_MUSTINLINE void cpa_keygen_seed_39_9c( key_generation_seed, uint8_t); seed[LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE] = (uint8_t)(size_t)3U; - uint8_t ret0[64U]; - G_4a_e0(Eurydice_array_to_slice((size_t)33U, seed, uint8_t), ret0); - memcpy(ret, ret0, (size_t)64U * sizeof(uint8_t)); -} - -/** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PortableHash -with const generics -- $3size_t -*/ -typedef struct PortableHash_88_s { - libcrux_sha3_generic_keccak_KeccakState_17 shake128_state[3U]; -} PortableHash_88; - -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_final with const -generics -- K= 3 -*/ -static inline PortableHash_88 shake128_init_absorb_final_e0( - uint8_t (*input)[34U]) { - PortableHash_88 shake128_state; - libcrux_sha3_generic_keccak_KeccakState_17 repeat_expression[3U]; - KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - repeat_expression[i] = - libcrux_sha3_portable_incremental_shake128_init();); - memcpy(shake128_state.shake128_state, repeat_expression, - (size_t)3U * sizeof(libcrux_sha3_generic_keccak_KeccakState_17)); - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_sha3_portable_incremental_shake128_absorb_final( - &shake128_state.shake128_state[i0], - Eurydice_array_to_slice((size_t)34U, input[i0], uint8_t));); - return shake128_state; -} - -/** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} -*/ -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_final_4a with const -generics -- K= 3 -*/ -static inline PortableHash_88 shake128_init_absorb_final_4a_e0( - uint8_t (*input)[34U]) { - return shake128_init_absorb_final_e0(input); -} - -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_first_three_blocks with -const generics -- K= 3 -*/ 
-static inline void shake128_squeeze_first_three_blocks_e0( - PortableHash_88 *st, uint8_t ret[3U][504U]) { - uint8_t out[3U][504U] = {{0U}}; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks( - &st->shake128_state[i0], - Eurydice_array_to_slice((size_t)504U, out[i0], uint8_t));); - memcpy(ret, out, (size_t)3U * sizeof(uint8_t[504U])); -} - -/** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} -*/ -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_first_three_blocks_4a -with const generics -- K= 3 -*/ -static inline void shake128_squeeze_first_three_blocks_4a_e0( - PortableHash_88 *self, uint8_t ret[3U][504U]) { - shake128_squeeze_first_three_blocks_e0(self, ret); + libcrux_ml_kem_hash_functions_portable_G_6e( + Eurydice_array_to_slice((size_t)33U, seed, uint8_t), out); } /** 
@@ -5872,67 +5883,44 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - N= 504 */ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_89( - uint8_t (*randomness)[504U], size_t *sampled_coefficients, - int16_t (*out)[272U]) { + Eurydice_slice randomness, Eurydice_slice sampled_coefficients, + Eurydice_slice out) { KRML_MAYBE_FOR3( i0, (size_t)0U, (size_t)3U, (size_t)1U, size_t i1 = i0; for (size_t i = (size_t)0U; i < (size_t)504U / (size_t)24U; i++) { size_t r = i; - if (sampled_coefficients[i1] < + if (Eurydice_slice_index(sampled_coefficients, i1, size_t, size_t *) < LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + uint8_t *randomness_i = Eurydice_slice_index( + randomness, i1, uint8_t[504U], uint8_t(*)[504U]); + int16_t *out_i = + Eurydice_slice_index(out, i1, int16_t[272U], int16_t(*)[272U]); + size_t sampled_coefficients_i = + Eurydice_slice_index(sampled_coefficients, i1, size_t, size_t *); size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_b8( - Eurydice_array_to_subslice3(randomness[i1], r * (size_t)24U, + Eurydice_array_to_subslice3(randomness_i, r * (size_t)24U, r * (size_t)24U + (size_t)24U, uint8_t *), - Eurydice_array_to_subslice3( - out[i1], sampled_coefficients[i1], - sampled_coefficients[i1] + (size_t)16U, int16_t *)); + Eurydice_array_to_subslice3(out_i, sampled_coefficients_i, + sampled_coefficients_i + (size_t)16U, + int16_t *)); size_t uu____0 = i1; - sampled_coefficients[uu____0] = - sampled_coefficients[uu____0] + sampled; + Eurydice_slice_index(sampled_coefficients, uu____0, size_t, + size_t *) = + Eurydice_slice_index(sampled_coefficients, uu____0, size_t, + size_t *) + + sampled; } }); bool done = true; KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - if (sampled_coefficients[i0] >= - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - sampled_coefficients[i0] = - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; - } else { done = false; }); 
- return done; -} - -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_next_block with const -generics -- K= 3 -*/ -static inline void shake128_squeeze_next_block_e0(PortableHash_88 *st, - uint8_t ret[3U][168U]) { - uint8_t out[3U][168U] = {{0U}}; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_sha3_portable_incremental_shake128_squeeze_next_block( - &st->shake128_state[i0], - Eurydice_array_to_slice((size_t)168U, out[i0], uint8_t));); - memcpy(ret, out, (size_t)3U * sizeof(uint8_t[168U])); -} - -/** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} -*/ -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_next_block_4a with const -generics -- K= 3 -*/ -static inline void shake128_squeeze_next_block_4a_e0(PortableHash_88 *self, - uint8_t ret[3U][168U]) { - shake128_squeeze_next_block_e0(self, ret); + i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; + if (Eurydice_slice_index(sampled_coefficients, i0, size_t, size_t *) >= + LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + Eurydice_slice_index(sampled_coefficients, i0, size_t, size_t *) = + LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; + } else { done = false; }); + return done; } /** 
@@ -5984,163 +5972,134 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - N= 168 */ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_890( - uint8_t (*randomness)[168U], size_t *sampled_coefficients, - int16_t (*out)[272U]) { + Eurydice_slice randomness, Eurydice_slice sampled_coefficients, + Eurydice_slice out) { KRML_MAYBE_FOR3( i0, (size_t)0U, (size_t)3U, (size_t)1U, size_t i1 = i0; for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)24U; i++) { size_t r = i; - if (sampled_coefficients[i1] < + if (Eurydice_slice_index(sampled_coefficients, i1, size_t, size_t *) < LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + uint8_t *randomness_i = Eurydice_slice_index( + randomness, i1, uint8_t[168U], uint8_t(*)[168U]); + int16_t *out_i = + Eurydice_slice_index(out, i1, int16_t[272U], int16_t(*)[272U]); + size_t sampled_coefficients_i = + Eurydice_slice_index(sampled_coefficients, i1, size_t, size_t *); size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_b8( - Eurydice_array_to_subslice3(randomness[i1], r * (size_t)24U, + Eurydice_array_to_subslice3(randomness_i, r * (size_t)24U, r * (size_t)24U + (size_t)24U, uint8_t *), - Eurydice_array_to_subslice3( - out[i1], sampled_coefficients[i1], - sampled_coefficients[i1] + (size_t)16U, int16_t *)); + Eurydice_array_to_subslice3(out_i, sampled_coefficients_i, + sampled_coefficients_i + (size_t)16U, + int16_t *)); size_t uu____0 = i1; - sampled_coefficients[uu____0] = - sampled_coefficients[uu____0] + sampled; + Eurydice_slice_index(sampled_coefficients, uu____0, size_t, + size_t *) = + Eurydice_slice_index(sampled_coefficients, uu____0, size_t, + size_t *) + + sampled; } }); bool done = true; KRML_MAYBE_FOR3( i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - if (sampled_coefficients[i0] >= + if (Eurydice_slice_index(sampled_coefficients, i0, size_t, size_t *) >= LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - sampled_coefficients[i0] = + 
Eurydice_slice_index(sampled_coefficients, i0, size_t, size_t *) = LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; } else { done = false; }); return done; } -/** -This function found in impl {core::ops::function::FnMut<(@Array), -libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@2]> for libcrux_ml_kem::sampling::sample_from_xof::closure[TraitClause@0, TraitClause@1, TraitClause@2, TraitClause@3]} -*/ -/** -A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof.call_mut_e7 -with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics -- K= 3 -*/ -static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_e7_2b0( - int16_t tupled_args[272U]) { - int16_t s[272U]; - memcpy(s, tupled_args, (size_t)272U * sizeof(int16_t)); - return from_i16_array_d6_ea( - Eurydice_array_to_subslice3(s, (size_t)0U, (size_t)256U, int16_t *)); -} - /** A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 */ -static KRML_MUSTINLINE void sample_from_xof_2b0( - uint8_t (*seeds)[34U], - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) { - size_t sampled_coefficients[3U] = {0U}; - int16_t out[3U][272U] = {{0U}}; - PortableHash_88 xof_state = shake128_init_absorb_final_4a_e0(seeds); - uint8_t randomness0[3U][504U]; - shake128_squeeze_first_three_blocks_4a_e0(&xof_state, randomness0); +static KRML_MUSTINLINE void sample_from_xof_570( + Eurydice_slice seeds, Eurydice_slice sampled_coefficients, + Eurydice_slice out) { + libcrux_ml_kem_hash_functions_portable_PortableHash xof_state = + libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_6e( + seeds); + uint8_t randomness[3U][504U] = 
{{0U}}; + uint8_t randomness_blocksize[3U][168U] = {{0U}}; + libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_6e( + &xof_state, + Eurydice_array_to_slice((size_t)3U, randomness, uint8_t[504U])); bool done = sample_from_uniform_distribution_next_89( - randomness0, sampled_coefficients, out); + Eurydice_array_to_slice((size_t)3U, randomness, uint8_t[504U]), + sampled_coefficients, out); while (true) { if (done) { break; } else { - uint8_t randomness[3U][168U]; - shake128_squeeze_next_block_4a_e0(&xof_state, randomness); + libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_6e( + &xof_state, Eurydice_array_to_slice((size_t)3U, randomness_blocksize, + uint8_t[168U])); done = sample_from_uniform_distribution_next_890( - randomness, sampled_coefficients, out); + Eurydice_array_to_slice((size_t)3U, randomness_blocksize, + uint8_t[168U]), + sampled_coefficients, out); } } - /* Passing arrays by value in Rust generates a copy in C */ - int16_t copy_of_out[3U][272U]; - memcpy(copy_of_out, out, (size_t)3U * sizeof(int16_t[272U])); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret0[3U]; - KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - ret0[i] = call_mut_e7_2b0(copy_of_out[i]);); - memcpy( - ret, ret0, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); } /** A monomorphic instance of libcrux_ml_kem.matrix.sample_matrix_A with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 */ -static KRML_MUSTINLINE void sample_matrix_A_2b0( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d (*A_transpose)[3U], - uint8_t *seed, bool transpose) { +static KRML_MUSTINLINE void sample_matrix_A_570(Eurydice_slice A_transpose, + uint8_t *seed, bool transpose) { KRML_MAYBE_FOR3( i0, (size_t)0U, (size_t)3U, (size_t)1U, size_t i1 = i0; - 
uint8_t seeds[3U][34U]; - KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - core_array__core__clone__Clone_for__Array_T__N___clone( - (size_t)34U, seed, seeds[i], uint8_t, void *);); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); + uint8_t seeds[3U][34U]; KRML_MAYBE_FOR3( + i, (size_t)0U, (size_t)3U, (size_t)1U, + memcpy(seeds[i], copy_of_seed, (size_t)34U * sizeof(uint8_t));); KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t j = i; seeds[j][32U] = (uint8_t)i1; seeds[j][33U] = (uint8_t)j;); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d sampled[3U]; - sample_from_xof_2b0(seeds, sampled); + size_t sampled_coefficients[3U] = {0U}; int16_t out[3U][272U] = {{0U}}; + sample_from_xof_570( + Eurydice_array_to_slice((size_t)3U, seeds, uint8_t[34U]), + Eurydice_array_to_slice((size_t)3U, sampled_coefficients, size_t), + Eurydice_array_to_slice((size_t)3U, out, int16_t[272U])); for (size_t i = (size_t)0U; i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)3U, sampled, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d), - libcrux_ml_kem_polynomial_PolynomialRingElement_1d); + Eurydice_array_to_slice((size_t)3U, out, int16_t[272U]), + int16_t[272U]); i++) { size_t j = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d sample = sampled[j]; + int16_t sample[272U]; + memcpy(sample, out[j], (size_t)272U * sizeof(int16_t)); if (transpose) { - A_transpose[j][i1] = sample; + Eurydice_slice uu____1 = Eurydice_array_to_subslice_to( + (size_t)272U, sample, (size_t)256U, int16_t, size_t, int16_t[]); + from_i16_array_d6_df( + uu____1, + &Eurydice_slice_index( + A_transpose, j * (size_t)3U + i1, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *)); } else { - A_transpose[i1][j] = sample; + Eurydice_slice uu____2 = Eurydice_array_to_subslice_to( + (size_t)272U, sample, (size_t)256U, 
int16_t, size_t, int16_t[]); + from_i16_array_d6_df( + uu____2, + &Eurydice_slice_index( + A_transpose, i1 * (size_t)3U + j, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *)); } }); } -/** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRFxN -with const generics -- K= 3 -- LEN= 128 -*/ -static inline void PRFxN_41(uint8_t (*input)[33U], uint8_t ret[3U][128U]) { - uint8_t out[3U][128U] = {{0U}}; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)128U, out[i0], uint8_t), - Eurydice_array_to_slice((size_t)33U, input[i0], uint8_t));); - memcpy(ret, out, (size_t)3U * sizeof(uint8_t[128U])); -} - -/** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} -*/ -/** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRFxN_4a -with const generics -- K= 3 -- LEN= 128 -*/ -static inline void PRFxN_4a_41(uint8_t (*input)[33U], uint8_t ret[3U][128U]) { - PRFxN_41(input, ret); -} - /** Sample a vector of ring elements from a centered binomial distribution and convert them into their NTT representations. 
@@ -6148,28 +6107,46 @@ static inline void PRFxN_4a_41(uint8_t (*input)[33U], uint8_t ret[3U][128U]) { /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_vector_cbd_then_ntt with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 - ETA= 2 - ETA_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE= 384 */ -static KRML_MUSTINLINE uint8_t sample_vector_cbd_then_ntt_3b0( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re_as_ntt, - uint8_t *prf_input, uint8_t domain_separator) { +static KRML_MUSTINLINE uint8_t sample_vector_cbd_then_ntt_400( + Eurydice_slice re_as_ntt, uint8_t *prf_input, uint8_t domain_separator, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[3U][33U]; - KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - core_array__core__clone__Clone_for__Array_T__N___clone( - (size_t)33U, prf_input, prf_inputs[i], uint8_t, void *);); + KRML_MAYBE_FOR3( + i, (size_t)0U, (size_t)3U, (size_t)1U, + memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));); domain_separator = libcrux_ml_kem_utils_prf_input_inc_e0(prf_inputs, domain_separator); - uint8_t prf_outputs[3U][128U]; - PRFxN_4a_41(prf_inputs, prf_outputs); + uint8_t prf_outputs[384U] = {0U}; + libcrux_ml_kem_hash_functions_portable_PRFxN_6e( + Eurydice_array_to_slice((size_t)3U, prf_inputs, uint8_t[33U]), + Eurydice_array_to_slice((size_t)384U, prf_outputs, uint8_t), + (size_t)128U); KRML_MAYBE_FOR3( i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - re_as_ntt[i0] = sample_from_binomial_distribution_a0( - Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t)); - 
ntt_binomially_sampled_ring_element_ea(&re_as_ntt[i0]);); + Eurydice_slice randomness = Eurydice_array_to_subslice3( + prf_outputs, i0 * (size_t)128U, (i0 + (size_t)1U) * (size_t)128U, + uint8_t *); + int16_t sample_buffer[256U] = {0U}; + sample_from_binomial_distribution_a0(randomness, sample_buffer); + from_i16_array_d6_df( + Eurydice_array_to_slice((size_t)256U, sample_buffer, int16_t), + &Eurydice_slice_index( + re_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *)); + ntt_binomially_sampled_ring_element_df( + &Eurydice_slice_index( + re_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *), + scratch);); return domain_separator; } 
@@ -6178,22 +6155,39 @@ This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, TraitClause@3]> for libcrux_ml_kem::ind_cpa::generate_keypair_unpacked::closure[TraitClause@0, TraitClause@1, -TraitClause@2, TraitClause@3, TraitClause@4, TraitClause@5]} +Scheme, K, K_SQUARED, ETA1, ETA1_RANDOMNESS_SIZE, +PRF_OUTPUT_SIZE1>[TraitClause@0, TraitClause@1, TraitClause@2, TraitClause@3, +TraitClause@4, TraitClause@5]} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cpa.generate_keypair_unpacked.call_mut_73 with types +libcrux_ml_kem.ind_cpa.generate_keypair_unpacked.call_mut_ae with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ -static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_73_1c0( +static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_ae_b80( void **_) { - return ZERO_d6_ea(); + return ZERO_d6_df(); +} + +/** +A monomorphic instance of libcrux_ml_kem.matrix.entry +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector +with const generics +- K= 3 +*/ +static libcrux_ml_kem_polynomial_PolynomialRingElement_1d *entry_1b( + Eurydice_slice matrix, size_t i, size_t j) { + return &Eurydice_slice_index( + matrix, i * (size_t)3U + j, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *); } /** 
@@ -6217,10 +6211,8 @@ static KRML_MUSTINLINE void add_to_ring_element_1b( libcrux_ml_kem_vector_portable_vector_type_PortableVector); i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_add_b8(myself->coefficients[i0], - &rhs->coefficients[i0]); - myself->coefficients[i0] = uu____0; + libcrux_ml_kem_vector_portable_add_b8(&myself->coefficients[i0], + &rhs->coefficients[i0]); } } 
@@ -6252,36 +6244,20 @@ with const generics */ static KRML_MUSTINLINE void compute_As_plus_e_1b( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *t_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d (*matrix_A)[3U], + Eurydice_slice matrix_A, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *s_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_as_ntt) { - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)3U, matrix_A, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U]), - libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U]); - i++) { - size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *row = matrix_A[i0]; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = ZERO_d6_ea(); - t_as_ntt[i0] = uu____0; - for (size_t i1 = (size_t)0U; - i1 < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)3U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d), - libcrux_ml_kem_polynomial_PolynomialRingElement_1d); - i1++) { - size_t j = i1; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *matrix_element = - &row[j]; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - ntt_multiply_d6_ea(matrix_element, &s_as_ntt[j]); - add_to_ring_element_d6_1b(&t_as_ntt[i0], &product); - } - add_standard_error_reduce_d6_ea(&t_as_ntt[i0], &error_as_ntt[i0]); - } + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { + KRML_MAYBE_FOR3( + i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = ZERO_d6_df(); + t_as_ntt[i0] = uu____0; KRML_MAYBE_FOR3( + i1, (size_t)0U, (size_t)3U, (size_t)1U, size_t j = i1; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____1 = + entry_1b(matrix_A, i0, j); + ntt_multiply_d6_df(uu____1, &s_as_ntt[j], scratch); + add_to_ring_element_d6_1b(&t_as_ntt[i0], scratch);); + 
add_standard_error_reduce_d6_df(&t_as_ntt[i0], &error_as_ntt[i0]);); } /** 
@@ -6328,41 +6304,56 @@ static KRML_MUSTINLINE void compute_As_plus_e_1b( /** A monomorphic instance of libcrux_ml_kem.ind_cpa.generate_keypair_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ -static KRML_MUSTINLINE void generate_keypair_unpacked_1c0( +static KRML_MUSTINLINE void generate_keypair_unpacked_b80( Eurydice_slice key_generation_seed, IndCpaPrivateKeyUnpacked_a0 *private_key, - IndCpaPublicKeyUnpacked_a0 *public_key) { - uint8_t hashed[64U]; - cpa_keygen_seed_39_9c(key_generation_seed, hashed); + IndCpaPublicKeyUnpacked_be *public_key, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { + uint8_t hashed[64U] = {0U}; + cpa_keygen_seed_39_f0(key_generation_seed, + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t)); Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), (size_t)32U, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice seed_for_A = uu____0.fst; Eurydice_slice seed_for_secret_and_error = uu____0.snd; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d(*uu____1)[3U] = - public_key->A; + Eurydice_slice uu____1 = Eurydice_array_to_slice( + (size_t)9U, public_key->A, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d); uint8_t ret[34U]; libcrux_ml_kem_utils_into_padded_array_b6(seed_for_A, ret); - sample_matrix_A_2b0(uu____1, ret, true); + sample_matrix_A_570(uu____1, ret, true); uint8_t prf_input[33U]; libcrux_ml_kem_utils_into_padded_array_c8(seed_for_secret_and_error, prf_input); - uint8_t domain_separator = - sample_vector_cbd_then_ntt_3b0(private_key->secret_as_ntt, prf_input, 0U); + uint8_t domain_separator = sample_vector_cbd_then_ntt_400( + Eurydice_array_to_slice( + 
(size_t)3U, private_key->secret_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + prf_input, 0U, scratch->coefficients); libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_as_ntt[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, /* original Rust expression is not an lvalue in C */ void *lvalue = (void *)0U; - error_as_ntt[i] = call_mut_73_1c0(&lvalue);); - sample_vector_cbd_then_ntt_3b0(error_as_ntt, prf_input, domain_separator); - compute_As_plus_e_1b(public_key->t_as_ntt, public_key->A, - private_key->secret_as_ntt, error_as_ntt); + error_as_ntt[i] = call_mut_ae_b80(&lvalue);); + sample_vector_cbd_then_ntt_400( + Eurydice_array_to_slice( + (size_t)3U, error_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + prf_input, domain_separator, scratch->coefficients); + compute_As_plus_e_1b(public_key->t_as_ntt, + Eurydice_array_to_slice( + (size_t)9U, public_key->A, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + private_key->secret_as_ntt, error_as_ntt, scratch); uint8_t uu____2[32U]; core_result_Result_fb dst; Eurydice_slice_to_array2(&dst, seed_for_A, Eurydice_slice, uint8_t[32U], 
@@ -6379,54 +6370,48 @@ A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_unpacked_secret_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 - PRIVATE_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 */ -static libcrux_ml_kem_utils_extraction_helper_Keypair768 -serialize_unpacked_secret_key_6c(IndCpaPublicKeyUnpacked_a0 *public_key, - IndCpaPrivateKeyUnpacked_a0 *private_key) { - uint8_t public_key_serialized[1184U]; - serialize_public_key_89( +static void serialize_unpacked_secret_key_43( + IndCpaPublicKeyUnpacked_be *public_key, + IndCpaPrivateKeyUnpacked_a0 *private_key, + Eurydice_slice serialized_private_key, Eurydice_slice serialized_public_key, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { + serialize_public_key_mut_89( public_key->t_as_ntt, Eurydice_array_to_slice((size_t)32U, public_key->seed_for_A, uint8_t), - public_key_serialized); - uint8_t secret_key_serialized[1152U] = {0U}; - serialize_vector_1b( - private_key->secret_as_ntt, - Eurydice_array_to_slice((size_t)1152U, secret_key_serialized, uint8_t)); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_secret_key_serialized[1152U]; - memcpy(copy_of_secret_key_serialized, secret_key_serialized, - (size_t)1152U * sizeof(uint8_t)); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_public_key_serialized[1184U]; - memcpy(copy_of_public_key_serialized, public_key_serialized, - (size_t)1184U * sizeof(uint8_t)); - libcrux_ml_kem_utils_extraction_helper_Keypair768 lit; - memcpy(lit.fst, copy_of_secret_key_serialized, - (size_t)1152U * sizeof(uint8_t)); - memcpy(lit.snd, copy_of_public_key_serialized, - (size_t)1184U * sizeof(uint8_t)); - return lit; + serialized_public_key, scratch); + serialize_vector_1b(private_key->secret_as_ntt, serialized_private_key, + scratch); } /** A monomorphic instance of libcrux_ml_kem.ind_cpa.generate_keypair with types 
libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - PRIVATE_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ -static KRML_MUSTINLINE libcrux_ml_kem_utils_extraction_helper_Keypair768 -generate_keypair_ea(Eurydice_slice key_generation_seed) { +static KRML_MUSTINLINE void generate_keypair_90( + Eurydice_slice key_generation_seed, + Eurydice_slice serialized_ind_cpa_private_key, + Eurydice_slice serialized_public_key, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { IndCpaPrivateKeyUnpacked_a0 private_key = default_70_1b(); - IndCpaPublicKeyUnpacked_a0 public_key = default_8b_1b(); - generate_keypair_unpacked_1c0(key_generation_seed, &private_key, &public_key); - return serialize_unpacked_secret_key_6c(&public_key, &private_key); + IndCpaPublicKeyUnpacked_be public_key = default_50_89(); + generate_keypair_unpacked_b80(key_generation_seed, &private_key, &public_key, + scratch); + serialize_unpacked_secret_key_43( + &public_key, &private_key, serialized_ind_cpa_private_key, + serialized_public_key, scratch->coefficients); } /** @@ -6434,12 +6419,12 @@ generate_keypair_ea(Eurydice_slice key_generation_seed) { */ /** A monomorphic instance of libcrux_ml_kem.ind_cca.serialize_kem_secret_key_mut -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 - SERIALIZED_KEY_LEN= 2400 */ -static KRML_MUSTINLINE void serialize_kem_secret_key_mut_d6( +static KRML_MUSTINLINE void serialize_kem_secret_key_mut_1f( Eurydice_slice private_key, Eurydice_slice public_key, Eurydice_slice implicit_rejection_value, uint8_t *serialized) { size_t pointer = (size_t)0U; 
@@ -6461,41 +6446,23 @@ static KRML_MUSTINLINE void serialize_kem_secret_key_mut_d6( uint8_t *), public_key, uint8_t); pointer = pointer + Eurydice_slice_len(public_key, uint8_t); - Eurydice_slice uu____6 = Eurydice_array_to_subslice3( - serialized, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, - uint8_t *); - uint8_t ret[32U]; - H_4a_e0(public_key, ret); - Eurydice_slice_copy( - uu____6, Eurydice_array_to_slice((size_t)32U, ret, uint8_t), uint8_t); + libcrux_ml_kem_hash_functions_portable_H_6e( + public_key, + Eurydice_array_to_subslice3( + serialized, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, + uint8_t *)); pointer = pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE; - uint8_t *uu____7 = serialized; + uint8_t *uu____6 = serialized; + size_t uu____7 = pointer; size_t uu____8 = pointer; - size_t uu____9 = pointer; Eurydice_slice_copy( Eurydice_array_to_subslice3( - uu____7, uu____8, - uu____9 + Eurydice_slice_len(implicit_rejection_value, uint8_t), + uu____6, uu____7, + uu____8 + Eurydice_slice_len(implicit_rejection_value, uint8_t), uint8_t *), implicit_rejection_value, uint8_t); } -/** -A monomorphic instance of libcrux_ml_kem.ind_cca.serialize_kem_secret_key -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] -with const generics -- K= 3 -- SERIALIZED_KEY_LEN= 2400 -*/ -static KRML_MUSTINLINE void serialize_kem_secret_key_d6( - Eurydice_slice private_key, Eurydice_slice public_key, - Eurydice_slice implicit_rejection_value, uint8_t ret[2400U]) { - uint8_t out[2400U] = {0U}; - serialize_kem_secret_key_mut_d6(private_key, public_key, - implicit_rejection_value, out); - memcpy(ret, out, (size_t)2400U * sizeof(uint8_t)); -} - /** Packed API 
@@ -6507,17 +6474,19 @@ static KRML_MUSTINLINE void serialize_kem_secret_key_d6( /** A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ libcrux_ml_kem_mlkem768_MlKem768KeyPair -libcrux_ml_kem_ind_cca_generate_keypair_15(uint8_t *randomness) { +libcrux_ml_kem_ind_cca_generate_keypair_e6(uint8_t *randomness) { Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice3( randomness, (size_t)0U, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t *); 
@@ -6525,14 +6494,15 @@ libcrux_ml_kem_ind_cca_generate_keypair_15(uint8_t *randomness) { (size_t)64U, randomness, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, size_t, uint8_t[]); - libcrux_ml_kem_utils_extraction_helper_Keypair768 uu____0 = - generate_keypair_ea(ind_cpa_keypair_randomness); - uint8_t ind_cpa_private_key[1152U]; - memcpy(ind_cpa_private_key, uu____0.fst, (size_t)1152U * sizeof(uint8_t)); - uint8_t public_key[1184U]; - memcpy(public_key, uu____0.snd, (size_t)1184U * sizeof(uint8_t)); - uint8_t secret_key_serialized[2400U]; - serialize_kem_secret_key_d6( + uint8_t ind_cpa_private_key[1152U] = {0U}; + uint8_t public_key[1184U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d scratch = ZERO_d6_df(); + generate_keypair_90( + ind_cpa_keypair_randomness, + Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t), + Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t), &scratch); + uint8_t secret_key_serialized[2400U] = {0U}; + serialize_kem_secret_key_mut_1f( Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t), Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t), implicit_rejection_value, secret_key_serialized); @@ -6542,12 +6512,12 @@ libcrux_ml_kem_ind_cca_generate_keypair_15(uint8_t *randomness) { (size_t)2400U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey_d9 private_key = libcrux_ml_kem_types_from_77_28(copy_of_secret_key_serialized); - libcrux_ml_kem_types_MlKemPrivateKey_d9 uu____2 = private_key; + libcrux_ml_kem_types_MlKemPrivateKey_d9 uu____1 = private_key; /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_public_key[1184U]; memcpy(copy_of_public_key, public_key, (size_t)1184U * sizeof(uint8_t)); return libcrux_ml_kem_types_from_17_74( - uu____2, libcrux_ml_kem_types_from_fd_d0(copy_of_public_key)); + uu____1, libcrux_ml_kem_types_from_fd_d0(copy_of_public_key)); } /** 
@@ -6556,110 +6526,93 @@ libcrux_ml_kem::variant::MlKem} */ /** A monomorphic instance of libcrux_ml_kem.variant.entropy_preprocess_39 -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 */ -static KRML_MUSTINLINE void entropy_preprocess_39_9c(Eurydice_slice randomness, - uint8_t ret[32U]) { - uint8_t out[32U] = {0U}; - Eurydice_slice_copy(Eurydice_array_to_slice((size_t)32U, out, uint8_t), - randomness, uint8_t); - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); +static KRML_MUSTINLINE void entropy_preprocess_39_f0(Eurydice_slice randomness, + Eurydice_slice out) { + Eurydice_slice_copy(out, randomness, uint8_t); +} + +/** +This function found in impl {core::ops::function::FnMut<(usize), +libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@3]> for libcrux_ml_kem::ind_cca::encapsulate::closure[TraitClause@0, +TraitClause@1, TraitClause@2, TraitClause@3, TraitClause@4, TraitClause@5]} +*/ +/** +A monomorphic instance of libcrux_ml_kem.ind_cca.encapsulate.call_mut_c0 +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, +libcrux_ml_kem_hash_functions_portable_PortableHash, +libcrux_ml_kem_variant_MlKem with const generics +- K= 3 +- K_SQUARED= 9 +- CIPHERTEXT_SIZE= 1088 +- PUBLIC_KEY_SIZE= 1184 +- T_AS_NTT_ENCODED_SIZE= 1152 +- C1_SIZE= 960 +- C2_SIZE= 128 +- VECTOR_U_COMPRESSION_FACTOR= 10 +- VECTOR_V_COMPRESSION_FACTOR= 4 +- C1_BLOCK_SIZE= 320 +- ETA1= 2 +- ETA1_RANDOMNESS_SIZE= 128 +- ETA2= 2 +- ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 +*/ +static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_c0_d9( + void **_) { + return ZERO_d6_df(); } /** A monomorphic instance of libcrux_ml_kem.ind_cpa.build_unpacked_public_key_mut with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with 
const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 +- K_SQUARED= 9 - T_AS_NTT_ENCODED_SIZE= 1152 */ -static KRML_MUSTINLINE void build_unpacked_public_key_mut_3f0( +static KRML_MUSTINLINE void build_unpacked_public_key_mut_e20( Eurydice_slice public_key, - IndCpaPublicKeyUnpacked_a0 *unpacked_public_key) { + IndCpaPublicKeyUnpacked_be *unpacked_public_key) { Eurydice_slice uu____0 = Eurydice_slice_subslice_to( public_key, (size_t)1152U, uint8_t, size_t, uint8_t[]); - deserialize_ring_elements_reduced_1b(uu____0, unpacked_public_key->t_as_ntt); + deserialize_ring_elements_reduced_1b( + uu____0, Eurydice_array_to_slice( + (size_t)3U, unpacked_public_key->t_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); Eurydice_slice seed = Eurydice_slice_subslice_from( public_key, (size_t)1152U, uint8_t, size_t, uint8_t[]); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d(*uu____1)[3U] = - unpacked_public_key->A; + Eurydice_slice uu____1 = Eurydice_array_to_slice( + (size_t)9U, unpacked_public_key->A, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d); uint8_t ret[34U]; libcrux_ml_kem_utils_into_padded_array_b6(seed, ret); - sample_matrix_A_2b0(uu____1, ret, false); -} - -/** -A monomorphic instance of libcrux_ml_kem.ind_cpa.build_unpacked_public_key -with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics -- K= 3 -- T_AS_NTT_ENCODED_SIZE= 1152 -*/ -static KRML_MUSTINLINE IndCpaPublicKeyUnpacked_a0 -build_unpacked_public_key_3f(Eurydice_slice public_key) { - IndCpaPublicKeyUnpacked_a0 unpacked_public_key = default_8b_1b(); - build_unpacked_public_key_mut_3f0(public_key, &unpacked_public_key); - return unpacked_public_key; + sample_matrix_A_570(uu____1, ret, false); } -/** -A monomorphic instance of K. 
-with types libcrux_ml_kem_polynomial_PolynomialRingElement -libcrux_ml_kem_vector_portable_vector_type_PortableVector[3size_t], -libcrux_ml_kem_polynomial_PolynomialRingElement -libcrux_ml_kem_vector_portable_vector_type_PortableVector - -*/ -typedef struct tuple_ed_s { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d fst[3U]; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d snd; -} tuple_ed; - /** This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, TraitClause@2]> for libcrux_ml_kem::ind_cpa::encrypt_c1::closure[TraitClause@0, TraitClause@1, TraitClause@2, -TraitClause@3]} -*/ -/** -A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1.call_mut_f1 -with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics -- K= 3 -- C1_LEN= 960 -- U_COMPRESSION_FACTOR= 10 -- BLOCK_LEN= 320 -- ETA1= 2 -- ETA1_RANDOMNESS_SIZE= 128 -- ETA2= 2 -- ETA2_RANDOMNESS_SIZE= 128 -*/ -static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_f1_850( - void **_) { - return ZERO_d6_ea(); -} - -/** -This function found in impl {core::ops::function::FnMut<(usize), -libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@2]> for libcrux_ml_kem::ind_cpa::encrypt_c1::closure#1[TraitClause@0, TraitClause@1, TraitClause@2, -TraitClause@3]} +K, K_SQUARED, C1_LEN, U_COMPRESSION_FACTOR, BLOCK_LEN, ETA1, +ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, PRF_OUTPUT_SIZE1, +PRF_OUTPUT_SIZE2>[TraitClause@0, TraitClause@1, TraitClause@2, TraitClause@3]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1.call_mut_dd +A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1.call_mut_77 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics 
+libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 +- K_SQUARED= 9 - C1_LEN= 960 - U_COMPRESSION_FACTOR= 10 - BLOCK_LEN= 320 @@ -6667,10 +6620,12 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ -static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_dd_850( +static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_77_fc0( void **_) { - return ZERO_d6_ea(); + return ZERO_d6_df(); } /** 
@@ -6679,61 +6634,71 @@ static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_dd_850( /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_ring_element_cbd with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 - ETA2_RANDOMNESS_SIZE= 128 - ETA2= 2 +- PRF_OUTPUT_SIZE= 384 */ -static KRML_MUSTINLINE uint8_t sample_ring_element_cbd_3b0( - uint8_t *prf_input, uint8_t domain_separator, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_1) { +static KRML_MUSTINLINE uint8_t +sample_ring_element_cbd_400(uint8_t *prf_input, uint8_t domain_separator, + Eurydice_slice error_1, int16_t *sample_buffer) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[3U][33U]; - KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - core_array__core__clone__Clone_for__Array_T__N___clone( - (size_t)33U, prf_input, prf_inputs[i], uint8_t, void *);); + KRML_MAYBE_FOR3( + i, (size_t)0U, (size_t)3U, (size_t)1U, + memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));); domain_separator = libcrux_ml_kem_utils_prf_input_inc_e0(prf_inputs, domain_separator); - uint8_t prf_outputs[3U][128U]; - PRFxN_4a_41(prf_inputs, prf_outputs); + uint8_t prf_outputs[384U] = {0U}; + Eurydice_slice uu____1 = core_array___Array_T__N___as_slice( + (size_t)3U, prf_inputs, uint8_t[33U], Eurydice_slice); + libcrux_ml_kem_hash_functions_portable_PRFxN_6e( + uu____1, Eurydice_array_to_slice((size_t)384U, prf_outputs, uint8_t), + (size_t)128U); KRML_MAYBE_FOR3( i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = - sample_from_binomial_distribution_a0( - Eurydice_array_to_slice((size_t)128U, 
prf_outputs[i0], uint8_t)); - error_1[i0] = uu____0;); + Eurydice_slice randomness = Eurydice_array_to_subslice3( + prf_outputs, i0 * (size_t)128U, (i0 + (size_t)1U) * (size_t)128U, + uint8_t *); + sample_from_binomial_distribution_a0(randomness, sample_buffer); + from_i16_array_d6_df( + Eurydice_array_to_slice((size_t)256U, sample_buffer, int16_t), + &Eurydice_slice_index( + error_1, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *));); return domain_separator; } -/** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} -*/ -/** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRF_4a -with const generics -- K= 3 -- LEN= 128 -*/ -static inline void PRF_4a_410(Eurydice_slice input, uint8_t ret[128U]) { - PRF_a6(input, ret); -} - /** This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]> for libcrux_ml_kem::matrix::compute_vector_u::closure[TraitClause@0, TraitClause@1]} +TraitClause@2]> for libcrux_ml_kem::ind_cpa::encrypt_c1::closure#1[TraitClause@0, TraitClause@1, TraitClause@2, TraitClause@3]} */ /** -A monomorphic instance of libcrux_ml_kem.matrix.compute_vector_u.call_mut_a8 -with types libcrux_ml_kem_vector_portable_vector_type_PortableVector -with const generics +A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1.call_mut_88 +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 +- K_SQUARED= 9 +- C1_LEN= 960 +- U_COMPRESSION_FACTOR= 10 +- BLOCK_LEN= 320 +- ETA1= 2 +- ETA1_RANDOMNESS_SIZE= 128 +- ETA2= 2 +- ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ -static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_a8_1b( +static 
libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_88_fc0( void **_) { - return ZERO_d6_ea(); + return ZERO_d6_df(); } /** @@ -6743,17 +6708,18 @@ with const generics - K= 3 */ static KRML_MUSTINLINE void invert_ntt_montgomery_1b( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { size_t zeta_i = LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)2U; - invert_ntt_at_layer_1_ea(&zeta_i, re); - invert_ntt_at_layer_2_ea(&zeta_i, re); - invert_ntt_at_layer_3_ea(&zeta_i, re); - invert_ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)4U); - invert_ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)5U); - invert_ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)6U); - invert_ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)7U); - poly_barrett_reduce_d6_ea(re); + invert_ntt_at_layer_1_df(&zeta_i, re); + invert_ntt_at_layer_2_df(&zeta_i, re); + invert_ntt_at_layer_3_df(&zeta_i, re); + invert_ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)4U, scratch); + invert_ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)5U, scratch); + invert_ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)6U, scratch); + invert_ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)7U, scratch); + poly_barrett_reduce_d6_df(re); } /** 
@@ -6766,43 +6732,39 @@ with const generics - K= 3 */ static KRML_MUSTINLINE void compute_vector_u_1b( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d (*a_as_ntt)[3U], - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *r_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_1, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result[3U]; - KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - result[i] = call_mut_a8_1b(&lvalue);); - for (size_t i0 = (size_t)0U; - i0 < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)3U, a_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U]), - libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U]); - i0++) { - size_t i1 = i0; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *row = a_as_ntt[i1]; - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)3U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d), - libcrux_ml_kem_polynomial_PolynomialRingElement_1d); - i++) { - size_t j = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *a_element = &row[j]; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - ntt_multiply_d6_ea(a_element, &r_as_ntt[j]); - add_to_ring_element_d6_1b(&result[i1], &product); - } - invert_ntt_montgomery_1b(&result[i1]); - add_error_reduce_d6_ea(&result[i1], &error_1[i1]); - } - memcpy( - ret, result, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); + Eurydice_slice a_as_ntt, Eurydice_slice r_as_ntt, Eurydice_slice error_1, + Eurydice_slice result, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { + KRML_MAYBE_FOR3( + i0, (size_t)0U, (size_t)3U, (size_t)1U, size_t i1 = i0; KRML_MAYBE_FOR3( + i, (size_t)0U, (size_t)3U, (size_t)1U, size_t j = i; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____0 = + 
entry_1b(a_as_ntt, i1, j); + ntt_multiply_d6_df( + uu____0, + &Eurydice_slice_index( + r_as_ntt, j, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *), + scratch); + add_to_ring_element_d6_1b( + &Eurydice_slice_index( + result, i1, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *), + scratch);); + invert_ntt_montgomery_1b( + &Eurydice_slice_index( + result, i1, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *), + scratch); + add_error_reduce_d6_df( + &Eurydice_slice_index( + result, i1, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *), + &Eurydice_slice_index( + error_1, i1, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *));); } /** 
@@ -6812,20 +6774,18 @@ with const generics - OUT_LEN= 320 */ static KRML_MUSTINLINE void compress_then_serialize_10_ff( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, uint8_t ret[320U]) { - uint8_t serialized[320U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, + Eurydice_slice serialized, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { for (size_t i = (size_t)0U; i < VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - compress_b8_ef(to_unsigned_field_modulus_ea(re->coefficients[i0])); - uint8_t bytes[20U]; - libcrux_ml_kem_vector_portable_serialize_10_b8(coefficient, bytes); - Eurydice_slice_copy( - Eurydice_array_to_subslice3(serialized, (size_t)20U * i0, - (size_t)20U * i0 + (size_t)20U, uint8_t *), - Eurydice_array_to_slice((size_t)20U, bytes, uint8_t), uint8_t); + to_unsigned_field_modulus_df(&re->coefficients[i0], scratch); + compress_b8_ef(scratch); + libcrux_ml_kem_vector_portable_serialize_10_b8( + scratch, + Eurydice_slice_subslice3(serialized, (size_t)20U * i0, + (size_t)20U * i0 + (size_t)20U, uint8_t *)); } - memcpy(ret, serialized, (size_t)320U * sizeof(uint8_t)); } /** @@ -6836,10 +6796,10 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - OUT_LEN= 320 */ static KRML_MUSTINLINE void compress_then_serialize_ring_element_u_fe( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, uint8_t ret[320U]) { - uint8_t uu____0[320U]; - compress_then_serialize_10_ff(re, uu____0); - memcpy(ret, uu____0, (size_t)320U * sizeof(uint8_t)); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, + Eurydice_slice serialized, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { + compress_then_serialize_10_ff(re, serialized, scratch); } /** 
@@ -6856,7 +6816,8 @@ with const generics */ static KRML_MUSTINLINE void compress_then_serialize_u_43( libcrux_ml_kem_polynomial_PolynomialRingElement_1d input[3U], - Eurydice_slice out) { + Eurydice_slice out, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( @@ -6866,22 +6827,21 @@ static KRML_MUSTINLINE void compress_then_serialize_u_43( i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = input[i0]; - Eurydice_slice uu____0 = Eurydice_slice_subslice3( - out, i0 * ((size_t)960U / (size_t)3U), - (i0 + (size_t)1U) * ((size_t)960U / (size_t)3U), uint8_t *); - uint8_t ret[320U]; - compress_then_serialize_ring_element_u_fe(&re, ret); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)320U, ret, uint8_t), uint8_t); + compress_then_serialize_ring_element_u_fe( + &re, + Eurydice_slice_subslice3( + out, i0 * ((size_t)960U / (size_t)3U), + (i0 + (size_t)1U) * ((size_t)960U / (size_t)3U), uint8_t *), + scratch); } } /** A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 +- K_SQUARED= 9 - C1_LEN= 960 - U_COMPRESSION_FACTOR= 10 - BLOCK_LEN= 320 
@@ -6889,52 +6849,62 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ -static KRML_MUSTINLINE tuple_ed -encrypt_c1_850(Eurydice_slice randomness, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d (*matrix)[3U], - Eurydice_slice ciphertext) { +static KRML_MUSTINLINE void encrypt_c1_fc0( + Eurydice_slice randomness, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *matrix, + Eurydice_slice ciphertext, Eurydice_slice r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_2, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { uint8_t prf_input[33U]; libcrux_ml_kem_utils_into_padded_array_c8(randomness, prf_input); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d r_as_ntt[3U]; - KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - r_as_ntt[i] = call_mut_f1_850(&lvalue);); - uint8_t domain_separator0 = - sample_vector_cbd_then_ntt_3b0(r_as_ntt, prf_input, 0U); + uint8_t domain_separator0 = sample_vector_cbd_then_ntt_400( + r_as_ntt, prf_input, 0U, scratch->coefficients); libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_1[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, /* original Rust expression is not an lvalue in C */ void *lvalue = (void *)0U; - error_1[i] = call_mut_dd_850(&lvalue);); - uint8_t domain_separator = - sample_ring_element_cbd_3b0(prf_input, domain_separator0, error_1); + error_1[i] = call_mut_77_fc0(&lvalue);); + int16_t sampling_buffer[256U] = {0U}; + uint8_t domain_separator = sample_ring_element_cbd_400( + prf_input, domain_separator0, + Eurydice_array_to_slice( + (size_t)3U, error_1, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + sampling_buffer); prf_input[32U] = domain_separator; - uint8_t prf_output[128U]; - PRF_4a_410(Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t), - prf_output); - 
libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_2 = - sample_from_binomial_distribution_a0( - Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t)); + uint8_t prf_output[128U] = {0U}; + PRF_6e_a6(Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t), + Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t)); + sample_from_binomial_distribution_a0( + Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t), + sampling_buffer); + from_i16_array_d6_df( + Eurydice_array_to_slice((size_t)256U, sampling_buffer, int16_t), error_2); libcrux_ml_kem_polynomial_PolynomialRingElement_1d u[3U]; - compute_vector_u_1b(matrix, r_as_ntt, error_1, u); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0[3U]; - memcpy( - uu____0, u, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); - compress_then_serialize_u_43(uu____0, ciphertext); + KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + u[i] = call_mut_88_fc0(&lvalue);); + compute_vector_u_1b( + Eurydice_array_to_slice( + (size_t)9U, matrix, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + r_as_ntt, + Eurydice_array_to_slice( + (size_t)3U, error_1, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + Eurydice_array_to_slice( + (size_t)3U, u, libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + scratch); /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_kem_polynomial_PolynomialRingElement_1d copy_of_r_as_ntt[3U]; - memcpy( - copy_of_r_as_ntt, r_as_ntt, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); - tuple_ed lit; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d copy_of_u[3U]; memcpy( - lit.fst, copy_of_r_as_ntt, + copy_of_u, u, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); - lit.snd = error_2; - return lit; + compress_then_serialize_u_43(copy_of_u, ciphertext, scratch->coefficients); } /** 
@@ -6946,19 +6916,24 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -compute_ring_element_v_1b( +static KRML_MUSTINLINE void compute_ring_element_v_1b( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *t_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *r_as_ntt, + Eurydice_slice r_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_2, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_d6_ea(); - KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - ntt_multiply_d6_ea(&t_as_ntt[i0], &r_as_ntt[i0]); - add_to_ring_element_d6_1b(&result, &product);); - invert_ntt_montgomery_1b(&result); - return add_message_error_reduce_d6_ea(error_2, message, result); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *result, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { + KRML_MAYBE_FOR3( + i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; ntt_multiply_d6_df( + &t_as_ntt[i0], + &Eurydice_slice_index( + r_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *), + scratch); + add_to_ring_element_d6_1b(result, scratch);); + invert_ntt_montgomery_1b(result, scratch); + add_message_error_reduce_d6_df(error_2, message, result, + scratch->coefficients); } /** 
@@ -6970,8 +6945,9 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - OUT_LEN= 128 */ static KRML_MUSTINLINE void compress_then_serialize_ring_element_v_6c( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re, Eurydice_slice out) { - compress_then_serialize_4_ea(re, out); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d re, Eurydice_slice out, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { + compress_then_serialize_4_df(re, out, scratch); } /** @@ -6984,15 +6960,18 @@ with const generics */ static KRML_MUSTINLINE void encrypt_c2_6c( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *t_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *r_as_ntt, + Eurydice_slice r_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_2, - uint8_t *message, Eurydice_slice ciphertext) { + uint8_t *message, Eurydice_slice ciphertext, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d message_as_ring_element = - deserialize_then_decompress_message_ea(message); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d v = - compute_ring_element_v_1b(t_as_ntt, r_as_ntt, error_2, - &message_as_ring_element); - compress_then_serialize_ring_element_v_6c(v, ciphertext); + ZERO_d6_df(); + deserialize_then_decompress_message_df(message, &message_as_ring_element); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d v = ZERO_d6_df(); + compute_ring_element_v_1b(t_as_ntt, r_as_ntt, error_2, + &message_as_ring_element, &v, scratch); + compress_then_serialize_ring_element_v_6c(v, ciphertext, + scratch->coefficients); } /** 
@@ -7039,9 +7018,9 @@ static KRML_MUSTINLINE void encrypt_c2_6c( /** A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - T_AS_NTT_ENCODED_SIZE= 1152 - C1_LEN= 960 
@@ -7053,38 +7032,31 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ -static KRML_MUSTINLINE void encrypt_unpacked_2a0( - IndCpaPublicKeyUnpacked_a0 *public_key, uint8_t *message, - Eurydice_slice randomness, uint8_t ret[1088U]) { - uint8_t ciphertext[1088U] = {0U}; - tuple_ed uu____0 = - encrypt_c1_850(randomness, public_key->A, - Eurydice_array_to_subslice3(ciphertext, (size_t)0U, - (size_t)960U, uint8_t *)); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d r_as_ntt[3U]; - memcpy( - r_as_ntt, uu____0.fst, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_2 = uu____0.snd; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____1 = - public_key->t_as_ntt; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____2 = r_as_ntt; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____3 = &error_2; - uint8_t *uu____4 = message; - encrypt_c2_6c( - uu____1, uu____2, uu____3, uu____4, - Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, (size_t)960U, - uint8_t, size_t, uint8_t[])); - memcpy(ret, ciphertext, (size_t)1088U * sizeof(uint8_t)); +static KRML_MUSTINLINE void encrypt_unpacked_280( + IndCpaPublicKeyUnpacked_be *public_key, uint8_t *message, + Eurydice_slice randomness, Eurydice_slice ciphertext, + Eurydice_slice r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_2, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { + encrypt_c1_fc0( + randomness, public_key->A, + Eurydice_slice_subslice3(ciphertext, (size_t)0U, (size_t)960U, uint8_t *), + r_as_ntt, error_2, scratch); + encrypt_c2_6c(public_key->t_as_ntt, r_as_ntt, error_2, message, + Eurydice_slice_subslice_from(ciphertext, (size_t)960U, uint8_t, + size_t, uint8_t[]), + scratch); } /** A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt with types 
libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - T_AS_NTT_ENCODED_SIZE= 1152 - C1_LEN= 960 @@ -7096,16 +7068,18 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ -static KRML_MUSTINLINE void encrypt_2a(Eurydice_slice public_key, - uint8_t *message, - Eurydice_slice randomness, - uint8_t ret[1088U]) { - IndCpaPublicKeyUnpacked_a0 unpacked_public_key = - build_unpacked_public_key_3f(public_key); - uint8_t ret0[1088U]; - encrypt_unpacked_2a0(&unpacked_public_key, message, randomness, ret0); - memcpy(ret, ret0, (size_t)1088U * sizeof(uint8_t)); +static KRML_MUSTINLINE void encrypt_28( + Eurydice_slice public_key, uint8_t *message, Eurydice_slice randomness, + Eurydice_slice ciphertext, Eurydice_slice r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_2, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { + IndCpaPublicKeyUnpacked_be unpacked_public_key = default_50_89(); + build_unpacked_public_key_mut_e20(public_key, &unpacked_public_key); + encrypt_unpacked_280(&unpacked_public_key, message, randomness, ciphertext, + r_as_ntt, error_2, scratch); } /** 
@@ -7114,25 +7088,23 @@ libcrux_ml_kem::variant::MlKem} */ /** A monomorphic instance of libcrux_ml_kem.variant.kdf_39 -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 - CIPHERTEXT_SIZE= 1088 */ -static KRML_MUSTINLINE void kdf_39_d6(Eurydice_slice shared_secret, - uint8_t ret[32U]) { - uint8_t out[32U] = {0U}; - Eurydice_slice_copy(Eurydice_array_to_slice((size_t)32U, out, uint8_t), - shared_secret, uint8_t); - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); +static KRML_MUSTINLINE void kdf_39_1f(Eurydice_slice shared_secret, + Eurydice_slice out) { + Eurydice_slice_copy(out, shared_secret, uint8_t); } /** A monomorphic instance of libcrux_ml_kem.ind_cca.encapsulate with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - PUBLIC_KEY_SIZE= 1184 - T_AS_NTT_ENCODED_SIZE= 1152 
@@ -7145,46 +7117,64 @@ libcrux_ml_kem_variant_MlKem with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ -tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_ca( +tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_d9( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, uint8_t *randomness) { - uint8_t randomness0[32U]; - entropy_preprocess_39_9c( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), randomness0); + uint8_t processed_randomness[32U] = {0U}; + entropy_preprocess_39_f0( + Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), + Eurydice_array_to_slice((size_t)32U, processed_randomness, uint8_t)); uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array_24( - Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t), to_hash); - Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( - (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, uint8_t[]); - uint8_t ret0[32U]; - H_4a_e0(Eurydice_array_to_slice( - (size_t)1184U, libcrux_ml_kem_types_as_slice_e6_d0(public_key), - uint8_t), - ret0); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)32U, ret0, uint8_t), uint8_t); - uint8_t hashed[64U]; - G_4a_e0(Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), hashed); + Eurydice_array_to_slice((size_t)32U, processed_randomness, uint8_t), + to_hash); + Eurydice_slice uu____0 = Eurydice_array_to_slice( + (size_t)1184U, libcrux_ml_kem_types_as_slice_e6_d0(public_key), uint8_t); + libcrux_ml_kem_hash_functions_portable_H_6e( + uu____0, Eurydice_array_to_subslice_from( + (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, + uint8_t, size_t, uint8_t[])); + uint8_t hashed[64U] = {0U}; + libcrux_ml_kem_hash_functions_portable_G_6e( + Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t)); Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( 
Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; - uint8_t ciphertext[1088U]; - encrypt_2a(Eurydice_array_to_slice( + libcrux_ml_kem_mlkem768_MlKem768Ciphertext ciphertext = + libcrux_ml_kem_types_default_73_80(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d r_as_ntt[3U]; + KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + r_as_ntt[i] = call_mut_c0_d9(&lvalue);); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_2 = ZERO_d6_df(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d scratch = ZERO_d6_df(); + encrypt_28(Eurydice_array_to_slice( (size_t)1184U, libcrux_ml_kem_types_as_slice_e6_d0(public_key), uint8_t), - randomness0, pseudorandomness, ciphertext); + processed_randomness, pseudorandomness, + Eurydice_array_to_slice((size_t)1088U, ciphertext.value, uint8_t), + Eurydice_array_to_slice( + (size_t)3U, r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + &error_2, &scratch); + uint8_t shared_secret_array[32U] = {0U}; + kdf_39_1f(shared_secret, + Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t)); + libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____2 = ciphertext; /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_ciphertext[1088U]; - memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t)); + uint8_t copy_of_shared_secret_array[32U]; + memcpy(copy_of_shared_secret_array, shared_secret_array, + (size_t)32U * sizeof(uint8_t)); tuple_c2 lit; - lit.fst = libcrux_ml_kem_types_from_e0_80(copy_of_ciphertext); - uint8_t ret[32U]; - kdf_39_d6(shared_secret, ret); - memcpy(lit.snd, ret, (size_t)32U * sizeof(uint8_t)); + lit.fst = uu____2; + memcpy(lit.snd, copy_of_shared_secret_array, (size_t)32U * sizeof(uint8_t)); 
return lit; } @@ -7207,7 +7197,7 @@ with const generics */ static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_0b_42( void **_) { - return ZERO_d6_ea(); + return ZERO_d6_df(); } /** 
@@ -7220,37 +7210,41 @@ with const generics - K= 3 */ static KRML_MUSTINLINE void deserialize_vector_1b( - Eurydice_slice secret_key, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *secret_as_ntt) { + Eurydice_slice secret_key, Eurydice_slice secret_as_ntt) { KRML_MAYBE_FOR3( i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = - deserialize_to_uncompressed_ring_element_ea(Eurydice_slice_subslice3( + deserialize_to_uncompressed_ring_element_df( + Eurydice_slice_subslice3( secret_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t *)); - secret_as_ntt[i0] = uu____0;); + uint8_t *), + &Eurydice_slice_index( + secret_as_ntt, i0, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *));); } /** This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]> for -libcrux_ml_kem::ind_cpa::deserialize_then_decompress_u::closure[TraitClause@0, TraitClause@1]} +TraitClause@1]> for libcrux_ml_kem::ind_cpa::decrypt_unpacked::closure[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of -libcrux_ml_kem.ind_cpa.deserialize_then_decompress_u.call_mut_35 with types -libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics +A monomorphic instance of libcrux_ml_kem.ind_cpa.decrypt_unpacked.call_mut_68 +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector +with const generics - K= 3 - CIPHERTEXT_SIZE= 1088 +- VECTOR_U_ENCODED_SIZE= 960 - U_COMPRESSION_FACTOR= 10 +- V_COMPRESSION_FACTOR= 4 */ -static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_35_6c( +static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_68_42( void **_) { - return ZERO_d6_ea(); + return ZERO_d6_df(); } /** 
@@ -7259,9 +7253,10 @@ libcrux_ml_kem.serialize.deserialize_then_decompress_ring_element_u with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - COMPRESSION_FACTOR= 10 */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -deserialize_then_decompress_ring_element_u_0a(Eurydice_slice serialized) { - return deserialize_then_decompress_10_ea(serialized); +static KRML_MUSTINLINE void deserialize_then_decompress_ring_element_u_0a( + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *output) { + deserialize_then_decompress_10_df(serialized, output); } /** @@ -7271,16 +7266,17 @@ with const generics - VECTOR_U_COMPRESSION_FACTOR= 10 */ static KRML_MUSTINLINE void ntt_vector_u_0a( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { size_t zeta_i = (size_t)0U; - ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)7U); - ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)6U); - ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)5U); - ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)4U); - ntt_at_layer_3_ea(&zeta_i, re); - ntt_at_layer_2_ea(&zeta_i, re); - ntt_at_layer_1_ea(&zeta_i, re); - poly_barrett_reduce_d6_ea(re); + ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)7U, scratch); + ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)6U, scratch); + ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)5U, scratch); + ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)4U, scratch); + ntt_at_layer_3_df(&zeta_i, re); + ntt_at_layer_2_df(&zeta_i, re); + ntt_at_layer_1_df(&zeta_i, re); + poly_barrett_reduce_d6_df(re); } /** 
@@ -7296,13 +7292,8 @@ with const generics - U_COMPRESSION_FACTOR= 10 */ static KRML_MUSTINLINE void deserialize_then_decompress_u_6c( - uint8_t *ciphertext, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d u_as_ntt[3U]; - KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - u_as_ntt[i] = call_mut_35_6c(&lvalue);); + uint8_t *ciphertext, Eurydice_slice u_as_ntt, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice((size_t)1088U, ciphertext, uint8_t), @@ -7320,12 +7311,17 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_6c( LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U, uint8_t *); - u_as_ntt[i0] = deserialize_then_decompress_ring_element_u_0a(u_bytes); - ntt_vector_u_0a(&u_as_ntt[i0]); + deserialize_then_decompress_ring_element_u_0a( + u_bytes, + &Eurydice_slice_index( + u_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *)); + ntt_vector_u_0a( + &Eurydice_slice_index( + u_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *), + scratch); } - memcpy( - ret, u_as_ntt, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); } /** 
@@ -7335,15 +7331,13 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 - COMPRESSION_FACTOR= 4 */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -deserialize_then_decompress_ring_element_v_89(Eurydice_slice serialized) { - return deserialize_then_decompress_4_ea(serialized); +static KRML_MUSTINLINE void deserialize_then_decompress_ring_element_v_89( + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *output) { + deserialize_then_decompress_4_df(serialized, output); } /** - The following functions compute various expressions involving - vectors and matrices. The computation of these expressions has been - abstracted away into these functions in order to save on loop iterations. Compute v − InverseNTT(sᵀ ◦ NTT(u)) */ /** 
@@ -7352,18 +7346,18 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -compute_message_1b( +static KRML_MUSTINLINE void compute_message_1b( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *v, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *secret_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *u_as_ntt) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = ZERO_d6_ea(); - KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - ntt_multiply_d6_ea(&secret_as_ntt[i0], &u_as_ntt[i0]); - add_to_ring_element_d6_1b(&result, &product);); - invert_ntt_montgomery_1b(&result); - return subtract_reduce_d6_ea(v, result); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *u_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *result, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { + KRML_MAYBE_FOR3( + i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; + ntt_multiply_d6_df(&secret_as_ntt[i0], &u_as_ntt[i0], scratch); + add_to_ring_element_d6_1b(result, scratch);); + invert_ntt_montgomery_1b(result, scratch); + subtract_reduce_d6_df(v, result); } /** 
@@ -7402,19 +7396,29 @@ with const generics */ static KRML_MUSTINLINE void decrypt_unpacked_42( IndCpaPrivateKeyUnpacked_a0 *secret_key, uint8_t *ciphertext, - uint8_t ret[32U]) { + Eurydice_slice decrypted, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d u_as_ntt[3U]; - deserialize_then_decompress_u_6c(ciphertext, u_as_ntt); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d v = - deserialize_then_decompress_ring_element_v_89( - Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, - (size_t)960U, uint8_t, size_t, - uint8_t[])); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d message = - compute_message_1b(&v, secret_key->secret_as_ntt, u_as_ntt); - uint8_t ret0[32U]; - compress_then_serialize_message_ea(message, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + u_as_ntt[i] = call_mut_68_42(&lvalue);); + deserialize_then_decompress_u_6c( + ciphertext, + Eurydice_array_to_slice( + (size_t)3U, u_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + scratch->coefficients); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d v = ZERO_d6_df(); + deserialize_then_decompress_ring_element_v_89( + Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, (size_t)960U, + uint8_t, size_t, uint8_t[]), + &v); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d message = ZERO_d6_df(); + compute_message_1b(&v, secret_key->secret_as_ntt, u_as_ntt, &message, + scratch); + compress_then_serialize_message_df(&message, decrypted, + scratch->coefficients); } /** 
@@ -7427,35 +7431,64 @@ with const generics - U_COMPRESSION_FACTOR= 10 - V_COMPRESSION_FACTOR= 4 */ -static KRML_MUSTINLINE void decrypt_42(Eurydice_slice secret_key, - uint8_t *ciphertext, uint8_t ret[32U]) { +static KRML_MUSTINLINE void decrypt_42( + Eurydice_slice secret_key, uint8_t *ciphertext, Eurydice_slice decrypted, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { IndCpaPrivateKeyUnpacked_a0 secret_key_unpacked; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret0[3U]; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, /* original Rust expression is not an lvalue in C */ void *lvalue = (void *)0U; - ret0[i] = call_mut_0b_42(&lvalue);); + ret[i] = call_mut_0b_42(&lvalue);); memcpy( - secret_key_unpacked.secret_as_ntt, ret0, + secret_key_unpacked.secret_as_ntt, ret, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); - deserialize_vector_1b(secret_key, secret_key_unpacked.secret_as_ntt); - uint8_t ret1[32U]; - decrypt_unpacked_42(&secret_key_unpacked, ciphertext, ret1); - memcpy(ret, ret1, (size_t)32U * sizeof(uint8_t)); + deserialize_vector_1b( + secret_key, Eurydice_array_to_slice( + (size_t)3U, secret_key_unpacked.secret_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); + decrypt_unpacked_42(&secret_key_unpacked, ciphertext, decrypted, scratch); } /** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} +This function found in impl {core::ops::function::FnMut<(usize), +libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@3]> for libcrux_ml_kem::ind_cca::decapsulate::closure[TraitClause@0, +TraitClause@1, TraitClause@2, TraitClause@3, TraitClause@4, TraitClause@5]} */ /** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRF_4a -with const generics +A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate.call_mut_5f 
+with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, +libcrux_ml_kem_hash_functions_portable_PortableHash, +libcrux_ml_kem_variant_MlKem with const generics - K= 3 -- LEN= 32 +- K_SQUARED= 9 +- SECRET_KEY_SIZE= 2400 +- CPA_SECRET_KEY_SIZE= 1152 +- PUBLIC_KEY_SIZE= 1184 +- CIPHERTEXT_SIZE= 1088 +- T_AS_NTT_ENCODED_SIZE= 1152 +- C1_SIZE= 960 +- C2_SIZE= 128 +- VECTOR_U_COMPRESSION_FACTOR= 10 +- VECTOR_V_COMPRESSION_FACTOR= 4 +- C1_BLOCK_SIZE= 320 +- ETA1= 2 +- ETA1_RANDOMNESS_SIZE= 128 +- ETA2= 2 +- ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 +- IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -static inline void PRF_4a_41(Eurydice_slice input, uint8_t ret[32U]) { - PRF_9e(input, ret); +static libcrux_ml_kem_polynomial_PolynomialRingElement_1d call_mut_5f_d7( + void **_) { + return ZERO_d6_df(); } /** @@ -7464,9 +7497,10 @@ static inline void PRF_4a_41(Eurydice_slice input, uint8_t ret[32U]) { /** A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 @@ -7481,9 +7515,11 @@ libcrux_ml_kem_variant_MlKem with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -void libcrux_ml_kem_ind_cca_decapsulate_62( +void libcrux_ml_kem_ind_cca_decapsulate_d7( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { Eurydice_slice_uint8_t_x4 uu____0 = 
@@ -7493,8 +7529,11 @@ void libcrux_ml_kem_ind_cca_decapsulate_62( Eurydice_slice ind_cpa_public_key = uu____0.snd; Eurydice_slice ind_cpa_public_key_hash = uu____0.thd; Eurydice_slice implicit_rejection_value = uu____0.f3; - uint8_t decrypted[32U]; - decrypt_42(ind_cpa_secret_key, ciphertext->value, decrypted); + uint8_t decrypted[32U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d scratch = ZERO_d6_df(); + decrypt_42(ind_cpa_secret_key, ciphertext->value, + Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), + &scratch); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array_24( Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0); @@ -7503,8 +7542,10 @@ void libcrux_ml_kem_ind_cca_decapsulate_62( (size_t)64U, to_hash0, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, size_t, uint8_t[]), ind_cpa_public_key_hash, uint8_t); - uint8_t hashed[64U]; - G_4a_e0(Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed); + uint8_t hashed[64U] = {0U}; + libcrux_ml_kem_hash_functions_portable_G_6e( + Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t)); Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, 
@@ -7518,25 +7559,39 @@ void libcrux_ml_kem_ind_cca_decapsulate_62( uint8_t, size_t, uint8_t[]); Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_d3_80(ciphertext), uint8_t); - uint8_t implicit_rejection_shared_secret0[32U]; - PRF_4a_41(Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t), - implicit_rejection_shared_secret0); - uint8_t expected_ciphertext[1088U]; - encrypt_2a(ind_cpa_public_key, decrypted, pseudorandomness, - expected_ciphertext); - uint8_t implicit_rejection_shared_secret[32U]; - kdf_39_d6(Eurydice_array_to_slice((size_t)32U, - implicit_rejection_shared_secret0, uint8_t), - implicit_rejection_shared_secret); - uint8_t shared_secret[32U]; - kdf_39_d6(shared_secret0, shared_secret); - uint8_t ret0[32U]; + uint8_t implicit_rejection_shared_secret[32U] = {0U}; + PRF_6e_9e(Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t), + Eurydice_array_to_slice((size_t)32U, + implicit_rejection_shared_secret, uint8_t)); + uint8_t expected_ciphertext[1088U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d r_as_ntt[3U]; + KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + r_as_ntt[i] = call_mut_5f_d7(&lvalue);); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_2 = ZERO_d6_df(); + encrypt_28( + ind_cpa_public_key, decrypted, pseudorandomness, + Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t), + Eurydice_array_to_slice( + (size_t)3U, r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + &error_2, &scratch); + uint8_t implicit_rejection_shared_secret_kdf[32U] = {0U}; + kdf_39_1f(Eurydice_array_to_slice((size_t)32U, + implicit_rejection_shared_secret, uint8_t), + Eurydice_array_to_slice( + (size_t)32U, implicit_rejection_shared_secret_kdf, uint8_t)); + uint8_t shared_secret_kdf[32U] = {0U}; + kdf_39_1f(shared_secret0, + Eurydice_array_to_slice((size_t)32U, shared_secret_kdf, uint8_t)); + uint8_t 
shared_secret[32U] = {0U}; libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( libcrux_ml_kem_types_as_ref_d3_80(ciphertext), Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t), - Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t), - Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, + Eurydice_array_to_slice((size_t)32U, shared_secret_kdf, uint8_t), + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret_kdf, uint8_t), - ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t)); + memcpy(ret, shared_secret, (size_t)32U * sizeof(uint8_t)); } diff --git a/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem_portable.h b/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem_portable.h index 2071d0259..2b3d83018 100644 --- a/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem_portable.h +++ b/libcrux-ml-kem/extracts/c/generated/libcrux_mlkem_portable.h @@ -7,8 +7,8 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ #ifndef libcrux_mlkem_portable_H 
@@ -20,11 +20,79 @@ extern "C" { #endif +#include "libcrux_sha3_portable.h" + void libcrux_ml_kem_hash_functions_portable_G(Eurydice_slice input, - uint8_t ret[64U]); + Eurydice_slice output); void libcrux_ml_kem_hash_functions_portable_H(Eurydice_slice input, - uint8_t ret[32U]); + Eurydice_slice output); + +void libcrux_ml_kem_hash_functions_portable_PRFxN(Eurydice_slice input, + Eurydice_slice outputs, + size_t out_len); + +typedef struct libcrux_ml_kem_hash_functions_portable_PortableHash_s { + libcrux_sha3_generic_keccak_KeccakState_17 shake128_state[4U]; +} libcrux_ml_kem_hash_functions_portable_PortableHash; + +libcrux_ml_kem_hash_functions_portable_PortableHash +libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final( + Eurydice_slice input); + +void libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks( + libcrux_ml_kem_hash_functions_portable_PortableHash *st, + Eurydice_slice outputs); + +void libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block( + libcrux_ml_kem_hash_functions_portable_PortableHash *st, + Eurydice_slice outputs); + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} +*/ +void libcrux_ml_kem_hash_functions_portable_G_6e(Eurydice_slice input, + Eurydice_slice output); + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} +*/ +void libcrux_ml_kem_hash_functions_portable_H_6e(Eurydice_slice input, + Eurydice_slice output); + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} +*/ +void libcrux_ml_kem_hash_functions_portable_PRFxN_6e(Eurydice_slice input, + Eurydice_slice outputs, + size_t out_len); + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} +*/ 
+libcrux_ml_kem_hash_functions_portable_PortableHash +libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_6e( + Eurydice_slice input); + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} +*/ +void libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_6e( + libcrux_ml_kem_hash_functions_portable_PortableHash *self, + Eurydice_slice output); + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} +*/ +void libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_6e( + libcrux_ml_kem_hash_functions_portable_PortableHash *self, + Eurydice_slice output); #define LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR ((size_t)16U) 
@@ -45,37 +113,41 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector} libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_ZERO_b8(void); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_vector_type_from_i16_array(Eurydice_slice array); +void libcrux_ml_kem_vector_portable_vector_type_from_i16_array( + Eurydice_slice array, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_from_i16_array_b8(Eurydice_slice array); +void libcrux_ml_kem_vector_portable_from_i16_array_b8( + Eurydice_slice array, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out); void libcrux_ml_kem_vector_portable_vector_type_to_i16_array( - libcrux_ml_kem_vector_portable_vector_type_PortableVector x, - int16_t ret[16U]); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *x, + Eurydice_slice out); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ void libcrux_ml_kem_vector_portable_to_i16_array_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector x, - int16_t ret[16U]); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *x, + Eurydice_slice out); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_vector_type_from_bytes(Eurydice_slice array); +void libcrux_ml_kem_vector_portable_vector_type_from_bytes( + Eurydice_slice array, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ 
-libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_from_bytes_b8(Eurydice_slice array); +void libcrux_ml_kem_vector_portable_from_bytes_b8( + Eurydice_slice array, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out); void libcrux_ml_kem_vector_portable_vector_type_to_bytes( libcrux_ml_kem_vector_portable_vector_type_PortableVector x, 
@@ -89,61 +161,73 @@ void libcrux_ml_kem_vector_portable_to_bytes_b8( libcrux_ml_kem_vector_portable_vector_type_PortableVector x, Eurydice_slice bytes); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_arithmetic_add( - libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs, +void libcrux_ml_kem_vector_portable_arithmetic_add( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs, libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_add_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs, +void libcrux_ml_kem_vector_portable_add_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs, libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_arithmetic_sub( - libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs, +void libcrux_ml_kem_vector_portable_arithmetic_sub( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs, libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_sub_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs, +void libcrux_ml_kem_vector_portable_sub_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs, libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant( - 
libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c); +void libcrux_ml_kem_vector_portable_arithmetic_negate( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_multiply_by_constant_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c); +void libcrux_ml_kem_vector_portable_negate_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec); + +void libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t c); + +/** +This function found in impl {libcrux_ml_kem::vector::traits::Operations for +libcrux_ml_kem::vector::portable::vector_type::PortableVector} +*/ +void libcrux_ml_kem_vector_portable_multiply_by_constant_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t c); + +void libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t c); + +/** +This function found in impl {libcrux_ml_kem::vector::traits::Operations for +libcrux_ml_kem::vector::portable::vector_type::PortableVector} +*/ +void libcrux_ml_kem_vector_portable_bitwise_and_with_constant_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t c); /** Note: This function is not secret independent Only use with public values. 
*/ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_arithmetic_cond_subtract_3329( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec); +void libcrux_ml_kem_vector_portable_arithmetic_cond_subtract_3329( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_cond_subtract_3329_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v); +void libcrux_ml_kem_vector_portable_cond_subtract_3329_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec); #define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_MULTIPLIER \ ((int32_t)20159) @@ -173,17 +257,15 @@ libcrux_ml_kem_vector_portable_cond_subtract_3329_b8( int16_t libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( int16_t value); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec); +void libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_barrett_reduce_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vector); +void libcrux_ml_kem_vector_portable_barrett_reduce_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec); #define LIBCRUX_ML_KEM_VECTOR_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R \ (62209U) 
@@ -223,22 +305,23 @@ int16_t libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element( int16_t libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( int16_t fe, int16_t fer); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_by_constant( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c); +void libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_by_constant( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t c); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vector, - int16_t constant); +void libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t r); +/** +This function found in impl {core::clone::Clone for +libcrux_ml_kem::vector::portable::vector_type::PortableVector} +*/ libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c); +libcrux_ml_kem_vector_portable_vector_type_clone_9c( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *self); libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_arithmetic_to_unsigned_representative( 
@@ -277,17 +360,15 @@ libcrux_ml_kem_vector_portable_to_unsigned_representative_b8( uint8_t libcrux_ml_kem_vector_portable_compress_compress_message_coefficient( uint16_t fe); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_compress_compress_1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a); +void libcrux_ml_kem_vector_portable_compress_compress_1( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_compress_1_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a); +void libcrux_ml_kem_vector_portable_compress_1_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a); uint32_t libcrux_ml_kem_vector_portable_arithmetic_get_n_least_significant_bits( uint8_t n, uint32_t value); 
@@ -311,91 +392,79 @@ void libcrux_ml_kem_vector_portable_ntt_ntt_step( libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t zeta, size_t i, size_t j); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_ntt_layer_1_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, +void libcrux_ml_kem_vector_portable_ntt_ntt_layer_1_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_layer_1_step_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0, +void libcrux_ml_kem_vector_portable_ntt_layer_1_step_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_ntt_layer_2_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, +void libcrux_ml_kem_vector_portable_ntt_ntt_layer_2_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t zeta0, int16_t zeta1); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_layer_2_step_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0, +void libcrux_ml_kem_vector_portable_ntt_layer_2_step_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, int16_t zeta0, int16_t zeta1); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_ntt_layer_3_step( - 
libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, +void libcrux_ml_kem_vector_portable_ntt_ntt_layer_3_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t zeta); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_layer_3_step_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta); +void libcrux_ml_kem_vector_portable_ntt_layer_3_step_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, int16_t zeta); void libcrux_ml_kem_vector_portable_ntt_inv_ntt_step( libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t zeta, size_t i, size_t j); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_1_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, +void libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_1_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0, +void libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_2_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, +void libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_2_step( + 
libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t zeta0, int16_t zeta1); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0, +void libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, int16_t zeta0, int16_t zeta1); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_3_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, +void libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_3_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t zeta); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta); +void libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, int16_t zeta); /** Compute the product of two Kyber binomials with respect to the 
@@ -424,50 +493,53 @@ void libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( libcrux_ml_kem_vector_portable_vector_type_PortableVector *b, int16_t zeta, size_t i, libcrux_ml_kem_vector_portable_vector_type_PortableVector *out); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_ntt_multiply( +void libcrux_ml_kem_vector_portable_ntt_ntt_multiply( libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs, libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_multiply_b8( +void libcrux_ml_kem_vector_portable_ntt_multiply_b8( libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs, libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3); void libcrux_ml_kem_vector_portable_serialize_serialize_1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v, - uint8_t ret[2U]); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, + Eurydice_slice out); void libcrux_ml_kem_vector_portable_serialize_1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[2U]); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ void libcrux_ml_kem_vector_portable_serialize_1_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[2U]); + 
libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_serialize_deserialize_1(Eurydice_slice v); +void libcrux_ml_kem_vector_portable_serialize_deserialize_1( + Eurydice_slice v, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_1(Eurydice_slice a); +void libcrux_ml_kem_vector_portable_deserialize_1( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_1_b8(Eurydice_slice a); +void libcrux_ml_kem_vector_portable_deserialize_1_b8( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out); typedef struct uint8_t_x4_s { uint8_t fst; 
@@ -480,20 +552,20 @@ uint8_t_x4 libcrux_ml_kem_vector_portable_serialize_serialize_4_int( Eurydice_slice v); void libcrux_ml_kem_vector_portable_serialize_serialize_4( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v, - uint8_t ret[8U]); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, + Eurydice_slice out); void libcrux_ml_kem_vector_portable_serialize_4( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[8U]); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ void libcrux_ml_kem_vector_portable_serialize_4_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[8U]); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out); typedef struct int16_t_x8_s { int16_t fst; 
@@ -509,18 +581,21 @@ typedef struct int16_t_x8_s { int16_t_x8 libcrux_ml_kem_vector_portable_serialize_deserialize_4_int( Eurydice_slice bytes); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_serialize_deserialize_4(Eurydice_slice bytes); +void libcrux_ml_kem_vector_portable_serialize_deserialize_4( + Eurydice_slice bytes, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_4(Eurydice_slice a); +void libcrux_ml_kem_vector_portable_deserialize_4( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_4_b8(Eurydice_slice a); +void libcrux_ml_kem_vector_portable_deserialize_4_b8( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out); typedef struct uint8_t_x5_s { uint8_t fst; 
@@ -534,71 +609,77 @@ uint8_t_x5 libcrux_ml_kem_vector_portable_serialize_serialize_5_int( Eurydice_slice v); void libcrux_ml_kem_vector_portable_serialize_serialize_5( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v, - uint8_t ret[10U]); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, + Eurydice_slice out); void libcrux_ml_kem_vector_portable_serialize_5( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[10U]); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ void libcrux_ml_kem_vector_portable_serialize_5_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[10U]); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out); int16_t_x8 libcrux_ml_kem_vector_portable_serialize_deserialize_5_int( Eurydice_slice bytes); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_serialize_deserialize_5(Eurydice_slice bytes); +void libcrux_ml_kem_vector_portable_serialize_deserialize_5( + Eurydice_slice bytes, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_5(Eurydice_slice a); +void libcrux_ml_kem_vector_portable_deserialize_5( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_5_b8(Eurydice_slice a); +void libcrux_ml_kem_vector_portable_deserialize_5_b8( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out); 
uint8_t_x5 libcrux_ml_kem_vector_portable_serialize_serialize_10_int( Eurydice_slice v); void libcrux_ml_kem_vector_portable_serialize_serialize_10( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v, - uint8_t ret[20U]); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, + Eurydice_slice out); void libcrux_ml_kem_vector_portable_serialize_10( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[20U]); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ void libcrux_ml_kem_vector_portable_serialize_10_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[20U]); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out); int16_t_x8 libcrux_ml_kem_vector_portable_serialize_deserialize_10_int( Eurydice_slice bytes); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_serialize_deserialize_10(Eurydice_slice bytes); +void libcrux_ml_kem_vector_portable_serialize_deserialize_10( + Eurydice_slice bytes, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_10(Eurydice_slice a); +void libcrux_ml_kem_vector_portable_deserialize_10( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_10_b8(Eurydice_slice a); +void libcrux_ml_kem_vector_portable_deserialize_10_b8( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out); typedef struct 
uint8_t_x11_s { uint8_t fst; 
@@ -618,36 +699,39 @@ uint8_t_x11 libcrux_ml_kem_vector_portable_serialize_serialize_11_int( Eurydice_slice v); void libcrux_ml_kem_vector_portable_serialize_serialize_11( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v, - uint8_t ret[22U]); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, + Eurydice_slice out); void libcrux_ml_kem_vector_portable_serialize_11( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[22U]); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ void libcrux_ml_kem_vector_portable_serialize_11_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[22U]); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out); int16_t_x8 libcrux_ml_kem_vector_portable_serialize_deserialize_11_int( Eurydice_slice bytes); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_serialize_deserialize_11(Eurydice_slice bytes); +void libcrux_ml_kem_vector_portable_serialize_deserialize_11( + Eurydice_slice bytes, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_11(Eurydice_slice a); +void libcrux_ml_kem_vector_portable_deserialize_11( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_11_b8(Eurydice_slice a); +void libcrux_ml_kem_vector_portable_deserialize_11_b8( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector 
*out); typedef struct uint8_t_x3_s { uint8_t fst; @@ -659,20 +743,20 @@ uint8_t_x3 libcrux_ml_kem_vector_portable_serialize_serialize_12_int( Eurydice_slice v); void libcrux_ml_kem_vector_portable_serialize_serialize_12( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v, - uint8_t ret[24U]); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, + Eurydice_slice out); void libcrux_ml_kem_vector_portable_serialize_12( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[24U]); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ void libcrux_ml_kem_vector_portable_serialize_12_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[24U]); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out); typedef struct int16_t_x2_s { int16_t fst; 
@@ -682,18 +766,21 @@ typedef struct int16_t_x2_s { int16_t_x2 libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( Eurydice_slice bytes); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_serialize_deserialize_12(Eurydice_slice bytes); +void libcrux_ml_kem_vector_portable_serialize_deserialize_12( + Eurydice_slice bytes, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out); -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_12(Eurydice_slice a); +void libcrux_ml_kem_vector_portable_deserialize_12( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out); /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_12_b8(Eurydice_slice a); +void libcrux_ml_kem_vector_portable_deserialize_12_b8( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out); size_t libcrux_ml_kem_vector_portable_sampling_rej_sample( Eurydice_slice a, Eurydice_slice result); @@ -705,14 +792,6 @@ libcrux_ml_kem::vector::portable::vector_type::PortableVector} size_t libcrux_ml_kem_vector_portable_rej_sample_b8(Eurydice_slice a, Eurydice_slice out); -/** -This function found in impl {core::clone::Clone for -libcrux_ml_kem::vector::portable::vector_type::PortableVector} -*/ -libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_vector_type_clone_9c( - libcrux_ml_kem_vector_portable_vector_type_PortableVector *self); - #if defined(__cplusplus) } #endif diff --git a/libcrux-ml-kem/extracts/c/generated/libcrux_sha3_internal.h b/libcrux-ml-kem/extracts/c/generated/libcrux_sha3_internal.h index 3e556d719..2328f54cb 100644 --- a/libcrux-ml-kem/extracts/c/generated/libcrux_sha3_internal.h 
+++ b/libcrux-ml-kem/extracts/c/generated/libcrux_sha3_internal.h @@ -7,8 +7,8 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ #ifndef libcrux_sha3_internal_H diff --git a/libcrux-ml-kem/extracts/c/generated/libcrux_sha3_portable.c b/libcrux-ml-kem/extracts/c/generated/libcrux_sha3_portable.c index e0f301511..bc2434a63 100644 --- a/libcrux-ml-kem/extracts/c/generated/libcrux_sha3_portable.c +++ b/libcrux-ml-kem/extracts/c/generated/libcrux_sha3_portable.c @@ -7,8 +7,8 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ #include "libcrux_sha3_portable.h" diff --git a/libcrux-ml-kem/extracts/c/generated/libcrux_sha3_portable.h b/libcrux-ml-kem/extracts/c/generated/libcrux_sha3_portable.h index a48fdaca2..9ef70d17c 100644 --- a/libcrux-ml-kem/extracts/c/generated/libcrux_sha3_portable.h +++ b/libcrux-ml-kem/extracts/c/generated/libcrux_sha3_portable.h @@ -7,8 +7,8 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ #ifndef libcrux_sha3_portable_H diff --git a/libcrux-ml-kem/extracts/c_header_only/generated/code_gen.txt b/libcrux-ml-kem/extracts/c_header_only/generated/code_gen.txt index a689f6d37..575a786c5 100644 
--- a/libcrux-ml-kem/extracts/c_header_only/generated/code_gen.txt +++ b/libcrux-ml-kem/extracts/c_header_only/generated/code_gen.txt @@ -2,5 +2,5 @@ This code was generated with the following revisions: Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b -F*: 71d8221589d4d438af3706d89cb653cf53e18aab -Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc +F*: unset +Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b diff --git a/libcrux-ml-kem/extracts/c_header_only/generated/header.txt b/libcrux-ml-kem/extracts/c_header_only/generated/header.txt index 55b8d4049..b880e3f6c 100644 --- a/libcrux-ml-kem/extracts/c_header_only/generated/header.txt +++ b/libcrux-ml-kem/extracts/c_header_only/generated/header.txt @@ -7,6 +7,6 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ diff --git a/libcrux-ml-kem/extracts/c_header_only/generated/libcrux_ct_ops.h b/libcrux-ml-kem/extracts/c_header_only/generated/libcrux_ct_ops.h index e7edb4ed0..999608f09 100644 --- a/libcrux-ml-kem/extracts/c_header_only/generated/libcrux_ct_ops.h +++ b/libcrux-ml-kem/extracts/c_header_only/generated/libcrux_ct_ops.h @@ -7,8 +7,8 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ #ifndef libcrux_ct_ops_H 
@@ -67,41 +67,36 @@ libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( */ static KRML_NOINLINE void libcrux_ml_kem_constant_time_ops_select_ct( Eurydice_slice lhs, Eurydice_slice rhs, uint8_t selector, - uint8_t ret[32U]) { + Eurydice_slice out) { uint8_t mask = core_num__u8__wrapping_sub( libcrux_ml_kem_constant_time_ops_is_non_zero(selector), 1U); - uint8_t out[32U] = {0U}; - for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE; - i++) { + for (size_t i = (size_t)0U; i < Eurydice_slice_len(lhs, uint8_t); i++) { size_t i0 = i; uint8_t outi = ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *) & (uint32_t)mask) | ((uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *) & (uint32_t)~mask); - out[i0] = outi; + Eurydice_slice_index(out, i0, uint8_t, uint8_t *) = outi; } - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } static KRML_NOINLINE void libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( Eurydice_slice lhs, Eurydice_slice rhs, uint8_t selector, - uint8_t ret[32U]) { - libcrux_ml_kem_constant_time_ops_select_ct(lhs, rhs, selector, ret); + Eurydice_slice out) { + libcrux_ml_kem_constant_time_ops_select_ct(lhs, rhs, selector, out); } static KRML_NOINLINE void libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( Eurydice_slice lhs_c, Eurydice_slice rhs_c, Eurydice_slice lhs_s, - Eurydice_slice rhs_s, uint8_t ret[32U]) { + Eurydice_slice rhs_s, Eurydice_slice out) { uint8_t selector = libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( lhs_c, rhs_c); - uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( - lhs_s, rhs_s, selector, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + lhs_s, rhs_s, selector, out); } #if defined(__cplusplus) 
diff --git a/libcrux-ml-kem/extracts/c_header_only/generated/libcrux_mlkem768_avx2.h b/libcrux-ml-kem/extracts/c_header_only/generated/libcrux_mlkem768_avx2.h index 908c2489a..09606bcfc 100644 --- a/libcrux-ml-kem/extracts/c_header_only/generated/libcrux_mlkem768_avx2.h +++ b/libcrux-ml-kem/extracts/c_header_only/generated/libcrux_mlkem768_avx2.h @@ -7,8 +7,8 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ #ifndef libcrux_mlkem768_avx2_H 
@@ -29,20 +29,451 @@ extern "C" { KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_G( - Eurydice_slice input, uint8_t ret[64U]) { - uint8_t digest[64U] = {0U}; - libcrux_sha3_portable_sha512( - Eurydice_array_to_slice((size_t)64U, digest, uint8_t), input); - memcpy(ret, digest, (size_t)64U * sizeof(uint8_t)); + Eurydice_slice input, Eurydice_slice output) { + libcrux_sha3_portable_sha512(output, input); } KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_H( - Eurydice_slice input, uint8_t ret[32U]) { - uint8_t digest[32U] = {0U}; - libcrux_sha3_portable_sha256( - Eurydice_array_to_slice((size_t)32U, digest, uint8_t), input); - memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); + Eurydice_slice input, Eurydice_slice output) { + libcrux_sha3_portable_sha256(output, input); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_PRFxN( + Eurydice_slice input, Eurydice_slice outputs, size_t out_len) { + uint8_t dummy0[192U] = {0U}; + uint8_t dummy1[192U] = {0U}; + switch ((uint8_t)Eurydice_slice_len(input, uint8_t[33U])) { + case 2U: { + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at_mut( + outputs, out_len, uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice out0 = uu____0.fst; + Eurydice_slice out1 = uu____0.snd; + Eurydice_slice uu____1 = Eurydice_array_to_slice( + (size_t)33U, + Eurydice_slice_index(input, (size_t)0U, uint8_t[33U], + uint8_t(*)[33U]), + uint8_t); + Eurydice_slice uu____2 = Eurydice_array_to_slice( + (size_t)33U, + Eurydice_slice_index(input, (size_t)1U, uint8_t[33U], + uint8_t(*)[33U]), + uint8_t); + Eurydice_slice uu____3 = Eurydice_array_to_slice( + (size_t)33U, + Eurydice_slice_index(input, (size_t)0U, uint8_t[33U], + uint8_t(*)[33U]), + uint8_t); + Eurydice_slice uu____4 = Eurydice_array_to_slice( + (size_t)33U, + Eurydice_slice_index(input, (size_t)0U, uint8_t[33U], + uint8_t(*)[33U]), + uint8_t); + 
Eurydice_slice uu____5 = out0; + Eurydice_slice uu____6 = out1; + Eurydice_slice uu____7 = Eurydice_array_to_subslice_to( + (size_t)192U, dummy0, out_len, uint8_t, size_t, uint8_t[]); + libcrux_sha3_avx2_x4_shake256( + uu____1, uu____2, uu____3, uu____4, uu____5, uu____6, uu____7, + Eurydice_array_to_subslice_to((size_t)192U, dummy1, out_len, uint8_t, + size_t, uint8_t[])); + break; + } + case 3U: { + Eurydice_slice_uint8_t_x2 uu____8 = Eurydice_slice_split_at_mut( + outputs, out_len, uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice out0 = uu____8.fst; + Eurydice_slice rest = uu____8.snd; + Eurydice_slice_uint8_t_x2 uu____9 = Eurydice_slice_split_at_mut( + rest, out_len, uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice out1 = uu____9.fst; + Eurydice_slice out2 = uu____9.snd; + Eurydice_slice uu____10 = Eurydice_array_to_slice( + (size_t)33U, + Eurydice_slice_index(input, (size_t)0U, uint8_t[33U], + uint8_t(*)[33U]), + uint8_t); + Eurydice_slice uu____11 = Eurydice_array_to_slice( + (size_t)33U, + Eurydice_slice_index(input, (size_t)1U, uint8_t[33U], + uint8_t(*)[33U]), + uint8_t); + Eurydice_slice uu____12 = Eurydice_array_to_slice( + (size_t)33U, + Eurydice_slice_index(input, (size_t)2U, uint8_t[33U], + uint8_t(*)[33U]), + uint8_t); + Eurydice_slice uu____13 = Eurydice_array_to_slice( + (size_t)33U, + Eurydice_slice_index(input, (size_t)0U, uint8_t[33U], + uint8_t(*)[33U]), + uint8_t); + Eurydice_slice uu____14 = out0; + Eurydice_slice uu____15 = out1; + Eurydice_slice uu____16 = out2; + libcrux_sha3_avx2_x4_shake256( + uu____10, uu____11, uu____12, uu____13, uu____14, uu____15, uu____16, + Eurydice_array_to_subslice_to((size_t)192U, dummy1, out_len, uint8_t, + size_t, uint8_t[])); + break; + } + case 4U: { + Eurydice_slice_uint8_t_x2 uu____17 = Eurydice_slice_split_at_mut( + outputs, out_len, uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice out0 = uu____17.fst; + Eurydice_slice rest0 = uu____17.snd; + Eurydice_slice_uint8_t_x2 uu____18 = 
Eurydice_slice_split_at_mut( + rest0, out_len, uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice out1 = uu____18.fst; + Eurydice_slice rest = uu____18.snd; + Eurydice_slice_uint8_t_x2 uu____19 = Eurydice_slice_split_at_mut( + rest, out_len, uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice out2 = uu____19.fst; + Eurydice_slice out3 = uu____19.snd; + libcrux_sha3_avx2_x4_shake256( + Eurydice_array_to_slice( + (size_t)33U, + Eurydice_slice_index(input, (size_t)0U, uint8_t[33U], + uint8_t(*)[33U]), + uint8_t), + Eurydice_array_to_slice( + (size_t)33U, + Eurydice_slice_index(input, (size_t)1U, uint8_t[33U], + uint8_t(*)[33U]), + uint8_t), + Eurydice_array_to_slice( + (size_t)33U, + Eurydice_slice_index(input, (size_t)2U, uint8_t[33U], + uint8_t(*)[33U]), + uint8_t), + Eurydice_array_to_slice( + (size_t)33U, + Eurydice_slice_index(input, (size_t)3U, uint8_t[33U], + uint8_t(*)[33U]), + uint8_t), + out0, out1, out2, out3); + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); + } + } +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_55 +libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_final( + Eurydice_slice input) { + libcrux_sha3_generic_keccak_KeccakState_55 state = + libcrux_sha3_avx2_x4_incremental_init(); + switch ((uint8_t)Eurydice_slice_len(input, uint8_t[34U])) { + case 2U: { + libcrux_sha3_avx2_x4_incremental_shake128_absorb_final( + &state, + Eurydice_array_to_slice( + (size_t)34U, + Eurydice_slice_index(input, (size_t)0U, uint8_t[34U], + uint8_t(*)[34U]), + uint8_t), + Eurydice_array_to_slice( + (size_t)34U, + Eurydice_slice_index(input, (size_t)1U, uint8_t[34U], + uint8_t(*)[34U]), + uint8_t), + Eurydice_array_to_slice( + (size_t)34U, + Eurydice_slice_index(input, (size_t)0U, uint8_t[34U], + uint8_t(*)[34U]), + uint8_t), + Eurydice_array_to_slice( + (size_t)34U, + Eurydice_slice_index(input, (size_t)0U, 
uint8_t[34U], + uint8_t(*)[34U]), + uint8_t)); + break; + } + case 3U: { + libcrux_sha3_avx2_x4_incremental_shake128_absorb_final( + &state, + Eurydice_array_to_slice( + (size_t)34U, + Eurydice_slice_index(input, (size_t)0U, uint8_t[34U], + uint8_t(*)[34U]), + uint8_t), + Eurydice_array_to_slice( + (size_t)34U, + Eurydice_slice_index(input, (size_t)1U, uint8_t[34U], + uint8_t(*)[34U]), + uint8_t), + Eurydice_array_to_slice( + (size_t)34U, + Eurydice_slice_index(input, (size_t)2U, uint8_t[34U], + uint8_t(*)[34U]), + uint8_t), + Eurydice_array_to_slice( + (size_t)34U, + Eurydice_slice_index(input, (size_t)0U, uint8_t[34U], + uint8_t(*)[34U]), + uint8_t)); + break; + } + case 4U: { + libcrux_sha3_avx2_x4_incremental_shake128_absorb_final( + &state, + Eurydice_array_to_slice( + (size_t)34U, + Eurydice_slice_index(input, (size_t)0U, uint8_t[34U], + uint8_t(*)[34U]), + uint8_t), + Eurydice_array_to_slice( + (size_t)34U, + Eurydice_slice_index(input, (size_t)1U, uint8_t[34U], + uint8_t(*)[34U]), + uint8_t), + Eurydice_array_to_slice( + (size_t)34U, + Eurydice_slice_index(input, (size_t)2U, uint8_t[34U], + uint8_t(*)[34U]), + uint8_t), + Eurydice_array_to_slice( + (size_t)34U, + Eurydice_slice_index(input, (size_t)3U, uint8_t[34U], + uint8_t(*)[34U]), + uint8_t)); + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); + } + } + return state; +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_first_three_blocks( + libcrux_sha3_generic_keccak_KeccakState_55 *st, Eurydice_slice outputs) { + uint8_t out0[504U] = {0U}; + uint8_t out1[504U] = {0U}; + uint8_t out2[504U] = {0U}; + uint8_t out3[504U] = {0U}; + libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks( + st, Eurydice_array_to_slice((size_t)504U, out0, uint8_t), + Eurydice_array_to_slice((size_t)504U, out1, uint8_t), + Eurydice_array_to_slice((size_t)504U, out2, 
uint8_t), + Eurydice_array_to_slice((size_t)504U, out3, uint8_t)); + switch ((uint8_t)Eurydice_slice_len(outputs, uint8_t[504U])) { + case 2U: { + uint8_t uu____0[504U]; + memcpy(uu____0, out0, (size_t)504U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)0U, uint8_t[504U], + uint8_t(*)[504U]), + uu____0, (size_t)504U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out1[504U]; + memcpy(copy_of_out1, out1, (size_t)504U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)1U, uint8_t[504U], + uint8_t(*)[504U]), + copy_of_out1, (size_t)504U * sizeof(uint8_t)); + break; + } + case 3U: { + uint8_t uu____2[504U]; + memcpy(uu____2, out0, (size_t)504U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)0U, uint8_t[504U], + uint8_t(*)[504U]), + uu____2, (size_t)504U * sizeof(uint8_t)); + uint8_t uu____3[504U]; + memcpy(uu____3, out1, (size_t)504U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)1U, uint8_t[504U], + uint8_t(*)[504U]), + uu____3, (size_t)504U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out2[504U]; + memcpy(copy_of_out2, out2, (size_t)504U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)2U, uint8_t[504U], + uint8_t(*)[504U]), + copy_of_out2, (size_t)504U * sizeof(uint8_t)); + break; + } + case 4U: { + uint8_t uu____5[504U]; + memcpy(uu____5, out0, (size_t)504U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)0U, uint8_t[504U], + uint8_t(*)[504U]), + uu____5, (size_t)504U * sizeof(uint8_t)); + uint8_t uu____6[504U]; + memcpy(uu____6, out1, (size_t)504U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)1U, uint8_t[504U], + uint8_t(*)[504U]), + uu____6, (size_t)504U * sizeof(uint8_t)); + uint8_t uu____7[504U]; + memcpy(uu____7, out2, (size_t)504U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)2U, uint8_t[504U], + 
uint8_t(*)[504U]), + uu____7, (size_t)504U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out3[504U]; + memcpy(copy_of_out3, out3, (size_t)504U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)3U, uint8_t[504U], + uint8_t(*)[504U]), + copy_of_out3, (size_t)504U * sizeof(uint8_t)); + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); + } + } +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_next_block( + libcrux_sha3_generic_keccak_KeccakState_55 *st, Eurydice_slice outputs) { + uint8_t out0[168U] = {0U}; + uint8_t out1[168U] = {0U}; + uint8_t out2[168U] = {0U}; + uint8_t out3[168U] = {0U}; + libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block( + st, Eurydice_array_to_slice((size_t)168U, out0, uint8_t), + Eurydice_array_to_slice((size_t)168U, out1, uint8_t), + Eurydice_array_to_slice((size_t)168U, out2, uint8_t), + Eurydice_array_to_slice((size_t)168U, out3, uint8_t)); + switch ((uint8_t)Eurydice_slice_len(outputs, uint8_t[168U])) { + case 2U: { + uint8_t uu____0[168U]; + memcpy(uu____0, out0, (size_t)168U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)0U, uint8_t[168U], + uint8_t(*)[168U]), + uu____0, (size_t)168U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out1[168U]; + memcpy(copy_of_out1, out1, (size_t)168U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)1U, uint8_t[168U], + uint8_t(*)[168U]), + copy_of_out1, (size_t)168U * sizeof(uint8_t)); + break; + } + case 3U: { + uint8_t uu____2[168U]; + memcpy(uu____2, out0, (size_t)168U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)0U, uint8_t[168U], + uint8_t(*)[168U]), + uu____2, (size_t)168U * sizeof(uint8_t)); + uint8_t uu____3[168U]; + memcpy(uu____3, out1, (size_t)168U * 
sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)1U, uint8_t[168U], + uint8_t(*)[168U]), + uu____3, (size_t)168U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out2[168U]; + memcpy(copy_of_out2, out2, (size_t)168U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)2U, uint8_t[168U], + uint8_t(*)[168U]), + copy_of_out2, (size_t)168U * sizeof(uint8_t)); + break; + } + case 4U: { + uint8_t uu____5[168U]; + memcpy(uu____5, out0, (size_t)168U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)0U, uint8_t[168U], + uint8_t(*)[168U]), + uu____5, (size_t)168U * sizeof(uint8_t)); + uint8_t uu____6[168U]; + memcpy(uu____6, out1, (size_t)168U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)1U, uint8_t[168U], + uint8_t(*)[168U]), + uu____6, (size_t)168U * sizeof(uint8_t)); + uint8_t uu____7[168U]; + memcpy(uu____7, out2, (size_t)168U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)2U, uint8_t[168U], + uint8_t(*)[168U]), + uu____7, (size_t)168U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out3[168U]; + memcpy(copy_of_out3, out3, (size_t)168U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)3U, uint8_t[168U], + uint8_t(*)[168U]), + copy_of_out3, (size_t)168U * sizeof(uint8_t)); + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); + } + } +} + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::avx2::Simd256Hash} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_G_26( + Eurydice_slice input, Eurydice_slice output) { + libcrux_ml_kem_hash_functions_avx2_G(input, output); +} + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for 
+libcrux_ml_kem::hash_functions::avx2::Simd256Hash} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_H_26( + Eurydice_slice input, Eurydice_slice output) { + libcrux_ml_kem_hash_functions_avx2_H(input, output); +} + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::avx2::Simd256Hash} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_PRFxN_26( + Eurydice_slice input, Eurydice_slice outputs, size_t out_len) { + libcrux_ml_kem_hash_functions_avx2_PRFxN(input, outputs, out_len); +} + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::avx2::Simd256Hash} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_55 +libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_final_26( + Eurydice_slice input) { + return libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_final(input); +} + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::avx2::Simd256Hash} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_first_three_blocks_26( + libcrux_sha3_generic_keccak_KeccakState_55 *self, Eurydice_slice outputs) { + libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_first_three_blocks( + self, outputs); +} + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::avx2::Simd256Hash} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_next_block_26( + libcrux_sha3_generic_keccak_KeccakState_55 *self, Eurydice_slice outputs) { + libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_next_block(self, outputs); } KRML_ATTRIBUTE_TARGET("avx2") 
@@ -60,9 +491,9 @@ static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ZERO_f5(void) { } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_vec_from_i16_array(Eurydice_slice array) { - return libcrux_intrinsics_avx2_mm256_loadu_si256_i16(array); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_vec_from_i16_array( + Eurydice_slice array, __m256i *out) { + out[0U] = libcrux_intrinsics_avx2_mm256_loadu_si256_i16(array); } /** @@ -70,15 +501,15 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_from_i16_array_f5(Eurydice_slice array) { - return libcrux_ml_kem_vector_avx2_vec_from_i16_array(array); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_from_i16_array_f5( + Eurydice_slice array, __m256i *out) { + libcrux_ml_kem_vector_avx2_vec_from_i16_array(array, out); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_arithmetic_add(__m256i lhs, __m256i rhs) { - return libcrux_intrinsics_avx2_mm256_add_epi16(lhs, rhs); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_arithmetic_add( + __m256i *lhs, __m256i *rhs) { + lhs[0U] = libcrux_intrinsics_avx2_mm256_add_epi16(lhs[0U], rhs[0U]); } /** 
@@ -86,15 +517,15 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_add_f5(__m256i lhs, - __m256i *rhs) { - return libcrux_ml_kem_vector_avx2_arithmetic_add(lhs, rhs[0U]); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_add_f5(__m256i *lhs, + __m256i *rhs) { + libcrux_ml_kem_vector_avx2_arithmetic_add(lhs, rhs); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_arithmetic_sub(__m256i lhs, __m256i rhs) { - return libcrux_intrinsics_avx2_mm256_sub_epi16(lhs, rhs); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_arithmetic_sub( + __m256i *lhs, __m256i *rhs) { + lhs[0U] = libcrux_intrinsics_avx2_mm256_sub_epi16(lhs[0U], rhs[0U]); } /** 
@@ -102,17 +533,34 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_sub_f5(__m256i lhs, - __m256i *rhs) { - return libcrux_ml_kem_vector_avx2_arithmetic_sub(lhs, rhs[0U]); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_sub_f5(__m256i *lhs, + __m256i *rhs) { + libcrux_ml_kem_vector_avx2_arithmetic_sub(lhs, rhs); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_arithmetic_multiply_by_constant(__m256i vector, +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_arithmetic_negate( + __m256i *vec) { + vec[0U] = libcrux_intrinsics_avx2_mm256_sign_epi16( + vec[0U], libcrux_intrinsics_avx2_mm256_set1_epi16((int16_t)-1)); +} + +/** +This function found in impl {libcrux_ml_kem::vector::traits::Operations for +libcrux_ml_kem::vector::avx2::SIMD256Vector} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_negate_f5(__m256i *vec) { + libcrux_ml_kem_vector_avx2_arithmetic_negate(vec); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_kem_vector_avx2_arithmetic_multiply_by_constant(__m256i *vector, int16_t constant) { __m256i cv = libcrux_intrinsics_avx2_mm256_set1_epi16(constant); - return libcrux_intrinsics_avx2_mm256_mullo_epi16(vector, cv); + __m256i result = libcrux_intrinsics_avx2_mm256_mullo_epi16(vector[0U], cv); + vector[0U] = result; } /** 
@@ -120,30 +568,51 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_multiply_by_constant_f5(__m256i vec, int16_t c) { - return libcrux_ml_kem_vector_avx2_arithmetic_multiply_by_constant(vec, c); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_multiply_by_constant_f5( + __m256i *vec, int16_t c) { + libcrux_ml_kem_vector_avx2_arithmetic_multiply_by_constant(vec, c); } KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329(__m256i vector) { +libcrux_ml_kem_vector_avx2_arithmetic_bitwise_and_with_constant( + __m256i vector, int16_t constant) { + __m256i cv = libcrux_intrinsics_avx2_mm256_set1_epi16(constant); + return libcrux_intrinsics_avx2_mm256_and_si256(vector, cv); +} + +/** +This function found in impl {libcrux_ml_kem::vector::traits::Operations for +libcrux_ml_kem::vector::avx2::SIMD256Vector} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_f5(__m256i *vec, + int16_t c) { + vec[0U] = libcrux_ml_kem_vector_avx2_arithmetic_bitwise_and_with_constant( + vec[0U], c); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329(__m256i *vector) { __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi16( LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); __m256i v_minus_field_modulus = - libcrux_intrinsics_avx2_mm256_sub_epi16(vector, field_modulus); + libcrux_intrinsics_avx2_mm256_sub_epi16(vector[0U], field_modulus); __m256i sign_mask = libcrux_intrinsics_avx2_mm256_srai_epi16( (int32_t)15, v_minus_field_modulus, __m256i); __m256i conditional_add_field_modulus = libcrux_intrinsics_avx2_mm256_and_si256(sign_mask, field_modulus); - return libcrux_intrinsics_avx2_mm256_add_epi16(v_minus_field_modulus, - 
conditional_add_field_modulus); + __m256i result = libcrux_intrinsics_avx2_mm256_add_epi16( + v_minus_field_modulus, conditional_add_field_modulus); + vector[0U] = result; } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_cond_subtract_3329(__m256i vector) { - return libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329(vector); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_cond_subtract_3329( + __m256i *vector) { + libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329(vector); } /** @@ -151,9 +620,9 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_cond_subtract_3329_f5(__m256i vector) { - return libcrux_ml_kem_vector_avx2_cond_subtract_3329(vector); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_cond_subtract_3329_f5( + __m256i *vec) { + libcrux_ml_kem_vector_avx2_cond_subtract_3329(vec); } #define LIBCRUX_ML_KEM_VECTOR_AVX2_ARITHMETIC_BARRETT_MULTIPLIER \ @@ -164,11 +633,12 @@ libcrux_ml_kem_vector_avx2_cond_subtract_3329_f5(__m256i vector) { of this code. */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(__m256i vector) { +static KRML_MUSTINLINE void +libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(__m256i *vector) { __m256i t0 = libcrux_intrinsics_avx2_mm256_mulhi_epi16( - vector, libcrux_intrinsics_avx2_mm256_set1_epi16( - LIBCRUX_ML_KEM_VECTOR_AVX2_ARITHMETIC_BARRETT_MULTIPLIER)); + vector[0U], + libcrux_intrinsics_avx2_mm256_set1_epi16( + LIBCRUX_ML_KEM_VECTOR_AVX2_ARITHMETIC_BARRETT_MULTIPLIER)); __m256i t512 = libcrux_intrinsics_avx2_mm256_set1_epi16((int16_t)512); __m256i t1 = libcrux_intrinsics_avx2_mm256_add_epi16(t0, t512); __m256i quotient = 
@@ -177,8 +647,9 @@ libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(__m256i vector) { libcrux_intrinsics_avx2_mm256_mullo_epi16( quotient, libcrux_intrinsics_avx2_mm256_set1_epi16( LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS)); - return libcrux_intrinsics_avx2_mm256_sub_epi16(vector, - quotient_times_field_modulus); + __m256i result = libcrux_intrinsics_avx2_mm256_sub_epi16( + vector[0U], quotient_times_field_modulus); + vector[0U] = result; } /** @@ -186,18 +657,18 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_barrett_reduce_f5(__m256i vector) { - return libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(vector); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_barrett_reduce_f5( + __m256i *vec) { + libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(vec); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constant( - __m256i vector, int16_t constant) { + __m256i *vector, int16_t constant) { __m256i vec_constant = libcrux_intrinsics_avx2_mm256_set1_epi16(constant); __m256i value_low = - libcrux_intrinsics_avx2_mm256_mullo_epi16(vector, vec_constant); + libcrux_intrinsics_avx2_mm256_mullo_epi16(vector[0U], vec_constant); __m256i k = libcrux_intrinsics_avx2_mm256_mullo_epi16( value_low, libcrux_intrinsics_avx2_mm256_set1_epi16( 
@@ -208,8 +679,10 @@ libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constant( __m256i k_times_modulus = libcrux_intrinsics_avx2_mm256_mulhi_epi16(k, modulus); __m256i value_high = - libcrux_intrinsics_avx2_mm256_mulhi_epi16(vector, vec_constant); - return libcrux_intrinsics_avx2_mm256_sub_epi16(value_high, k_times_modulus); + libcrux_intrinsics_avx2_mm256_mulhi_epi16(vector[0U], vec_constant); + __m256i result = + libcrux_intrinsics_avx2_mm256_sub_epi16(value_high, k_times_modulus); + vector[0U] = result; } /** @@ -217,19 +690,10 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_f5( - __m256i vector, int16_t constant) { - return libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constant( - vector, constant); -} - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_arithmetic_bitwise_and_with_constant( - __m256i vector, int16_t constant) { - __m256i cv = libcrux_intrinsics_avx2_mm256_set1_epi16(constant); - return libcrux_intrinsics_avx2_mm256_and_si256(vector, cv); +static KRML_MUSTINLINE void +libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_f5(__m256i *vec, + int16_t c) { + libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constant(vec, c); } /** @@ -249,7 +713,8 @@ libcrux_ml_kem_vector_avx2_arithmetic_to_unsigned_representative(__m256i a) { __m256i t = libcrux_ml_kem_vector_avx2_arithmetic_shift_right_ef(a); __m256i fm = libcrux_ml_kem_vector_avx2_arithmetic_bitwise_and_with_constant( t, LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); - return libcrux_ml_kem_vector_avx2_arithmetic_add(a, fm); + libcrux_ml_kem_vector_avx2_arithmetic_add(&a, &fm); + return a; } /** 
@@ -257,21 +722,21 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_ml_kem_vector_avx2_to_unsigned_representative_f5( - __m256i a) { - return libcrux_ml_kem_vector_avx2_arithmetic_to_unsigned_representative(a); +static KRML_MUSTINLINE __m256i +libcrux_ml_kem_vector_avx2_to_unsigned_representative_f5(__m256i vec) { + return libcrux_ml_kem_vector_avx2_arithmetic_to_unsigned_representative(vec); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_compress_compress_message_coefficient( - __m256i vector) { + __m256i *vector) { __m256i field_modulus_halved = libcrux_intrinsics_avx2_mm256_set1_epi16( (LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS - (int16_t)1) / (int16_t)2); __m256i field_modulus_quartered = libcrux_intrinsics_avx2_mm256_set1_epi16( (LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS - (int16_t)1) / (int16_t)4); __m256i shifted = - libcrux_intrinsics_avx2_mm256_sub_epi16(field_modulus_halved, vector); + libcrux_intrinsics_avx2_mm256_sub_epi16(field_modulus_halved, vector[0U]); __m256i mask = libcrux_intrinsics_avx2_mm256_srai_epi16((int32_t)15, shifted, __m256i); __m256i shifted_to_positive = 
@@ -279,15 +744,14 @@ libcrux_ml_kem_vector_avx2_compress_compress_message_coefficient( __m256i shifted_to_positive_in_range = libcrux_intrinsics_avx2_mm256_sub_epi16(shifted_to_positive, field_modulus_quartered); - return libcrux_intrinsics_avx2_mm256_srli_epi16( + vector[0U] = libcrux_intrinsics_avx2_mm256_srli_epi16( (int32_t)15, shifted_to_positive_in_range, __m256i); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_compress_1(__m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_compress_message_coefficient( - vector); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_compress_1( + __m256i *vector) { + libcrux_ml_kem_vector_avx2_compress_compress_message_coefficient(vector); } /** @@ -295,9 +759,9 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_compress_1_f5(__m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_1(vector); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_compress_1_f5( + __m256i *vec) { + libcrux_ml_kem_vector_avx2_compress_1(vec); } KRML_ATTRIBUTE_TARGET("avx2") 
@@ -313,24 +777,6 @@ libcrux_ml_kem_vector_avx2_compress_mulhi_mm256_epi32(__m256i lhs, libcrux_intrinsics_avx2_mm256_unpackhi_epi32(prod02, prod13)); } -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_compress_decompress_1(__m256i a) { - __m256i z = libcrux_intrinsics_avx2_mm256_setzero_si256(); - __m256i s = libcrux_ml_kem_vector_avx2_arithmetic_sub(z, a); - return libcrux_ml_kem_vector_avx2_arithmetic_bitwise_and_with_constant( - s, (int16_t)1665); -} - -/** -This function found in impl {libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector} -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_ml_kem_vector_avx2_decompress_1_f5(__m256i a) { - return libcrux_ml_kem_vector_avx2_compress_decompress_1(a); -} - KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constants( 
@@ -351,28 +797,28 @@ libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constants( } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_1_step( - __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_ntt_layer_1_step( + __m256i *vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi16( -zeta3, -zeta3, zeta3, zeta3, -zeta2, -zeta2, zeta2, zeta2, -zeta1, -zeta1, zeta1, zeta1, -zeta0, -zeta0, zeta0, zeta0); - __m256i rhs = libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, - vector, __m256i); + __m256i rhs = libcrux_intrinsics_avx2_mm256_shuffle_epi32( + (int32_t)245, vector[0U], __m256i); __m256i rhs0 = libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constants( rhs, zetas); - __m256i lhs = libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)160, - vector, __m256i); - return libcrux_intrinsics_avx2_mm256_add_epi16(lhs, rhs0); + __m256i lhs = libcrux_intrinsics_avx2_mm256_shuffle_epi32( + (int32_t)160, vector[0U], __m256i); + vector[0U] = libcrux_intrinsics_avx2_mm256_add_epi16(lhs, rhs0); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_1_step( - __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_layer_1_step( + __m256i *vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { - return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_1_step(vector, zeta0, zeta1, - zeta2, zeta3); + libcrux_ml_kem_vector_avx2_ntt_ntt_layer_1_step(vector, zeta0, zeta1, zeta2, + zeta3); } /** 
@@ -380,33 +826,31 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_1_step_f5( - __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, - int16_t zeta3) { - return libcrux_ml_kem_vector_avx2_ntt_layer_1_step(vector, zeta0, zeta1, - zeta2, zeta3); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_layer_1_step_f5( + __m256i *vec, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { + libcrux_ml_kem_vector_avx2_ntt_layer_1_step(vec, zeta0, zeta1, zeta2, zeta3); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step( - __m256i vector, int16_t zeta0, int16_t zeta1) { +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step( + __m256i *vector, int16_t zeta0, int16_t zeta1) { __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi16( -zeta1, -zeta1, -zeta1, -zeta1, zeta1, zeta1, zeta1, zeta1, -zeta0, -zeta0, -zeta0, -zeta0, zeta0, zeta0, zeta0, zeta0); - __m256i rhs = libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)238, - vector, __m256i); + __m256i rhs = libcrux_intrinsics_avx2_mm256_shuffle_epi32( + (int32_t)238, vector[0U], __m256i); __m256i rhs0 = libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constants( rhs, zetas); - __m256i lhs = - libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)68, vector, __m256i); - return libcrux_intrinsics_avx2_mm256_add_epi16(lhs, rhs0); + __m256i lhs = libcrux_intrinsics_avx2_mm256_shuffle_epi32( + (int32_t)68, vector[0U], __m256i); + vector[0U] = libcrux_intrinsics_avx2_mm256_add_epi16(lhs, rhs0); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_2_step( - __m256i vector, int16_t zeta0, int16_t zeta1) { - return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step(vector, zeta0, zeta1); +static 
KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_layer_2_step( + __m256i *vector, int16_t zeta0, int16_t zeta1) { + libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step(vector, zeta0, zeta1); } /** @@ -414,9 +858,9 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_2_step_f5( - __m256i vector, int16_t zeta0, int16_t zeta1) { - return libcrux_ml_kem_vector_avx2_ntt_layer_2_step(vector, zeta0, zeta1); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_layer_2_step_f5( + __m256i *vec, int16_t zeta0, int16_t zeta1) { + libcrux_ml_kem_vector_avx2_ntt_layer_2_step(vec, zeta0, zeta1); } KRML_ATTRIBUTE_TARGET("avx2") 
@@ -437,26 +881,26 @@ libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_m128i_by_constants( } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_ntt_ntt_layer_3_step(__m256i vector, int16_t zeta) { +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_ntt_layer_3_step( + __m256i *vector, int16_t zeta) { __m128i rhs = libcrux_intrinsics_avx2_mm256_extracti128_si256( - (int32_t)1, vector, __m128i); + (int32_t)1, vector[0U], __m128i); __m128i rhs0 = libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_m128i_by_constants( rhs, libcrux_intrinsics_avx2_mm_set1_epi16(zeta)); - __m128i lhs = libcrux_intrinsics_avx2_mm256_castsi256_si128(vector); + __m128i lhs = libcrux_intrinsics_avx2_mm256_castsi256_si128(vector[0U]); __m128i lower_coefficients = libcrux_intrinsics_avx2_mm_add_epi16(lhs, rhs0); __m128i upper_coefficients = libcrux_intrinsics_avx2_mm_sub_epi16(lhs, rhs0); - __m256i combined = + vector[0U] = libcrux_intrinsics_avx2_mm256_castsi128_si256(lower_coefficients); - return libcrux_intrinsics_avx2_mm256_inserti128_si256( - (int32_t)1, combined, upper_coefficients, __m256i); + vector[0U] = libcrux_intrinsics_avx2_mm256_inserti128_si256( + (int32_t)1, vector[0U], upper_coefficients, __m256i); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_ntt_layer_3_step(__m256i vector, int16_t zeta) { - return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_3_step(vector, zeta); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_layer_3_step( + __m256i *vector, int16_t zeta) { + libcrux_ml_kem_vector_avx2_ntt_ntt_layer_3_step(vector, zeta); } /** 
@@ -464,46 +908,43 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_ntt_layer_3_step_f5(__m256i vector, int16_t zeta) { - return libcrux_ml_kem_vector_avx2_ntt_layer_3_step(vector, zeta); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_layer_3_step_f5( + __m256i *vec, int16_t zeta0) { + libcrux_ml_kem_vector_avx2_ntt_layer_3_step(vec, zeta0); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step(__m256i vector, - int16_t zeta0, - int16_t zeta1, - int16_t zeta2, - int16_t zeta3) { - __m256i lhs = libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, - vector, __m256i); - __m256i rhs = libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)160, - vector, __m256i); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step( + __m256i *vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, + int16_t zeta3) { + __m256i lhs = libcrux_intrinsics_avx2_mm256_shuffle_epi32( + (int32_t)245, vector[0U], __m256i); + __m256i rhs = libcrux_intrinsics_avx2_mm256_shuffle_epi32( + (int32_t)160, vector[0U], __m256i); __m256i rhs0 = libcrux_intrinsics_avx2_mm256_mullo_epi16( rhs, libcrux_intrinsics_avx2_mm256_set_epi16( (int16_t)-1, (int16_t)-1, (int16_t)1, (int16_t)1, (int16_t)-1, (int16_t)-1, (int16_t)1, (int16_t)1, (int16_t)-1, (int16_t)-1, (int16_t)1, (int16_t)1, (int16_t)-1, (int16_t)-1, (int16_t)1, (int16_t)1)); - __m256i sum0 = libcrux_intrinsics_avx2_mm256_add_epi16(lhs, rhs0); + __m256i sum = libcrux_intrinsics_avx2_mm256_add_epi16(lhs, rhs0); __m256i sum_times_zetas = libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constants( - sum0, libcrux_intrinsics_avx2_mm256_set_epi16( - zeta3, zeta3, (int16_t)0, (int16_t)0, zeta2, zeta2, - (int16_t)0, (int16_t)0, zeta1, zeta1, (int16_t)0, - (int16_t)0, zeta0, 
zeta0, (int16_t)0, (int16_t)0)); - __m256i sum = libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(sum0); - return libcrux_intrinsics_avx2_mm256_blend_epi16((int32_t)204, sum, - sum_times_zetas, __m256i); + sum, libcrux_intrinsics_avx2_mm256_set_epi16( + zeta3, zeta3, (int16_t)0, (int16_t)0, zeta2, zeta2, + (int16_t)0, (int16_t)0, zeta1, zeta1, (int16_t)0, (int16_t)0, + zeta0, zeta0, (int16_t)0, (int16_t)0)); + libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(&sum); + vector[0U] = libcrux_intrinsics_avx2_mm256_blend_epi16( + (int32_t)204, sum, sum_times_zetas, __m256i); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step( - __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step( + __m256i *vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { - return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step( - vector, zeta0, zeta1, zeta2, zeta3); + libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step(vector, zeta0, zeta1, + zeta2, zeta3); } /** 
@@ -511,24 +952,19 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_f5(__m256i vector, - int16_t zeta0, int16_t zeta1, - int16_t zeta2, - int16_t zeta3) { - return libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step(vector, zeta0, zeta1, - zeta2, zeta3); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_f5( + __m256i *vec, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { + libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step(vec, zeta0, zeta1, zeta2, + zeta3); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(__m256i vector, - int16_t zeta0, - int16_t zeta1) { +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step( + __m256i *vector, int16_t zeta0, int16_t zeta1) { __m256i lhs = libcrux_intrinsics_avx2_mm256_permute4x64_epi64( - (int32_t)245, vector, __m256i); + (int32_t)245, vector[0U], __m256i); __m256i rhs = libcrux_intrinsics_avx2_mm256_permute4x64_epi64( - (int32_t)160, vector, __m256i); + (int32_t)160, vector[0U], __m256i); __m256i rhs0 = libcrux_intrinsics_avx2_mm256_mullo_epi16( rhs, libcrux_intrinsics_avx2_mm256_set_epi16( (int16_t)-1, (int16_t)-1, (int16_t)-1, (int16_t)-1, (int16_t)1, 
@@ -542,15 +978,14 @@ libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(__m256i vector, zeta1, zeta1, zeta1, zeta1, (int16_t)0, (int16_t)0, (int16_t)0, (int16_t)0, zeta0, zeta0, zeta0, zeta0, (int16_t)0, (int16_t)0, (int16_t)0, (int16_t)0)); - return libcrux_intrinsics_avx2_mm256_blend_epi16((int32_t)240, sum, - sum_times_zetas, __m256i); + vector[0U] = libcrux_intrinsics_avx2_mm256_blend_epi16( + (int32_t)240, sum, sum_times_zetas, __m256i); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step( - __m256i vector, int16_t zeta0, int16_t zeta1) { - return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(vector, zeta0, - zeta1); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step( + __m256i *vector, int16_t zeta0, int16_t zeta1) { + libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(vector, zeta0, zeta1); } /** 
@@ -558,35 +993,32 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_f5(__m256i vector, - int16_t zeta0, - int16_t zeta1) { - return libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step(vector, zeta0, zeta1); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_f5( + __m256i *vec, int16_t zeta0, int16_t zeta1) { + libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step(vec, zeta0, zeta1); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step(__m256i vector, - int16_t zeta) { +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step( + __m256i *vector, int16_t zeta) { __m128i lhs = libcrux_intrinsics_avx2_mm256_extracti128_si256( - (int32_t)1, vector, __m128i); - __m128i rhs = libcrux_intrinsics_avx2_mm256_castsi256_si128(vector); + (int32_t)1, vector[0U], __m128i); + __m128i rhs = libcrux_intrinsics_avx2_mm256_castsi256_si128(vector[0U]); __m128i lower_coefficients = libcrux_intrinsics_avx2_mm_add_epi16(lhs, rhs); __m128i upper_coefficients = libcrux_intrinsics_avx2_mm_sub_epi16(lhs, rhs); __m128i upper_coefficients0 = libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_m128i_by_constants( upper_coefficients, libcrux_intrinsics_avx2_mm_set1_epi16(zeta)); - __m256i combined = + vector[0U] = libcrux_intrinsics_avx2_mm256_castsi128_si256(lower_coefficients); - return libcrux_intrinsics_avx2_mm256_inserti128_si256( - (int32_t)1, combined, upper_coefficients0, __m256i); + vector[0U] = libcrux_intrinsics_avx2_mm256_inserti128_si256( + (int32_t)1, vector[0U], upper_coefficients0, __m256i); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step(__m256i vector, int16_t zeta) { - return 
libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step(vector, zeta); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step( + __m256i *vector, int16_t zeta) { + libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step(vector, zeta); } /** @@ -594,10 +1026,9 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_f5(__m256i vector, - int16_t zeta) { - return libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step(vector, zeta); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_f5( + __m256i *vec, int16_t zeta0) { + libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step(vec, zeta0); } KRML_ATTRIBUTE_TARGET("avx2") @@ -622,9 +1053,9 @@ libcrux_ml_kem_vector_avx2_arithmetic_montgomery_reduce_i32s(__m256i vec) { } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_multiply( - __m256i lhs, __m256i rhs, int16_t zeta0, int16_t zeta1, int16_t zeta2, - int16_t zeta3) { +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_ntt_multiply( + __m256i *lhs, __m256i *rhs, __m256i *out, int16_t zeta0, int16_t zeta1, + int16_t zeta2, int16_t zeta3) { __m256i shuffle_with = libcrux_intrinsics_avx2_mm256_set_epi8( (int8_t)15, (int8_t)14, (int8_t)11, (int8_t)10, (int8_t)7, (int8_t)6, (int8_t)3, (int8_t)2, (int8_t)13, (int8_t)12, (int8_t)9, (int8_t)8, @@ -633,7 +1064,7 @@ static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_multiply( (int8_t)13, (int8_t)12, (int8_t)9, (int8_t)8, (int8_t)5, (int8_t)4, (int8_t)1, (int8_t)0); __m256i lhs_shuffled = - libcrux_intrinsics_avx2_mm256_shuffle_epi8(lhs, shuffle_with); + libcrux_intrinsics_avx2_mm256_shuffle_epi8(lhs[0U], shuffle_with); __m256i lhs_shuffled0 = libcrux_intrinsics_avx2_mm256_permute4x64_epi64( (int32_t)216, lhs_shuffled, __m256i); __m128i lhs_evens = 
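Review bot: The new `lhs` and `rhs` pointer parameters of `libcrux_ml_kem_vector_avx2_ntt_ntt_multiply` are only ever dereferenced for reading (`lhs[0U]`, `rhs[0U]` here and in the following hunks), while `out` is stored to exactly once at the end of the function, so the signature should say so: `const __m256i *lhs, const __m256i *rhs, __m256i *out`. Because every read of `lhs[0U]`/`rhs[0U]` precedes that single store, passing `out` aliased with `lhs` or `rhs` is safe, which is worth stating above the function: `/* out may alias lhs or rhs: all reads of lhs/rhs happen before the single write to out */`. The function body continues past this hunk, through the `@@ -677` hunk where `out[0U]` is assigned. As this file appears to be KaRaMeL/Eurydice-generated C, the `const` qualifiers and the comment belong in the Rust source it is extracted from.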
@@ -643,7 +1074,7 @@ static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_multiply( (int32_t)1, lhs_shuffled0, __m128i); __m256i lhs_odds0 = libcrux_intrinsics_avx2_mm256_cvtepi16_epi32(lhs_odds); __m256i rhs_shuffled = - libcrux_intrinsics_avx2_mm256_shuffle_epi8(rhs, shuffle_with); + libcrux_intrinsics_avx2_mm256_shuffle_epi8(rhs[0U], shuffle_with); __m256i rhs_shuffled0 = libcrux_intrinsics_avx2_mm256_permute4x64_epi64( (int32_t)216, rhs_shuffled, __m256i); __m128i rhs_evens = @@ -668,7 +1099,7 @@ static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_multiply( libcrux_ml_kem_vector_avx2_arithmetic_montgomery_reduce_i32s( products_left); __m256i rhs_adjacent_swapped = libcrux_intrinsics_avx2_mm256_shuffle_epi8( - rhs, + rhs[0U], libcrux_intrinsics_avx2_mm256_set_epi8( (int8_t)13, (int8_t)12, (int8_t)15, (int8_t)14, (int8_t)9, (int8_t)8, (int8_t)11, (int8_t)10, (int8_t)5, (int8_t)4, (int8_t)7, (int8_t)6, 
@@ -677,22 +1108,22 @@ static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_multiply( (int8_t)5, (int8_t)4, (int8_t)7, (int8_t)6, (int8_t)1, (int8_t)0, (int8_t)3, (int8_t)2)); __m256i products_right = - libcrux_intrinsics_avx2_mm256_madd_epi16(lhs, rhs_adjacent_swapped); + libcrux_intrinsics_avx2_mm256_madd_epi16(lhs[0U], rhs_adjacent_swapped); __m256i products_right0 = libcrux_ml_kem_vector_avx2_arithmetic_montgomery_reduce_i32s( products_right); __m256i products_right1 = libcrux_intrinsics_avx2_mm256_slli_epi32( (int32_t)16, products_right0, __m256i); - return libcrux_intrinsics_avx2_mm256_blend_epi16((int32_t)170, products_left0, - products_right1, __m256i); + out[0U] = libcrux_intrinsics_avx2_mm256_blend_epi16( + (int32_t)170, products_left0, products_right1, __m256i); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_multiply( - __m256i *lhs, __m256i *rhs, int16_t zeta0, int16_t zeta1, int16_t zeta2, - int16_t zeta3) { - return libcrux_ml_kem_vector_avx2_ntt_ntt_multiply(lhs[0U], rhs[0U], zeta0, - zeta1, zeta2, zeta3); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_multiply( + __m256i *lhs, __m256i *rhs, __m256i *out, int16_t zeta0, int16_t zeta1, + int16_t zeta2, int16_t zeta3) { + libcrux_ml_kem_vector_avx2_ntt_ntt_multiply(lhs, rhs, out, zeta0, zeta1, + zeta2, zeta3); } /** 
@@ -700,31 +1131,33 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_multiply_f5( - __m256i *lhs, __m256i *rhs, int16_t zeta0, int16_t zeta1, int16_t zeta2, - int16_t zeta3) { - return libcrux_ml_kem_vector_avx2_ntt_multiply(lhs, rhs, zeta0, zeta1, zeta2, - zeta3); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_multiply_f5( + __m256i *lhs, __m256i *rhs, __m256i *out, int16_t zeta0, int16_t zeta1, + int16_t zeta2, int16_t zeta3) { + libcrux_ml_kem_vector_avx2_ntt_multiply(lhs, rhs, out, zeta0, zeta1, zeta2, + zeta3); } KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_1( - __m256i vector, uint8_t ret[2U]) { - __m256i lsb_to_msb = - libcrux_intrinsics_avx2_mm256_slli_epi16((int32_t)15, vector, __m256i); + __m256i *vector, Eurydice_slice out) { + __m256i lsb_to_msb = libcrux_intrinsics_avx2_mm256_slli_epi16( + (int32_t)15, vector[0U], __m256i); __m128i low_msbs = libcrux_intrinsics_avx2_mm256_castsi256_si128(lsb_to_msb); __m128i high_msbs = libcrux_intrinsics_avx2_mm256_extracti128_si256( (int32_t)1, lsb_to_msb, __m128i); __m128i msbs = libcrux_intrinsics_avx2_mm_packs_epi16(low_msbs, high_msbs); int32_t bits_packed = libcrux_intrinsics_avx2_mm_movemask_epi8(msbs); - uint8_t result[2U] = {(uint8_t)bits_packed, (uint8_t)(bits_packed >> 8U)}; - memcpy(ret, result, (size_t)2U * sizeof(uint8_t)); + Eurydice_slice_index(out, (size_t)0U, uint8_t, uint8_t *) = + (uint8_t)bits_packed; + Eurydice_slice_index(out, (size_t)1U, uint8_t, uint8_t *) = + (uint8_t)(bits_packed >> 8U); } KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_1( - __m256i vector, uint8_t ret[2U]) { - libcrux_ml_kem_vector_avx2_serialize_serialize_1(vector, ret); + __m256i *vector, Eurydice_slice out) { + 
libcrux_ml_kem_vector_avx2_serialize_serialize_1(vector, out); } /** @@ -733,8 +1166,8 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_1_f5( - __m256i vector, uint8_t ret[2U]) { - libcrux_ml_kem_vector_avx2_serialize_1(vector, ret); + __m256i *vec, Eurydice_slice out) { + libcrux_ml_kem_vector_avx2_serialize_1(vec, out); } KRML_ATTRIBUTE_TARGET("avx2") @@ -764,17 +1197,18 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_u8s( } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_1(Eurydice_slice bytes) { - return libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_u8s( - Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *)); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_deserialize_1( + Eurydice_slice bytes, __m256i *out) { + out[0U] = + libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_u8s( + Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *)); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_deserialize_1(Eurydice_slice bytes) { - return libcrux_ml_kem_vector_avx2_serialize_deserialize_1(bytes); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_deserialize_1( + Eurydice_slice bytes, __m256i *out) { + libcrux_ml_kem_vector_avx2_serialize_deserialize_1(bytes, out); } /** 
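Review bot: `libcrux_ml_kem_vector_avx2_serialize_serialize_1` now writes `out` at the fixed indices `(size_t)0U` and `(size_t)1U`, but replacing `uint8_t ret[2U]` with `Eurydice_slice out` drops the static length from the signature, so a caller passing a shorter slice is caught only if `Eurydice_slice_index` performs a runtime bounds check, which this diff does not show. A one-line precondition above the function would make the contract explicit: `/* precondition: out has length 2 (the caller passes a 2-byte slice, see rejection_sample) */`. The same applies to the `Eurydice_slice_copy(out, ...)` destinations in the serialize_4, serialize_10 and serialize_12 hunks (`@@ -826`, `@@ -984`, `@@ -1118`), whose `out` is presumably expected to be 8, 20 and 24 bytes long, and to `libcrux_ml_kem_ind_cpa_deserialize_vector_ab` (`@@ -1875`), which indexes `secret_as_ntt` up to `(size_t)3U` regardless of the slice's length.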
@@ -782,9 +1216,9 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_deserialize_1_f5(Eurydice_slice bytes) { - return libcrux_ml_kem_vector_avx2_deserialize_1(bytes); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_deserialize_1_f5( + Eurydice_slice input, __m256i *out) { + libcrux_ml_kem_vector_avx2_deserialize_1(input, out); } /** @@ -806,10 +1240,10 @@ libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(uint8_t n, KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_4( - __m256i vector, uint8_t ret[8U]) { + __m256i *vector, Eurydice_slice out) { uint8_t serialized[16U] = {0U}; __m256i adjacent_2_combined = - libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(4U, vector); + libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(4U, vector[0U]); __m256i adjacent_8_combined = libcrux_intrinsics_avx2_mm256_shuffle_epi8( adjacent_2_combined, libcrux_intrinsics_avx2_mm256_set_epi8( 
@@ -826,20 +1260,16 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_4( __m128i combined0 = libcrux_intrinsics_avx2_mm256_castsi256_si128(combined); libcrux_intrinsics_avx2_mm_storeu_bytes_si128( Eurydice_array_to_slice((size_t)16U, serialized, uint8_t), combined0); - uint8_t ret0[8U]; - Result_15 dst; - Eurydice_slice_to_array2(&dst, - Eurydice_array_to_subslice3(serialized, (size_t)0U, - (size_t)8U, uint8_t *), - Eurydice_slice, uint8_t[8U], TryFromSliceError); - unwrap_26_68(dst, ret0); - memcpy(ret, ret0, (size_t)8U * sizeof(uint8_t)); + Eurydice_slice_copy(out, + Eurydice_array_to_subslice3(serialized, (size_t)0U, + (size_t)8U, uint8_t *), + uint8_t); } KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_4( - __m256i vector, uint8_t ret[8U]) { - libcrux_ml_kem_vector_avx2_serialize_serialize_4(vector, ret); + __m256i *vector, Eurydice_slice out) { + libcrux_ml_kem_vector_avx2_serialize_serialize_4(vector, out); } /** @@ -848,8 +1278,8 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_4_f5( - __m256i vector, uint8_t ret[8U]) { - libcrux_ml_kem_vector_avx2_serialize_4(vector, ret); + __m256i *vec, Eurydice_slice out) { + libcrux_ml_kem_vector_avx2_serialize_4(vec, out); } KRML_ATTRIBUTE_TARGET("avx2") 
@@ -885,23 +1315,24 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_u8s( } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_4(Eurydice_slice bytes) { - return libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_u8s( - Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *)); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_deserialize_4( + Eurydice_slice bytes, __m256i *out) { + out[0U] = + libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_u8s( + Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *)); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_deserialize_4(Eurydice_slice bytes) { - return libcrux_ml_kem_vector_avx2_serialize_deserialize_4(bytes); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_deserialize_4( + Eurydice_slice bytes, __m256i *out) { + libcrux_ml_kem_vector_avx2_serialize_deserialize_4(bytes, out); } /** 
@@ -909,9 +1340,9 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_deserialize_4_f5(Eurydice_slice bytes) { - return libcrux_ml_kem_vector_avx2_deserialize_4(bytes); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_deserialize_4_f5( + Eurydice_slice input, __m256i *out) { + libcrux_ml_kem_vector_avx2_deserialize_4(input, out); } /** @@ -969,10 +1400,10 @@ libcrux_ml_kem_vector_avx2_serialize_serialize_10_serialize_10_vec( KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_10( - __m256i vector, uint8_t ret[20U]) { + __m256i *vector, Eurydice_slice out) { core_core_arch_x86___m128i_x2 uu____0 = libcrux_ml_kem_vector_avx2_serialize_serialize_10_serialize_10_vec( - vector); + vector[0U]); __m128i lower_8 = uu____0.fst; __m128i upper_8 = uu____0.snd; uint8_t serialized[32U] = {0U}; @@ -984,20 +1415,16 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_10( Eurydice_array_to_subslice3(serialized, (size_t)10U, (size_t)26U, uint8_t *), upper_8); - uint8_t ret0[20U]; - Result_e1 dst; - Eurydice_slice_to_array2(&dst, - Eurydice_array_to_subslice3(serialized, (size_t)0U, - (size_t)20U, uint8_t *), - Eurydice_slice, uint8_t[20U], TryFromSliceError); - unwrap_26_20(dst, ret0); - memcpy(ret, ret0, (size_t)20U * sizeof(uint8_t)); + Eurydice_slice_copy(out, + Eurydice_array_to_subslice3(serialized, (size_t)0U, + (size_t)20U, uint8_t *), + uint8_t); } KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_10( - __m256i vector, uint8_t ret[20U]) { - libcrux_ml_kem_vector_avx2_serialize_serialize_10(vector, ret); + __m256i *vector, Eurydice_slice out) { + libcrux_ml_kem_vector_avx2_serialize_serialize_10(vector, out); } /** 
@@ -1006,8 +1433,8 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_10_f5( - __m256i vector, uint8_t ret[20U]) { - libcrux_ml_kem_vector_avx2_serialize_10(vector, ret); + __m256i *vec, Eurydice_slice out) { + libcrux_ml_kem_vector_avx2_serialize_10(vec, out); } KRML_ATTRIBUTE_TARGET("avx2") @@ -1045,21 +1472,22 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_10_deserialize_10_vec( } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_10(Eurydice_slice bytes) { +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_deserialize_10( + Eurydice_slice bytes, __m256i *out) { Eurydice_slice lower_coefficients = Eurydice_slice_subslice3(bytes, (size_t)0U, (size_t)16U, uint8_t *); Eurydice_slice upper_coefficients = Eurydice_slice_subslice3(bytes, (size_t)4U, (size_t)20U, uint8_t *); - return libcrux_ml_kem_vector_avx2_serialize_deserialize_10_deserialize_10_vec( - libcrux_intrinsics_avx2_mm_loadu_si128(lower_coefficients), - libcrux_intrinsics_avx2_mm_loadu_si128(upper_coefficients)); + out[0U] = + libcrux_ml_kem_vector_avx2_serialize_deserialize_10_deserialize_10_vec( + libcrux_intrinsics_avx2_mm_loadu_si128(lower_coefficients), + libcrux_intrinsics_avx2_mm_loadu_si128(upper_coefficients)); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_deserialize_10(Eurydice_slice bytes) { - return libcrux_ml_kem_vector_avx2_serialize_deserialize_10(bytes); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_deserialize_10( + Eurydice_slice bytes, __m256i *out) { + libcrux_ml_kem_vector_avx2_serialize_deserialize_10(bytes, out); } /** 
@@ -1067,9 +1495,9 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_deserialize_10_f5(Eurydice_slice bytes) { - return libcrux_ml_kem_vector_avx2_deserialize_10(bytes); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_deserialize_10_f5( + Eurydice_slice input, __m256i *out) { + libcrux_ml_kem_vector_avx2_deserialize_10(input, out); } KRML_ATTRIBUTE_TARGET("avx2") @@ -1103,11 +1531,11 @@ libcrux_ml_kem_vector_avx2_serialize_serialize_12_serialize_12_vec( KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_12( - __m256i vector, uint8_t ret[24U]) { + __m256i *vector, Eurydice_slice out) { uint8_t serialized[32U] = {0U}; core_core_arch_x86___m128i_x2 uu____0 = libcrux_ml_kem_vector_avx2_serialize_serialize_12_serialize_12_vec( - vector); + vector[0U]); __m128i lower_8 = uu____0.fst; __m128i upper_8 = uu____0.snd; libcrux_intrinsics_avx2_mm_storeu_bytes_si128( 
@@ -1118,20 +1546,16 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_12( Eurydice_array_to_subslice3(serialized, (size_t)12U, (size_t)28U, uint8_t *), upper_8); - uint8_t ret0[24U]; - Result_b2 dst; - Eurydice_slice_to_array2(&dst, - Eurydice_array_to_subslice3(serialized, (size_t)0U, - (size_t)24U, uint8_t *), - Eurydice_slice, uint8_t[24U], TryFromSliceError); - unwrap_26_70(dst, ret0); - memcpy(ret, ret0, (size_t)24U * sizeof(uint8_t)); + Eurydice_slice_copy(out, + Eurydice_array_to_subslice3(serialized, (size_t)0U, + (size_t)24U, uint8_t *), + uint8_t); } KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_12( - __m256i vector, uint8_t ret[24U]) { - libcrux_ml_kem_vector_avx2_serialize_serialize_12(vector, ret); + __m256i *vector, Eurydice_slice out) { + libcrux_ml_kem_vector_avx2_serialize_serialize_12(vector, out); } /** @@ -1140,8 +1564,8 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_12_f5( - __m256i vector, uint8_t ret[24U]) { - libcrux_ml_kem_vector_avx2_serialize_12(vector, ret); + __m256i *vec, Eurydice_slice out) { + libcrux_ml_kem_vector_avx2_serialize_12(vec, out); } KRML_ATTRIBUTE_TARGET("avx2") 
@@ -1179,20 +1603,21 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_12_deserialize_12_vec( } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_12(Eurydice_slice bytes) { +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_deserialize_12( + Eurydice_slice bytes, __m256i *out) { __m128i lower_coefficients = libcrux_intrinsics_avx2_mm_loadu_si128( Eurydice_slice_subslice3(bytes, (size_t)0U, (size_t)16U, uint8_t *)); __m128i upper_coefficients = libcrux_intrinsics_avx2_mm_loadu_si128( Eurydice_slice_subslice3(bytes, (size_t)8U, (size_t)24U, uint8_t *)); - return libcrux_ml_kem_vector_avx2_serialize_deserialize_12_deserialize_12_vec( - lower_coefficients, upper_coefficients); + out[0U] = + libcrux_ml_kem_vector_avx2_serialize_deserialize_12_deserialize_12_vec( + lower_coefficients, upper_coefficients); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_deserialize_12(Eurydice_slice bytes) { - return libcrux_ml_kem_vector_avx2_serialize_deserialize_12(bytes); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_deserialize_12( + Eurydice_slice bytes, __m256i *out) { + libcrux_ml_kem_vector_avx2_serialize_deserialize_12(bytes, out); } /** @@ -1200,9 +1625,9 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_deserialize_12_f5(Eurydice_slice bytes) { - return libcrux_ml_kem_vector_avx2_deserialize_12(bytes); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_deserialize_12_f5( + Eurydice_slice input, __m256i *out) { + libcrux_ml_kem_vector_avx2_deserialize_12(input, out); } static const uint8_t 
@@ -1727,13 +2152,16 @@ libcrux_ml_kem_vector_avx2_sampling_rejection_sample(Eurydice_slice input, __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi16( LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); __m256i potential_coefficients = - libcrux_ml_kem_vector_avx2_serialize_deserialize_12(input); + libcrux_intrinsics_avx2_mm256_setzero_si256(); + libcrux_ml_kem_vector_avx2_serialize_deserialize_12(input, + &potential_coefficients); __m256i compare_with_field_modulus = libcrux_intrinsics_avx2_mm256_cmpgt_epi16(field_modulus, potential_coefficients); - uint8_t good[2U]; - libcrux_ml_kem_vector_avx2_serialize_serialize_1(compare_with_field_modulus, - good); + uint8_t good[2U] = {0U}; + libcrux_ml_kem_vector_avx2_serialize_serialize_1( + &compare_with_field_modulus, + Eurydice_array_to_slice((size_t)2U, good, uint8_t)); uint8_t lower_shuffles[16U]; memcpy(lower_shuffles, libcrux_ml_kem_vector_rej_sample_table_REJECTION_SAMPLE_SHUFFLE_TABLE[( @@ -1772,8 +2200,8 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE size_t libcrux_ml_kem_vector_avx2_rej_sample_f5( - Eurydice_slice input, Eurydice_slice output) { - return libcrux_ml_kem_vector_avx2_sampling_rejection_sample(input, output); + Eurydice_slice input, Eurydice_slice out) { + return libcrux_ml_kem_vector_avx2_sampling_rejection_sample(input, out); } /** 
@@ -1785,16 +2213,6 @@ typedef struct libcrux_ml_kem_polynomial_PolynomialRingElement_f6_s { __m256i coefficients[16U]; } libcrux_ml_kem_polynomial_PolynomialRingElement_f6; -/** -A monomorphic instance of -libcrux_ml_kem.ind_cpa.unpacked.IndCpaPrivateKeyUnpacked with types -libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics -- $3size_t -*/ -typedef struct libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_63_s { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 secret_as_ntt[3U]; -} libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_63; - /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, @@ -1808,7 +2226,7 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_ZERO_d6_84(void) { +libcrux_ml_kem_polynomial_ZERO_d6_06(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 lit; __m256i repeat_expression[16U]; for (size_t i = (size_t)0U; i < (size_t)16U; i++) { @@ -1818,6 +2236,16 @@ libcrux_ml_kem_polynomial_ZERO_d6_84(void) { return lit; } +/** +A monomorphic instance of +libcrux_ml_kem.ind_cpa.unpacked.IndCpaPrivateKeyUnpacked with types +libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics +- $3size_t +*/ +typedef struct libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_63_s { + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 secret_as_ntt[3U]; +} libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_63; + /** This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, @@ -1838,7 +2266,7 @@ with const generics KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 libcrux_ml_kem_ind_cpa_decrypt_call_mut_0b_2f(void **_, size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_84(); + return libcrux_ml_kem_polynomial_ZERO_d6_06(); } /** 
@@ -1848,20 +2276,18 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_84( - Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = - libcrux_ml_kem_polynomial_ZERO_d6_84(); +static KRML_MUSTINLINE void +libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_06( + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice3(serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t *); - re.coefficients[i0] = libcrux_ml_kem_vector_avx2_deserialize_12_f5(bytes); + libcrux_ml_kem_vector_avx2_deserialize_12_f5(bytes, &re->coefficients[i0]); } - return re; } /** 
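Review bot: `libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_06` no longer initializes the ring element it fills: the removed `libcrux_ml_kem_polynomial_ZERO_d6_84()` call is gone and the loop writes only `re->coefficients[i0]` for `i0 < Eurydice_slice_len(serialized) / 24`, so any remaining coefficients keep whatever the caller left in `*re`. That is a new precondition on the caller (pass a zeroed element, or a full 16 coefficients x 24 bytes of input) and should be stated above the function: `/* precondition: *re is initialized; only the first len(serialized)/24 coefficients are written */`. The same change is made to `libcrux_ml_kem_serialize_deserialize_then_decompress_10_06` in the `@@ -1986` hunk. Since this file appears to be Eurydice-generated C, the documentation belongs in the Rust source from which it is extracted.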
@@ -1875,42 +2301,43 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_deserialize_vector_ab( - Eurydice_slice secret_key, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *secret_as_ntt) { + Eurydice_slice secret_key, Eurydice_slice secret_as_ntt) { for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = - libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_84( - Eurydice_slice_subslice3( - secret_key, - i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - (i0 + (size_t)1U) * - LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t *)); - secret_as_ntt[i0] = uu____0; + libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_06( + Eurydice_slice_subslice3( + secret_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + uint8_t *), + &Eurydice_slice_index( + secret_as_ntt, i0, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *)); } } /** This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]> for -libcrux_ml_kem::ind_cpa::deserialize_then_decompress_u::closure[TraitClause@0, TraitClause@1]} +TraitClause@1]> for libcrux_ml_kem::ind_cpa::decrypt_unpacked::closure[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of -libcrux_ml_kem.ind_cpa.deserialize_then_decompress_u.call_mut_35 with types -libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics +A monomorphic instance of libcrux_ml_kem.ind_cpa.decrypt_unpacked.call_mut_68 +with types libcrux_ml_kem_vector_avx2_SIMD256Vector +with const generics - K= 3 - CIPHERTEXT_SIZE= 1088 +- VECTOR_U_ENCODED_SIZE= 960 - U_COMPRESSION_FACTOR= 10 +- V_COMPRESSION_FACTOR= 4 */ KRML_ATTRIBUTE_TARGET("avx2") static inline 
libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_call_mut_35_ed( - void **_, size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_84(); +libcrux_ml_kem_ind_cpa_decrypt_unpacked_call_mut_68_2f(void **_, + size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_06(); } /** @@ -1920,15 +2347,15 @@ generics - COEFFICIENT_BITS= 10 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_ef( - __m256i vector) { + __m256i *vector) { __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); __m256i two_pow_coefficient_bits = libcrux_intrinsics_avx2_mm256_set1_epi32( (int32_t)1 << (uint32_t)(int32_t)10); __m128i coefficients_low = - libcrux_intrinsics_avx2_mm256_castsi256_si128(vector); + libcrux_intrinsics_avx2_mm256_castsi256_si128(vector[0U]); __m256i coefficients_low0 = libcrux_intrinsics_avx2_mm256_cvtepi16_epi32(coefficients_low); __m256i decompressed_low = libcrux_intrinsics_avx2_mm256_mullo_epi32( @@ -1942,7 +2369,7 @@ libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_ef( __m256i decompressed_low3 = libcrux_intrinsics_avx2_mm256_srli_epi32( (int32_t)1, decompressed_low2, __m256i); __m128i coefficients_high = libcrux_intrinsics_avx2_mm256_extracti128_si256( - (int32_t)1, vector, __m128i); + (int32_t)1, vector[0U], __m128i); __m256i coefficients_high0 = libcrux_intrinsics_avx2_mm256_cvtepi16_epi32(coefficients_high); __m256i decompressed_high = libcrux_intrinsics_avx2_mm256_mullo_epi32( 
@@ -1957,8 +2384,8 @@ libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_ef( (int32_t)1, decompressed_high2, __m256i); __m256i compressed = libcrux_intrinsics_avx2_mm256_packs_epi32( decompressed_low3, decompressed_high3); - return libcrux_intrinsics_avx2_mm256_permute4x64_epi64((int32_t)216, - compressed, __m256i); + vector[0U] = libcrux_intrinsics_avx2_mm256_permute4x64_epi64( + (int32_t)216, compressed, __m256i); } /** @@ -1972,11 +2399,10 @@ generics - COEFFICIENT_BITS= 10 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_f5_ef( - __m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_ef( - vector); + __m256i *vec) { + libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_ef(vec); } /** 
@@ -1986,23 +2412,20 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_serialize_deserialize_then_decompress_10_84( - Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = - libcrux_ml_kem_polynomial_ZERO_d6_84(); +static KRML_MUSTINLINE void +libcrux_ml_kem_serialize_deserialize_then_decompress_10_06( + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)20U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice3(serialized, i0 * (size_t)20U, i0 * (size_t)20U + (size_t)20U, uint8_t *); - __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_10_f5(bytes); - re.coefficients[i0] = - libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_f5_ef( - coefficient); + libcrux_ml_kem_vector_avx2_deserialize_10_f5(bytes, &re->coefficients[i0]); + libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_f5_ef( + &re->coefficients[i0]); } - return re; } /** 
@@ -2012,16 +2435,26 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - COMPRESSION_FACTOR= 10 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 +static KRML_MUSTINLINE void libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_u_ee( - Eurydice_slice serialized) { - return libcrux_ml_kem_serialize_deserialize_then_decompress_10_84(serialized); + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *output) { + libcrux_ml_kem_serialize_deserialize_then_decompress_10_06(serialized, + output); } -typedef struct libcrux_ml_kem_vector_avx2_SIMD256Vector_x2_s { - __m256i fst; - __m256i snd; -} libcrux_ml_kem_vector_avx2_SIMD256Vector_x2; +/** +A monomorphic instance of libcrux_ml_kem.vector.traits.montgomery_multiply_fe +with types libcrux_ml_kem_vector_avx2_SIMD256Vector +with const generics + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_kem_vector_traits_montgomery_multiply_fe_06(__m256i *v, + int16_t fer) { + libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_f5(v, fer); +} /** A monomorphic instance of libcrux_ml_kem.ntt.ntt_layer_int_vec_step 
@@ -2030,15 +2463,14 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_vector_avx2_SIMD256Vector_x2 -libcrux_ml_kem_ntt_ntt_layer_int_vec_step_84(__m256i a, __m256i b, - int16_t zeta_r) { - __m256i t = - libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_f5(b, zeta_r); - b = libcrux_ml_kem_vector_avx2_sub_f5(a, &t); - a = libcrux_ml_kem_vector_avx2_add_f5(a, &t); - return (KRML_CLITERAL(libcrux_ml_kem_vector_avx2_SIMD256Vector_x2){.fst = a, - .snd = b}); +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_layer_int_vec_step_06( + __m256i *coefficients, size_t a, size_t b, __m256i *scratch, + int16_t zeta_r) { + scratch[0U] = coefficients[b]; + libcrux_ml_kem_vector_traits_montgomery_multiply_fe_06(scratch, zeta_r); + coefficients[b] = coefficients[a]; + libcrux_ml_kem_vector_avx2_add_f5(&coefficients[a], scratch); + libcrux_ml_kem_vector_avx2_sub_f5(&coefficients[b], scratch); } /** 
@@ -2048,26 +2480,21 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_4_plus_84( +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_4_plus_06( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, - size_t layer, size_t _initial_coefficient_bound) { + size_t layer, __m256i *scratch, size_t _initial_coefficient_bound) { size_t step = (size_t)1U << (uint32_t)layer; + size_t step_vec = step / (size_t)16U; for (size_t i0 = (size_t)0U; i0 < (size_t)128U >> (uint32_t)layer; i0++) { size_t round = i0; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - size_t offset = round * step * (size_t)2U; - size_t offset_vec = offset / (size_t)16U; - size_t step_vec = step / (size_t)16U; - for (size_t i = offset_vec; i < offset_vec + step_vec; i++) { + size_t a_offset = round * (size_t)2U * step_vec; + size_t b_offset = a_offset + step_vec; + for (size_t i = (size_t)0U; i < step_vec; i++) { size_t j = i; - libcrux_ml_kem_vector_avx2_SIMD256Vector_x2 uu____0 = - libcrux_ml_kem_ntt_ntt_layer_int_vec_step_84( - re->coefficients[j], re->coefficients[j + step_vec], - libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); - __m256i x = uu____0.fst; - __m256i y = uu____0.snd; - re->coefficients[j] = x; - re->coefficients[j + step_vec] = y; + libcrux_ml_kem_ntt_ntt_layer_int_vec_step_06( + re->coefficients, a_offset + j, b_offset + j, scratch, + libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); } } } 
@@ -2079,14 +2506,14 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_3_84( +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_3_06( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, size_t _initial_coefficient_bound) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_3_step_f5( - re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); + libcrux_ml_kem_vector_avx2_ntt_layer_3_step_f5( + &re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); } } @@ -2097,14 +2524,14 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_2_84( +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_2_06( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, size_t _initial_coefficient_bound) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_2_step_f5( - re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), + libcrux_ml_kem_vector_avx2_ntt_layer_2_step_f5( + &re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)1U)); zeta_i[0U] = zeta_i[0U] + (size_t)1U; } 
@@ -2117,14 +2544,14 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_1_84( +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_1_06( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, size_t _initial_coefficient_bound) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_1_step_f5( - re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), + libcrux_ml_kem_vector_avx2_ntt_layer_1_step_f5( + &re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)1U), libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)2U), libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)3U)); @@ -2139,13 +2566,12 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_84( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_06( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - myself->coefficients[i0] = - libcrux_ml_kem_vector_avx2_barrett_reduce_f5(myself->coefficients[i0]); + libcrux_ml_kem_vector_avx2_barrett_reduce_f5(&myself->coefficients[i0]); } } @@ -2161,9 +2587,9 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_84( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_06( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self) { - libcrux_ml_kem_polynomial_poly_barrett_reduce_84(self); + libcrux_ml_kem_polynomial_poly_barrett_reduce_06(self); } /** 
@@ -2174,20 +2600,20 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_vector_u_ee( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, __m256i *scratch) { size_t zeta_i = (size_t)0U; - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_84(&zeta_i, re, (size_t)7U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_06(&zeta_i, re, (size_t)7U, scratch, (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_84(&zeta_i, re, (size_t)6U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_06(&zeta_i, re, (size_t)6U, scratch, (size_t)2U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_84(&zeta_i, re, (size_t)5U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_06(&zeta_i, re, (size_t)5U, scratch, (size_t)3U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_84(&zeta_i, re, (size_t)4U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_06(&zeta_i, re, (size_t)4U, scratch, (size_t)4U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_3_84(&zeta_i, re, (size_t)5U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_2_84(&zeta_i, re, (size_t)6U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_1_84(&zeta_i, re, (size_t)7U * (size_t)3328U); - libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_84(re); + libcrux_ml_kem_ntt_ntt_at_layer_3_06(&zeta_i, re, (size_t)5U * (size_t)3328U); + libcrux_ml_kem_ntt_ntt_at_layer_2_06(&zeta_i, re, (size_t)6U * (size_t)3328U); + libcrux_ml_kem_ntt_ntt_at_layer_1_06(&zeta_i, re, (size_t)7U * (size_t)3328U); + libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_06(re); } /** 
@@ -2204,17 +2630,9 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_ed( - uint8_t *ciphertext, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 u_as_ntt[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - u_as_ntt[i] = - libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_call_mut_35_ed( - &lvalue, i); - } +libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_ed(uint8_t *ciphertext, + Eurydice_slice u_as_ntt, + __m256i *scratch) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice((size_t)1088U, ciphertext, uint8_t), @@ -2232,14 +2650,17 @@ libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_ed( LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U, uint8_t *); - u_as_ntt[i0] = - libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_u_ee( - u_bytes); - libcrux_ml_kem_ntt_ntt_vector_u_ee(&u_as_ntt[i0]); + libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_u_ee( + u_bytes, + &Eurydice_slice_index( + u_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *)); + libcrux_ml_kem_ntt_ntt_vector_u_ee( + &Eurydice_slice_index( + u_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *), + scratch); } - memcpy( - ret, u_as_ntt, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); } /** 
@@ -2249,15 +2670,15 @@ generics - COEFFICIENT_BITS= 4 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_d1( - __m256i vector) { + __m256i *vector) { __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); __m256i two_pow_coefficient_bits = libcrux_intrinsics_avx2_mm256_set1_epi32( (int32_t)1 << (uint32_t)(int32_t)4); __m128i coefficients_low = - libcrux_intrinsics_avx2_mm256_castsi256_si128(vector); + libcrux_intrinsics_avx2_mm256_castsi256_si128(vector[0U]); __m256i coefficients_low0 = libcrux_intrinsics_avx2_mm256_cvtepi16_epi32(coefficients_low); __m256i decompressed_low = libcrux_intrinsics_avx2_mm256_mullo_epi32( @@ -2271,7 +2692,7 @@ libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_d1( __m256i decompressed_low3 = libcrux_intrinsics_avx2_mm256_srli_epi32( (int32_t)1, decompressed_low2, __m256i); __m128i coefficients_high = libcrux_intrinsics_avx2_mm256_extracti128_si256( - (int32_t)1, vector, __m128i); + (int32_t)1, vector[0U], __m128i); __m256i coefficients_high0 = libcrux_intrinsics_avx2_mm256_cvtepi16_epi32(coefficients_high); __m256i decompressed_high = libcrux_intrinsics_avx2_mm256_mullo_epi32( @@ -2286,8 +2707,8 @@ libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_d1( (int32_t)1, decompressed_high2, __m256i); __m256i compressed = libcrux_intrinsics_avx2_mm256_packs_epi32( decompressed_low3, decompressed_high3); - return libcrux_intrinsics_avx2_mm256_permute4x64_epi64((int32_t)216, - compressed, __m256i); + vector[0U] = libcrux_intrinsics_avx2_mm256_permute4x64_epi64( + (int32_t)216, compressed, __m256i); } /** 
@@ -2301,11 +2722,10 @@ generics - COEFFICIENT_BITS= 4 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_f5_d1( - __m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_d1( - vector); + __m256i *vec) { + libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_d1(vec); } /** @@ -2315,22 +2735,19 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_serialize_deserialize_then_decompress_4_84( - Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = - libcrux_ml_kem_polynomial_ZERO_d6_84(); +static KRML_MUSTINLINE void +libcrux_ml_kem_serialize_deserialize_then_decompress_4_06( + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)8U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice3( serialized, i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t *); - __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_4_f5(bytes); - re.coefficients[i0] = - libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_f5_d1( - coefficient); + libcrux_ml_kem_vector_avx2_deserialize_4_f5(bytes, &re->coefficients[i0]); + libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_f5_d1( + &re->coefficients[i0]); } - return re; } /** 
@@ -2341,28 +2758,11 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - COMPRESSION_FACTOR= 4 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 +static KRML_MUSTINLINE void libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_ed( - Eurydice_slice serialized) { - return libcrux_ml_kem_serialize_deserialize_then_decompress_4_84(serialized); -} - -/** -A monomorphic instance of libcrux_ml_kem.polynomial.ZERO -with types libcrux_ml_kem_vector_avx2_SIMD256Vector -with const generics - -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_ZERO_84(void) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 lit; - __m256i repeat_expression[16U]; - for (size_t i = (size_t)0U; i < (size_t)16U; i++) { - repeat_expression[i] = libcrux_ml_kem_vector_avx2_ZERO_f5(); - } - memcpy(lit.coefficients, repeat_expression, (size_t)16U * sizeof(__m256i)); - return lit; + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *output) { + libcrux_ml_kem_serialize_deserialize_then_decompress_4_06(serialized, output); } /** 
@@ -2399,17 +2799,16 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_ntt_multiply_84( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_ntt_multiply_06( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 out = - libcrux_ml_kem_polynomial_ZERO_84(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *out) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - out.coefficients[i0] = libcrux_ml_kem_vector_avx2_ntt_multiply_f5( + libcrux_ml_kem_vector_avx2_ntt_multiply_f5( &myself->coefficients[i0], &rhs->coefficients[i0], + &out->coefficients[i0], libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0), libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 + (size_t)1U), @@ -2418,7 +2817,6 @@ libcrux_ml_kem_polynomial_ntt_multiply_84( libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 + (size_t)3U)); } - return out; } /** @@ -2433,11 +2831,11 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_ntt_multiply_d6_84( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_ntt_multiply_d6_06( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) { - return libcrux_ml_kem_polynomial_ntt_multiply_84(self, rhs); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *out) { + libcrux_ml_kem_polynomial_ntt_multiply_06(self, rhs, out); } /** 
@@ -2460,8 +2858,8 @@ static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_to_ring_element_ab( __m256i); i++) { size_t i0 = i; - myself->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_f5( - myself->coefficients[i0], &rhs->coefficients[i0]); + libcrux_ml_kem_vector_avx2_add_f5(&myself->coefficients[i0], + &rhs->coefficients[i0]); } } @@ -2490,17 +2888,16 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_84( +static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_06( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] - (size_t)1U; - re->coefficients[round] = - libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_f5( - re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), - libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)1U), - libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)2U), - libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)3U)); + libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_f5( + &re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), + libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)1U), + libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)2U), + libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)3U)); zeta_i[0U] = zeta_i[0U] - (size_t)3U; } } 
@@ -2512,15 +2909,14 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_84( +static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_06( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] - (size_t)1U; - re->coefficients[round] = - libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_f5( - re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), - libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)1U)); + libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_f5( + &re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), + libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)1U)); zeta_i[0U] = zeta_i[0U] - (size_t)1U; } } @@ -2532,15 +2928,13 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_84( +static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_06( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] - (size_t)1U; - re->coefficients[round] = - libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_f5( - re->coefficients[round], - libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); + libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_f5( + &re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); } } 
@@ -2551,17 +2945,19 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_vector_avx2_SIMD256Vector_x2 -libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_84(__m256i a, - __m256i b, - int16_t zeta_r) { - __m256i a_minus_b = libcrux_ml_kem_vector_avx2_sub_f5(b, &a); - a = libcrux_ml_kem_vector_avx2_barrett_reduce_f5( - libcrux_ml_kem_vector_avx2_add_f5(a, &b)); - b = libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_f5(a_minus_b, - zeta_r); - return (KRML_CLITERAL(libcrux_ml_kem_vector_avx2_SIMD256Vector_x2){.fst = a, - .snd = b}); +static KRML_MUSTINLINE void +libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_06( + __m256i *coefficients, size_t a, size_t b, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch, + int16_t zeta_r) { + scratch->coefficients[0U] = coefficients[a]; + scratch->coefficients[1U] = coefficients[b]; + libcrux_ml_kem_vector_avx2_add_f5(&coefficients[a], + &scratch->coefficients[1U]); + libcrux_ml_kem_vector_avx2_sub_f5(&coefficients[b], scratch->coefficients); + libcrux_ml_kem_vector_avx2_barrett_reduce_f5(&coefficients[a]); + libcrux_ml_kem_vector_traits_montgomery_multiply_fe_06(&coefficients[b], + zeta_r); } /** 
@@ -2572,28 +2968,22 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_84( +libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_06( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, - size_t layer) { + size_t layer, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch) { size_t step = (size_t)1U << (uint32_t)layer; + size_t step_vec = + step / LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; for (size_t i0 = (size_t)0U; i0 < (size_t)128U >> (uint32_t)layer; i0++) { size_t round = i0; zeta_i[0U] = zeta_i[0U] - (size_t)1U; - size_t offset = round * step * (size_t)2U; - size_t offset_vec = - offset / LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; - size_t step_vec = - step / LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; - for (size_t i = offset_vec; i < offset_vec + step_vec; i++) { + size_t a_offset = round * (size_t)2U * step_vec; + size_t b_offset = a_offset + step_vec; + for (size_t i = (size_t)0U; i < step_vec; i++) { size_t j = i; - libcrux_ml_kem_vector_avx2_SIMD256Vector_x2 uu____0 = - libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_84( - re->coefficients[j], re->coefficients[j + step_vec], - libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); - __m256i x = uu____0.fst; - __m256i y = uu____0.snd; - re->coefficients[j] = x; - re->coefficients[j + step_vec] = y; + libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_06( + re->coefficients, a_offset + j, b_offset + j, scratch, + libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); } } } 
@@ -2606,21 +2996,22 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_ab( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch) { size_t zeta_i = LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)2U; - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_84(&zeta_i, re); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_84(&zeta_i, re); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_84(&zeta_i, re); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_84(&zeta_i, re, - (size_t)4U); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_84(&zeta_i, re, - (size_t)5U); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_84(&zeta_i, re, - (size_t)6U); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_84(&zeta_i, re, - (size_t)7U); - libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_84(re); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_06(&zeta_i, re); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_06(&zeta_i, re); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_06(&zeta_i, re); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_06(&zeta_i, re, + (size_t)4U, scratch); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_06(&zeta_i, re, + (size_t)5U, scratch); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_06(&zeta_i, re, + (size_t)6U, scratch); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_06(&zeta_i, re, + (size_t)7U, scratch); + libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_06(re); } /** 
@@ -2630,22 +3021,19 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_subtract_reduce_84( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_subtract_reduce_06( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 b) { + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *b) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - __m256i coefficient_normal_form = - libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_f5( - b.coefficients[i0], (int16_t)1441); - __m256i diff = libcrux_ml_kem_vector_avx2_sub_f5(myself->coefficients[i0], - &coefficient_normal_form); - __m256i red = libcrux_ml_kem_vector_avx2_barrett_reduce_f5(diff); - b.coefficients[i0] = red; + libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_f5( + &b->coefficients[i0], (int16_t)1441); + libcrux_ml_kem_vector_avx2_sub_f5(&b->coefficients[i0], + &myself->coefficients[i0]); + libcrux_ml_kem_vector_avx2_negate_f5(&b->coefficients[i0]); + libcrux_ml_kem_vector_avx2_barrett_reduce_f5(&b->coefficients[i0]); } - return b; } /** 
@@ -2660,17 +3048,13 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_subtract_reduce_d6_84( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_subtract_reduce_d6_06( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 b) { - return libcrux_ml_kem_polynomial_subtract_reduce_84(self, b); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *b) { + libcrux_ml_kem_polynomial_subtract_reduce_06(self, b); } /** - The following functions compute various expressions involving - vectors and matrices. The computation of these expressions has been - abstracted away into these functions in order to save on loop iterations. Compute v − InverseNTT(sᵀ ◦ NTT(u)) */ /** 
@@ -2680,22 +3064,20 @@ with const generics - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_matrix_compute_message_ab( +static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_message_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *v, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *secret_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *u_as_ntt) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = - libcrux_ml_kem_polynomial_ZERO_d6_84(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *u_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *result, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch) { for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - libcrux_ml_kem_polynomial_ntt_multiply_d6_84(&secret_as_ntt[i0], - &u_as_ntt[i0]); - libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab(&result, &product); + libcrux_ml_kem_polynomial_ntt_multiply_d6_06(&secret_as_ntt[i0], + &u_as_ntt[i0], scratch); + libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab(result, scratch); } - libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_ab(&result); - return libcrux_ml_kem_polynomial_subtract_reduce_d6_84(v, result); + libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_ab(result, scratch); + libcrux_ml_kem_polynomial_subtract_reduce_d6_06(v, result); } /** @@ -2705,9 +3087,12 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_serialize_to_unsigned_field_modulus_84(__m256i a) { - return libcrux_ml_kem_vector_avx2_to_unsigned_representative_f5(a); +static KRML_MUSTINLINE void +libcrux_ml_kem_serialize_to_unsigned_field_modulus_06(__m256i *a, + __m256i *out) { + __m256i uu____0 = + libcrux_ml_kem_vector_avx2_to_unsigned_representative_f5(a[0U]); + out[0U] = uu____0; } /** 
@@ -2718,23 +3103,19 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_serialize_compress_then_serialize_message_84( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re, uint8_t ret[32U]) { - uint8_t serialized[32U] = {0U}; +libcrux_ml_kem_serialize_compress_then_serialize_message_06( + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, + Eurydice_slice serialized, __m256i *scratch) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t i0 = i; - __m256i coefficient = libcrux_ml_kem_serialize_to_unsigned_field_modulus_84( - re.coefficients[i0]); - __m256i coefficient_compressed = - libcrux_ml_kem_vector_avx2_compress_1_f5(coefficient); - uint8_t bytes[2U]; - libcrux_ml_kem_vector_avx2_serialize_1_f5(coefficient_compressed, bytes); - Eurydice_slice_copy( - Eurydice_array_to_subslice3(serialized, (size_t)2U * i0, - (size_t)2U * i0 + (size_t)2U, uint8_t *), - Eurydice_array_to_slice((size_t)2U, bytes, uint8_t), uint8_t); + libcrux_ml_kem_serialize_to_unsigned_field_modulus_06(&re->coefficients[i0], + scratch); + libcrux_ml_kem_vector_avx2_compress_1_f5(scratch); + libcrux_ml_kem_vector_avx2_serialize_1_f5( + scratch, + Eurydice_slice_subslice3(serialized, (size_t)2U * i0, + (size_t)2U * i0 + (size_t)2U, uint8_t *)); } - memcpy(ret, serialized, (size_t)32U * sizeof(uint8_t)); } /** 
@@ -2774,20 +3155,33 @@ with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_decrypt_unpacked_2f( libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_63 *secret_key, - uint8_t *ciphertext, uint8_t ret[32U]) { + uint8_t *ciphertext, Eurydice_slice decrypted, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 u_as_ntt[3U]; - libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_ed(ciphertext, u_as_ntt); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + u_as_ntt[i] = + libcrux_ml_kem_ind_cpa_decrypt_unpacked_call_mut_68_2f(&lvalue, i); + } + libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_ed( + ciphertext, + Eurydice_array_to_slice( + (size_t)3U, u_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6), + scratch->coefficients); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 v = - libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_ed( - Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, - (size_t)960U, uint8_t, size_t, - uint8_t[])); + libcrux_ml_kem_polynomial_ZERO_d6_06(); + libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_ed( + Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, (size_t)960U, + uint8_t, size_t, uint8_t[]), + &v); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 message = - libcrux_ml_kem_matrix_compute_message_ab(&v, secret_key->secret_as_ntt, - u_as_ntt); - uint8_t ret0[32U]; - libcrux_ml_kem_serialize_compress_then_serialize_message_84(message, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + libcrux_ml_kem_polynomial_ZERO_d6_06(); + libcrux_ml_kem_matrix_compute_message_ab(&v, secret_key->secret_as_ntt, + u_as_ntt, &message, scratch); + libcrux_ml_kem_serialize_compress_then_serialize_message_06( + &message, decrypted, scratch->coefficients); } /** 
@@ -2802,69 +3196,94 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_decrypt_2f( - Eurydice_slice secret_key, uint8_t *ciphertext, uint8_t ret[32U]) { + Eurydice_slice secret_key, uint8_t *ciphertext, Eurydice_slice decrypted, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch) { libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_63 secret_key_unpacked; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret0[3U]; + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { /* original Rust expression is not an lvalue in C */ void *lvalue = (void *)0U; - ret0[i] = libcrux_ml_kem_ind_cpa_decrypt_call_mut_0b_2f(&lvalue, i); + ret[i] = libcrux_ml_kem_ind_cpa_decrypt_call_mut_0b_2f(&lvalue, i); } memcpy( - secret_key_unpacked.secret_as_ntt, ret0, + secret_key_unpacked.secret_as_ntt, ret, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); libcrux_ml_kem_ind_cpa_deserialize_vector_ab( - secret_key, secret_key_unpacked.secret_as_ntt); - uint8_t ret1[32U]; + secret_key, Eurydice_array_to_slice( + (size_t)3U, secret_key_unpacked.secret_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); libcrux_ml_kem_ind_cpa_decrypt_unpacked_2f(&secret_key_unpacked, ciphertext, - ret1); - memcpy(ret, ret1, (size_t)32U * sizeof(uint8_t)); + decrypted, scratch); } /** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::avx2::Simd256Hash} -*/ -/** -A monomorphic instance of libcrux_ml_kem.hash_functions.avx2.G_41 +A monomorphic instance of libcrux_ml_kem.hash_functions.avx2.PRF with const generics -- K= 3 +- LEN= 32 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_G_41_e0( - Eurydice_slice input, uint8_t ret[64U]) { - libcrux_ml_kem_hash_functions_avx2_G(input, ret); +static KRML_MUSTINLINE void 
libcrux_ml_kem_hash_functions_avx2_PRF_9e( + Eurydice_slice input, Eurydice_slice out) { + libcrux_sha3_portable_shake256(out, input); } /** -A monomorphic instance of libcrux_ml_kem.hash_functions.avx2.PRF +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::avx2::Simd256Hash} +*/ +/** +A monomorphic instance of libcrux_ml_kem.hash_functions.avx2.PRF_26 with const generics - LEN= 32 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_PRF_9e( - Eurydice_slice input, uint8_t ret[32U]) { - uint8_t digest[32U] = {0U}; - libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)32U, digest, uint8_t), input); - memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); +static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_PRF_26_9e( + Eurydice_slice input, Eurydice_slice out) { + libcrux_ml_kem_hash_functions_avx2_PRF_9e(input, out); } /** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::avx2::Simd256Hash} +This function found in impl {core::ops::function::FnMut<(usize), +libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@3]> for libcrux_ml_kem::ind_cca::decapsulate::closure[TraitClause@0, +TraitClause@1, TraitClause@2, TraitClause@3, TraitClause@4, TraitClause@5]} */ /** -A monomorphic instance of libcrux_ml_kem.hash_functions.avx2.PRF_41 +A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate.call_mut_5f +with types libcrux_ml_kem_vector_avx2_SIMD256Vector, +libcrux_ml_kem_hash_functions_avx2_Simd256Hash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 -- LEN= 32 +- K_SQUARED= 9 +- SECRET_KEY_SIZE= 2400 +- CPA_SECRET_KEY_SIZE= 1152 +- PUBLIC_KEY_SIZE= 1184 +- CIPHERTEXT_SIZE= 1088 +- T_AS_NTT_ENCODED_SIZE= 1152 +- C1_SIZE= 960 +- C2_SIZE= 128 +- VECTOR_U_COMPRESSION_FACTOR= 10 +- VECTOR_V_COMPRESSION_FACTOR= 4 +- C1_BLOCK_SIZE= 320 +- ETA1= 2 +- ETA1_RANDOMNESS_SIZE= 
128 +- ETA2= 2 +- ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 +- IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_PRF_41_41( - Eurydice_slice input, uint8_t ret[32U]) { - libcrux_ml_kem_hash_functions_avx2_PRF_9e(input, ret); +static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 +libcrux_ml_kem_ind_cca_decapsulate_call_mut_5f_57(void **_, + size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_06(); } /** 
@@ -2872,50 +3291,46 @@ A monomorphic instance of libcrux_ml_kem.ind_cpa.unpacked.IndCpaPublicKeyUnpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - $3size_t +- $9size_t */ -typedef struct libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63_s { +typedef struct libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0_s { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 t_as_ntt[3U]; uint8_t seed_for_A[32U]; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 A[3U][3U]; -} libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63; + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 A[9U]; +} libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0; /** This function found in impl {core::default::Default for -libcrux_ml_kem::ind_cpa::unpacked::IndCpaPublicKeyUnpacked[TraitClause@0, TraitClause@1]} +libcrux_ml_kem::ind_cpa::unpacked::IndCpaPublicKeyUnpacked[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cpa.unpacked.default_8b +A monomorphic instance of libcrux_ml_kem.ind_cpa.unpacked.default_50 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 -libcrux_ml_kem_ind_cpa_unpacked_default_8b_ab(void) { +static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0 +libcrux_ml_kem_ind_cpa_unpacked_default_50_ed(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - uu____0[i] = libcrux_ml_kem_polynomial_ZERO_d6_84(); + uu____0[i] = libcrux_ml_kem_polynomial_ZERO_d6_06(); } uint8_t uu____1[32U] = {0U}; - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 lit; + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0 lit; memcpy( lit.t_as_ntt, uu____0, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); memcpy(lit.seed_for_A, 
uu____1, (size_t)32U * sizeof(uint8_t)); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 repeat_expression0[3U][3U]; - for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 repeat_expression[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - repeat_expression[i] = libcrux_ml_kem_polynomial_ZERO_d6_84(); - } - memcpy(repeat_expression0[i0], repeat_expression, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 repeat_expression[9U]; + for (size_t i = (size_t)0U; i < (size_t)9U; i++) { + repeat_expression[i] = libcrux_ml_kem_polynomial_ZERO_d6_06(); } - memcpy(lit.A, repeat_expression0, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U])); + memcpy( + lit.A, repeat_expression, + (size_t)9U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); return lit; } 
@@ -2932,26 +3347,26 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_84( - Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = - libcrux_ml_kem_polynomial_ZERO_d6_84(); +static KRML_MUSTINLINE void +libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_06( + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice3(serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t *); - __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_12_f5(bytes); - re.coefficients[i0] = - libcrux_ml_kem_vector_avx2_cond_subtract_3329_f5(coefficient); + libcrux_ml_kem_vector_avx2_deserialize_12_f5(bytes, &re->coefficients[i0]); + libcrux_ml_kem_vector_avx2_cond_subtract_3329_f5(&re->coefficients[i0]); } - return re; } /** - See [deserialize_ring_elements_reduced_out]. + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. */ /** A monomorphic instance of @@ -2962,8 +3377,7 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_ab( - Eurydice_slice public_key, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *deserialized_pk) { + Eurydice_slice public_key, Eurydice_slice deserialized_pk) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(public_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; 
@@ -2974,101 +3388,15 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_ab( i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, uint8_t *); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = - libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_84( - ring_element); - deserialized_pk[i0] = uu____0; + libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_06( + ring_element, + &Eurydice_slice_index( + deserialized_pk, i0, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *)); } } -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb_final with const -generics -- K= 3 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_55 -libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_final_e0( - uint8_t (*input)[34U]) { - libcrux_sha3_generic_keccak_KeccakState_55 state = - libcrux_sha3_avx2_x4_incremental_init(); - libcrux_sha3_avx2_x4_incremental_shake128_absorb_final( - &state, Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t), - Eurydice_array_to_slice((size_t)34U, input[1U], uint8_t), - Eurydice_array_to_slice((size_t)34U, input[2U], uint8_t), - Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t)); - return state; -} - -/** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::avx2::Simd256Hash} -*/ -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb_final_41 with const -generics -- K= 3 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_55 -libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_final_41_e0( - uint8_t (*input)[34U]) { - return libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_final_e0( - input); -} - -/** -A monomorphic instance of 
-libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_first_three_blocks with -const generics -- K= 3 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_first_three_blocks_e0( - libcrux_sha3_generic_keccak_KeccakState_55 *st, uint8_t ret[3U][504U]) { - uint8_t out[3U][504U] = {{0U}}; - uint8_t out0[504U] = {0U}; - uint8_t out1[504U] = {0U}; - uint8_t out2[504U] = {0U}; - uint8_t out3[504U] = {0U}; - libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks( - st, Eurydice_array_to_slice((size_t)504U, out0, uint8_t), - Eurydice_array_to_slice((size_t)504U, out1, uint8_t), - Eurydice_array_to_slice((size_t)504U, out2, uint8_t), - Eurydice_array_to_slice((size_t)504U, out3, uint8_t)); - uint8_t uu____0[504U]; - memcpy(uu____0, out0, (size_t)504U * sizeof(uint8_t)); - memcpy(out[0U], uu____0, (size_t)504U * sizeof(uint8_t)); - uint8_t uu____1[504U]; - memcpy(uu____1, out1, (size_t)504U * sizeof(uint8_t)); - memcpy(out[1U], uu____1, (size_t)504U * sizeof(uint8_t)); - uint8_t uu____2[504U]; - memcpy(uu____2, out2, (size_t)504U * sizeof(uint8_t)); - memcpy(out[2U], uu____2, (size_t)504U * sizeof(uint8_t)); - memcpy(ret, out, (size_t)3U * sizeof(uint8_t[504U])); -} - -/** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::avx2::Simd256Hash} -*/ -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_first_three_blocks_41 with -const generics -- K= 3 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_first_three_blocks_41_e0( - libcrux_sha3_generic_keccak_KeccakState_55 *self, uint8_t ret[3U][504U]) { - libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_first_three_blocks_e0( - self, ret); -} - /** If `bytes` contains a set of uniformly random bytes, this function uniformly samples a ring element `â` that is treated as being the NTT 
@@ -3120,32 +3448,41 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE bool libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed( - uint8_t (*randomness)[504U], size_t *sampled_coefficients, - int16_t (*out)[272U]) { + Eurydice_slice randomness, Eurydice_slice sampled_coefficients, + Eurydice_slice out) { for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { size_t i1 = i0; for (size_t i = (size_t)0U; i < (size_t)504U / (size_t)24U; i++) { size_t r = i; - if (sampled_coefficients[i1] < + if (Eurydice_slice_index(sampled_coefficients, i1, size_t, size_t *) < LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + uint8_t *randomness_i = Eurydice_slice_index( + randomness, i1, uint8_t[504U], uint8_t(*)[504U]); + int16_t *out_i = + Eurydice_slice_index(out, i1, int16_t[272U], int16_t(*)[272U]); + size_t sampled_coefficients_i = + Eurydice_slice_index(sampled_coefficients, i1, size_t, size_t *); size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_f5( - Eurydice_array_to_subslice3(randomness[i1], r * (size_t)24U, + Eurydice_array_to_subslice3(randomness_i, r * (size_t)24U, r * (size_t)24U + (size_t)24U, uint8_t *), - Eurydice_array_to_subslice3(out[i1], sampled_coefficients[i1], - sampled_coefficients[i1] + (size_t)16U, + Eurydice_array_to_subslice3(out_i, sampled_coefficients_i, + sampled_coefficients_i + (size_t)16U, int16_t *)); size_t uu____0 = i1; - sampled_coefficients[uu____0] = sampled_coefficients[uu____0] + sampled; + Eurydice_slice_index(sampled_coefficients, uu____0, size_t, size_t *) = + Eurydice_slice_index(sampled_coefficients, uu____0, size_t, + size_t *) + + sampled; } } } bool done = true; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - if (sampled_coefficients[i0] >= + if (Eurydice_slice_index(sampled_coefficients, i0, size_t, size_t *) >= LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - sampled_coefficients[i0] = + 
Eurydice_slice_index(sampled_coefficients, i0, size_t, size_t *) = LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; } else { done = false; 
@@ -3154,55 +3491,6 @@ libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed( return done; } -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_next_block with const -generics -- K= 3 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_next_block_e0( - libcrux_sha3_generic_keccak_KeccakState_55 *st, uint8_t ret[3U][168U]) { - uint8_t out[3U][168U] = {{0U}}; - uint8_t out0[168U] = {0U}; - uint8_t out1[168U] = {0U}; - uint8_t out2[168U] = {0U}; - uint8_t out3[168U] = {0U}; - libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block( - st, Eurydice_array_to_slice((size_t)168U, out0, uint8_t), - Eurydice_array_to_slice((size_t)168U, out1, uint8_t), - Eurydice_array_to_slice((size_t)168U, out2, uint8_t), - Eurydice_array_to_slice((size_t)168U, out3, uint8_t)); - uint8_t uu____0[168U]; - memcpy(uu____0, out0, (size_t)168U * sizeof(uint8_t)); - memcpy(out[0U], uu____0, (size_t)168U * sizeof(uint8_t)); - uint8_t uu____1[168U]; - memcpy(uu____1, out1, (size_t)168U * sizeof(uint8_t)); - memcpy(out[1U], uu____1, (size_t)168U * sizeof(uint8_t)); - uint8_t uu____2[168U]; - memcpy(uu____2, out2, (size_t)168U * sizeof(uint8_t)); - memcpy(out[2U], uu____2, (size_t)168U * sizeof(uint8_t)); - memcpy(ret, out, (size_t)3U * sizeof(uint8_t[168U])); -} - -/** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::avx2::Simd256Hash} -*/ -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_next_block_41 with const -generics -- K= 3 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_next_block_41_e0( - libcrux_sha3_generic_keccak_KeccakState_55 *self, uint8_t ret[3U][168U]) { - libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_next_block_e0(self, ret); -} - /** If `bytes` contains a set of uniformly random bytes, this function 
uniformly samples a ring element `â` that is treated as being the NTT 
@@ -3254,32 +3542,41 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE bool libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed0( - uint8_t (*randomness)[168U], size_t *sampled_coefficients, - int16_t (*out)[272U]) { + Eurydice_slice randomness, Eurydice_slice sampled_coefficients, + Eurydice_slice out) { for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { size_t i1 = i0; for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)24U; i++) { size_t r = i; - if (sampled_coefficients[i1] < + if (Eurydice_slice_index(sampled_coefficients, i1, size_t, size_t *) < LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + uint8_t *randomness_i = Eurydice_slice_index( + randomness, i1, uint8_t[168U], uint8_t(*)[168U]); + int16_t *out_i = + Eurydice_slice_index(out, i1, int16_t[272U], int16_t(*)[272U]); + size_t sampled_coefficients_i = + Eurydice_slice_index(sampled_coefficients, i1, size_t, size_t *); size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_f5( - Eurydice_array_to_subslice3(randomness[i1], r * (size_t)24U, + Eurydice_array_to_subslice3(randomness_i, r * (size_t)24U, r * (size_t)24U + (size_t)24U, uint8_t *), - Eurydice_array_to_subslice3(out[i1], sampled_coefficients[i1], - sampled_coefficients[i1] + (size_t)16U, + Eurydice_array_to_subslice3(out_i, sampled_coefficients_i, + sampled_coefficients_i + (size_t)16U, int16_t *)); size_t uu____0 = i1; - sampled_coefficients[uu____0] = sampled_coefficients[uu____0] + sampled; + Eurydice_slice_index(sampled_coefficients, uu____0, size_t, size_t *) = + Eurydice_slice_index(sampled_coefficients, uu____0, size_t, + size_t *) + + sampled; } } } bool done = true; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - if (sampled_coefficients[i0] >= + if (Eurydice_slice_index(sampled_coefficients, i0, size_t, size_t *) >= LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - sampled_coefficients[i0] = + 
Eurydice_slice_index(sampled_coefficients, i0, size_t, size_t *) = LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; } else { done = false; @@ -3288,6 +3585,41 @@ libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed0( return done; } +/** +A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof +with types libcrux_ml_kem_vector_avx2_SIMD256Vector, +libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics +- K= 3 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_xof_6c( + Eurydice_slice seeds, Eurydice_slice sampled_coefficients, + Eurydice_slice out) { + libcrux_sha3_generic_keccak_KeccakState_55 xof_state = + libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_final_26(seeds); + uint8_t randomness[3U][504U] = {{0U}}; + uint8_t randomness_blocksize[3U][168U] = {{0U}}; + libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_first_three_blocks_26( + &xof_state, + Eurydice_array_to_slice((size_t)3U, randomness, uint8_t[504U])); + bool done = libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed( + Eurydice_array_to_slice((size_t)3U, randomness, uint8_t[504U]), + sampled_coefficients, out); + while (true) { + if (done) { + break; + } else { + libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_next_block_26( + &xof_state, Eurydice_array_to_slice((size_t)3U, randomness_blocksize, + uint8_t[168U])); + done = libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed0( + Eurydice_array_to_slice((size_t)3U, randomness_blocksize, + uint8_t[168U]), + sampled_coefficients, out); + } + } +} + /** A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -3295,18 +3627,17 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_from_i16_array_84(Eurydice_slice a) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = - libcrux_ml_kem_polynomial_ZERO_84(); +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_from_i16_array_06( + Eurydice_slice a, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *result) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - result.coefficients[i0] = - libcrux_ml_kem_vector_avx2_from_i16_array_f5(Eurydice_slice_subslice3( - a, i0 * (size_t)16U, (i0 + (size_t)1U) * (size_t)16U, int16_t *)); + libcrux_ml_kem_vector_avx2_from_i16_array_f5( + Eurydice_slice_subslice3(a, i0 * (size_t)16U, + (i0 + (size_t)1U) * (size_t)16U, int16_t *), + &result->coefficients[i0]); } - return result; } /** 
@@ -3321,77 +3652,9 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_from_i16_array_d6_84(Eurydice_slice a) { - return libcrux_ml_kem_polynomial_from_i16_array_84(a); -} - -/** -This function found in impl {core::ops::function::FnMut<(@Array), -libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@2]> for libcrux_ml_kem::sampling::sample_from_xof::closure[TraitClause@0, TraitClause@1, TraitClause@2, TraitClause@3]} -*/ -/** -A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof.call_mut_e7 -with types libcrux_ml_kem_vector_avx2_SIMD256Vector, -libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics -- K= 3 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_sampling_sample_from_xof_call_mut_e7_6c( - void **_, int16_t tupled_args[272U]) { - int16_t s[272U]; - memcpy(s, tupled_args, (size_t)272U * sizeof(int16_t)); - return libcrux_ml_kem_polynomial_from_i16_array_d6_84( - Eurydice_array_to_subslice3(s, (size_t)0U, (size_t)256U, int16_t *)); -} - -/** -A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof -with types libcrux_ml_kem_vector_avx2_SIMD256Vector, -libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics -- K= 3 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_xof_6c( - uint8_t (*seeds)[34U], - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { - size_t sampled_coefficients[3U] = {0U}; - int16_t out[3U][272U] = {{0U}}; - libcrux_sha3_generic_keccak_KeccakState_55 xof_state = - libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_final_41_e0( - seeds); - uint8_t randomness0[3U][504U]; - libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_first_three_blocks_41_e0( - &xof_state, randomness0); - bool done = 
libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed( - randomness0, sampled_coefficients, out); - while (true) { - if (done) { - break; - } else { - uint8_t randomness[3U][168U]; - libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_next_block_41_e0( - &xof_state, randomness); - done = libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed0( - randomness, sampled_coefficients, out); - } - } - /* Passing arrays by value in Rust generates a copy in C */ - int16_t copy_of_out[3U][272U]; - memcpy(copy_of_out, out, (size_t)3U * sizeof(int16_t[272U])); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret0[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - ret0[i] = libcrux_ml_kem_sampling_sample_from_xof_call_mut_e7_6c( - &lvalue, copy_of_out[i]); - } - memcpy( - ret, ret0, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_from_i16_array_d6_06( + Eurydice_slice a, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *out) { + libcrux_ml_kem_polynomial_from_i16_array_06(a, out); } /** 
@@ -3402,35 +3665,51 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_matrix_sample_matrix_A_6c( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 (*A_transpose)[3U], - uint8_t *seed, bool transpose) { + Eurydice_slice A_transpose, uint8_t *seed, bool transpose) { for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { size_t i1 = i0; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); uint8_t seeds[3U][34U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - core_array__core__clone__Clone_for__Array_T__N___clone( - (size_t)34U, seed, seeds[i], uint8_t, void *); + memcpy(seeds[i], copy_of_seed, (size_t)34U * sizeof(uint8_t)); } for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t j = i; seeds[j][32U] = (uint8_t)i1; seeds[j][33U] = (uint8_t)j; } - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 sampled[3U]; - libcrux_ml_kem_sampling_sample_from_xof_6c(seeds, sampled); + size_t sampled_coefficients[3U] = {0U}; + int16_t out[3U][272U] = {{0U}}; + libcrux_ml_kem_sampling_sample_from_xof_6c( + Eurydice_array_to_slice((size_t)3U, seeds, uint8_t[34U]), + Eurydice_array_to_slice((size_t)3U, sampled_coefficients, size_t), + Eurydice_array_to_slice((size_t)3U, out, int16_t[272U])); for (size_t i = (size_t)0U; i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)3U, sampled, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6), - libcrux_ml_kem_polynomial_PolynomialRingElement_f6); + Eurydice_array_to_slice((size_t)3U, out, int16_t[272U]), + int16_t[272U]); i++) { size_t j = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 sample = sampled[j]; + int16_t sample[272U]; + memcpy(sample, out[j], (size_t)272U * sizeof(int16_t)); if (transpose) { - A_transpose[j][i1] = sample; + Eurydice_slice uu____1 = Eurydice_array_to_subslice_to( + (size_t)272U, sample, 
(size_t)256U, int16_t, size_t, int16_t[]); + libcrux_ml_kem_polynomial_from_i16_array_d6_06( + uu____1, &Eurydice_slice_index( + A_transpose, j * (size_t)3U + i1, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *)); } else { - A_transpose[i1][j] = sample; + Eurydice_slice uu____2 = Eurydice_array_to_subslice_to( + (size_t)272U, sample, (size_t)256U, int16_t, size_t, int16_t[]); + libcrux_ml_kem_polynomial_from_i16_array_d6_06( + uu____2, &Eurydice_slice_index( + A_transpose, i1 * (size_t)3U + j, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *)); } } } 
@@ -3441,137 +3720,31 @@ A monomorphic instance of libcrux_ml_kem.ind_cpa.build_unpacked_public_key_mut with types libcrux_ml_kem_vector_avx2_SIMD256Vector, libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - K= 3 +- K_SQUARED= 9 - T_AS_NTT_ENCODED_SIZE= 1152 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_fa( +libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_b4( Eurydice_slice public_key, - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0 *unpacked_public_key) { Eurydice_slice uu____0 = Eurydice_slice_subslice_to( public_key, (size_t)1152U, uint8_t, size_t, uint8_t[]); libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_ab( - uu____0, unpacked_public_key->t_as_ntt); + uu____0, Eurydice_array_to_slice( + (size_t)3U, unpacked_public_key->t_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); Eurydice_slice seed = Eurydice_slice_subslice_from( public_key, (size_t)1152U, uint8_t, size_t, uint8_t[]); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6(*uu____1)[3U] = - unpacked_public_key->A; + Eurydice_slice uu____1 = Eurydice_array_to_slice( + (size_t)9U, unpacked_public_key->A, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6); uint8_t ret[34U]; libcrux_ml_kem_utils_into_padded_array_b6(seed, ret); libcrux_ml_kem_matrix_sample_matrix_A_6c(uu____1, ret, false); } -/** -A monomorphic instance of libcrux_ml_kem.ind_cpa.build_unpacked_public_key -with types libcrux_ml_kem_vector_avx2_SIMD256Vector, -libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics -- K= 3 -- T_AS_NTT_ENCODED_SIZE= 1152 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 - libcrux_ml_kem_ind_cpa_build_unpacked_public_key_fa( - Eurydice_slice public_key) { - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 - unpacked_public_key = 
libcrux_ml_kem_ind_cpa_unpacked_default_8b_ab(); - libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_fa(public_key, - &unpacked_public_key); - return unpacked_public_key; -} - -/** -A monomorphic instance of K. -with types libcrux_ml_kem_polynomial_PolynomialRingElement -libcrux_ml_kem_vector_avx2_SIMD256Vector[3size_t], -libcrux_ml_kem_polynomial_PolynomialRingElement -libcrux_ml_kem_vector_avx2_SIMD256Vector - -*/ -typedef struct tuple_ed0_s { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 fst[3U]; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 snd; -} tuple_ed0; - -/** -This function found in impl {core::ops::function::FnMut<(usize), -libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@2]> for libcrux_ml_kem::ind_cpa::encrypt_c1::closure[TraitClause@0, TraitClause@1, TraitClause@2, -TraitClause@3]} -*/ -/** -A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1.call_mut_f1 -with types libcrux_ml_kem_vector_avx2_SIMD256Vector, -libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics -- K= 3 -- C1_LEN= 960 -- U_COMPRESSION_FACTOR= 10 -- BLOCK_LEN= 320 -- ETA1= 2 -- ETA1_RANDOMNESS_SIZE= 128 -- ETA2= 2 -- ETA2_RANDOMNESS_SIZE= 128 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_f1_48(void **_, size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_84(); -} - -/** -A monomorphic instance of libcrux_ml_kem.hash_functions.avx2.PRFxN -with const generics -- K= 3 -- LEN= 128 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_PRFxN_41( - uint8_t (*input)[33U], uint8_t ret[3U][128U]) { - uint8_t out[3U][128U] = {{0U}}; - uint8_t out0[128U] = {0U}; - uint8_t out1[128U] = {0U}; - uint8_t out2[128U] = {0U}; - uint8_t out3[128U] = {0U}; - libcrux_sha3_avx2_x4_shake256( - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t), - Eurydice_array_to_slice((size_t)33U, 
input[1U], uint8_t), - Eurydice_array_to_slice((size_t)33U, input[2U], uint8_t), - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t), - Eurydice_array_to_slice((size_t)128U, out0, uint8_t), - Eurydice_array_to_slice((size_t)128U, out1, uint8_t), - Eurydice_array_to_slice((size_t)128U, out2, uint8_t), - Eurydice_array_to_slice((size_t)128U, out3, uint8_t)); - uint8_t uu____0[128U]; - memcpy(uu____0, out0, (size_t)128U * sizeof(uint8_t)); - memcpy(out[0U], uu____0, (size_t)128U * sizeof(uint8_t)); - uint8_t uu____1[128U]; - memcpy(uu____1, out1, (size_t)128U * sizeof(uint8_t)); - memcpy(out[1U], uu____1, (size_t)128U * sizeof(uint8_t)); - uint8_t uu____2[128U]; - memcpy(uu____2, out2, (size_t)128U * sizeof(uint8_t)); - memcpy(out[2U], uu____2, (size_t)128U * sizeof(uint8_t)); - memcpy(ret, out, (size_t)3U * sizeof(uint8_t[128U])); -} - -/** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::avx2::Simd256Hash} -*/ -/** -A monomorphic instance of libcrux_ml_kem.hash_functions.avx2.PRFxN_41 -with const generics -- K= 3 -- LEN= 128 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_PRFxN_41_41( - uint8_t (*input)[33U], uint8_t ret[3U][128U]) { - libcrux_ml_kem_hash_functions_avx2_PRFxN_41(input, ret); -} - /** Given a series of uniformly random bytes in `randomness`, for some number `eta`, the `sample_from_binomial_distribution_{eta}` functions sample a ring 
@@ -3628,10 +3801,9 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_84( - Eurydice_slice randomness) { - int16_t sampled_i16s[256U] = {0U}; +static KRML_MUSTINLINE void +libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_06( + Eurydice_slice randomness, Eurydice_slice sampled_i16s) { for (size_t i0 = (size_t)0U; i0 < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i0++) { size_t chunk_number = i0; @@ -3661,11 +3833,10 @@ libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_84( int16_t outcome_2 = (int16_t)(coin_toss_outcomes >> (uint32_t)(outcome_set0 + 2U) & 3U); size_t offset = (size_t)(outcome_set0 >> 2U); - sampled_i16s[(size_t)8U * chunk_number + offset] = outcome_1 - outcome_2; + Eurydice_slice_index(sampled_i16s, (size_t)8U * chunk_number + offset, + int16_t, int16_t *) = outcome_1 - outcome_2; } } - return libcrux_ml_kem_polynomial_from_i16_array_d6_84( - Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t)); } /** @@ -3675,11 +3846,11 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - ETA= 2 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 +static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_binomial_distribution_89( - Eurydice_slice randomness) { - return libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_84( - randomness); + Eurydice_slice randomness, int16_t *output) { + libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_06( + randomness, Eurydice_array_to_slice((size_t)256U, output, int16_t)); } /** 
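Review bot: Nothing relates the length of the new `sampled_i16s` output slice to the length of `randomness`: the loop writes `Eurydice_slice_index(sampled_i16s, (size_t)8U * chunk_number + offset, …)` for every 4-byte chunk, so the caller's buffer must hold at least `2 * Eurydice_slice_len(randomness)` elements, a bound the old local `int16_t sampled_i16s[256U]` satisfied by construction for 128-byte inputs. Whether `Eurydice_slice_index` bounds-checks in this build is not visible in the hunk; if it does not, an oversized `randomness` becomes a stack write past the caller's buffer, and the wrapper `_89` re-wraps a bare `int16_t *output` as exactly 256 elements, so that is the only safe size. I would record the contract at the top of `_2_06`: `/* Precondition: sampled_i16s holds >= 2 * len(randomness) int16_t (256 for the 128-byte ETA=2 input). */`. The body of `_2_06` continues between the first two hunks.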
@@ -3689,17 +3860,16 @@ with const generics
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_7_84(
- libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) {
+static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_7_06(
+ libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, __m256i *scratch) {
 size_t step = LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT / (size_t)2U;
 for (size_t i = (size_t)0U; i < step; i++) {
 size_t j = i;
- __m256i t = libcrux_ml_kem_vector_avx2_multiply_by_constant_f5(
- re->coefficients[j + step], (int16_t)-1600);
- re->coefficients[j + step] =
- libcrux_ml_kem_vector_avx2_sub_f5(re->coefficients[j], &t);
- re->coefficients[j] =
- libcrux_ml_kem_vector_avx2_add_f5(re->coefficients[j], &t);
+ scratch[0U] = re->coefficients[j + step];
+ libcrux_ml_kem_vector_avx2_multiply_by_constant_f5(scratch, (int16_t)-1600);
+ re->coefficients[j + step] = re->coefficients[j];
+ libcrux_ml_kem_vector_avx2_add_f5(&re->coefficients[j], scratch);
+ libcrux_ml_kem_vector_avx2_sub_f5(&re->coefficients[j + step], scratch);
 }
 }
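Review bot: The new `scratch` parameter is a one-element temporary (`scratch[0U] = re->coefficients[j + step]`, overwritten every iteration) but the signature says neither how large it must be nor that it must not alias `re->coefficients`; the old version used a local `__m256i t`, so aliasing was impossible by construction. The callers visible in this diff pass the `coefficients` array of a separate scratch polynomial, which is fine, but nothing in the C contract enforces it. I would add above the signature: `/* scratch: at least one __m256i of temporary storage; must not alias re->coefficients. */`.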
@@ -3711,23 +3881,24 @@ with const generics
 */
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE void
-libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_84(
- libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) {
- libcrux_ml_kem_ntt_ntt_at_layer_7_84(re);
+libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_06(
+ libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, __m256i *scratch) {
+ libcrux_ml_kem_ntt_ntt_at_layer_7_06(re, scratch);
 size_t zeta_i = (size_t)1U;
- libcrux_ml_kem_ntt_ntt_at_layer_4_plus_84(&zeta_i, re, (size_t)6U,
+ libcrux_ml_kem_ntt_ntt_at_layer_4_plus_06(&zeta_i, re, (size_t)6U, scratch,
 (size_t)11207U);
- libcrux_ml_kem_ntt_ntt_at_layer_4_plus_84(&zeta_i, re, (size_t)5U,
+ libcrux_ml_kem_ntt_ntt_at_layer_4_plus_06(&zeta_i, re, (size_t)5U, scratch,
 (size_t)11207U + (size_t)3328U);
- libcrux_ml_kem_ntt_ntt_at_layer_4_plus_84(
- &zeta_i, re, (size_t)4U, (size_t)11207U + (size_t)2U * (size_t)3328U);
- libcrux_ml_kem_ntt_ntt_at_layer_3_84(
+ libcrux_ml_kem_ntt_ntt_at_layer_4_plus_06(
+ &zeta_i, re, (size_t)4U, scratch,
+ (size_t)11207U + (size_t)2U * (size_t)3328U);
+ libcrux_ml_kem_ntt_ntt_at_layer_3_06(
 &zeta_i, re, (size_t)11207U + (size_t)3U * (size_t)3328U);
- libcrux_ml_kem_ntt_ntt_at_layer_2_84(
+ libcrux_ml_kem_ntt_ntt_at_layer_2_06(
 &zeta_i, re, (size_t)11207U + (size_t)4U * (size_t)3328U);
- libcrux_ml_kem_ntt_ntt_at_layer_1_84(
+ libcrux_ml_kem_ntt_ntt_at_layer_1_06(
 &zeta_i, re, (size_t)11207U + (size_t)5U * (size_t)3328U);
- libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_84(re);
+ libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_06(re);
 }
 /**
@@ -3741,27 +3912,46 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - K= 3 - ETA= 2 - ETA_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE= 384 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE uint8_t -libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_b4( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re_as_ntt, - uint8_t *prf_input, uint8_t domain_separator) { +libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_cb(Eurydice_slice re_as_ntt, + uint8_t *prf_input, + uint8_t domain_separator, + __m256i *scratch) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[3U][33U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - core_array__core__clone__Clone_for__Array_T__N___clone( - (size_t)33U, prf_input, prf_inputs[i], uint8_t, void *); + memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t)); } domain_separator = libcrux_ml_kem_utils_prf_input_inc_e0(prf_inputs, domain_separator); - uint8_t prf_outputs[3U][128U]; - libcrux_ml_kem_hash_functions_avx2_PRFxN_41_41(prf_inputs, prf_outputs); + uint8_t prf_outputs[384U] = {0U}; + libcrux_ml_kem_hash_functions_avx2_PRFxN_26( + Eurydice_array_to_slice((size_t)3U, prf_inputs, uint8_t[33U]), + Eurydice_array_to_slice((size_t)384U, prf_outputs, uint8_t), + (size_t)128U); for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - re_as_ntt[i0] = - libcrux_ml_kem_sampling_sample_from_binomial_distribution_89( - Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t)); - libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_84(&re_as_ntt[i0]); + Eurydice_slice randomness = Eurydice_array_to_subslice3( + prf_outputs, i0 * (size_t)128U, (i0 + (size_t)1U) * (size_t)128U, + uint8_t *); + int16_t sample_buffer[256U] = {0U}; + libcrux_ml_kem_sampling_sample_from_binomial_distribution_89(randomness, + sample_buffer); + 
libcrux_ml_kem_polynomial_from_i16_array_d6_06( + Eurydice_array_to_slice((size_t)256U, sample_buffer, int16_t), + &Eurydice_slice_index( + re_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *)); + libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_06( + &Eurydice_slice_index( + re_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *), + scratch); } return domain_separator; } @@ -3769,16 +3959,17 @@ libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_b4( /** This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@2]> for libcrux_ml_kem::ind_cpa::encrypt_c1::closure#1[TraitClause@0, TraitClause@1, TraitClause@2, -TraitClause@3]} +TraitClause@2]> for libcrux_ml_kem::ind_cpa::encrypt_c1::closure[TraitClause@0, TraitClause@1, TraitClause@2, TraitClause@3]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1.call_mut_dd +A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1.call_mut_77 with types libcrux_ml_kem_vector_avx2_SIMD256Vector, libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - K= 3 +- K_SQUARED= 9 - C1_LEN= 960 - U_COMPRESSION_FACTOR= 10 - BLOCK_LEN= 320 @@ -3786,11 +3977,13 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_dd_48(void **_, size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_84(); +libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_77_a1(void **_, size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_06(); } /** 
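Review bot: `int16_t sample_buffer[256U]` is a new secret-bearing local in `libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_cb`: it holds the CBD-sampled coefficients of the secret vector `r` before `from_i16_array_d6_06` copies them into `re_as_ntt`, and like `prf_outputs`, `prf_inputs` and `copy_of_prf_input` (the seed) it is left on the stack uncleared at return; the previous version sampled directly into the ring element and had no such intermediate. Since this is generated C the remedy belongs in the Rust source, but it is worth flagging here because the diff increases, rather than reduces, the amount of key-dependent stack residue. The `copy_of_prf_input` copy is also redundant as written — `prf_input` is never modified before the three `memcpy(prf_inputs[i], …)` calls — though again that is a property of the extraction, not of this file.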
@@ -3803,27 +3996,41 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - K= 3 - ETA2_RANDOMNESS_SIZE= 128 - ETA2= 2 +- PRF_OUTPUT_SIZE= 384 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE uint8_t -libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_b4( - uint8_t *prf_input, uint8_t domain_separator, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_1) { +libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_cb(uint8_t *prf_input, + uint8_t domain_separator, + Eurydice_slice error_1, + int16_t *sample_buffer) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[3U][33U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - core_array__core__clone__Clone_for__Array_T__N___clone( - (size_t)33U, prf_input, prf_inputs[i], uint8_t, void *); + memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t)); } domain_separator = libcrux_ml_kem_utils_prf_input_inc_e0(prf_inputs, domain_separator); - uint8_t prf_outputs[3U][128U]; - libcrux_ml_kem_hash_functions_avx2_PRFxN_41_41(prf_inputs, prf_outputs); + uint8_t prf_outputs[384U] = {0U}; + Eurydice_slice uu____1 = core_array___Array_T__N___as_slice( + (size_t)3U, prf_inputs, uint8_t[33U], Eurydice_slice); + libcrux_ml_kem_hash_functions_avx2_PRFxN_26( + uu____1, Eurydice_array_to_slice((size_t)384U, prf_outputs, uint8_t), + (size_t)128U); for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = - libcrux_ml_kem_sampling_sample_from_binomial_distribution_89( - Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t)); - error_1[i0] = uu____0; + Eurydice_slice randomness = Eurydice_array_to_subslice3( + prf_outputs, i0 * (size_t)128U, (i0 + (size_t)1U) * (size_t)128U, + uint8_t *); + libcrux_ml_kem_sampling_sample_from_binomial_distribution_89(randomness, + sample_buffer); + 
libcrux_ml_kem_polynomial_from_i16_array_d6_06( + Eurydice_array_to_slice((size_t)256U, sample_buffer, int16_t), + &Eurydice_slice_index( + error_1, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *)); } return domain_separator; } 
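Review bot: `sample_buffer` arrives as a bare `int16_t *` with no length and is re-wrapped as exactly 256 elements (`Eurydice_array_to_slice((size_t)256U, sample_buffer, int16_t)`) on each of the three iterations, so the size precondition is carried by convention only; the one caller in this diff passes a `[256U]` stack array, which matches. I would state it above the signature: `/* sample_buffer: caller scratch of exactly 256 int16_t, overwritten on every iteration and not cleared on return. */`. Minor inconsistency: this function builds the `prf_inputs` slice with `core_array___Array_T__N___as_slice(...)` while the sibling `sample_vector_cbd_then_ntt_cb` uses `Eurydice_array_to_slice((size_t)3U, prf_inputs, uint8_t[33U])` for the same purpose.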
@@ -3835,46 +4042,68 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_PRF_a6( - Eurydice_slice input, uint8_t ret[128U]) { - uint8_t digest[128U] = {0U}; - libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)128U, digest, uint8_t), input); - memcpy(ret, digest, (size_t)128U * sizeof(uint8_t)); + Eurydice_slice input, Eurydice_slice out) { + libcrux_sha3_portable_shake256(out, input); } /** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for +This function found in impl {libcrux_ml_kem::hash_functions::Hash for libcrux_ml_kem::hash_functions::avx2::Simd256Hash} */ /** -A monomorphic instance of libcrux_ml_kem.hash_functions.avx2.PRF_41 +A monomorphic instance of libcrux_ml_kem.hash_functions.avx2.PRF_26 with const generics -- K= 3 - LEN= 128 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_PRF_41_410( - Eurydice_slice input, uint8_t ret[128U]) { - libcrux_ml_kem_hash_functions_avx2_PRF_a6(input, ret); +static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_PRF_26_a6( + Eurydice_slice input, Eurydice_slice out) { + libcrux_ml_kem_hash_functions_avx2_PRF_a6(input, out); } /** This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]> for libcrux_ml_kem::matrix::compute_vector_u::closure[TraitClause@0, TraitClause@1]} +TraitClause@2]> for libcrux_ml_kem::ind_cpa::encrypt_c1::closure#1[TraitClause@0, TraitClause@1, TraitClause@2, TraitClause@3]} */ /** -A monomorphic instance of libcrux_ml_kem.matrix.compute_vector_u.call_mut_a8 +A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1.call_mut_88 +with types libcrux_ml_kem_vector_avx2_SIMD256Vector, +libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics +- K= 3 +- K_SQUARED= 9 +- C1_LEN= 960 +- U_COMPRESSION_FACTOR= 10 +- BLOCK_LEN= 320 +- ETA1= 2 +- 
ETA1_RANDOMNESS_SIZE= 128 +- ETA2= 2 +- ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 +libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_88_a1(void **_, size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_06(); +} + +/** +A monomorphic instance of libcrux_ml_kem.matrix.entry with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_matrix_compute_vector_u_call_mut_a8_ab(void **_, - size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_84(); +static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 * +libcrux_ml_kem_matrix_entry_ab(Eurydice_slice matrix, size_t i, size_t j) { + return &Eurydice_slice_index( + matrix, i * (size_t)3U + j, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *); } /** 
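Review bot: `libcrux_ml_kem_matrix_entry_ab` computes `i * (size_t)3U + j` into a flat `Eurydice_slice`, and nothing ties the slice's length to the K×K layout the index assumes; the old `[3U]`-array parameter encoded that shape in the type. Whether `Eurydice_slice_index` bounds-checks here is not visible in the hunk, so I would at least document the layout: `/* matrix is a flat, row-major K*K slice; returns &matrix[i*K + j]. */`. Separately, `libcrux_ml_kem_hash_functions_avx2_PRF_a6` now writes as many bytes as the caller's `out` slice holds, so the `LEN= 128` in its monomorphization comment is no longer enforced by the signature — the callers in this diff pass 128, but the comment reads as a guarantee it no longer is.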
@@ -3884,19 +4113,17 @@ with const generics
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_84(
+static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_06(
 libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself,
 libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) {
 for (size_t i = (size_t)0U;
 i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
 size_t j = i;
- __m256i coefficient_normal_form =
- libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_f5(
- myself->coefficients[j], (int16_t)1441);
- __m256i sum = libcrux_ml_kem_vector_avx2_add_f5(coefficient_normal_form,
- &error->coefficients[j]);
- __m256i red = libcrux_ml_kem_vector_avx2_barrett_reduce_f5(sum);
- myself->coefficients[j] = red;
+ libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_f5(
+ &myself->coefficients[j], (int16_t)1441);
+ libcrux_ml_kem_vector_avx2_add_f5(&myself->coefficients[j],
+ &error->coefficients[j]);
+ libcrux_ml_kem_vector_avx2_barrett_reduce_f5(&myself->coefficients[j]);
 }
 }
@@ -3912,10 +4139,10 @@ with const generics
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_d6_84(
+static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_d6_06(
 libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self,
 libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) {
- libcrux_ml_kem_polynomial_add_error_reduce_84(self, error);
+ libcrux_ml_kem_polynomial_add_error_reduce_06(self, error);
 }
 /**
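Review bot: The in-place rewrite of `libcrux_ml_kem_polynomial_add_error_reduce_06` makes the result depend on `myself` and `error` not aliasing: `myself->coefficients[j]` is scaled by 1441 before `&error->coefficients[j]` is read, whereas the old code read both operands into temporaries first. Rust's `&mut self`/`&error` rules rule this out for the callers it was extracted from, but the C signature does not, so a `restrict` qualifier or a comment `/* myself and error must not alias. */` would make the assumption explicit for anyone calling the generated code directly.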
@@ -3929,46 +4156,40 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_vector_u_ab( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 (*a_as_ntt)[3U], - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *r_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_1, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - result[i] = - libcrux_ml_kem_matrix_compute_vector_u_call_mut_a8_ab(&lvalue, i); - } - for (size_t i0 = (size_t)0U; - i0 < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)3U, a_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U]), - libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U]); - i0++) { + Eurydice_slice a_as_ntt, Eurydice_slice r_as_ntt, Eurydice_slice error_1, + Eurydice_slice result, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch) { + for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { size_t i1 = i0; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *row = a_as_ntt[i1]; - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)3U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6), - libcrux_ml_kem_polynomial_PolynomialRingElement_f6); - i++) { + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t j = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *a_element = &row[j]; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - libcrux_ml_kem_polynomial_ntt_multiply_d6_84(a_element, &r_as_ntt[j]); - libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab(&result[i1], - &product); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *uu____0 = + libcrux_ml_kem_matrix_entry_ab(a_as_ntt, i1, j); + libcrux_ml_kem_polynomial_ntt_multiply_d6_06( + uu____0, 
+ &Eurydice_slice_index( + r_as_ntt, j, libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *), + scratch); + libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab( + &Eurydice_slice_index( + result, i1, libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *), + scratch); } - libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_ab(&result[i1]); - libcrux_ml_kem_polynomial_add_error_reduce_d6_84(&result[i1], &error_1[i1]); + libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_ab( + &Eurydice_slice_index( + result, i1, libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *), + scratch); + libcrux_ml_kem_polynomial_add_error_reduce_d6_06( + &Eurydice_slice_index( + result, i1, libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *), + &Eurydice_slice_index( + error_1, i1, libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *)); } - memcpy( - ret, result, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); } /** @@ -3978,9 +4199,9 @@ generics - COEFFICIENT_BITS= 10 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_ef( - __m256i vector) { + __m256i *vector) { __m256i field_modulus_halved = libcrux_intrinsics_avx2_mm256_set1_epi32( ((int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS - (int32_t)1) / (int32_t)2); 
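Review bot: `result` is no longer initialised inside `libcrux_ml_kem_matrix_compute_vector_u_ab` — the old code filled it with `ZERO` via the closure before accumulating — so `libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab(&result[i1], scratch)` now adds onto whatever the caller supplied. The visible caller `libcrux_ml_kem_ind_cpa_encrypt_c1_a1` does zero `u` first, so behaviour is preserved today, but it is a new precondition the signature does not express; I would add `/* Precondition: result[0..K) is ZERO; the products are accumulated into it. */`. The loop bounds also moved from `Eurydice_slice_len(...)` to the literal `3U`, so the lengths of `a_as_ntt` (expected 9), `r_as_ntt`, `error_1` and `result` are now assumed rather than derived; whether `Eurydice_slice_index` checks them I cannot tell from the hunk.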
@@ -3989,7 +4210,7 @@ libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_ef( __m256i coefficient_bits_mask = libcrux_intrinsics_avx2_mm256_set1_epi32( ((int32_t)1 << (uint32_t)(int32_t)10) - (int32_t)1); __m128i coefficients_low = - libcrux_intrinsics_avx2_mm256_castsi256_si128(vector); + libcrux_intrinsics_avx2_mm256_castsi256_si128(vector[0U]); __m256i coefficients_low0 = libcrux_intrinsics_avx2_mm256_cvtepi16_epi32(coefficients_low); __m256i compressed_low = libcrux_intrinsics_avx2_mm256_slli_epi32( @@ -4004,7 +4225,7 @@ libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_ef( __m256i compressed_low3 = libcrux_intrinsics_avx2_mm256_and_si256( compressed_low2, coefficient_bits_mask); __m128i coefficients_high = libcrux_intrinsics_avx2_mm256_extracti128_si256( - (int32_t)1, vector, __m128i); + (int32_t)1, vector[0U], __m128i); __m256i coefficients_high0 = libcrux_intrinsics_avx2_mm256_cvtepi16_epi32(coefficients_high); __m256i compressed_high = libcrux_intrinsics_avx2_mm256_slli_epi32( @@ -4020,8 +4241,8 @@ libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_ef( compressed_high2, coefficient_bits_mask); __m256i compressed = libcrux_intrinsics_avx2_mm256_packs_epi32( compressed_low3, compressed_high3); - return libcrux_intrinsics_avx2_mm256_permute4x64_epi64((int32_t)216, - compressed, __m256i); + vector[0U] = libcrux_intrinsics_avx2_mm256_permute4x64_epi64( + (int32_t)216, compressed, __m256i); } /** @@ -4030,9 +4251,9 @@ with const generics - COEFFICIENT_BITS= 10 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_compress_ef(__m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_ef( +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_compress_ef( + __m256i *vector) { + libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_ef( vector); } 
@@ -4046,9 +4267,9 @@ with const generics - COEFFICIENT_BITS= 10 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_compress_f5_ef(__m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_ef(vector); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_compress_f5_ef( + __m256i *vec) { + libcrux_ml_kem_vector_avx2_compress_ef(vec); } /** @@ -4060,22 +4281,19 @@ with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_serialize_compress_then_serialize_10_0e( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, uint8_t ret[320U]) { - uint8_t serialized[320U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, + Eurydice_slice serialized, __m256i *scratch) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - __m256i coefficient = libcrux_ml_kem_vector_avx2_compress_f5_ef( - libcrux_ml_kem_serialize_to_unsigned_field_modulus_84( - re->coefficients[i0])); - uint8_t bytes[20U]; - libcrux_ml_kem_vector_avx2_serialize_10_f5(coefficient, bytes); - Eurydice_slice_copy( - Eurydice_array_to_subslice3(serialized, (size_t)20U * i0, - (size_t)20U * i0 + (size_t)20U, uint8_t *), - Eurydice_array_to_slice((size_t)20U, bytes, uint8_t), uint8_t); + libcrux_ml_kem_serialize_to_unsigned_field_modulus_06(&re->coefficients[i0], + scratch); + libcrux_ml_kem_vector_avx2_compress_f5_ef(scratch); + libcrux_ml_kem_vector_avx2_serialize_10_f5( + scratch, + Eurydice_slice_subslice3(serialized, (size_t)20U * i0, + (size_t)20U * i0 + (size_t)20U, uint8_t *)); } - memcpy(ret, serialized, (size_t)320U * sizeof(uint8_t)); } /** 
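Review bot: `libcrux_ml_kem_serialize_compress_then_serialize_10_0e` now writes straight into the caller's `serialized` slice, 20 bytes per vector via `Eurydice_slice_subslice3(serialized, (size_t)20U * i0, (size_t)20U * i0 + (size_t)20U, uint8_t *)`, so the caller must supply at least 320 bytes — a requirement the old local `uint8_t serialized[320U] = {0U}` plus `memcpy` made moot. All 16 × 20 = 320 bytes are overwritten, so the dropped zero-fill is harmless, but a comment such as `/* serialized: >= 320 bytes, fully overwritten; scratch: one __m256i. */` would record both contracts. Since compression now happens in `scratch`, `re` appears to be read-only here; if `to_unsigned_field_modulus_06` does not write through its first argument, `re` could be `const`.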
@@ -4088,10 +4306,10 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_serialize_compress_then_serialize_ring_element_u_a4( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, uint8_t ret[320U]) { - uint8_t uu____0[320U]; - libcrux_ml_kem_serialize_compress_then_serialize_10_0e(re, uu____0); - memcpy(ret, uu____0, (size_t)320U * sizeof(uint8_t)); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, + Eurydice_slice serialized, __m256i *scratch) { + libcrux_ml_kem_serialize_compress_then_serialize_10_0e(re, serialized, + scratch); } /** @@ -4109,7 +4327,7 @@ with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_compress_then_serialize_u_8c( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 input[3U], - Eurydice_slice out) { + Eurydice_slice out, __m256i *scratch) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( @@ -4119,14 +4337,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_compress_then_serialize_u_8c( i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = input[i0]; - Eurydice_slice uu____0 = Eurydice_slice_subslice3( - out, i0 * ((size_t)960U / (size_t)3U), - (i0 + (size_t)1U) * ((size_t)960U / (size_t)3U), uint8_t *); - uint8_t ret[320U]; - libcrux_ml_kem_serialize_compress_then_serialize_ring_element_u_a4(&re, - ret); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)320U, ret, uint8_t), uint8_t); + libcrux_ml_kem_serialize_compress_then_serialize_ring_element_u_a4( + &re, + Eurydice_slice_subslice3( + out, i0 * ((size_t)960U / (size_t)3U), + (i0 + (size_t)1U) * ((size_t)960U / (size_t)3U), uint8_t *), + scratch); } } 
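Review bot: `libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = input[i0];` in `libcrux_ml_kem_ind_cpa_compress_then_serialize_u_8c` still copies each 512-byte ring element per iteration only to pass `&re` down, a copy the rewrite kept even though the callee now does its compression in the separate `scratch` vector; if `compress_then_serialize_ring_element_u_a4` does not write through `re` (the hunk suggests it does not, but the callee body is elsewhere), `&input[i0]` would do. As this is extracted C, the fix belongs in the Rust loop that iterates `input` by value. The loop bound here still comes from `Eurydice_slice_len(Eurydice_array_to_slice(...))` while the neighbouring hunks switched to the literal K — a small inconsistency in the generated output.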
@@ -4135,6 +4351,7 @@ A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1
 with types libcrux_ml_kem_vector_avx2_SIMD256Vector,
 libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics
 - K= 3
+- K_SQUARED= 9
 - C1_LEN= 960
 - U_COMPRESSION_FACTOR= 10
 - BLOCK_LEN= 320
@@ -4142,56 +4359,81 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE tuple_ed0 libcrux_ml_kem_ind_cpa_encrypt_c1_48( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_c1_a1( Eurydice_slice randomness, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 (*matrix)[3U], - Eurydice_slice ciphertext) { + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *matrix, + Eurydice_slice ciphertext, Eurydice_slice r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_2, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch) { uint8_t prf_input[33U]; libcrux_ml_kem_utils_into_padded_array_c8(randomness, prf_input); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 r_as_ntt[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - r_as_ntt[i] = libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_f1_48(&lvalue, i); - } uint8_t domain_separator0 = - libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_b4(r_as_ntt, prf_input, - 0U); + libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_cb( + r_as_ntt, prf_input, 0U, scratch->coefficients); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 error_1[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { /* original Rust expression is not an lvalue in C */ void *lvalue = (void *)0U; - error_1[i] = libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_dd_48(&lvalue, i); + error_1[i] = libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_77_a1(&lvalue, i); } - uint8_t domain_separator = libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_b4( - prf_input, domain_separator0, error_1); + int16_t sampling_buffer[256U] = {0U}; + uint8_t domain_separator = libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_cb( + prf_input, domain_separator0, + Eurydice_array_to_slice( + 
(size_t)3U, error_1, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6), + sampling_buffer); prf_input[32U] = domain_separator; - uint8_t prf_output[128U]; - libcrux_ml_kem_hash_functions_avx2_PRF_41_410( - Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t), prf_output); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 error_2 = - libcrux_ml_kem_sampling_sample_from_binomial_distribution_89( - Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t)); + uint8_t prf_output[128U] = {0U}; + libcrux_ml_kem_hash_functions_avx2_PRF_26_a6( + Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t), + Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t)); + libcrux_ml_kem_sampling_sample_from_binomial_distribution_89( + Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t), + sampling_buffer); + libcrux_ml_kem_polynomial_from_i16_array_d6_06( + Eurydice_array_to_slice((size_t)256U, sampling_buffer, int16_t), error_2); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 u[3U]; - libcrux_ml_kem_matrix_compute_vector_u_ab(matrix, r_as_ntt, error_1, u); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0[3U]; - memcpy( - uu____0, u, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); - libcrux_ml_kem_ind_cpa_compress_then_serialize_u_8c(uu____0, ciphertext); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + u[i] = libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_88_a1(&lvalue, i); + } + libcrux_ml_kem_matrix_compute_vector_u_ab( + Eurydice_array_to_slice( + (size_t)9U, matrix, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6), + r_as_ntt, + Eurydice_array_to_slice( + (size_t)3U, error_1, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6), + Eurydice_array_to_slice( + (size_t)3U, u, libcrux_ml_kem_polynomial_PolynomialRingElement_f6), + scratch); /* Passing arrays by value in Rust generates a copy in C */ - 
libcrux_ml_kem_polynomial_PolynomialRingElement_f6 copy_of_r_as_ntt[3U]; - memcpy( - copy_of_r_as_ntt, r_as_ntt, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); - tuple_ed0 lit; + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 copy_of_u[3U]; memcpy( - lit.fst, copy_of_r_as_ntt, + copy_of_u, u, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); - lit.snd = error_2; - return lit; + libcrux_ml_kem_ind_cpa_compress_then_serialize_u_8c(copy_of_u, ciphertext, + scratch->coefficients); +} + +/** +A monomorphic instance of libcrux_ml_kem.vector.traits.decompress_1 +with types libcrux_ml_kem_vector_avx2_SIMD256Vector +with const generics + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_kem_vector_traits_decompress_1_06( + __m256i *vec) { + libcrux_ml_kem_vector_avx2_negate_f5(vec); + libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_f5(vec, (int16_t)1665); } /** 
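Review bot: `libcrux_ml_kem_ind_cpa_encrypt_c1_a1` leaves `prf_input` (the padded encryption randomness), `prf_output`, `sampling_buffer` (the CBD samples of e1/e2) and `error_1` on the stack uncleared at return; `sampling_buffer` is new in this version and is reused for every error polynomial, so it still holds e2's coefficients when the function exits. The function also kept the 1.5 KB `copy_of_u` array-by-value copy that the callee no longer needs once it takes a pointer. Both stem from the Rust source rather than this file, but the new out-parameters deserve a comment here since the signature no longer hints at them: `/* Outputs: r_as_ntt (K elements, overwritten), error_2 (overwritten), ciphertext; scratch: one polynomial of temporaries. */`.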
@@ -4201,21 +4443,18 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6
-libcrux_ml_kem_serialize_deserialize_then_decompress_message_84(
- uint8_t *serialized) {
- libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re =
- libcrux_ml_kem_polynomial_ZERO_d6_84();
+static KRML_MUSTINLINE void
+libcrux_ml_kem_serialize_deserialize_then_decompress_message_06(
+ uint8_t *serialized,
+ libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) {
 for (size_t i = (size_t)0U; i < (size_t)16U; i++) {
 size_t i0 = i;
- __m256i coefficient_compressed =
- libcrux_ml_kem_vector_avx2_deserialize_1_f5(Eurydice_array_to_subslice3(
- serialized, (size_t)2U * i0, (size_t)2U * i0 + (size_t)2U,
- uint8_t *));
- re.coefficients[i0] =
- libcrux_ml_kem_vector_avx2_decompress_1_f5(coefficient_compressed);
+ libcrux_ml_kem_vector_avx2_deserialize_1_f5(
+ Eurydice_array_to_subslice3(serialized, (size_t)2U * i0,
+ (size_t)2U * i0 + (size_t)2U, uint8_t *),
+ &re->coefficients[i0]);
+ libcrux_ml_kem_vector_traits_decompress_1_06(&re->coefficients[i0]);
 }
- return re;
 }
 /**
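Review bot: Dropping the `ZERO_d6_84()` initialisation of `re` is only safe because the loop writes every coefficient vector, and that relies on the literal bound `(size_t)16U` matching the ring element's vector count; the sibling hunks (`add_error_reduce_06`, `compress_then_serialize_10_0e`) spell that bound as `LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT`, and using it here, `i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT`, would keep the full-overwrite guarantee visible. A one-liner `/* re is fully overwritten (all vectors written); serialized must be 32 bytes. */` above the signature would document the out-parameter, which now carries the decoded message.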
@@ -4225,25 +4464,22 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_add_message_error_reduce_84( +static KRML_MUSTINLINE void +libcrux_ml_kem_polynomial_add_message_error_reduce_06( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result) { + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *result, + __m256i *scratch) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - __m256i coefficient_normal_form = - libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_f5( - result.coefficients[i0], (int16_t)1441); - __m256i sum1 = libcrux_ml_kem_vector_avx2_add_f5( - myself->coefficients[i0], &message->coefficients[i0]); - __m256i sum2 = - libcrux_ml_kem_vector_avx2_add_f5(coefficient_normal_form, &sum1); - __m256i red = libcrux_ml_kem_vector_avx2_barrett_reduce_f5(sum2); - result.coefficients[i0] = red; + libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_f5( + &result->coefficients[i0], (int16_t)1441); + scratch[0U] = myself->coefficients[i0]; + libcrux_ml_kem_vector_avx2_add_f5(scratch, &message->coefficients[i0]); + libcrux_ml_kem_vector_avx2_add_f5(&result->coefficients[i0], scratch); + libcrux_ml_kem_vector_avx2_barrett_reduce_f5(&result->coefficients[i0]); } - return result; } /** 
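Review bot: `libcrux_ml_kem_polynomial_add_message_error_reduce_06` now scales `result->coefficients[i0]` by 1441 in place before reading `myself->coefficients[i0]` into `scratch[0U]`, so the output is only correct if `result` aliases neither `myself` nor `message`; the old value-based code read all three inputs before writing anything. The Rust original guarantees this through borrowing, but the C signature does not, so `restrict` on `result` (and `scratch`) or a comment `/* result and scratch must not alias myself or message. */` would make the assumption visible to C callers.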
@@ -4258,13 +4494,14 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_add_message_error_reduce_d6_84( +static KRML_MUSTINLINE void +libcrux_ml_kem_polynomial_add_message_error_reduce_d6_06( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result) { - return libcrux_ml_kem_polynomial_add_message_error_reduce_84(self, message, - result); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *result, + __m256i *scratch) { + libcrux_ml_kem_polynomial_add_message_error_reduce_06(self, message, result, + scratch); } /** 
@@ -4277,24 +4514,26 @@ with const generics - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_matrix_compute_ring_element_v_ab( +static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_ring_element_v_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *t_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *r_as_ntt, + Eurydice_slice r_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_2, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = - libcrux_ml_kem_polynomial_ZERO_d6_84(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *result, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch) { for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - libcrux_ml_kem_polynomial_ntt_multiply_d6_84(&t_as_ntt[i0], - &r_as_ntt[i0]); - libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab(&result, &product); + libcrux_ml_kem_polynomial_ntt_multiply_d6_06( + &t_as_ntt[i0], + &Eurydice_slice_index( + r_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *), + scratch); + libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab(result, scratch); } - libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_ab(&result); - return libcrux_ml_kem_polynomial_add_message_error_reduce_d6_84( - error_2, message, result); + libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_ab(result, scratch); + libcrux_ml_kem_polynomial_add_message_error_reduce_d6_06( + error_2, message, result, scratch->coefficients); } /** 
@@ -4304,9 +4543,9 @@ generics - COEFFICIENT_BITS= 4 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_d1( - __m256i vector) { + __m256i *vector) { __m256i field_modulus_halved = libcrux_intrinsics_avx2_mm256_set1_epi32( ((int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS - (int32_t)1) / (int32_t)2); @@ -4315,7 +4554,7 @@ libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_d1( __m256i coefficient_bits_mask = libcrux_intrinsics_avx2_mm256_set1_epi32( ((int32_t)1 << (uint32_t)(int32_t)4) - (int32_t)1); __m128i coefficients_low = - libcrux_intrinsics_avx2_mm256_castsi256_si128(vector); + libcrux_intrinsics_avx2_mm256_castsi256_si128(vector[0U]); __m256i coefficients_low0 = libcrux_intrinsics_avx2_mm256_cvtepi16_epi32(coefficients_low); __m256i compressed_low = libcrux_intrinsics_avx2_mm256_slli_epi32( @@ -4330,7 +4569,7 @@ libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_d1( __m256i compressed_low3 = libcrux_intrinsics_avx2_mm256_and_si256( compressed_low2, coefficient_bits_mask); __m128i coefficients_high = libcrux_intrinsics_avx2_mm256_extracti128_si256( - (int32_t)1, vector, __m128i); + (int32_t)1, vector[0U], __m128i); __m256i coefficients_high0 = libcrux_intrinsics_avx2_mm256_cvtepi16_epi32(coefficients_high); __m256i compressed_high = libcrux_intrinsics_avx2_mm256_slli_epi32( @@ -4346,8 +4585,8 @@ libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_d1( compressed_high2, coefficient_bits_mask); __m256i compressed = libcrux_intrinsics_avx2_mm256_packs_epi32( compressed_low3, compressed_high3); - return libcrux_intrinsics_avx2_mm256_permute4x64_epi64((int32_t)216, - compressed, __m256i); + vector[0U] = libcrux_intrinsics_avx2_mm256_permute4x64_epi64( + (int32_t)216, compressed, __m256i); } /** 
@@ -4356,9 +4595,9 @@ with const generics - COEFFICIENT_BITS= 4 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_compress_d1(__m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_d1( +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_compress_d1( + __m256i *vector) { + libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_d1( vector); } @@ -4372,9 +4611,9 @@ with const generics - COEFFICIENT_BITS= 4 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_compress_f5_d1(__m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_d1(vector); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_compress_f5_d1( + __m256i *vec) { + libcrux_ml_kem_vector_avx2_compress_d1(vec); } /** @@ -4385,21 +4624,19 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_serialize_compress_then_serialize_4_84( +libcrux_ml_kem_serialize_compress_then_serialize_4_06( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re, - Eurydice_slice serialized) { + Eurydice_slice serialized, __m256i *scratch) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - __m256i coefficient = libcrux_ml_kem_vector_avx2_compress_f5_d1( - libcrux_ml_kem_serialize_to_unsigned_field_modulus_84( - re.coefficients[i0])); - uint8_t bytes[8U]; - libcrux_ml_kem_vector_avx2_serialize_4_f5(coefficient, bytes); - Eurydice_slice_copy( + libcrux_ml_kem_serialize_to_unsigned_field_modulus_06(&re.coefficients[i0], + scratch); + libcrux_ml_kem_vector_avx2_compress_f5_d1(scratch); + libcrux_ml_kem_vector_avx2_serialize_4_f5( + scratch, Eurydice_slice_subslice3(serialized, (size_t)8U * i0, - (size_t)8U * i0 + (size_t)8U, uint8_t *), - Eurydice_array_to_slice((size_t)8U, bytes, uint8_t), uint8_t); + (size_t)8U * i0 + (size_t)8U, uint8_t *)); } } 
@@ -4414,8 +4651,9 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_serialize_compress_then_serialize_ring_element_v_ed( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re, Eurydice_slice out) { - libcrux_ml_kem_serialize_compress_then_serialize_4_84(re, out); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re, Eurydice_slice out, + __m256i *scratch) { + libcrux_ml_kem_serialize_compress_then_serialize_4_06(re, out, scratch); } /** @@ -4429,16 +4667,20 @@ with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_c2_ed( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *t_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *r_as_ntt, + Eurydice_slice r_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_2, - uint8_t *message, Eurydice_slice ciphertext) { + uint8_t *message, Eurydice_slice ciphertext, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 message_as_ring_element = - libcrux_ml_kem_serialize_deserialize_then_decompress_message_84(message); + libcrux_ml_kem_polynomial_ZERO_d6_06(); + libcrux_ml_kem_serialize_deserialize_then_decompress_message_06( + message, &message_as_ring_element); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 v = - libcrux_ml_kem_matrix_compute_ring_element_v_ab( - t_as_ntt, r_as_ntt, error_2, &message_as_ring_element); + libcrux_ml_kem_polynomial_ZERO_d6_06(); + libcrux_ml_kem_matrix_compute_ring_element_v_ab( + t_as_ntt, r_as_ntt, error_2, &message_as_ring_element, &v, scratch); libcrux_ml_kem_serialize_compress_then_serialize_ring_element_v_ed( - v, ciphertext); + v, ciphertext, scratch->coefficients); } /** 
@@ -4487,6 +4729,7 @@ A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_unpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector, libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - T_AS_NTT_ENCODED_SIZE= 1152 - C1_LEN= 960 
@@ -4498,31 +4741,25 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_unpacked_74( - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 *public_key, - uint8_t *message, Eurydice_slice randomness, uint8_t ret[1088U]) { - uint8_t ciphertext[1088U] = {0U}; - tuple_ed0 uu____0 = libcrux_ml_kem_ind_cpa_encrypt_c1_48( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_unpacked_67( + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0 *public_key, + uint8_t *message, Eurydice_slice randomness, Eurydice_slice ciphertext, + Eurydice_slice r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_2, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch) { + libcrux_ml_kem_ind_cpa_encrypt_c1_a1( randomness, public_key->A, - Eurydice_array_to_subslice3(ciphertext, (size_t)0U, (size_t)960U, - uint8_t *)); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 r_as_ntt[3U]; - memcpy( - r_as_ntt, uu____0.fst, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 error_2 = uu____0.snd; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *uu____1 = - public_key->t_as_ntt; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *uu____2 = r_as_ntt; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *uu____3 = &error_2; - uint8_t *uu____4 = message; + Eurydice_slice_subslice3(ciphertext, (size_t)0U, (size_t)960U, uint8_t *), + r_as_ntt, error_2, scratch); libcrux_ml_kem_ind_cpa_encrypt_c2_ed( - uu____1, uu____2, uu____3, uu____4, - Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, (size_t)960U, - uint8_t, size_t, uint8_t[])); - memcpy(ret, ciphertext, (size_t)1088U * sizeof(uint8_t)); + public_key->t_as_ntt, r_as_ntt, error_2, 
message, + Eurydice_slice_subslice_from(ciphertext, (size_t)960U, uint8_t, size_t, + uint8_t[]), + scratch); } /** @@ -4530,6 +4767,7 @@ A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt with types libcrux_ml_kem_vector_avx2_SIMD256Vector, libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - T_AS_NTT_ENCODED_SIZE= 1152 - C1_LEN= 960 @@ -4541,18 +4779,22 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_74( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_67( Eurydice_slice public_key, uint8_t *message, Eurydice_slice randomness, - uint8_t ret[1088U]) { - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 - unpacked_public_key = - libcrux_ml_kem_ind_cpa_build_unpacked_public_key_fa(public_key); - uint8_t ret0[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_unpacked_74(&unpacked_public_key, message, - randomness, ret0); - memcpy(ret, ret0, (size_t)1088U * sizeof(uint8_t)); + Eurydice_slice ciphertext, Eurydice_slice r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_2, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch) { + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0 + unpacked_public_key = libcrux_ml_kem_ind_cpa_unpacked_default_50_ed(); + libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_b4(public_key, + &unpacked_public_key); + libcrux_ml_kem_ind_cpa_encrypt_unpacked_67(&unpacked_public_key, message, + randomness, ciphertext, r_as_ntt, + error_2, scratch); } /** 
@@ -4568,11 +4810,8 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_variant_kdf_39_ae( - Eurydice_slice shared_secret, uint8_t *_, uint8_t ret[32U]) { - uint8_t out[32U] = {0U}; - Eurydice_slice_copy(Eurydice_array_to_slice((size_t)32U, out, uint8_t), - shared_secret, uint8_t); - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); + Eurydice_slice shared_secret, uint8_t *_, Eurydice_slice out) { + Eurydice_slice_copy(out, shared_secret, uint8_t); } /** @@ -4584,6 +4823,7 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector, libcrux_ml_kem_hash_functions_avx2_Simd256Hash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 @@ -4598,10 +4838,12 @@ with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_a1( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_57( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { Eurydice_slice_uint8_t_x4 uu____0 = 
@@ -4611,9 +4853,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_a1( Eurydice_slice ind_cpa_public_key = uu____0.snd; Eurydice_slice ind_cpa_public_key_hash = uu____0.thd; Eurydice_slice implicit_rejection_value = uu____0.f3; - uint8_t decrypted[32U]; - libcrux_ml_kem_ind_cpa_decrypt_2f(ind_cpa_secret_key, ciphertext->value, - decrypted); + uint8_t decrypted[32U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 scratch = + libcrux_ml_kem_polynomial_ZERO_d6_06(); + libcrux_ml_kem_ind_cpa_decrypt_2f( + ind_cpa_secret_key, ciphertext->value, + Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), &scratch); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array_24( Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0); @@ -4622,9 +4867,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_a1( (size_t)64U, to_hash0, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, size_t, uint8_t[]), ind_cpa_public_key_hash, uint8_t); - uint8_t hashed[64U]; - libcrux_ml_kem_hash_functions_avx2_G_41_e0( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed); + uint8_t hashed[64U] = {0U}; + libcrux_ml_kem_hash_functions_avx2_G_26( + Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t)); Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, 
@@ -4638,38 +4884,54 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_a1( uint8_t, size_t, uint8_t[]); Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_d3_80(ciphertext), uint8_t); - uint8_t implicit_rejection_shared_secret0[32U]; - libcrux_ml_kem_hash_functions_avx2_PRF_41_41( + uint8_t implicit_rejection_shared_secret[32U] = {0U}; + libcrux_ml_kem_hash_functions_avx2_PRF_26_9e( Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t), - implicit_rejection_shared_secret0); - uint8_t expected_ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_74(ind_cpa_public_key, decrypted, - pseudorandomness, expected_ciphertext); - uint8_t implicit_rejection_shared_secret[32U]; + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, + uint8_t)); + uint8_t expected_ciphertext[1088U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 r_as_ntt[3U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + r_as_ntt[i] = libcrux_ml_kem_ind_cca_decapsulate_call_mut_5f_57(&lvalue, i); + } + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 error_2 = + libcrux_ml_kem_polynomial_ZERO_d6_06(); + libcrux_ml_kem_ind_cpa_encrypt_67( + ind_cpa_public_key, decrypted, pseudorandomness, + Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t), + Eurydice_array_to_slice( + (size_t)3U, r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6), + &error_2, &scratch); + uint8_t implicit_rejection_shared_secret_kdf[32U] = {0U}; libcrux_ml_kem_variant_kdf_39_ae( - Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t), - libcrux_ml_kem_types_as_slice_a9_80(ciphertext), - implicit_rejection_shared_secret); - uint8_t shared_secret[32U]; + ciphertext->value, + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret_kdf, + uint8_t)); + 
uint8_t shared_secret_kdf[32U] = {0U}; libcrux_ml_kem_variant_kdf_39_ae( - shared_secret0, libcrux_ml_kem_types_as_slice_a9_80(ciphertext), - shared_secret); - uint8_t ret0[32U]; + shared_secret0, ciphertext->value, + Eurydice_array_to_slice((size_t)32U, shared_secret_kdf, uint8_t)); + uint8_t shared_secret[32U] = {0U}; libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( libcrux_ml_kem_types_as_ref_d3_80(ciphertext), Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t), - Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t), - Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, + Eurydice_array_to_slice((size_t)32U, shared_secret_kdf, uint8_t), + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret_kdf, uint8_t), - ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t)); + memcpy(ret, shared_secret, (size_t)32U * sizeof(uint8_t)); } /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.decapsulate_avx2 with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 
@@ -4684,20 +4946,23 @@ libcrux_ml_kem.ind_cca.instantiations.avx2.decapsulate_avx2 with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ KRML_ATTRIBUTE_TARGET("avx2") static inline void -libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate_avx2_35( +libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate_avx2_54( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_decapsulate_a1(private_key, ciphertext, ret); + libcrux_ml_kem_ind_cca_decapsulate_57(private_key, ciphertext, ret); } /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.decapsulate with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 @@ -4712,13 +4977,15 @@ with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate_35( +static inline void libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate_54( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate_avx2_35( + libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate_avx2_54( private_key, ciphertext, ret); } 
@@ -4733,7 +5000,7 @@ KRML_ATTRIBUTE_TARGET("avx2") static inline void libcrux_ml_kem_mlkem768_avx2_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate_35(private_key, + libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate_54(private_key, ciphertext, ret); } 
@@ -4748,27 +5015,48 @@ with const generics - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_variant_entropy_preprocess_39_be( - Eurydice_slice randomness, uint8_t ret[32U]) { - uint8_t out[32U] = {0U}; - Eurydice_slice_copy(Eurydice_array_to_slice((size_t)32U, out, uint8_t), - randomness, uint8_t); - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); +static KRML_MUSTINLINE void libcrux_ml_kem_variant_entropy_preprocess_39_3f( + Eurydice_slice randomness, Eurydice_slice out) { + Eurydice_slice_copy(out, randomness, uint8_t); } /** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::avx2::Simd256Hash} +This function found in impl {core::ops::function::FnMut<(usize), +libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@3]> for libcrux_ml_kem::ind_cca::encapsulate::closure[TraitClause@0, +TraitClause@1, TraitClause@2, TraitClause@3, TraitClause@4, TraitClause@5]} */ /** -A monomorphic instance of libcrux_ml_kem.hash_functions.avx2.H_41 +A monomorphic instance of libcrux_ml_kem.ind_cca.encapsulate.call_mut_c0 +with types libcrux_ml_kem_vector_avx2_SIMD256Vector, +libcrux_ml_kem_hash_functions_avx2_Simd256Hash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 +- CIPHERTEXT_SIZE= 1088 +- PUBLIC_KEY_SIZE= 1184 +- T_AS_NTT_ENCODED_SIZE= 1152 +- C1_SIZE= 960 +- C2_SIZE= 128 +- VECTOR_U_COMPRESSION_FACTOR= 10 +- VECTOR_V_COMPRESSION_FACTOR= 4 +- C1_BLOCK_SIZE= 320 +- ETA1= 2 +- ETA1_RANDOMNESS_SIZE= 128 +- ETA2= 2 +- ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_H_41_e0( - Eurydice_slice input, uint8_t ret[32U]) { - libcrux_ml_kem_hash_functions_avx2_H(input, ret); +static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 +libcrux_ml_kem_ind_cca_encapsulate_call_mut_c0_a1(void **_, + size_t tupled_args) { + 
return libcrux_ml_kem_polynomial_ZERO_d6_06(); } /** @@ -4777,6 +5065,7 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector, libcrux_ml_kem_hash_functions_avx2_Simd256Hash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - PUBLIC_KEY_SIZE= 1184 - T_AS_NTT_ENCODED_SIZE= 1152 
@@ -4789,50 +5078,70 @@ with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_70( +static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_a1( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, uint8_t *randomness) { - uint8_t randomness0[32U]; - libcrux_ml_kem_variant_entropy_preprocess_39_be( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), randomness0); + uint8_t processed_randomness[32U] = {0U}; + libcrux_ml_kem_variant_entropy_preprocess_39_3f( + Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), + Eurydice_array_to_slice((size_t)32U, processed_randomness, uint8_t)); uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array_24( - Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t), to_hash); - Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( - (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, uint8_t[]); - uint8_t ret0[32U]; - libcrux_ml_kem_hash_functions_avx2_H_41_e0( - Eurydice_array_to_slice((size_t)1184U, - libcrux_ml_kem_types_as_slice_e6_d0(public_key), - uint8_t), - ret0); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)32U, ret0, uint8_t), uint8_t); - uint8_t hashed[64U]; - libcrux_ml_kem_hash_functions_avx2_G_41_e0( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), hashed); + Eurydice_array_to_slice((size_t)32U, processed_randomness, uint8_t), + to_hash); + Eurydice_slice uu____0 = Eurydice_array_to_slice( + (size_t)1184U, libcrux_ml_kem_types_as_slice_e6_d0(public_key), uint8_t); + libcrux_ml_kem_hash_functions_avx2_H_26( + uu____0, Eurydice_array_to_subslice_from( + (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, + uint8_t, size_t, uint8_t[])); + uint8_t hashed[64U] = {0U}; + libcrux_ml_kem_hash_functions_avx2_G_26( + 
Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t)); Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; - uint8_t ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_74( + libcrux_ml_kem_mlkem768_MlKem768Ciphertext ciphertext = + libcrux_ml_kem_types_default_73_80(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 r_as_ntt[3U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + r_as_ntt[i] = libcrux_ml_kem_ind_cca_encapsulate_call_mut_c0_a1(&lvalue, i); + } + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 error_2 = + libcrux_ml_kem_polynomial_ZERO_d6_06(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 scratch = + libcrux_ml_kem_polynomial_ZERO_d6_06(); + libcrux_ml_kem_ind_cpa_encrypt_67( Eurydice_array_to_slice((size_t)1184U, libcrux_ml_kem_types_as_slice_e6_d0(public_key), uint8_t), - randomness0, pseudorandomness, ciphertext); + processed_randomness, pseudorandomness, + Eurydice_array_to_slice((size_t)1088U, ciphertext.value, uint8_t), + Eurydice_array_to_slice( + (size_t)3U, r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6), + &error_2, &scratch); + uint8_t shared_secret_array[32U] = {0U}; + libcrux_ml_kem_variant_kdf_39_ae( + shared_secret, ciphertext.value, + Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t)); + libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____2 = ciphertext; /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_ciphertext[1088U]; - memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t)); + uint8_t copy_of_shared_secret_array[32U]; + memcpy(copy_of_shared_secret_array, 
shared_secret_array, + (size_t)32U * sizeof(uint8_t)); tuple_c2 lit; - lit.fst = libcrux_ml_kem_types_from_e0_80(copy_of_ciphertext); - uint8_t ret[32U]; - libcrux_ml_kem_variant_kdf_39_ae(shared_secret, ciphertext, ret); - memcpy(lit.snd, ret, (size_t)32U * sizeof(uint8_t)); + lit.fst = uu____2; + memcpy(lit.snd, copy_of_shared_secret_array, (size_t)32U * sizeof(uint8_t)); return lit; } @@ -4840,6 +5149,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_70( A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.encapsulate_avx2 with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - PUBLIC_KEY_SIZE= 1184 - T_AS_NTT_ENCODED_SIZE= 1152 @@ -4852,18 +5162,21 @@ libcrux_ml_kem.ind_cca.instantiations.avx2.encapsulate_avx2 with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ KRML_ATTRIBUTE_TARGET("avx2") static inline tuple_c2 -libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate_avx2_cd( +libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate_avx2_35( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, uint8_t *randomness) { - return libcrux_ml_kem_ind_cca_encapsulate_70(public_key, randomness); + return libcrux_ml_kem_ind_cca_encapsulate_a1(public_key, randomness); } /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.encapsulate with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - PUBLIC_KEY_SIZE= 1184 - T_AS_NTT_ENCODED_SIZE= 1152 
@@ -4876,12 +5189,14 @@ with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ KRML_ATTRIBUTE_TARGET("avx2") static inline tuple_c2 -libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate_cd( +libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate_35( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, uint8_t *randomness) { - return libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate_avx2_cd( + return libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate_avx2_35( public_key, randomness); } @@ -4896,7 +5211,7 @@ KRML_ATTRIBUTE_TARGET("avx2") static inline tuple_c2 libcrux_ml_kem_mlkem768_avx2_encapsulate( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, uint8_t randomness[32U]) { - return libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate_cd(public_key, + return libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate_35(public_key, randomness); } @@ -4917,7 +5232,7 @@ libcrux_ml_kem_ind_cpa_unpacked_default_70_ab(void) { libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_63 lit; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 repeat_expression[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - repeat_expression[i] = libcrux_ml_kem_polynomial_ZERO_d6_84(); + repeat_expression[i] = libcrux_ml_kem_polynomial_ZERO_d6_06(); } memcpy( lit.secret_as_ntt, repeat_expression, @@ -4936,8 +5251,8 @@ with const generics - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_variant_cpa_keygen_seed_39_be( - Eurydice_slice key_generation_seed, uint8_t ret[64U]) { +static KRML_MUSTINLINE void libcrux_ml_kem_variant_cpa_keygen_seed_39_3f( + Eurydice_slice key_generation_seed, Eurydice_slice out) { uint8_t seed[33U] = {0U}; Eurydice_slice_copy( Eurydice_array_to_subslice3( 
@@ -4946,10 +5261,8 @@ static KRML_MUSTINLINE void libcrux_ml_kem_variant_cpa_keygen_seed_39_be( key_generation_seed, uint8_t); seed[LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE] = (uint8_t)(size_t)3U; - uint8_t ret0[64U]; - libcrux_ml_kem_hash_functions_avx2_G_41_e0( - Eurydice_array_to_slice((size_t)33U, seed, uint8_t), ret0); - memcpy(ret, ret0, (size_t)64U * sizeof(uint8_t)); + libcrux_ml_kem_hash_functions_avx2_G_26( + Eurydice_array_to_slice((size_t)33U, seed, uint8_t), out); } /** @@ -4957,24 +5270,27 @@ This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, TraitClause@3]> for libcrux_ml_kem::ind_cpa::generate_keypair_unpacked::closure[TraitClause@0, TraitClause@1, -TraitClause@2, TraitClause@3, TraitClause@4, TraitClause@5]} +Scheme, K, K_SQUARED, ETA1, ETA1_RANDOMNESS_SIZE, +PRF_OUTPUT_SIZE1>[TraitClause@0, TraitClause@1, TraitClause@2, TraitClause@3, +TraitClause@4, TraitClause@5]} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cpa.generate_keypair_unpacked.call_mut_73 with types +libcrux_ml_kem.ind_cpa.generate_keypair_unpacked.call_mut_ae with types libcrux_ml_kem_vector_avx2_SIMD256Vector, libcrux_ml_kem_hash_functions_avx2_Simd256Hash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_call_mut_73_22( +libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_call_mut_ae_5d( void **_, size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_84(); + return libcrux_ml_kem_polynomial_ZERO_d6_06(); } /** 
@@ -4984,9 +5300,9 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_polynomial_to_standard_domain_84(__m256i vector) { - return libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_f5( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_to_standard_domain_06( + __m256i *vector) { + libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_f5( vector, LIBCRUX_ML_KEM_VECTOR_TRAITS_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS); } @@ -4999,19 +5315,16 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_polynomial_add_standard_error_reduce_84( +libcrux_ml_kem_polynomial_add_standard_error_reduce_06( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t j = i; - __m256i coefficient_normal_form = - libcrux_ml_kem_polynomial_to_standard_domain_84( - myself->coefficients[j]); - __m256i sum = libcrux_ml_kem_vector_avx2_add_f5(coefficient_normal_form, - &error->coefficients[j]); - __m256i red = libcrux_ml_kem_vector_avx2_barrett_reduce_f5(sum); - myself->coefficients[j] = red; + libcrux_ml_kem_polynomial_to_standard_domain_06(&myself->coefficients[j]); + libcrux_ml_kem_vector_avx2_add_f5(&myself->coefficients[j], + &error->coefficients[j]); + libcrux_ml_kem_vector_avx2_barrett_reduce_f5(&myself->coefficients[j]); } } @@ -5028,10 +5341,10 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_84( +libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_06( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) { - libcrux_ml_kem_polynomial_add_standard_error_reduce_84(self, error); + libcrux_ml_kem_polynomial_add_standard_error_reduce_06(self, error); } /** 
@@ -5046,38 +5359,25 @@ with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_As_plus_e_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *t_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 (*matrix_A)[3U], - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *s_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_as_ntt) { - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)3U, matrix_A, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U]), - libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U]); - i++) { + Eurydice_slice matrix_A, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *s_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch) { + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *row = matrix_A[i0]; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = - libcrux_ml_kem_polynomial_ZERO_d6_84(); + libcrux_ml_kem_polynomial_ZERO_d6_06(); t_as_ntt[i0] = uu____0; - for (size_t i1 = (size_t)0U; - i1 < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)3U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6), - libcrux_ml_kem_polynomial_PolynomialRingElement_f6); - i1++) { + for (size_t i1 = (size_t)0U; i1 < (size_t)3U; i1++) { size_t j = i1; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *matrix_element = - &row[j]; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - libcrux_ml_kem_polynomial_ntt_multiply_d6_84(matrix_element, - &s_as_ntt[j]); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *uu____1 = + libcrux_ml_kem_matrix_entry_ab(matrix_A, i0, j); + libcrux_ml_kem_polynomial_ntt_multiply_d6_06(uu____1, &s_as_ntt[j], + scratch); libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab(&t_as_ntt[i0], - &product); + scratch); } - 
libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_84( + libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_06( &t_as_ntt[i0], &error_as_ntt[i0]); } } @@ -5129,23 +5429,29 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector, libcrux_ml_kem_hash_functions_avx2_Simd256Hash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_22( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_5d( Eurydice_slice key_generation_seed, libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_63 *private_key, - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 *public_key) { - uint8_t hashed[64U]; - libcrux_ml_kem_variant_cpa_keygen_seed_39_be(key_generation_seed, hashed); + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0 *public_key, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch) { + uint8_t hashed[64U] = {0U}; + libcrux_ml_kem_variant_cpa_keygen_seed_39_3f( + key_generation_seed, + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t)); Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), (size_t)32U, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice seed_for_A = uu____0.fst; Eurydice_slice seed_for_secret_and_error = uu____0.snd; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6(*uu____1)[3U] = - public_key->A; + Eurydice_slice uu____1 = Eurydice_array_to_slice( + (size_t)9U, public_key->A, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6); uint8_t ret[34U]; libcrux_ml_kem_utils_into_padded_array_b6(seed_for_A, ret); libcrux_ml_kem_matrix_sample_matrix_A_6c(uu____1, ret, true); 
@@ -5153,21 +5459,30 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_22( libcrux_ml_kem_utils_into_padded_array_c8(seed_for_secret_and_error, prf_input); uint8_t domain_separator = - libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_b4( - private_key->secret_as_ntt, prf_input, 0U); + libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_cb( + Eurydice_array_to_slice( + (size_t)3U, private_key->secret_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6), + prf_input, 0U, scratch->coefficients); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 error_as_ntt[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { /* original Rust expression is not an lvalue in C */ void *lvalue = (void *)0U; error_as_ntt[i] = - libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_call_mut_73_22(&lvalue, + libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_call_mut_ae_5d(&lvalue, i); } - libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_b4(error_as_ntt, prf_input, - domain_separator); + libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_cb( + Eurydice_array_to_slice( + (size_t)3U, error_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6), + prf_input, domain_separator, scratch->coefficients); libcrux_ml_kem_matrix_compute_As_plus_e_ab( - public_key->t_as_ntt, public_key->A, private_key->secret_as_ntt, - error_as_ntt); + public_key->t_as_ntt, + Eurydice_array_to_slice( + (size_t)9U, public_key->A, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6), + private_key->secret_as_ntt, error_as_ntt, scratch); uint8_t uu____2[32U]; Result_fb dst; Eurydice_slice_to_array2(&dst, seed_for_A, Eurydice_slice, uint8_t[32U], 
@@ -5184,22 +5499,19 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_84( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, uint8_t ret[384U]) { - uint8_t serialized[384U] = {0U}; +libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_06( + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, __m256i *scratch, + Eurydice_slice serialized) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - __m256i coefficient = libcrux_ml_kem_serialize_to_unsigned_field_modulus_84( - re->coefficients[i0]); - uint8_t bytes[24U]; - libcrux_ml_kem_vector_avx2_serialize_12_f5(coefficient, bytes); - Eurydice_slice_copy( - Eurydice_array_to_subslice3(serialized, (size_t)24U * i0, - (size_t)24U * i0 + (size_t)24U, uint8_t *), - Eurydice_array_to_slice((size_t)24U, bytes, uint8_t), uint8_t); + libcrux_ml_kem_serialize_to_unsigned_field_modulus_06(&re->coefficients[i0], + scratch); + libcrux_ml_kem_vector_avx2_serialize_12_f5( + scratch, + Eurydice_slice_subslice3(serialized, (size_t)24U * i0, + (size_t)24U * i0 + (size_t)24U, uint8_t *)); } - memcpy(ret, serialized, (size_t)384U * sizeof(uint8_t)); } /** @@ -5213,8 +5525,8 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_serialize_vector_ab( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *key, - Eurydice_slice out) { + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *key, Eurydice_slice out, + __m256i *scratch) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( 
@@ -5224,14 +5536,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_serialize_vector_ab( i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = key[i0]; - Eurydice_slice uu____0 = Eurydice_slice_subslice3( - out, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t *); - uint8_t ret[384U]; - libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_84(&re, ret); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)384U, ret, uint8_t), uint8_t); + libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_06( + &re, scratch, + Eurydice_slice_subslice3( + out, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + uint8_t *)); } } 
@@ -5248,41 +5558,22 @@ with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_serialize_public_key_mut_ed( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *t_as_ntt, - Eurydice_slice seed_for_a, uint8_t *serialized) { + Eurydice_slice seed_for_a, Eurydice_slice serialized, __m256i *scratch) { libcrux_ml_kem_ind_cpa_serialize_vector_ab( t_as_ntt, - Eurydice_array_to_subslice3( + Eurydice_slice_subslice3( serialized, (size_t)0U, libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), - uint8_t *)); + uint8_t *), + scratch); Eurydice_slice_copy( - Eurydice_array_to_subslice_from( - (size_t)1184U, serialized, + Eurydice_slice_subslice_from( + serialized, libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), uint8_t, size_t, uint8_t[]), seed_for_a, uint8_t); } -/** - Concatenate `t` and `ρ` into the public key. -*/ -/** -A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key -with types libcrux_ml_kem_vector_avx2_SIMD256Vector -with const generics -- K= 3 -- PUBLIC_KEY_SIZE= 1184 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_serialize_public_key_ed( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *t_as_ntt, - Eurydice_slice seed_for_a, uint8_t ret[1184U]) { - uint8_t public_key_serialized[1184U] = {0U}; - libcrux_ml_kem_ind_cpa_serialize_public_key_mut_ed(t_as_ntt, seed_for_a, - public_key_serialized); - memcpy(ret, public_key_serialized, (size_t)1184U * sizeof(uint8_t)); -} - /** Serialize the secret key from the unpacked key pair generation. */ 
@@ -5291,37 +5582,22 @@ A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_unpacked_secret_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 - PRIVATE_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline libcrux_ml_kem_utils_extraction_helper_Keypair768 -libcrux_ml_kem_ind_cpa_serialize_unpacked_secret_key_ed( - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 *public_key, - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_63 *private_key) { - uint8_t public_key_serialized[1184U]; - libcrux_ml_kem_ind_cpa_serialize_public_key_ed( +static inline void libcrux_ml_kem_ind_cpa_serialize_unpacked_secret_key_8c( + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0 *public_key, + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_63 *private_key, + Eurydice_slice serialized_private_key, Eurydice_slice serialized_public_key, + __m256i *scratch) { + libcrux_ml_kem_ind_cpa_serialize_public_key_mut_ed( public_key->t_as_ntt, Eurydice_array_to_slice((size_t)32U, public_key->seed_for_A, uint8_t), - public_key_serialized); - uint8_t secret_key_serialized[1152U] = {0U}; - libcrux_ml_kem_ind_cpa_serialize_vector_ab( - private_key->secret_as_ntt, - Eurydice_array_to_slice((size_t)1152U, secret_key_serialized, uint8_t)); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_secret_key_serialized[1152U]; - memcpy(copy_of_secret_key_serialized, secret_key_serialized, - (size_t)1152U * sizeof(uint8_t)); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_public_key_serialized[1184U]; - memcpy(copy_of_public_key_serialized, public_key_serialized, - (size_t)1184U * sizeof(uint8_t)); - libcrux_ml_kem_utils_extraction_helper_Keypair768 lit; - memcpy(lit.fst, copy_of_secret_key_serialized, - (size_t)1152U * sizeof(uint8_t)); - memcpy(lit.snd, copy_of_public_key_serialized, - (size_t)1184U * sizeof(uint8_t)); - return 
lit; + serialized_public_key, scratch); + libcrux_ml_kem_ind_cpa_serialize_vector_ab(private_key->secret_as_ntt, + serialized_private_key, scratch); } /** @@ -5330,22 +5606,28 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector, libcrux_ml_kem_hash_functions_avx2_Simd256Hash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - PRIVATE_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_utils_extraction_helper_Keypair768 -libcrux_ml_kem_ind_cpa_generate_keypair_5d(Eurydice_slice key_generation_seed) { +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_generate_keypair_d6( + Eurydice_slice key_generation_seed, + Eurydice_slice serialized_ind_cpa_private_key, + Eurydice_slice serialized_public_key, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch) { libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_63 private_key = libcrux_ml_kem_ind_cpa_unpacked_default_70_ab(); - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 public_key = - libcrux_ml_kem_ind_cpa_unpacked_default_8b_ab(); - libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_22( - key_generation_seed, &private_key, &public_key); - return libcrux_ml_kem_ind_cpa_serialize_unpacked_secret_key_ed(&public_key, - &private_key); + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0 public_key = + libcrux_ml_kem_ind_cpa_unpacked_default_50_ed(); + libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_5d( + key_generation_seed, &private_key, &public_key, scratch); + libcrux_ml_kem_ind_cpa_serialize_unpacked_secret_key_8c( + &public_key, &private_key, serialized_ind_cpa_private_key, + serialized_public_key, scratch->coefficients); } /** 
@@ -5382,42 +5664,23 @@ libcrux_ml_kem_ind_cca_serialize_kem_secret_key_mut_ae( uint8_t *), public_key, uint8_t); pointer = pointer + Eurydice_slice_len(public_key, uint8_t); - Eurydice_slice uu____6 = Eurydice_array_to_subslice3( - serialized, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, - uint8_t *); - uint8_t ret[32U]; - libcrux_ml_kem_hash_functions_avx2_H_41_e0(public_key, ret); - Eurydice_slice_copy( - uu____6, Eurydice_array_to_slice((size_t)32U, ret, uint8_t), uint8_t); + libcrux_ml_kem_hash_functions_avx2_H_26( + public_key, + Eurydice_array_to_subslice3( + serialized, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, + uint8_t *)); pointer = pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE; - uint8_t *uu____7 = serialized; + uint8_t *uu____6 = serialized; + size_t uu____7 = pointer; size_t uu____8 = pointer; - size_t uu____9 = pointer; Eurydice_slice_copy( Eurydice_array_to_subslice3( - uu____7, uu____8, - uu____9 + Eurydice_slice_len(implicit_rejection_value, uint8_t), + uu____6, uu____7, + uu____8 + Eurydice_slice_len(implicit_rejection_value, uint8_t), uint8_t *), implicit_rejection_value, uint8_t); } -/** -A monomorphic instance of libcrux_ml_kem.ind_cca.serialize_kem_secret_key -with types libcrux_ml_kem_hash_functions_avx2_Simd256Hash -with const generics -- K= 3 -- SERIALIZED_KEY_LEN= 2400 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_serialize_kem_secret_key_ae( - Eurydice_slice private_key, Eurydice_slice public_key, - Eurydice_slice implicit_rejection_value, uint8_t ret[2400U]) { - uint8_t out[2400U] = {0U}; - libcrux_ml_kem_ind_cca_serialize_kem_secret_key_mut_ae( - private_key, public_key, implicit_rejection_value, out); - memcpy(ret, out, (size_t)2400U * sizeof(uint8_t)); -} - /** Packed API 
@@ -5432,15 +5695,17 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector, libcrux_ml_kem_hash_functions_avx2_Simd256Hash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_mlkem768_MlKem768KeyPair -libcrux_ml_kem_ind_cca_generate_keypair_bb(uint8_t *randomness) { +libcrux_ml_kem_ind_cca_generate_keypair_13(uint8_t *randomness) { Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice3( randomness, (size_t)0U, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t *); 
@@ -5448,14 +5713,16 @@ libcrux_ml_kem_ind_cca_generate_keypair_bb(uint8_t *randomness) { (size_t)64U, randomness, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, size_t, uint8_t[]); - libcrux_ml_kem_utils_extraction_helper_Keypair768 uu____0 = - libcrux_ml_kem_ind_cpa_generate_keypair_5d(ind_cpa_keypair_randomness); - uint8_t ind_cpa_private_key[1152U]; - memcpy(ind_cpa_private_key, uu____0.fst, (size_t)1152U * sizeof(uint8_t)); - uint8_t public_key[1184U]; - memcpy(public_key, uu____0.snd, (size_t)1184U * sizeof(uint8_t)); - uint8_t secret_key_serialized[2400U]; - libcrux_ml_kem_ind_cca_serialize_kem_secret_key_ae( + uint8_t ind_cpa_private_key[1152U] = {0U}; + uint8_t public_key[1184U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 scratch = + libcrux_ml_kem_polynomial_ZERO_d6_06(); + libcrux_ml_kem_ind_cpa_generate_keypair_d6( + ind_cpa_keypair_randomness, + Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t), + Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t), &scratch); + uint8_t secret_key_serialized[2400U] = {0U}; + libcrux_ml_kem_ind_cca_serialize_kem_secret_key_mut_ae( Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t), Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t), implicit_rejection_value, secret_key_serialized); 
@@ -5465,12 +5732,12 @@ libcrux_ml_kem_ind_cca_generate_keypair_bb(uint8_t *randomness) { (size_t)2400U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey_d9 private_key = libcrux_ml_kem_types_from_77_28(copy_of_secret_key_serialized); - libcrux_ml_kem_types_MlKemPrivateKey_d9 uu____2 = private_key; + libcrux_ml_kem_types_MlKemPrivateKey_d9 uu____1 = private_key; /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_public_key[1184U]; memcpy(copy_of_public_key, public_key, (size_t)1184U * sizeof(uint8_t)); return libcrux_ml_kem_types_from_17_74( - uu____2, libcrux_ml_kem_types_from_fd_d0(copy_of_public_key)); + uu____1, libcrux_ml_kem_types_from_fd_d0(copy_of_public_key)); } /** 
@@ -5481,34 +5748,38 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.generate_keypair_avx2 with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair -libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_avx2_ce( +libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_avx2_06( uint8_t *randomness) { - return libcrux_ml_kem_ind_cca_generate_keypair_bb(randomness); + return libcrux_ml_kem_ind_cca_generate_keypair_13(randomness); } /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.generate_keypair with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair -libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_ce( +libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_06( uint8_t *randomness) { - return libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_avx2_ce( + return libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_avx2_06( randomness); } @@ -5518,7 +5789,7 @@ libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_ce( KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair libcrux_ml_kem_mlkem768_avx2_generate_key_pair(uint8_t randomness[64U]) { - return libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_ce( + return libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_06( randomness); } 
@@ -5537,12 +5808,12 @@ with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_validate_private_key_only_ae( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key) { - uint8_t t[32U]; - libcrux_ml_kem_hash_functions_avx2_H_41_e0( + uint8_t t[32U] = {0U}; + libcrux_ml_kem_hash_functions_avx2_H_26( Eurydice_array_to_subslice3(private_key->value, (size_t)384U * (size_t)3U, (size_t)768U * (size_t)3U + (size_t)32U, uint8_t *), - t); + Eurydice_array_to_slice((size_t)32U, t, uint8_t)); Eurydice_slice expected = Eurydice_array_to_subslice3( private_key->value, (size_t)768U * (size_t)3U + (size_t)32U, (size_t)768U * (size_t)3U + (size_t)64U, uint8_t *); 
@@ -5651,52 +5922,21 @@ static inline bool libcrux_ml_kem_mlkem768_avx2_validate_private_key_only( This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, TraitClause@1]> for -libcrux_ml_kem::serialize::deserialize_ring_elements_reduced_out::closure[TraitClause@0, TraitClause@1]} +libcrux_ml_kem::ind_cca::validate_public_key::closure[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of -libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out.call_mut_0b with -types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics +A monomorphic instance of libcrux_ml_kem.ind_cca.validate_public_key.call_mut_00 +with types libcrux_ml_kem_vector_avx2_SIMD256Vector +with const generics - K= 3 +- PUBLIC_KEY_SIZE= 1184 */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_call_mut_0b_ab( - void **_, size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_84(); -} - -/** - This function deserializes ring elements and reduces the result by the field - modulus. - - This function MUST NOT be used on secret inputs. 
-*/ -/** -A monomorphic instance of -libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out with types -libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics -- K= 3 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_ab( - Eurydice_slice public_key, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialized_pk[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - deserialized_pk[i] = - libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_call_mut_0b_ab( - &lvalue, i); - } - libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_ab( - public_key, deserialized_pk); - memcpy( - ret, deserialized_pk, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); +libcrux_ml_kem_ind_cca_validate_public_key_call_mut_00_ed(void **_, + size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_06(); } /** 
@@ -5717,21 +5957,31 @@ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_validate_public_key_ed( uint8_t *public_key) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialized_pk[3U]; - libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_ab( - Eurydice_array_to_subslice_to( - (size_t)1184U, public_key, - libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), - uint8_t, size_t, uint8_t[]), - deserialized_pk); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *uu____0 = deserialized_pk; - uint8_t public_key_serialized[1184U]; - libcrux_ml_kem_ind_cpa_serialize_public_key_ed( - uu____0, - Eurydice_array_to_subslice_from( - (size_t)1184U, public_key, - libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), - uint8_t, size_t, uint8_t[]), - public_key_serialized); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + deserialized_pk[i] = + libcrux_ml_kem_ind_cca_validate_public_key_call_mut_00_ed(&lvalue, i); + } + Eurydice_slice uu____0 = Eurydice_array_to_subslice_to( + (size_t)1184U, public_key, + libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), + uint8_t, size_t, uint8_t[]); + libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_ab( + uu____0, Eurydice_array_to_slice( + (size_t)3U, deserialized_pk, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); + uint8_t public_key_serialized[1184U] = {0U}; + __m256i scratch = libcrux_ml_kem_vector_avx2_ZERO_f5(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *uu____1 = deserialized_pk; + Eurydice_slice uu____2 = Eurydice_array_to_subslice_from( + (size_t)1184U, public_key, + libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), + uint8_t, size_t, uint8_t[]); + libcrux_ml_kem_ind_cpa_serialize_public_key_mut_ed( + uu____1, uu____2, + Eurydice_array_to_slice((size_t)1184U, public_key_serialized, uint8_t), + &scratch); 
return Eurydice_array_eq((size_t)1184U, public_key, public_key_serialized, uint8_t); } 
@@ -5794,22 +6044,68 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.MlKemPublicKeyUnpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - $3size_t +- $9size_t */ -typedef struct libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63_s { - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 ind_cpa_public_key; +typedef struct libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0_s { + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0 ind_cpa_public_key; uint8_t public_key_hash[32U]; -} libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63; +} libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0; typedef struct libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked_s { libcrux_ml_kem_ind_cca_unpacked_MlKemPrivateKeyUnpacked_63 private_key; - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 public_key; + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 public_key; } libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked; +/** +This function found in impl {core::ops::function::FnMut<(usize), +libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@2]> for +libcrux_ml_kem::ind_cca::unpacked::decapsulate::closure[TraitClause@0, +TraitClause@1, TraitClause@2, TraitClause@3]} +*/ +/** +A monomorphic instance of +libcrux_ml_kem.ind_cca.unpacked.decapsulate.call_mut_03 with types +libcrux_ml_kem_vector_avx2_SIMD256Vector, +libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics +- K= 3 +- K_SQUARED= 9 +- SECRET_KEY_SIZE= 2400 +- CPA_SECRET_KEY_SIZE= 1152 +- PUBLIC_KEY_SIZE= 1184 +- CIPHERTEXT_SIZE= 1088 +- T_AS_NTT_ENCODED_SIZE= 1152 +- C1_SIZE= 960 +- C2_SIZE= 128 +- VECTOR_U_COMPRESSION_FACTOR= 10 +- VECTOR_V_COMPRESSION_FACTOR= 4 +- C1_BLOCK_SIZE= 320 +- ETA1= 2 +- ETA1_RANDOMNESS_SIZE= 128 +- ETA2= 2 +- ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 +- IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 +*/ 
+KRML_ATTRIBUTE_TARGET("avx2") +static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 +libcrux_ml_kem_ind_cca_unpacked_decapsulate_call_mut_03_37(void **_, + size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_06(); +} + /** A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.decapsulate with types libcrux_ml_kem_vector_avx2_SIMD256Vector, libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 @@ -5824,15 +6120,20 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_decapsulate_12( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_decapsulate_37( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - uint8_t decrypted[32U]; + uint8_t decrypted[32U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 scratch = + libcrux_ml_kem_polynomial_ZERO_d6_06(); libcrux_ml_kem_ind_cpa_decrypt_unpacked_2f( - &key_pair->private_key.ind_cpa_private_key, ciphertext->value, decrypted); + &key_pair->private_key.ind_cpa_private_key, ciphertext->value, + Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), &scratch); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array_24( Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0); 
@@ -5844,9 +6145,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_decapsulate_12( Eurydice_array_to_slice((size_t)32U, key_pair->public_key.public_key_hash, uint8_t), uint8_t); - uint8_t hashed[64U]; - libcrux_ml_kem_hash_functions_avx2_G_41_e0( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed); + uint8_t hashed[64U] = {0U}; + libcrux_ml_kem_hash_functions_avx2_G_26( + Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t)); Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, 
@@ -5863,25 +6165,40 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_decapsulate_12( uint8_t, size_t, uint8_t[]); Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_d3_80(ciphertext), uint8_t); - uint8_t implicit_rejection_shared_secret[32U]; - libcrux_ml_kem_hash_functions_avx2_PRF_41_41( + uint8_t implicit_rejection_shared_secret[32U] = {0U}; + libcrux_ml_kem_hash_functions_avx2_PRF_26_9e( Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t), - implicit_rejection_shared_secret); - uint8_t expected_ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_unpacked_74( + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, + uint8_t)); + uint8_t expected_ciphertext[1088U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 r_as_ntt[3U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + r_as_ntt[i] = + libcrux_ml_kem_ind_cca_unpacked_decapsulate_call_mut_03_37(&lvalue, i); + } + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 error_2 = + libcrux_ml_kem_polynomial_ZERO_d6_06(); + libcrux_ml_kem_ind_cpa_encrypt_unpacked_67( &key_pair->public_key.ind_cpa_public_key, decrypted, pseudorandomness, - expected_ciphertext); + Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t), + Eurydice_array_to_slice( + (size_t)3U, r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6), + &error_2, &scratch); uint8_t selector = libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( libcrux_ml_kem_types_as_ref_d3_80(ciphertext), Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t)); - uint8_t ret0[32U]; + uint8_t shared_secret_array[32U] = {0U}; libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( shared_secret, Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t), - selector, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + selector, + 
Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t)); + memcpy(ret, shared_secret_array, (size_t)32U * sizeof(uint8_t)); } /** @@ -5889,6 +6206,7 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.unpacked.decapsulate_avx2 with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 @@ -5903,14 +6221,16 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ KRML_ATTRIBUTE_TARGET("avx2") static inline void -libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_decapsulate_avx2_35( +libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_decapsulate_avx2_54( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_unpacked_decapsulate_12(key_pair, ciphertext, ret); + libcrux_ml_kem_ind_cca_unpacked_decapsulate_37(key_pair, ciphertext, ret); } /** @@ -5921,6 +6241,7 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.unpacked.decapsulate with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 
@@ -5935,14 +6256,16 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ KRML_ATTRIBUTE_TARGET("avx2") static inline void -libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_decapsulate_35( +libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_decapsulate_54( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_decapsulate_avx2_35( + libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_decapsulate_avx2_54( key_pair, ciphertext, ret); } @@ -5957,7 +6280,7 @@ KRML_ATTRIBUTE_TARGET("avx2") static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_decapsulate( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_decapsulate_35( + libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_decapsulate_54( private_key, ciphertext, ret); } @@ -5968,7 +6291,7 @@ with const generics - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_kem_ind_cca_unpacked_encaps_prepare_be( +static inline void libcrux_ml_kem_ind_cca_unpacked_encaps_prepare_3f( Eurydice_slice randomness, Eurydice_slice pk_hash, uint8_t ret[64U]) { uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array_24(randomness, to_hash); 
@@ -5977,10 +6300,51 @@ static inline void libcrux_ml_kem_ind_cca_unpacked_encaps_prepare_be( LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, size_t, uint8_t[]), pk_hash, uint8_t); - uint8_t ret0[64U]; - libcrux_ml_kem_hash_functions_avx2_G_41_e0( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), ret0); - memcpy(ret, ret0, (size_t)64U * sizeof(uint8_t)); + uint8_t output[64U] = {0U}; + libcrux_ml_kem_hash_functions_avx2_G_26( + Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), + Eurydice_array_to_slice((size_t)64U, output, uint8_t)); + memcpy(ret, output, (size_t)64U * sizeof(uint8_t)); +} + +/** +This function found in impl {core::ops::function::FnMut<(usize), +libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@2]> for +libcrux_ml_kem::ind_cca::unpacked::encapsulate::closure[TraitClause@0, TraitClause@1, TraitClause@2, +TraitClause@3]} +*/ +/** +A monomorphic instance of +libcrux_ml_kem.ind_cca.unpacked.encapsulate.call_mut_f7 with types +libcrux_ml_kem_vector_avx2_SIMD256Vector, +libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics +- K= 3 +- K_SQUARED= 9 +- CIPHERTEXT_SIZE= 1088 +- PUBLIC_KEY_SIZE= 1184 +- T_AS_NTT_ENCODED_SIZE= 1152 +- C1_SIZE= 960 +- C2_SIZE= 128 +- VECTOR_U_COMPRESSION_FACTOR= 10 +- VECTOR_V_COMPRESSION_FACTOR= 4 +- VECTOR_U_BLOCK_LEN= 320 +- ETA1= 2 +- ETA1_RANDOMNESS_SIZE= 128 +- ETA2= 2 +- ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 +libcrux_ml_kem_ind_cca_unpacked_encapsulate_call_mut_f7_12(void **_, + size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_06(); } /** 
@@ -5988,6 +6352,7 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.encapsulate with types libcrux_ml_kem_vector_avx2_SIMD256Vector, libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - PUBLIC_KEY_SIZE= 1184 - T_AS_NTT_ENCODED_SIZE= 1152 @@ -6000,13 +6365,15 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_unpacked_encapsulate_70( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 *public_key, +static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_unpacked_encapsulate_12( + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 *public_key, uint8_t *randomness) { uint8_t hashed[64U]; - libcrux_ml_kem_ind_cca_unpacked_encaps_prepare_be( + libcrux_ml_kem_ind_cca_unpacked_encaps_prepare_3f( Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), Eurydice_array_to_slice((size_t)32U, public_key->public_key_hash, uint8_t), 
@@ -6017,10 +6384,25 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_unpacked_encapsulate_70( Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____0.fst; Eurydice_slice pseudorandomness = uu____0.snd; - uint8_t ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_unpacked_74(&public_key->ind_cpa_public_key, - randomness, pseudorandomness, - ciphertext); + uint8_t ciphertext[1088U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 r_as_ntt[3U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + r_as_ntt[i] = + libcrux_ml_kem_ind_cca_unpacked_encapsulate_call_mut_f7_12(&lvalue, i); + } + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 error_2 = + libcrux_ml_kem_polynomial_ZERO_d6_06(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 scratch = + libcrux_ml_kem_polynomial_ZERO_d6_06(); + libcrux_ml_kem_ind_cpa_encrypt_unpacked_67( + &public_key->ind_cpa_public_key, randomness, pseudorandomness, + Eurydice_array_to_slice((size_t)1088U, ciphertext, uint8_t), + Eurydice_array_to_slice( + (size_t)3U, r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6), + &error_2, &scratch); uint8_t shared_secret_array[32U] = {0U}; Eurydice_slice_copy( Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t), @@ -6045,6 +6427,7 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.unpacked.encapsulate_avx2 with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - PUBLIC_KEY_SIZE= 1184 - T_AS_NTT_ENCODED_SIZE= 1152 
@@ -6057,13 +6440,15 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ KRML_ATTRIBUTE_TARGET("avx2") static inline tuple_c2 -libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_encapsulate_avx2_cd( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 *public_key, +libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_encapsulate_avx2_35( + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 *public_key, uint8_t *randomness) { - return libcrux_ml_kem_ind_cca_unpacked_encapsulate_70(public_key, randomness); + return libcrux_ml_kem_ind_cca_unpacked_encapsulate_12(public_key, randomness); } /** @@ -6074,6 +6459,7 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.unpacked.encapsulate with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - PUBLIC_KEY_SIZE= 1184 - T_AS_NTT_ENCODED_SIZE= 1152 @@ -6086,13 +6472,15 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ KRML_ATTRIBUTE_TARGET("avx2") static inline tuple_c2 -libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_encapsulate_cd( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 *public_key, +libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_encapsulate_35( + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 *public_key, uint8_t *randomness) { - return libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_encapsulate_avx2_cd( + return libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_encapsulate_avx2_35( public_key, randomness); } 
@@ -6106,9 +6494,9 @@ libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_encapsulate_cd( */ KRML_ATTRIBUTE_TARGET("avx2") static inline tuple_c2 libcrux_ml_kem_mlkem768_avx2_unpacked_encapsulate( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 *public_key, + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 *public_key, uint8_t randomness[32U]) { - return libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_encapsulate_cd( + return libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_encapsulate_35( public_key, randomness); } 
@@ -6116,45 +6504,21 @@ static inline tuple_c2 libcrux_ml_kem_mlkem768_avx2_unpacked_encapsulate( This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, TraitClause@1]> for -libcrux_ml_kem::ind_cca::unpacked::transpose_a::closure::closure[TraitClause@0, TraitClause@1]} +libcrux_ml_kem::ind_cca::unpacked::transpose_a::closure[TraitClause@0, TraitClause@1]} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.transpose_a.closure.call_mut_b4 with types +libcrux_ml_kem.ind_cca.unpacked.transpose_a.call_mut_5a with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_ind_cca_unpacked_transpose_a_closure_call_mut_b4_ab( - void **_, size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_84(); -} - -/** -This function found in impl {core::ops::function::FnMut<(usize), -@Array[TraitClause@0, -TraitClause@1], K>> for -libcrux_ml_kem::ind_cca::unpacked::transpose_a::closure[TraitClause@0, TraitClause@1]} -*/ -/** -A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.transpose_a.call_mut_7b with types -libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics -- K= 3 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_kem_ind_cca_unpacked_transpose_a_call_mut_7b_ab( - void **_, size_t tupled_args, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - ret[i] = libcrux_ml_kem_ind_cca_unpacked_transpose_a_closure_call_mut_b4_ab( - &lvalue, i); - } +libcrux_ml_kem_ind_cca_unpacked_transpose_a_call_mut_5a_ed(void **_, + size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_06(); } /** 
@@ -6170,7 +6534,7 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_clone_c1_84( +libcrux_ml_kem_polynomial_clone_c1_06( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 lit; __m256i ret[16U]; 
@@ -6185,34 +6549,32 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.transpose_a with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_kem_ind_cca_unpacked_transpose_a_ab( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ind_cpa_a[3U][3U], - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U][3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 A[3U][3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_transpose_a_ed( + Eurydice_slice ind_cpa_a, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[9U]) { + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 A[9U]; + for (size_t i = (size_t)0U; i < (size_t)9U; i++) { /* original Rust expression is not an lvalue in C */ void *lvalue = (void *)0U; - libcrux_ml_kem_ind_cca_unpacked_transpose_a_call_mut_7b_ab(&lvalue, i, - A[i]); + A[i] = + libcrux_ml_kem_ind_cca_unpacked_transpose_a_call_mut_5a_ed(&lvalue, i); } - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 _a_i[3U][3U]; - memcpy(_a_i, A, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U])); - for (size_t i1 = (size_t)0U; i1 < (size_t)3U; i1++) { - size_t j = i1; + for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { + size_t i1 = i0; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = - libcrux_ml_kem_polynomial_clone_c1_84(&ind_cpa_a[j][i0]); - A[i0][j] = uu____0; + libcrux_ml_kem_polynomial_clone_c1_06( + libcrux_ml_kem_matrix_entry_ab(ind_cpa_a, j, i1)); + A[i1 * (size_t)3U + j] = uu____0; } } - memcpy(ret, A, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U])); + memcpy( + ret, A, + (size_t)9U * 
sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); } /** @@ -6224,14 +6586,16 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector, libcrux_ml_kem_hash_functions_avx2_Simd256Hash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_generate_keypair_bb( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_generate_keypair_13( uint8_t randomness[64U], libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *out) { Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice3( 
@@ -6241,39 +6605,41 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_generate_keypair_bb( (size_t)64U, randomness, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, size_t, uint8_t[]); - libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_22( + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 scratch0 = + libcrux_ml_kem_polynomial_ZERO_d6_06(); + libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_5d( ind_cpa_keypair_randomness, &out->private_key.ind_cpa_private_key, - &out->public_key.ind_cpa_public_key); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0[3U][3U]; - memcpy(uu____0, out->public_key.ind_cpa_public_key.A, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U])); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 A[3U][3U]; - libcrux_ml_kem_ind_cca_unpacked_transpose_a_ab(uu____0, A); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____1[3U][3U]; - memcpy(uu____1, A, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U])); - memcpy(out->public_key.ind_cpa_public_key.A, uu____1, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U])); - uint8_t pk_serialized[1184U]; - libcrux_ml_kem_ind_cpa_serialize_public_key_ed( + &out->public_key.ind_cpa_public_key, &scratch0); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 A[9U]; + libcrux_ml_kem_ind_cca_unpacked_transpose_a_ed( + Eurydice_array_to_slice( + (size_t)9U, out->public_key.ind_cpa_public_key.A, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6), + A); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0[9U]; + memcpy( + uu____0, A, + (size_t)9U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); + memcpy( + out->public_key.ind_cpa_public_key.A, uu____0, + (size_t)9U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); + uint8_t pk_serialized[1184U] = {0U}; + __m256i scratch = libcrux_ml_kem_vector_avx2_ZERO_f5(); + 
libcrux_ml_kem_ind_cpa_serialize_public_key_mut_ed( out->public_key.ind_cpa_public_key.t_as_ntt, Eurydice_array_to_slice( (size_t)32U, out->public_key.ind_cpa_public_key.seed_for_A, uint8_t), - pk_serialized); - uint8_t uu____2[32U]; - libcrux_ml_kem_hash_functions_avx2_H_41_e0( - Eurydice_array_to_slice((size_t)1184U, pk_serialized, uint8_t), uu____2); - memcpy(out->public_key.public_key_hash, uu____2, - (size_t)32U * sizeof(uint8_t)); - uint8_t uu____3[32U]; + Eurydice_array_to_slice((size_t)1184U, pk_serialized, uint8_t), &scratch); + libcrux_ml_kem_hash_functions_avx2_H_26( + Eurydice_array_to_slice((size_t)1184U, pk_serialized, uint8_t), + Eurydice_array_to_slice((size_t)32U, out->public_key.public_key_hash, + uint8_t)); + uint8_t uu____1[32U]; Result_fb dst; Eurydice_slice_to_array2(&dst, implicit_rejection_value, Eurydice_slice, uint8_t[32U], TryFromSliceError); - unwrap_26_b3(dst, uu____3); - memcpy(out->private_key.implicit_rejection_value, uu____3, + unwrap_26_b3(dst, uu____1); + memcpy(out->private_key.implicit_rejection_value, uu____1, (size_t)32U * sizeof(uint8_t)); } 
@@ -6282,21 +6648,23 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.unpacked.generate_keypair_avx2 with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ KRML_ATTRIBUTE_TARGET("avx2") static inline void -libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_generate_keypair_avx2_ce( +libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_generate_keypair_avx2_06( uint8_t randomness[64U], libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *out) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[64U]; memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); - libcrux_ml_kem_ind_cca_unpacked_generate_keypair_bb(copy_of_randomness, out); + libcrux_ml_kem_ind_cca_unpacked_generate_keypair_13(copy_of_randomness, out); } /** @@ -6307,21 +6675,23 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.unpacked.generate_keypair with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ KRML_ATTRIBUTE_TARGET("avx2") static inline void -libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_generate_keypair_ce( +libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_generate_keypair_06( uint8_t randomness[64U], libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *out) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[64U]; memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); - libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_generate_keypair_avx2_ce( + libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_generate_keypair_avx2_06( copy_of_randomness, out); } 
@@ -6335,52 +6705,54 @@ static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_generate_key_pair_mut( /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[64U]; memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); - libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_generate_keypair_ce( + libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_generate_keypair_06( copy_of_randomness, key_pair); } /** This function found in impl {core::default::Default for -libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@1]} +libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_30 +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_3f with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 -libcrux_ml_kem_ind_cca_unpacked_default_30_ab(void) { +static KRML_MUSTINLINE libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 +libcrux_ml_kem_ind_cca_unpacked_default_3f_ed(void) { return ( - KRML_CLITERAL(libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63){ - .ind_cpa_public_key = libcrux_ml_kem_ind_cpa_unpacked_default_8b_ab(), + KRML_CLITERAL(libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0){ + .ind_cpa_public_key = libcrux_ml_kem_ind_cpa_unpacked_default_50_ed(), .public_key_hash = {0U}}); } /** This function found in impl {core::default::Default for -libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} +libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_7b +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_b1 with types 
libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked - libcrux_ml_kem_ind_cca_unpacked_default_7b_ab(void) { + libcrux_ml_kem_ind_cca_unpacked_default_b1_ed(void) { libcrux_ml_kem_ind_cca_unpacked_MlKemPrivateKeyUnpacked_63 uu____0 = { .ind_cpa_private_key = libcrux_ml_kem_ind_cpa_unpacked_default_70_ab(), .implicit_rejection_value = {0U}}; return (KRML_CLITERAL( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked){ .private_key = uu____0, - .public_key = libcrux_ml_kem_ind_cca_unpacked_default_30_ab()}); + .public_key = libcrux_ml_kem_ind_cca_unpacked_default_3f_ed()}); } /** @@ -6391,7 +6763,7 @@ static inline libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked libcrux_ml_kem_mlkem768_avx2_unpacked_generate_key_pair( uint8_t randomness[64U]) { libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked key_pair = - libcrux_ml_kem_ind_cca_unpacked_default_7b_ab(); + libcrux_ml_kem_ind_cca_unpacked_default_b1_ed(); uint8_t uu____0[64U]; memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); libcrux_ml_kem_mlkem768_avx2_unpacked_generate_key_pair_mut(uu____0, 
@@ -6405,126 +6777,107 @@ libcrux_ml_kem_mlkem768_avx2_unpacked_generate_key_pair( KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked libcrux_ml_kem_mlkem768_avx2_unpacked_init_key_pair(void) { - return libcrux_ml_kem_ind_cca_unpacked_default_7b_ab(); + return libcrux_ml_kem_ind_cca_unpacked_default_b1_ed(); } /** Create a new, empty unpacked public key. */ KRML_ATTRIBUTE_TARGET("avx2") -static inline libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 +static inline libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 libcrux_ml_kem_mlkem768_avx2_unpacked_init_public_key(void) { - return libcrux_ml_kem_ind_cca_unpacked_default_30_ab(); -} - -/** -This function found in impl {core::ops::function::FnMut<(@Array), -libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@2]> for libcrux_ml_kem::sampling::sample_from_xof::closure[TraitClause@0, TraitClause@1, TraitClause@2, TraitClause@3]} -*/ -/** -A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof.call_mut_e7 -with types libcrux_ml_kem_vector_avx2_SIMD256Vector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics -- K= 3 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_sampling_sample_from_xof_call_mut_e7_b3( - void **_, int16_t tupled_args[272U]) { - int16_t s[272U]; - memcpy(s, tupled_args, (size_t)272U * sizeof(int16_t)); - return libcrux_ml_kem_polynomial_from_i16_array_d6_84( - Eurydice_array_to_subslice3(s, (size_t)0U, (size_t)256U, int16_t *)); + return libcrux_ml_kem_ind_cca_unpacked_default_3f_ed(); } /** A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof with types libcrux_ml_kem_vector_avx2_SIMD256Vector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 */ 
KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_xof_b3( - uint8_t (*seeds)[34U], - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { - size_t sampled_coefficients[3U] = {0U}; - int16_t out[3U][272U] = {{0U}}; - libcrux_ml_kem_hash_functions_portable_PortableHash_88 xof_state = - libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_4a_e0( +static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_xof_51( + Eurydice_slice seeds, Eurydice_slice sampled_coefficients, + Eurydice_slice out) { + libcrux_ml_kem_hash_functions_portable_PortableHash xof_state = + libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_6e( seeds); - uint8_t randomness0[3U][504U]; - libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_4a_e0( - &xof_state, randomness0); + uint8_t randomness[3U][504U] = {{0U}}; + uint8_t randomness_blocksize[3U][168U] = {{0U}}; + libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_6e( + &xof_state, + Eurydice_array_to_slice((size_t)3U, randomness, uint8_t[504U])); bool done = libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed( - randomness0, sampled_coefficients, out); + Eurydice_array_to_slice((size_t)3U, randomness, uint8_t[504U]), + sampled_coefficients, out); while (true) { if (done) { break; } else { - uint8_t randomness[3U][168U]; - libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_4a_e0( - &xof_state, randomness); + libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_6e( + &xof_state, Eurydice_array_to_slice((size_t)3U, randomness_blocksize, + uint8_t[168U])); done = libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed0( - randomness, sampled_coefficients, out); + Eurydice_array_to_slice((size_t)3U, randomness_blocksize, + uint8_t[168U]), + sampled_coefficients, out); } } - /* Passing arrays by value in Rust generates a copy in C */ - int16_t copy_of_out[3U][272U]; - 
memcpy(copy_of_out, out, (size_t)3U * sizeof(int16_t[272U])); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret0[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - ret0[i] = libcrux_ml_kem_sampling_sample_from_xof_call_mut_e7_b3( - &lvalue, copy_of_out[i]); - } - memcpy( - ret, ret0, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); } /** A monomorphic instance of libcrux_ml_kem.matrix.sample_matrix_A with types libcrux_ml_kem_vector_avx2_SIMD256Vector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_matrix_sample_matrix_A_b3( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 (*A_transpose)[3U], - uint8_t *seed, bool transpose) { +static KRML_MUSTINLINE void libcrux_ml_kem_matrix_sample_matrix_A_51( + Eurydice_slice A_transpose, uint8_t *seed, bool transpose) { for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { size_t i1 = i0; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); uint8_t seeds[3U][34U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - core_array__core__clone__Clone_for__Array_T__N___clone( - (size_t)34U, seed, seeds[i], uint8_t, void *); + memcpy(seeds[i], copy_of_seed, (size_t)34U * sizeof(uint8_t)); } for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t j = i; seeds[j][32U] = (uint8_t)i1; seeds[j][33U] = (uint8_t)j; } - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 sampled[3U]; - libcrux_ml_kem_sampling_sample_from_xof_b3(seeds, sampled); + size_t sampled_coefficients[3U] = {0U}; + int16_t out[3U][272U] = {{0U}}; + libcrux_ml_kem_sampling_sample_from_xof_51( + Eurydice_array_to_slice((size_t)3U, seeds, 
uint8_t[34U]), + Eurydice_array_to_slice((size_t)3U, sampled_coefficients, size_t), + Eurydice_array_to_slice((size_t)3U, out, int16_t[272U])); for (size_t i = (size_t)0U; i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)3U, sampled, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6), - libcrux_ml_kem_polynomial_PolynomialRingElement_f6); + Eurydice_array_to_slice((size_t)3U, out, int16_t[272U]), + int16_t[272U]); i++) { size_t j = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 sample = sampled[j]; + int16_t sample[272U]; + memcpy(sample, out[j], (size_t)272U * sizeof(int16_t)); if (transpose) { - A_transpose[j][i1] = sample; + Eurydice_slice uu____1 = Eurydice_array_to_subslice_to( + (size_t)272U, sample, (size_t)256U, int16_t, size_t, int16_t[]); + libcrux_ml_kem_polynomial_from_i16_array_d6_06( + uu____1, &Eurydice_slice_index( + A_transpose, j * (size_t)3U + i1, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *)); } else { - A_transpose[i1][j] = sample; + Eurydice_slice uu____2 = Eurydice_array_to_subslice_to( + (size_t)272U, sample, (size_t)256U, int16_t, size_t, int16_t[]); + libcrux_ml_kem_polynomial_from_i16_array_d6_06( + uu____2, &Eurydice_slice_index( + A_transpose, i1 * (size_t)3U + j, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *)); } } } 
@@ -6533,28 +6886,31 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_sample_matrix_A_b3( /** A monomorphic instance of libcrux_ml_kem.ind_cpa.build_unpacked_public_key_mut with types libcrux_ml_kem_vector_avx2_SIMD256Vector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 +- K_SQUARED= 9 - T_AS_NTT_ENCODED_SIZE= 1152 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_bf( +libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_fd( Eurydice_slice public_key, - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0 *unpacked_public_key) { Eurydice_slice uu____0 = Eurydice_slice_subslice_to( public_key, (size_t)1152U, uint8_t, size_t, uint8_t[]); libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_ab( - uu____0, unpacked_public_key->t_as_ntt); + uu____0, Eurydice_array_to_slice( + (size_t)3U, unpacked_public_key->t_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); Eurydice_slice seed = Eurydice_slice_subslice_from( public_key, (size_t)1152U, uint8_t, size_t, uint8_t[]); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6(*uu____1)[3U] = - unpacked_public_key->A; + Eurydice_slice uu____1 = Eurydice_array_to_slice( + (size_t)9U, unpacked_public_key->A, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6); uint8_t ret[34U]; libcrux_ml_kem_utils_into_padded_array_b6(seed, ret); - libcrux_ml_kem_matrix_sample_matrix_A_b3(uu____1, ret, false); + libcrux_ml_kem_matrix_sample_matrix_A_51(uu____1, ret, false); } /** @@ -6565,6 +6921,7 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.keys_from_private_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 
@@ -6572,7 +6929,7 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_unpacked_keys_from_private_key_2f( +libcrux_ml_kem_ind_cca_unpacked_keys_from_private_key_e2( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair) { Eurydice_slice_uint8_t_x4 uu____0 = @@ -6584,8 +6941,10 @@ libcrux_ml_kem_ind_cca_unpacked_keys_from_private_key_2f( Eurydice_slice implicit_rejection_value = uu____0.f3; libcrux_ml_kem_ind_cpa_deserialize_vector_ab( ind_cpa_secret_key, - key_pair->private_key.ind_cpa_private_key.secret_as_ntt); - libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_bf( + Eurydice_array_to_slice( + (size_t)3U, key_pair->private_key.ind_cpa_private_key.secret_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); + libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_fd( ind_cpa_public_key, &key_pair->public_key.ind_cpa_public_key); Eurydice_slice_copy( Eurydice_array_to_slice((size_t)32U, key_pair->public_key.public_key_hash, @@ -6612,6 +6971,7 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.unpacked.keypair_from_private_key with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 @@ -6619,10 +6979,10 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_keypair_from_private_key_fd( +libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_keypair_from_private_key_ce( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair) { - libcrux_ml_kem_ind_cca_unpacked_keys_from_private_key_2f(private_key, + libcrux_ml_kem_ind_cca_unpacked_keys_from_private_key_e2(private_key, key_pair); } 
@@ -6634,38 +6994,40 @@ static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_key_pair_from_private_mut( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair) { - libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_keypair_from_private_key_fd( + libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_keypair_from_private_key_ce( private_key, key_pair); } /** This function found in impl -{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} +{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.serialized_private_key_mut_11 with types +libcrux_ml_kem.ind_cca.unpacked.serialized_private_key_mut_b1 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_11_8c( +libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_b1_2f( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *self, libcrux_ml_kem_types_MlKemPrivateKey_d9 *serialized) { - libcrux_ml_kem_utils_extraction_helper_Keypair768 uu____0 = - libcrux_ml_kem_ind_cpa_serialize_unpacked_secret_key_ed( - &self->public_key.ind_cpa_public_key, - &self->private_key.ind_cpa_private_key); - uint8_t ind_cpa_private_key[1152U]; - memcpy(ind_cpa_private_key, uu____0.fst, (size_t)1152U * sizeof(uint8_t)); - uint8_t ind_cpa_public_key[1184U]; - memcpy(ind_cpa_public_key, uu____0.snd, (size_t)1184U * sizeof(uint8_t)); - libcrux_ml_kem_ind_cca_serialize_kem_secret_key_mut_d6( + uint8_t ind_cpa_private_key[1152U] = {0U}; + uint8_t ind_cpa_public_key[1184U] = {0U}; + __m256i scratch = libcrux_ml_kem_vector_avx2_ZERO_f5(); + libcrux_ml_kem_ind_cpa_serialize_unpacked_secret_key_8c( + 
&self->public_key.ind_cpa_public_key, + &self->private_key.ind_cpa_private_key, + Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t), + Eurydice_array_to_slice((size_t)1184U, ind_cpa_public_key, uint8_t), + &scratch); + libcrux_ml_kem_ind_cca_serialize_kem_secret_key_mut_1f( Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t), Eurydice_array_to_slice((size_t)1184U, ind_cpa_public_key, uint8_t), Eurydice_array_to_slice( @@ -6675,25 +7037,26 @@ libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_11_8c( /** This function found in impl -{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} +{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.serialized_private_key_11 with types +libcrux_ml_kem.ind_cca.unpacked.serialized_private_key_b1 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_types_MlKemPrivateKey_d9 -libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_11_8c( +libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_b1_2f( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *self) { libcrux_ml_kem_types_MlKemPrivateKey_d9 sk = libcrux_ml_kem_types_default_d3_28(); - libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_11_8c(self, &sk); + libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_b1_2f(self, &sk); return sk; } 
@@ -6704,7 +7067,7 @@ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_types_MlKemPrivateKey_d9 libcrux_ml_kem_mlkem768_avx2_unpacked_key_pair_serialized_private_key( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair) { - return libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_11_8c(key_pair); + return libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_b1_2f(key_pair); } /** 
@@ -6715,52 +7078,58 @@ static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_key_pair_serialized_private_key_mut( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair, libcrux_ml_kem_types_MlKemPrivateKey_d9 *serialized) { - libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_11_8c(key_pair, + libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_b1_2f(key_pair, serialized); } /** This function found in impl -{libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@1]} +{libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.serialized_dd +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.serialized_6a with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 - PUBLIC_KEY_SIZE= 1184 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_types_MlKemPublicKey_30 -libcrux_ml_kem_ind_cca_unpacked_serialized_dd_ed( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 *self) { - uint8_t ret[1184U]; - libcrux_ml_kem_ind_cpa_serialize_public_key_ed( +libcrux_ml_kem_ind_cca_unpacked_serialized_6a_ed( + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 *self) { + uint8_t public_key[1184U] = {0U}; + __m256i scratch = libcrux_ml_kem_vector_avx2_ZERO_f5(); + libcrux_ml_kem_ind_cpa_serialize_public_key_mut_ed( self->ind_cpa_public_key.t_as_ntt, Eurydice_array_to_slice((size_t)32U, self->ind_cpa_public_key.seed_for_A, uint8_t), - ret); - return libcrux_ml_kem_types_from_fd_d0(ret); + Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t), &scratch); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_public_key[1184U]; + memcpy(copy_of_public_key, public_key, (size_t)1184U * sizeof(uint8_t)); + return libcrux_ml_kem_types_from_fd_d0(copy_of_public_key); } /** This function found in impl 
-{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} +{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_11 with types +libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_b1 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 - PUBLIC_KEY_SIZE= 1184 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_types_MlKemPublicKey_30 -libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_11_ed( +libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_b1_ed( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *self) { - return libcrux_ml_kem_ind_cca_unpacked_serialized_dd_ed(&self->public_key); + return libcrux_ml_kem_ind_cca_unpacked_serialized_6a_ed(&self->public_key); } /** 
@@ -6770,51 +7139,55 @@ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_types_MlKemPublicKey_30 libcrux_ml_kem_mlkem768_avx2_unpacked_key_pair_serialized_public_key( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair) { - return libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_11_ed(key_pair); + return libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_b1_ed(key_pair); } /** This function found in impl -{libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@1]} +{libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.serialized_mut_dd +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.serialized_mut_6a with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 - PUBLIC_KEY_SIZE= 1184 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_unpacked_serialized_mut_dd_ed( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 *self, +libcrux_ml_kem_ind_cca_unpacked_serialized_mut_6a_ed( + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 *self, libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) { + __m256i scratch = libcrux_ml_kem_vector_avx2_ZERO_f5(); libcrux_ml_kem_ind_cpa_serialize_public_key_mut_ed( self->ind_cpa_public_key.t_as_ntt, Eurydice_array_to_slice((size_t)32U, self->ind_cpa_public_key.seed_for_A, uint8_t), - serialized->value); + Eurydice_array_to_slice((size_t)1184U, serialized->value, uint8_t), + &scratch); } /** This function found in impl -{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} +{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_mut_11 with types +libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_mut_b1 with types 
libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 - PUBLIC_KEY_SIZE= 1184 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_11_ed( +libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_b1_ed( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *self, libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) { - libcrux_ml_kem_ind_cca_unpacked_serialized_mut_dd_ed(&self->public_key, + libcrux_ml_kem_ind_cca_unpacked_serialized_mut_6a_ed(&self->public_key, serialized); } 
@@ -6826,25 +7199,26 @@ static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_key_pair_serialized_public_key_mut( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair, libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) { - libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_11_ed(key_pair, + libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_b1_ed(key_pair, serialized); } /** This function found in impl {core::clone::Clone for -libcrux_ml_kem::ind_cpa::unpacked::IndCpaPublicKeyUnpacked[TraitClause@0, TraitClause@2]} +libcrux_ml_kem::ind_cpa::unpacked::IndCpaPublicKeyUnpacked[TraitClause@0, TraitClause@2]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cpa.unpacked.clone_91 +A monomorphic instance of libcrux_ml_kem.ind_cpa.unpacked.clone_1c with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 -libcrux_ml_kem_ind_cpa_unpacked_clone_91_ab( - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 *self) { +static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0 +libcrux_ml_kem_ind_cpa_unpacked_clone_1c_ed( + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0 *self) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0[3U]; core_array__core__clone__Clone_for__Array_T__N___clone( (size_t)3U, self->t_as_ntt, uu____0, 
@@ -6852,39 +7226,40 @@ libcrux_ml_kem_ind_cpa_unpacked_clone_91_ab( uint8_t uu____1[32U]; core_array__core__clone__Clone_for__Array_T__N___clone( (size_t)32U, self->seed_for_A, uu____1, uint8_t, void *); - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 lit; + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0 lit; memcpy( lit.t_as_ntt, uu____0, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); memcpy(lit.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t)); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U][3U]; + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[9U]; core_array__core__clone__Clone_for__Array_T__N___clone( - (size_t)3U, self->A, ret, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U], void *); - memcpy(lit.A, ret, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U])); + (size_t)9U, self->A, ret, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6, void *); + memcpy( + lit.A, ret, + (size_t)9U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); return lit; } /** This function found in impl {core::clone::Clone for -libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@2]} +libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@2]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.clone_d7 +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.clone_86 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 -libcrux_ml_kem_ind_cca_unpacked_clone_d7_ab( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 *self) { - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 lit; +static inline libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 +libcrux_ml_kem_ind_cca_unpacked_clone_86_ed( + 
libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 *self) { + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 lit; lit.ind_cpa_public_key = - libcrux_ml_kem_ind_cpa_unpacked_clone_91_ab(&self->ind_cpa_public_key); + libcrux_ml_kem_ind_cpa_unpacked_clone_1c_ed(&self->ind_cpa_public_key); uint8_t ret[32U]; core_array__core__clone__Clone_for__Array_T__N___clone( (size_t)32U, self->public_key_hash, ret, uint8_t, void *); @@ -6894,18 +7269,19 @@ libcrux_ml_kem_ind_cca_unpacked_clone_d7_ab( /** This function found in impl -{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} +{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.public_key_11 +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.public_key_b1 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 * -libcrux_ml_kem_ind_cca_unpacked_public_key_11_ab( +static KRML_MUSTINLINE libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 * +libcrux_ml_kem_ind_cca_unpacked_public_key_b1_ed( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *self) { return &self->public_key; } 
@@ -6916,10 +7292,10 @@ libcrux_ml_kem_ind_cca_unpacked_public_key_11_ab( KRML_ATTRIBUTE_TARGET("avx2") static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_public_key( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair, - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 *pk) { - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 uu____0 = - libcrux_ml_kem_ind_cca_unpacked_clone_d7_ab( - libcrux_ml_kem_ind_cca_unpacked_public_key_11_ab(key_pair)); + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 *pk) { + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 uu____0 = + libcrux_ml_kem_ind_cca_unpacked_clone_86_ed( + libcrux_ml_kem_ind_cca_unpacked_public_key_b1_ed(key_pair)); pk[0U] = uu____0; } @@ -6928,9 +7304,9 @@ static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_public_key( */ KRML_ATTRIBUTE_TARGET("avx2") static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_serialized_public_key( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 *public_key, + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 *public_key, libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) { - libcrux_ml_kem_ind_cca_unpacked_serialized_mut_dd_ed(public_key, serialized); + libcrux_ml_kem_ind_cca_unpacked_serialized_mut_6a_ed(public_key, serialized); } /** 
@@ -6941,20 +7317,23 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.unpack_public_key with types libcrux_ml_kem_hash_functions_avx2_Simd256Hash, libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 - T_AS_NTT_ENCODED_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_fb( +libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_6d( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 *unpacked_public_key) { Eurydice_slice uu____0 = Eurydice_array_to_subslice_to((size_t)1184U, public_key->value, (size_t)1152U, uint8_t, size_t, uint8_t[]); libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_ab( - uu____0, unpacked_public_key->ind_cpa_public_key.t_as_ntt); + uu____0, Eurydice_array_to_slice( + (size_t)3U, unpacked_public_key->ind_cpa_public_key.t_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); uint8_t uu____1[32U]; libcrux_ml_kem_utils_into_padded_array_9e( Eurydice_array_to_subslice_from((size_t)1184U, public_key->value, @@ -6963,8 +7342,9 @@ libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_fb( uu____1); memcpy(unpacked_public_key->ind_cpa_public_key.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t)); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6(*uu____2)[3U] = - unpacked_public_key->ind_cpa_public_key.A; + Eurydice_slice uu____2 = Eurydice_array_to_slice( + (size_t)9U, unpacked_public_key->ind_cpa_public_key.A, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6); uint8_t ret[34U]; libcrux_ml_kem_utils_into_padded_array_b6( Eurydice_array_to_subslice_from((size_t)1184U, public_key->value, 
@@ -6972,14 +7352,12 @@ libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_fb( uint8_t[]), ret); libcrux_ml_kem_matrix_sample_matrix_A_6c(uu____2, ret, false); - uint8_t uu____3[32U]; - libcrux_ml_kem_hash_functions_avx2_H_41_e0( + libcrux_ml_kem_hash_functions_avx2_H_26( Eurydice_array_to_slice((size_t)1184U, libcrux_ml_kem_types_as_slice_e6_d0(public_key), uint8_t), - uu____3); - memcpy(unpacked_public_key->public_key_hash, uu____3, - (size_t)32U * sizeof(uint8_t)); + Eurydice_array_to_slice((size_t)32U, unpacked_public_key->public_key_hash, + uint8_t)); } /** @@ -6990,16 +7368,17 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.unpacked.unpack_public_key_avx2 with const generics - K= 3 +- K_SQUARED= 9 - T_AS_NTT_ENCODED_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 */ KRML_ATTRIBUTE_TARGET("avx2") static inline void -libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_unpack_public_key_avx2_31( +libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_unpack_public_key_avx2_a5( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 *unpacked_public_key) { - libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_fb(public_key, + libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_6d(public_key, unpacked_public_key); } 
@@ -7011,16 +7390,17 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.unpacked.unpack_public_key with const generics - K= 3 +- K_SQUARED= 9 - T_AS_NTT_ENCODED_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 */ KRML_ATTRIBUTE_TARGET("avx2") static inline void -libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_unpack_public_key_31( +libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_unpack_public_key_a5( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 *unpacked_public_key) { - libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_unpack_public_key_avx2_31( + libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_unpack_public_key_avx2_a5( public_key, unpacked_public_key); } @@ -7030,13 +7410,13 @@ libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_unpack_public_key_31( KRML_ATTRIBUTE_TARGET("avx2") static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_unpacked_public_key( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 *unpacked_public_key) { - libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_unpack_public_key_31( + libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_unpack_public_key_a5( public_key, unpacked_public_key); } -typedef libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 +typedef libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768PublicKeyUnpacked; #if defined(__cplusplus) diff --git a/libcrux-ml-kem/extracts/c_header_only/generated/libcrux_mlkem768_portable.h b/libcrux-ml-kem/extracts/c_header_only/generated/libcrux_mlkem768_portable.h index 65a88765a..571a4f839 100644 --- a/libcrux-ml-kem/extracts/c_header_only/generated/libcrux_mlkem768_portable.h +++ b/libcrux-ml-kem/extracts/c_header_only/generated/libcrux_mlkem768_portable.h 
@@ -7,8 +7,8 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ #ifndef libcrux_mlkem768_portable_H 
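Review bot: The regenerated provenance banner records `F*: unset` where the previous extraction pinned a commit (`71d8221589d4d438af3706d89cb653cf53e18aab`), so the toolchain that produced this header can no longer be fully reconstructed from the file alone, even though the Charon, Eurydice, Karamel and Libcrux pins are still present. For a verified-extraction pipeline that provenance line is the only in-band link between the shipped C and the proof toolchain, and "unset" will also make every future regeneration diff noisy on this line. If F* is genuinely not an input to the C extraction, I would rather the generator omit the line than emit a placeholder; otherwise re-run the extraction with the F* version exported so the banner reads ` * F*: <commit>` again. This is presumably a build-environment issue rather than an edit to the header itself, so the fix belongs in the extraction script.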
@@ -25,19 +25,153 @@ extern "C" { #include "libcrux_sha3_portable.h" static inline void libcrux_ml_kem_hash_functions_portable_G( - Eurydice_slice input, uint8_t ret[64U]) { - uint8_t digest[64U] = {0U}; - libcrux_sha3_portable_sha512( - Eurydice_array_to_slice((size_t)64U, digest, uint8_t), input); - memcpy(ret, digest, (size_t)64U * sizeof(uint8_t)); + Eurydice_slice input, Eurydice_slice output) { + libcrux_sha3_portable_sha512(output, input); } static inline void libcrux_ml_kem_hash_functions_portable_H( - Eurydice_slice input, uint8_t ret[32U]) { - uint8_t digest[32U] = {0U}; - libcrux_sha3_portable_sha256( - Eurydice_array_to_slice((size_t)32U, digest, uint8_t), input); - memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); + Eurydice_slice input, Eurydice_slice output) { + libcrux_sha3_portable_sha256(output, input); +} + +static inline void libcrux_ml_kem_hash_functions_portable_PRFxN( + Eurydice_slice input, Eurydice_slice outputs, size_t out_len) { + for (size_t i = (size_t)0U; i < Eurydice_slice_len(input, uint8_t[33U]); + i++) { + size_t i0 = i; + libcrux_sha3_portable_shake256( + Eurydice_slice_subslice3(outputs, i0 * out_len, + (i0 + (size_t)1U) * out_len, uint8_t *), + Eurydice_array_to_slice( + (size_t)33U, + Eurydice_slice_index(input, i0, uint8_t[33U], uint8_t(*)[33U]), + uint8_t)); + } +} + +typedef struct libcrux_ml_kem_hash_functions_portable_PortableHash_s { + libcrux_sha3_generic_keccak_KeccakState_17 shake128_state[4U]; +} libcrux_ml_kem_hash_functions_portable_PortableHash; + +static inline libcrux_ml_kem_hash_functions_portable_PortableHash +libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final( + Eurydice_slice input) { + libcrux_sha3_generic_keccak_KeccakState_17 shake128_state[4U]; + for (size_t i = (size_t)0U; i < (size_t)4U; i++) { + shake128_state[i] = libcrux_sha3_portable_incremental_shake128_init(); + } + for (size_t i = (size_t)0U; i < Eurydice_slice_len(input, uint8_t[34U]); + i++) { + size_t i0 = i; + 
libcrux_sha3_portable_incremental_shake128_absorb_final( + &shake128_state[i0], + Eurydice_array_to_slice( + (size_t)34U, + Eurydice_slice_index(input, i0, uint8_t[34U], uint8_t(*)[34U]), + uint8_t)); + } + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_sha3_generic_keccak_KeccakState_17 copy_of_shake128_state[4U]; + memcpy(copy_of_shake128_state, shake128_state, + (size_t)4U * sizeof(libcrux_sha3_generic_keccak_KeccakState_17)); + libcrux_ml_kem_hash_functions_portable_PortableHash lit; + memcpy(lit.shake128_state, copy_of_shake128_state, + (size_t)4U * sizeof(libcrux_sha3_generic_keccak_KeccakState_17)); + return lit; +} + +static inline void +libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks( + libcrux_ml_kem_hash_functions_portable_PortableHash *st, + Eurydice_slice outputs) { + for (size_t i = (size_t)0U; i < Eurydice_slice_len(outputs, uint8_t[504U]); + i++) { + size_t i0 = i; + libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks( + &st->shake128_state[i0], + Eurydice_array_to_slice( + (size_t)504U, + Eurydice_slice_index(outputs, i0, uint8_t[504U], uint8_t(*)[504U]), + uint8_t)); + } +} + +static inline void +libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block( + libcrux_ml_kem_hash_functions_portable_PortableHash *st, + Eurydice_slice outputs) { + for (size_t i = (size_t)0U; i < Eurydice_slice_len(outputs, uint8_t[168U]); + i++) { + size_t i0 = i; + libcrux_sha3_portable_incremental_shake128_squeeze_next_block( + &st->shake128_state[i0], + Eurydice_array_to_slice( + (size_t)168U, + Eurydice_slice_index(outputs, i0, uint8_t[168U], uint8_t(*)[168U]), + uint8_t)); + } +} + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} +*/ +static inline void libcrux_ml_kem_hash_functions_portable_G_6e( + Eurydice_slice input, Eurydice_slice output) { + libcrux_ml_kem_hash_functions_portable_G(input, output); +} 
+ +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} +*/ +static inline void libcrux_ml_kem_hash_functions_portable_H_6e( + Eurydice_slice input, Eurydice_slice output) { + libcrux_ml_kem_hash_functions_portable_H(input, output); +} + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} +*/ +static inline void libcrux_ml_kem_hash_functions_portable_PRFxN_6e( + Eurydice_slice input, Eurydice_slice outputs, size_t out_len) { + libcrux_ml_kem_hash_functions_portable_PRFxN(input, outputs, out_len); +} + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} +*/ +static KRML_MUSTINLINE libcrux_ml_kem_hash_functions_portable_PortableHash +libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_6e( + Eurydice_slice input) { + return libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final( + input); +} + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} +*/ +static KRML_MUSTINLINE void +libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_6e( + libcrux_ml_kem_hash_functions_portable_PortableHash *self, + Eurydice_slice output) { + libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks( + self, output); +} + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} +*/ +static KRML_MUSTINLINE void +libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_6e( + libcrux_ml_kem_hash_functions_portable_PortableHash *self, + Eurydice_slice output) { + libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block(self, + output); } static const int16_t libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[128U] = 
@@ -95,15 +229,11 @@ typedef struct libcrux_ml_kem_vector_portable_vector_type_PortableVector_s { } libcrux_ml_kem_vector_portable_vector_type_PortableVector; static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_vector_type_from_i16_array( - Eurydice_slice array) { +libcrux_ml_kem_vector_portable_vector_type_zero(void) { libcrux_ml_kem_vector_portable_vector_type_PortableVector lit; int16_t ret[16U]; - Result_0a dst; - Eurydice_slice_to_array2( - &dst, Eurydice_slice_subslice3(array, (size_t)0U, (size_t)16U, int16_t *), - Eurydice_slice, int16_t[16U], TryFromSliceError); - unwrap_26_00(dst, ret); + int16_t buf[16U] = {0U}; + libcrux_secrets_int_public_integers_classify_27_46(buf, ret); memcpy(lit.elements, ret, (size_t)16U * sizeof(int16_t)); return lit; } 
@@ -113,9 +243,29 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_from_i16_array_b8(Eurydice_slice array) { - return libcrux_ml_kem_vector_portable_vector_type_from_i16_array( - libcrux_secrets_int_classify_public_classify_ref_9b_39(array)); +libcrux_ml_kem_vector_portable_ZERO_b8(void) { + return libcrux_ml_kem_vector_portable_vector_type_zero(); +} + +static KRML_MUSTINLINE void +libcrux_ml_kem_vector_portable_vector_type_from_i16_array( + Eurydice_slice array, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + Eurydice_slice_copy( + Eurydice_array_to_slice((size_t)16U, out->elements, int16_t), + Eurydice_slice_subslice3(array, (size_t)0U, (size_t)16U, int16_t *), + int16_t); +} + +/** +This function found in impl {libcrux_ml_kem::vector::traits::Operations for +libcrux_ml_kem::vector::portable::vector_type::PortableVector} +*/ +static inline void libcrux_ml_kem_vector_portable_from_i16_array_b8( + Eurydice_slice array, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_vector_type_from_i16_array( + libcrux_secrets_int_classify_public_classify_ref_9b_39(array), out); } typedef struct int16_t_x8_s { 
@@ -129,122 +279,131 @@ typedef struct int16_t_x8_s { int16_t f7; } int16_t_x8; -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_vector_type_zero(void) { - libcrux_ml_kem_vector_portable_vector_type_PortableVector lit; - int16_t ret[16U]; - int16_t buf[16U] = {0U}; - libcrux_secrets_int_public_integers_classify_27_46(buf, ret); - memcpy(lit.elements, ret, (size_t)16U * sizeof(int16_t)); - return lit; +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_arithmetic_add( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) { + for (size_t i = (size_t)0U; + i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { + size_t i0 = i; + size_t uu____0 = i0; + lhs->elements[uu____0] = lhs->elements[uu____0] + rhs->elements[i0]; + } } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ZERO_b8(void) { - return libcrux_ml_kem_vector_portable_vector_type_zero(); +static inline void libcrux_ml_kem_vector_portable_add_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) { + libcrux_ml_kem_vector_portable_arithmetic_add(lhs, rhs); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_arithmetic_add( - libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs, +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_arithmetic_sub( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs, libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; size_t 
uu____0 = i0; - lhs.elements[uu____0] = lhs.elements[uu____0] + rhs->elements[i0]; + lhs->elements[uu____0] = lhs->elements[uu____0] - rhs->elements[i0]; } - return lhs; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_add_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs, +static inline void libcrux_ml_kem_vector_portable_sub_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs, libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) { - return libcrux_ml_kem_vector_portable_arithmetic_add(lhs, rhs); + libcrux_ml_kem_vector_portable_arithmetic_sub(lhs, rhs); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_arithmetic_sub( - libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs, - libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) { +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_arithmetic_negate( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - size_t uu____0 = i0; - lhs.elements[uu____0] = lhs.elements[uu____0] - rhs->elements[i0]; + vec->elements[i0] = -vec->elements[i0]; } - return lhs; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_sub_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs, - libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) { - return libcrux_ml_kem_vector_portable_arithmetic_sub(lhs, rhs); +static inline void 
libcrux_ml_kem_vector_portable_negate_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec) { + libcrux_ml_kem_vector_portable_arithmetic_negate(vec); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t c) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; size_t uu____0 = i0; - vec.elements[uu____0] = vec.elements[uu____0] * c; + vec->elements[uu____0] = vec->elements[uu____0] * c; } - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_multiply_by_constant_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c) { - return libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant(vec, c); +static inline void libcrux_ml_kem_vector_portable_multiply_by_constant_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t c) { + libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant(vec, c); +} + +static KRML_MUSTINLINE void +libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t c) { + for (size_t i = (size_t)0U; + i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { + size_t i0 = i; + size_t uu____0 = i0; + vec->elements[uu____0] = vec->elements[uu____0] & c; + } +} + +/** +This function found in impl {libcrux_ml_kem::vector::traits::Operations for +libcrux_ml_kem::vector::portable::vector_type::PortableVector} +*/ +static inline void 
libcrux_ml_kem_vector_portable_bitwise_and_with_constant_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t c) { + libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant(vec, c); } /** Note: This function is not secret independent Only use with public values. */ -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_arithmetic_cond_subtract_3329( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; if (libcrux_secrets_int_public_integers_declassify_d8_39( - vec.elements[i0]) >= (int16_t)3329) { + vec->elements[i0]) >= (int16_t)3329) { size_t uu____0 = i0; - vec.elements[uu____0] = vec.elements[uu____0] - (int16_t)3329; + vec->elements[uu____0] = vec->elements[uu____0] - (int16_t)3329; } } - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_cond_subtract_3329_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { - return libcrux_ml_kem_vector_portable_arithmetic_cond_subtract_3329(v); +static inline void libcrux_ml_kem_vector_portable_cond_subtract_3329_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec) { + libcrux_ml_kem_vector_portable_arithmetic_cond_subtract_3329(vec); } #define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_MULTIPLIER \ 
@@ -281,28 +440,26 @@ libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( return value - quotient * LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS; } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int16_t vi = libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( - vec.elements[i0]); - vec.elements[i0] = vi; + vec->elements[i0]); + vec->elements[i0] = vi; } - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_barrett_reduce_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vector) { - return libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce(vector); +static inline void libcrux_ml_kem_vector_portable_barrett_reduce_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec) { + libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce(vec); } #define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT (16U) 
@@ -365,41 +522,37 @@ libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( product); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_by_constant( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t c) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - vec.elements[i0] = + vec->elements[i0] = libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( - vec.elements[i0], c); + vec->elements[i0], c); } - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +static inline void libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vector, - int16_t constant) { - return libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_by_constant( - vector, libcrux_secrets_int_public_integers_classify_27_39(constant)); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t r) { + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_by_constant( + vec, libcrux_secrets_int_public_integers_classify_27_39(r)); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c) { - for (size_t i = (size_t)0U; - i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { - size_t i0 = i; - size_t uu____0 = i0; - vec.elements[uu____0] = vec.elements[uu____0] & c; - } - return vec; +/** +This function found in impl 
{core::clone::Clone for +libcrux_ml_kem::vector::portable::vector_type::PortableVector} +*/ +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_vector_type_clone_9c( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *self) { + return self[0U]; } /** @@ -407,26 +560,27 @@ A monomorphic instance of libcrux_ml_kem.vector.portable.arithmetic.shift_right with const generics - SHIFT_BY= 15 */ -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_arithmetic_shift_right_ef( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - vec.elements[i0] = vec.elements[i0] >> (uint32_t)(int32_t)15; + size_t uu____0 = i0; + vec->elements[uu____0] = vec->elements[uu____0] >> (uint32_t)(int32_t)15; } - return vec; } static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_arithmetic_to_unsigned_representative( libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { libcrux_ml_kem_vector_portable_vector_type_PortableVector t = - libcrux_ml_kem_vector_portable_arithmetic_shift_right_ef(a); - libcrux_ml_kem_vector_portable_vector_type_PortableVector fm = - libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant( - t, LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); - return libcrux_ml_kem_vector_portable_arithmetic_add(a, &fm); + libcrux_ml_kem_vector_portable_vector_type_clone_9c(&a); + libcrux_ml_kem_vector_portable_arithmetic_shift_right_ef(&t); + libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant( + &t, LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); + libcrux_ml_kem_vector_portable_arithmetic_add(&a, &t); + return a; } /** 
@@ -476,27 +630,24 @@ libcrux_ml_kem_vector_portable_compress_compress_message_coefficient( return libcrux_secrets_int_as_u8_f5(r1); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_compress_compress_1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_compress_compress_1( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - a.elements[i0] = libcrux_secrets_int_as_i16_59( + a->elements[i0] = libcrux_secrets_int_as_i16_59( libcrux_ml_kem_vector_portable_compress_compress_message_coefficient( - libcrux_secrets_int_as_u16_f5(a.elements[i0]))); + libcrux_secrets_int_as_u16_f5(a->elements[i0]))); } - return a; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_compress_1_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return libcrux_ml_kem_vector_portable_compress_compress_1(a); +static inline void libcrux_ml_kem_vector_portable_compress_1_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { + libcrux_ml_kem_vector_portable_compress_compress_1(a); } static KRML_MUSTINLINE uint32_t 
@@ -518,29 +669,6 @@ libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient( coefficient_bits, libcrux_secrets_int_as_u32_a3(compressed))); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_compress_decompress_1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - libcrux_ml_kem_vector_portable_vector_type_PortableVector z = - libcrux_ml_kem_vector_portable_vector_type_zero(); - libcrux_ml_kem_vector_portable_vector_type_PortableVector s = - libcrux_ml_kem_vector_portable_arithmetic_sub(z, &a); - libcrux_ml_kem_vector_portable_vector_type_PortableVector res = - libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant( - s, (int16_t)1665); - return res; -} - -/** -This function found in impl {libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::portable::vector_type::PortableVector} -*/ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_decompress_1_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return libcrux_ml_kem_vector_portable_compress_decompress_1(a); -} - static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_ntt_step( libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t zeta, size_t i, size_t j) { 
@@ -554,106 +682,98 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_ntt_step( vec->elements[i] = a_plus_t; } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_ntt_layer_1_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_ntt_layer_1_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)0U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta0, (size_t)0U, (size_t)2U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)1U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta0, (size_t)1U, (size_t)3U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)4U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta1, (size_t)4U, (size_t)6U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)5U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta1, (size_t)5U, (size_t)7U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta2, (size_t)8U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta2, (size_t)8U, (size_t)10U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta2, (size_t)9U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta2, (size_t)9U, (size_t)11U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta3, (size_t)12U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta3, (size_t)12U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta3, (size_t)13U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta3, (size_t)13U, (size_t)15U); - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline 
libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_layer_1_step_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0, +static inline void libcrux_ml_kem_vector_portable_ntt_layer_1_step_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { - return libcrux_ml_kem_vector_portable_ntt_ntt_layer_1_step(a, zeta0, zeta1, - zeta2, zeta3); + libcrux_ml_kem_vector_portable_ntt_ntt_layer_1_step(a, zeta0, zeta1, zeta2, + zeta3); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_ntt_layer_2_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_ntt_layer_2_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t zeta0, int16_t zeta1) { - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)0U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta0, (size_t)0U, (size_t)4U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)1U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta0, (size_t)1U, (size_t)5U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)2U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta0, (size_t)2U, (size_t)6U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)3U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta0, (size_t)3U, (size_t)7U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)8U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta1, (size_t)8U, (size_t)12U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)9U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta1, (size_t)9U, (size_t)13U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)10U, + 
libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta1, (size_t)10U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)11U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta1, (size_t)11U, (size_t)15U); - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_layer_2_step_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0, +static inline void libcrux_ml_kem_vector_portable_ntt_layer_2_step_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, int16_t zeta0, int16_t zeta1) { - return libcrux_ml_kem_vector_portable_ntt_ntt_layer_2_step(a, zeta0, zeta1); + libcrux_ml_kem_vector_portable_ntt_ntt_layer_2_step(a, zeta0, zeta1); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_ntt_layer_3_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_ntt_layer_3_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t zeta) { - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)0U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta, (size_t)0U, (size_t)8U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)1U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta, (size_t)1U, (size_t)9U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)2U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta, (size_t)2U, (size_t)10U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)3U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta, (size_t)3U, (size_t)11U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)4U, + 
libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta, (size_t)4U, (size_t)12U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)5U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta, (size_t)5U, (size_t)13U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)6U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta, (size_t)6U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)7U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta, (size_t)7U, (size_t)15U); - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_layer_3_step_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta) { - return libcrux_ml_kem_vector_portable_ntt_ntt_layer_3_step(a, zeta); +static inline void libcrux_ml_kem_vector_portable_ntt_layer_3_step_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + int16_t zeta) { + libcrux_ml_kem_vector_portable_ntt_ntt_layer_3_step(a, zeta); } static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_inv_ntt_step( 
@@ -670,107 +790,101 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_inv_ntt_step( vec->elements[j] = o1; } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_1_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)0U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta0, (size_t)0U, (size_t)2U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)1U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta0, (size_t)1U, (size_t)3U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)4U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta1, (size_t)4U, (size_t)6U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)5U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta1, (size_t)5U, (size_t)7U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta2, (size_t)8U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta2, (size_t)8U, (size_t)10U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta2, (size_t)9U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta2, (size_t)9U, (size_t)11U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta3, (size_t)12U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta3, (size_t)12U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta3, (size_t)13U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta3, (size_t)13U, (size_t)15U); - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline 
libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0, +static inline void libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { - return libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_1_step( - a, zeta0, zeta1, zeta2, zeta3); + libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_1_step(a, zeta0, zeta1, + zeta2, zeta3); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_2_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t zeta0, int16_t zeta1) { - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)0U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta0, (size_t)0U, (size_t)4U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)1U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta0, (size_t)1U, (size_t)5U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)2U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta0, (size_t)2U, (size_t)6U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)3U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta0, (size_t)3U, (size_t)7U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)8U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta1, (size_t)8U, (size_t)12U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)9U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta1, (size_t)9U, (size_t)13U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)10U, + 
libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta1, (size_t)10U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)11U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta1, (size_t)11U, (size_t)15U); - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0, +static inline void libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, int16_t zeta0, int16_t zeta1) { - return libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_2_step(a, zeta0, - zeta1); + libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_2_step(a, zeta0, zeta1); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_3_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t zeta) { - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)0U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta, (size_t)0U, (size_t)8U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)1U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta, (size_t)1U, (size_t)9U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)2U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta, (size_t)2U, (size_t)10U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)3U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta, (size_t)3U, (size_t)11U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)4U, + 
libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta, (size_t)4U, (size_t)12U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)5U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta, (size_t)5U, (size_t)13U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)6U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta, (size_t)6U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)7U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta, (size_t)7U, (size_t)15U); - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta) { - return libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_3_step(a, zeta); +static inline void libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + int16_t zeta) { + libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_3_step(a, zeta); } /** 
@@ -829,89 +943,84 @@ libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( out->elements[(size_t)2U * i + (size_t)1U] = o1; } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_ntt_multiply( +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_ntt_multiply( libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs, libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { int16_t nzeta0 = -zeta0; int16_t nzeta1 = -zeta1; int16_t nzeta2 = -zeta2; int16_t nzeta3 = -zeta3; - libcrux_ml_kem_vector_portable_vector_type_PortableVector out = - libcrux_ml_kem_vector_portable_vector_type_zero(); libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( lhs, rhs, libcrux_secrets_int_public_integers_classify_27_39(zeta0), - (size_t)0U, &out); + (size_t)0U, out); libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( lhs, rhs, libcrux_secrets_int_public_integers_classify_27_39(nzeta0), - (size_t)1U, &out); + (size_t)1U, out); libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( lhs, rhs, libcrux_secrets_int_public_integers_classify_27_39(zeta1), - (size_t)2U, &out); + (size_t)2U, out); libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( lhs, rhs, libcrux_secrets_int_public_integers_classify_27_39(nzeta1), - (size_t)3U, &out); + (size_t)3U, out); libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( lhs, rhs, libcrux_secrets_int_public_integers_classify_27_39(zeta2), - (size_t)4U, &out); + (size_t)4U, out); libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( lhs, rhs, libcrux_secrets_int_public_integers_classify_27_39(nzeta2), - (size_t)5U, &out); + (size_t)5U, out); libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( lhs, rhs, libcrux_secrets_int_public_integers_classify_27_39(zeta3), - (size_t)6U, &out); + (size_t)6U, 
out); libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( lhs, rhs, libcrux_secrets_int_public_integers_classify_27_39(nzeta3), - (size_t)7U, &out); - return out; + (size_t)7U, out); } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_multiply_b8( +static inline void libcrux_ml_kem_vector_portable_ntt_multiply_b8( libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs, libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { - return libcrux_ml_kem_vector_portable_ntt_ntt_multiply(lhs, rhs, zeta0, zeta1, - zeta2, zeta3); + libcrux_ml_kem_vector_portable_ntt_ntt_multiply(lhs, rhs, out, zeta0, zeta1, + zeta2, zeta3); } static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v, - uint8_t ret[2U]) { - uint8_t result0 = - (((((((uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[0U]) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[1U]) << 1U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[2U]) << 2U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[3U]) << 3U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[4U]) << 4U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[5U]) << 5U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[6U]) << 6U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[7U]) << 7U; - uint8_t result1 = - (((((((uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[8U]) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[9U]) << 1U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[10U]) << 2U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[11U]) << 3U) | - 
(uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[12U]) << 4U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[13U]) << 5U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[14U]) << 6U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[15U]) << 7U; - ret[0U] = result0; - ret[1U] = result1; + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, + Eurydice_slice out) { + Eurydice_slice_index(out, (size_t)0U, uint8_t, uint8_t *) = + libcrux_secrets_int_public_integers_declassify_d8_90( + (((((((uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[0U]) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[1U]) << 1U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[2U]) << 2U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[3U]) << 3U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[4U]) << 4U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[5U]) << 5U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[6U]) << 6U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[7U]) << 7U); + Eurydice_slice_index(out, (size_t)1U, uint8_t, uint8_t *) = + libcrux_secrets_int_public_integers_declassify_d8_90( + (((((((uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[8U]) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[9U]) << 1U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[10U]) << 2U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[11U]) << 3U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[12U]) << 4U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[13U]) << 5U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[14U]) << 6U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[15U]) << 7U); } static inline void libcrux_ml_kem_vector_portable_serialize_1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[2U]) { - uint8_t ret0[2U]; - libcrux_ml_kem_vector_portable_serialize_serialize_1(a, ret0); - libcrux_secrets_int_public_integers_declassify_d8_d4(ret0, 
ret); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_serialize_serialize_1(a, out); } /** 
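Review bot: Now that `libcrux_ml_kem_vector_portable_ntt_ntt_multiply` writes through a caller-supplied `out` instead of a local initialised with `libcrux_ml_kem_vector_portable_vector_type_zero()`, it silently depends on two preconditions the old signature made impossible to violate: `out` must not alias `lhs` or `rhs`, and every lane of `out` must be written. The second holds here, since the eight `ntt_multiply_binomials` calls with indices 0..7 cover `out->elements[0..16]` (the binomials body is mostly outside the hunk). The first is guaranteed only for callers compiled from the Rust source, where `&mut out` cannot coexist with `&lhs`/`&rhs`; a hand-written C caller of this extracted function gets no `restrict` hint and no check. Because this file is generated, the place to state it is the Rust source of `ntt_multiply` (not in this diff), with a doc line such as `out must not alias lhs or rhs; all 16 lanes of out are overwritten, so it needs no zeroing`.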
@@ -919,79 +1028,78 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ static inline void libcrux_ml_kem_vector_portable_serialize_1_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[2U]) { - libcrux_ml_kem_vector_portable_serialize_1(a, ret); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_serialize_1(a, out); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_serialize_deserialize_1(Eurydice_slice v) { - int16_t result0 = libcrux_secrets_int_as_i16_59( +static KRML_MUSTINLINE void +libcrux_ml_kem_vector_portable_serialize_deserialize_1( + Eurydice_slice v, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + out->elements[0U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)0U, uint8_t, uint8_t *) & 1U); - int16_t result1 = libcrux_secrets_int_as_i16_59( + out->elements[1U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)0U, uint8_t, uint8_t *) >> 1U & 1U); - int16_t result2 = libcrux_secrets_int_as_i16_59( + out->elements[2U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)0U, uint8_t, uint8_t *) >> 2U & 1U); - int16_t result3 = libcrux_secrets_int_as_i16_59( + out->elements[3U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)0U, uint8_t, uint8_t *) >> 3U & 1U); - int16_t result4 = libcrux_secrets_int_as_i16_59( + out->elements[4U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)0U, uint8_t, uint8_t *) >> 4U & 1U); - int16_t result5 = libcrux_secrets_int_as_i16_59( + out->elements[5U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)0U, uint8_t, uint8_t *) >> 5U & 1U); - int16_t result6 = libcrux_secrets_int_as_i16_59( + 
out->elements[6U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)0U, uint8_t, uint8_t *) >> 6U & 1U); - int16_t result7 = libcrux_secrets_int_as_i16_59( + out->elements[7U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)0U, uint8_t, uint8_t *) >> 7U & 1U); - int16_t result8 = libcrux_secrets_int_as_i16_59( + out->elements[8U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)1U, uint8_t, uint8_t *) & 1U); - int16_t result9 = libcrux_secrets_int_as_i16_59( + out->elements[9U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)1U, uint8_t, uint8_t *) >> 1U & 1U); - int16_t result10 = libcrux_secrets_int_as_i16_59( + out->elements[10U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)1U, uint8_t, uint8_t *) >> 2U & 1U); - int16_t result11 = libcrux_secrets_int_as_i16_59( + out->elements[11U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)1U, uint8_t, uint8_t *) >> 3U & 1U); - int16_t result12 = libcrux_secrets_int_as_i16_59( + out->elements[12U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)1U, uint8_t, uint8_t *) >> 4U & 1U); - int16_t result13 = libcrux_secrets_int_as_i16_59( + out->elements[13U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)1U, uint8_t, uint8_t *) >> 5U & 1U); - int16_t result14 = libcrux_secrets_int_as_i16_59( + out->elements[14U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)1U, uint8_t, uint8_t *) >> 6U & 1U); - int16_t result15 = libcrux_secrets_int_as_i16_59( + out->elements[15U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)1U, uint8_t, uint8_t *) >> 7U & 1U); - return ( - KRML_CLITERAL(libcrux_ml_kem_vector_portable_vector_type_PortableVector){ - .elements = {result0, result1, result2, result3, result4, result5, - result6, result7, result8, result9, result10, result11, - 
result12, result13, result14, result15}}); } -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_1(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_serialize_deserialize_1( - libcrux_secrets_int_classify_public_classify_ref_9b_90(a)); +static inline void libcrux_ml_kem_vector_portable_deserialize_1( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_serialize_deserialize_1( + libcrux_secrets_int_classify_public_classify_ref_9b_90(a), out); } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_1_b8(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_deserialize_1(a); +static inline void libcrux_ml_kem_vector_portable_deserialize_1_b8( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_deserialize_1(a, out); } typedef struct uint8_t_x4_s { 
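Review bot: The out-parameter form of `libcrux_ml_kem_vector_portable_serialize_deserialize_1` assigns `out->elements[0U]` through `out->elements[15U]` unconditionally, so `out` needs no pre-initialisation, but that contract is nowhere stated and the same shape recurs for `deserialize_4` in the hunk ending at L500 and `deserialize_10` at L505. The input slice `v` is still only read at indices 0 and 1, so its minimum-length requirement is unchanged from the old version. Since the C is generated, the note belongs on the Rust `deserialize_N` functions outside this diff, e.g. `out is fully overwritten; v must hold at least 2 bytes`.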
@@ -1024,37 +1132,42 @@ libcrux_ml_kem_vector_portable_serialize_serialize_4_int(Eurydice_slice v) { (uint32_t)libcrux_secrets_int_as_u8_f5(Eurydice_slice_index( v, (size_t)6U, int16_t, int16_t *)); return (KRML_CLITERAL(uint8_t_x4){ - .fst = result0, .snd = result1, .thd = result2, .f3 = result3}); + .fst = libcrux_secrets_int_public_integers_declassify_d8_90(result0), + .snd = libcrux_secrets_int_public_integers_declassify_d8_90(result1), + .thd = libcrux_secrets_int_public_integers_declassify_d8_90(result2), + .f3 = libcrux_secrets_int_public_integers_declassify_d8_90(result3)}); } static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_4( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v, - uint8_t ret[8U]) { - uint8_t_x4 result0_3 = - libcrux_ml_kem_vector_portable_serialize_serialize_4_int( - Eurydice_array_to_subslice3(v.elements, (size_t)0U, (size_t)8U, - int16_t *)); - uint8_t_x4 result4_7 = - libcrux_ml_kem_vector_portable_serialize_serialize_4_int( - Eurydice_array_to_subslice3(v.elements, (size_t)8U, (size_t)16U, - int16_t *)); - ret[0U] = result0_3.fst; - ret[1U] = result0_3.snd; - ret[2U] = result0_3.thd; - ret[3U] = result0_3.f3; - ret[4U] = result4_7.fst; - ret[5U] = result4_7.snd; - ret[6U] = result4_7.thd; - ret[7U] = result4_7.f3; + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, + Eurydice_slice out) { + uint8_t_x4 uu____0 = libcrux_ml_kem_vector_portable_serialize_serialize_4_int( + Eurydice_array_to_subslice3(v->elements, (size_t)0U, (size_t)8U, + int16_t *)); + uint8_t uu____1 = uu____0.snd; + uint8_t uu____2 = uu____0.thd; + uint8_t uu____3 = uu____0.f3; + Eurydice_slice_index(out, (size_t)0U, uint8_t, uint8_t *) = uu____0.fst; + Eurydice_slice_index(out, (size_t)1U, uint8_t, uint8_t *) = uu____1; + Eurydice_slice_index(out, (size_t)2U, uint8_t, uint8_t *) = uu____2; + Eurydice_slice_index(out, (size_t)3U, uint8_t, uint8_t *) = uu____3; + uint8_t_x4 uu____4 = 
libcrux_ml_kem_vector_portable_serialize_serialize_4_int( + Eurydice_array_to_subslice3(v->elements, (size_t)8U, (size_t)16U, + int16_t *)); + uint8_t uu____5 = uu____4.snd; + uint8_t uu____6 = uu____4.thd; + uint8_t uu____7 = uu____4.f3; + Eurydice_slice_index(out, (size_t)4U, uint8_t, uint8_t *) = uu____4.fst; + Eurydice_slice_index(out, (size_t)5U, uint8_t, uint8_t *) = uu____5; + Eurydice_slice_index(out, (size_t)6U, uint8_t, uint8_t *) = uu____6; + Eurydice_slice_index(out, (size_t)7U, uint8_t, uint8_t *) = uu____7; } static inline void libcrux_ml_kem_vector_portable_serialize_4( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[8U]) { - uint8_t ret0[8U]; - libcrux_ml_kem_vector_portable_serialize_serialize_4(a, ret0); - libcrux_secrets_int_public_integers_declassify_d8_76(ret0, ret); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_serialize_serialize_4(a, out); } /** @@ -1062,9 +1175,9 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ static inline void libcrux_ml_kem_vector_portable_serialize_4_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[8U]) { - libcrux_ml_kem_vector_portable_serialize_4(a, ret); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_serialize_4(a, out); } static KRML_MUSTINLINE int16_t_x8 
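Review bot: The new `Eurydice_slice out` parameter of `libcrux_ml_kem_vector_portable_serialize_serialize_4` drops the 8-byte length that the old `uint8_t ret[8U]` type carried in the signature, while the body still writes fixed offsets 0..7 through `Eurydice_slice_index`, which as far as I can tell is an unchecked index in the extracted C. The length precondition is therefore enforced only at the Rust source and its F* proof, not by anything visible here; the same applies to `serialize_1` in the hunk ending at L493 (2 bytes), `serialize_10` at L503 (20 bytes) and `serialize_12` at L509 (24 bytes). Because the file is generated, the right place for it is a precondition on the Rust `serialize_N` functions outside this diff, e.g. `out.len() >= 8: serialize_4 writes bytes 0..8 without a runtime check in the extracted C`.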
@@ -1108,32 +1221,63 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_4_int( .f7 = v7}); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_serialize_deserialize_4(Eurydice_slice bytes) { - int16_t_x8 v0_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_4_int( - Eurydice_slice_subslice3(bytes, (size_t)0U, (size_t)4U, uint8_t *)); - int16_t_x8 v8_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_4_int( - Eurydice_slice_subslice3(bytes, (size_t)4U, (size_t)8U, uint8_t *)); - return ( - KRML_CLITERAL(libcrux_ml_kem_vector_portable_vector_type_PortableVector){ - .elements = {v0_7.fst, v0_7.snd, v0_7.thd, v0_7.f3, v0_7.f4, v0_7.f5, - v0_7.f6, v0_7.f7, v8_15.fst, v8_15.snd, v8_15.thd, - v8_15.f3, v8_15.f4, v8_15.f5, v8_15.f6, v8_15.f7}}); -} - -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_4(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_serialize_deserialize_4( - libcrux_secrets_int_classify_public_classify_ref_9b_90(a)); +static KRML_MUSTINLINE void +libcrux_ml_kem_vector_portable_serialize_deserialize_4( + Eurydice_slice bytes, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + int16_t_x8 uu____0 = + libcrux_ml_kem_vector_portable_serialize_deserialize_4_int( + Eurydice_slice_subslice3(bytes, (size_t)0U, (size_t)4U, uint8_t *)); + int16_t uu____1 = uu____0.snd; + int16_t uu____2 = uu____0.thd; + int16_t uu____3 = uu____0.f3; + int16_t uu____4 = uu____0.f4; + int16_t uu____5 = uu____0.f5; + int16_t uu____6 = uu____0.f6; + int16_t uu____7 = uu____0.f7; + out->elements[0U] = uu____0.fst; + out->elements[1U] = uu____1; + out->elements[2U] = uu____2; + out->elements[3U] = uu____3; + out->elements[4U] = uu____4; + out->elements[5U] = uu____5; + out->elements[6U] = uu____6; + out->elements[7U] = uu____7; + int16_t_x8 uu____8 = + libcrux_ml_kem_vector_portable_serialize_deserialize_4_int( + 
Eurydice_slice_subslice3(bytes, (size_t)4U, (size_t)8U, uint8_t *)); + int16_t uu____9 = uu____8.snd; + int16_t uu____10 = uu____8.thd; + int16_t uu____11 = uu____8.f3; + int16_t uu____12 = uu____8.f4; + int16_t uu____13 = uu____8.f5; + int16_t uu____14 = uu____8.f6; + int16_t uu____15 = uu____8.f7; + out->elements[8U] = uu____8.fst; + out->elements[9U] = uu____9; + out->elements[10U] = uu____10; + out->elements[11U] = uu____11; + out->elements[12U] = uu____12; + out->elements[13U] = uu____13; + out->elements[14U] = uu____14; + out->elements[15U] = uu____15; +} + +static inline void libcrux_ml_kem_vector_portable_deserialize_4( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_serialize_deserialize_4( + libcrux_secrets_int_classify_public_classify_ref_9b_90(a), out); } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_4_b8(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_deserialize_4(a); +static inline void libcrux_ml_kem_vector_portable_deserialize_4_b8( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_deserialize_4(a, out); } typedef struct uint8_t_x5_s { 
@@ -1173,53 +1317,75 @@ libcrux_ml_kem_vector_portable_serialize_serialize_10_int(Eurydice_slice v) { Eurydice_slice_index(v, (size_t)3U, int16_t, int16_t *) >> 2U & (int16_t)255); return (KRML_CLITERAL(uint8_t_x5){ - .fst = r0, .snd = r1, .thd = r2, .f3 = r3, .f4 = r4}); + .fst = libcrux_secrets_int_public_integers_declassify_d8_90(r0), + .snd = libcrux_secrets_int_public_integers_declassify_d8_90(r1), + .thd = libcrux_secrets_int_public_integers_declassify_d8_90(r2), + .f3 = libcrux_secrets_int_public_integers_declassify_d8_90(r3), + .f4 = libcrux_secrets_int_public_integers_declassify_d8_90(r4)}); } static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_10( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v, - uint8_t ret[20U]) { - uint8_t_x5 r0_4 = libcrux_ml_kem_vector_portable_serialize_serialize_10_int( - Eurydice_array_to_subslice3(v.elements, (size_t)0U, (size_t)4U, - int16_t *)); - uint8_t_x5 r5_9 = libcrux_ml_kem_vector_portable_serialize_serialize_10_int( - Eurydice_array_to_subslice3(v.elements, (size_t)4U, (size_t)8U, - int16_t *)); - uint8_t_x5 r10_14 = libcrux_ml_kem_vector_portable_serialize_serialize_10_int( - Eurydice_array_to_subslice3(v.elements, (size_t)8U, (size_t)12U, - int16_t *)); - uint8_t_x5 r15_19 = libcrux_ml_kem_vector_portable_serialize_serialize_10_int( - Eurydice_array_to_subslice3(v.elements, (size_t)12U, (size_t)16U, - int16_t *)); - ret[0U] = r0_4.fst; - ret[1U] = r0_4.snd; - ret[2U] = r0_4.thd; - ret[3U] = r0_4.f3; - ret[4U] = r0_4.f4; - ret[5U] = r5_9.fst; - ret[6U] = r5_9.snd; - ret[7U] = r5_9.thd; - ret[8U] = r5_9.f3; - ret[9U] = r5_9.f4; - ret[10U] = r10_14.fst; - ret[11U] = r10_14.snd; - ret[12U] = r10_14.thd; - ret[13U] = r10_14.f3; - ret[14U] = r10_14.f4; - ret[15U] = r15_19.fst; - ret[16U] = r15_19.snd; - ret[17U] = r15_19.thd; - ret[18U] = r15_19.f3; - ret[19U] = r15_19.f4; + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, + Eurydice_slice out) { + uint8_t_x5 uu____0 = + 
libcrux_ml_kem_vector_portable_serialize_serialize_10_int( + Eurydice_array_to_subslice3(v->elements, (size_t)0U, (size_t)4U, + int16_t *)); + uint8_t uu____1 = uu____0.snd; + uint8_t uu____2 = uu____0.thd; + uint8_t uu____3 = uu____0.f3; + uint8_t uu____4 = uu____0.f4; + Eurydice_slice_index(out, (size_t)0U, uint8_t, uint8_t *) = uu____0.fst; + Eurydice_slice_index(out, (size_t)1U, uint8_t, uint8_t *) = uu____1; + Eurydice_slice_index(out, (size_t)2U, uint8_t, uint8_t *) = uu____2; + Eurydice_slice_index(out, (size_t)3U, uint8_t, uint8_t *) = uu____3; + Eurydice_slice_index(out, (size_t)4U, uint8_t, uint8_t *) = uu____4; + uint8_t_x5 uu____5 = + libcrux_ml_kem_vector_portable_serialize_serialize_10_int( + Eurydice_array_to_subslice3(v->elements, (size_t)4U, (size_t)8U, + int16_t *)); + uint8_t uu____6 = uu____5.snd; + uint8_t uu____7 = uu____5.thd; + uint8_t uu____8 = uu____5.f3; + uint8_t uu____9 = uu____5.f4; + Eurydice_slice_index(out, (size_t)5U, uint8_t, uint8_t *) = uu____5.fst; + Eurydice_slice_index(out, (size_t)6U, uint8_t, uint8_t *) = uu____6; + Eurydice_slice_index(out, (size_t)7U, uint8_t, uint8_t *) = uu____7; + Eurydice_slice_index(out, (size_t)8U, uint8_t, uint8_t *) = uu____8; + Eurydice_slice_index(out, (size_t)9U, uint8_t, uint8_t *) = uu____9; + uint8_t_x5 uu____10 = + libcrux_ml_kem_vector_portable_serialize_serialize_10_int( + Eurydice_array_to_subslice3(v->elements, (size_t)8U, (size_t)12U, + int16_t *)); + uint8_t uu____11 = uu____10.snd; + uint8_t uu____12 = uu____10.thd; + uint8_t uu____13 = uu____10.f3; + uint8_t uu____14 = uu____10.f4; + Eurydice_slice_index(out, (size_t)10U, uint8_t, uint8_t *) = uu____10.fst; + Eurydice_slice_index(out, (size_t)11U, uint8_t, uint8_t *) = uu____11; + Eurydice_slice_index(out, (size_t)12U, uint8_t, uint8_t *) = uu____12; + Eurydice_slice_index(out, (size_t)13U, uint8_t, uint8_t *) = uu____13; + Eurydice_slice_index(out, (size_t)14U, uint8_t, uint8_t *) = uu____14; + uint8_t_x5 uu____15 = + 
libcrux_ml_kem_vector_portable_serialize_serialize_10_int( + Eurydice_array_to_subslice3(v->elements, (size_t)12U, (size_t)16U, + int16_t *)); + uint8_t uu____16 = uu____15.snd; + uint8_t uu____17 = uu____15.thd; + uint8_t uu____18 = uu____15.f3; + uint8_t uu____19 = uu____15.f4; + Eurydice_slice_index(out, (size_t)15U, uint8_t, uint8_t *) = uu____15.fst; + Eurydice_slice_index(out, (size_t)16U, uint8_t, uint8_t *) = uu____16; + Eurydice_slice_index(out, (size_t)17U, uint8_t, uint8_t *) = uu____17; + Eurydice_slice_index(out, (size_t)18U, uint8_t, uint8_t *) = uu____18; + Eurydice_slice_index(out, (size_t)19U, uint8_t, uint8_t *) = uu____19; } static inline void libcrux_ml_kem_vector_portable_serialize_10( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[20U]) { - uint8_t ret0[20U]; - libcrux_ml_kem_vector_portable_serialize_serialize_10(a, ret0); - libcrux_secrets_int_public_integers_declassify_d8_57(ret0, ret); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_serialize_serialize_10(a, out); } /** @@ -1227,9 +1393,9 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ static inline void libcrux_ml_kem_vector_portable_serialize_10_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[20U]) { - libcrux_ml_kem_vector_portable_serialize_10(a, ret); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_serialize_10(a, out); } static KRML_MUSTINLINE int16_t_x8 
@@ -1307,33 +1473,63 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_10_int( .f7 = r7}); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_serialize_deserialize_10(Eurydice_slice bytes) { - int16_t_x8 v0_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_10_int( - Eurydice_slice_subslice3(bytes, (size_t)0U, (size_t)10U, uint8_t *)); - int16_t_x8 v8_15 = +static KRML_MUSTINLINE void +libcrux_ml_kem_vector_portable_serialize_deserialize_10( + Eurydice_slice bytes, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + int16_t_x8 uu____0 = + libcrux_ml_kem_vector_portable_serialize_deserialize_10_int( + Eurydice_slice_subslice3(bytes, (size_t)0U, (size_t)10U, uint8_t *)); + int16_t uu____1 = uu____0.snd; + int16_t uu____2 = uu____0.thd; + int16_t uu____3 = uu____0.f3; + int16_t uu____4 = uu____0.f4; + int16_t uu____5 = uu____0.f5; + int16_t uu____6 = uu____0.f6; + int16_t uu____7 = uu____0.f7; + out->elements[0U] = uu____0.fst; + out->elements[1U] = uu____1; + out->elements[2U] = uu____2; + out->elements[3U] = uu____3; + out->elements[4U] = uu____4; + out->elements[5U] = uu____5; + out->elements[6U] = uu____6; + out->elements[7U] = uu____7; + int16_t_x8 uu____8 = libcrux_ml_kem_vector_portable_serialize_deserialize_10_int( Eurydice_slice_subslice3(bytes, (size_t)10U, (size_t)20U, uint8_t *)); - return ( - KRML_CLITERAL(libcrux_ml_kem_vector_portable_vector_type_PortableVector){ - .elements = {v0_7.fst, v0_7.snd, v0_7.thd, v0_7.f3, v0_7.f4, v0_7.f5, - v0_7.f6, v0_7.f7, v8_15.fst, v8_15.snd, v8_15.thd, - v8_15.f3, v8_15.f4, v8_15.f5, v8_15.f6, v8_15.f7}}); -} - -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_10(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_serialize_deserialize_10( - libcrux_secrets_int_classify_public_classify_ref_9b_90(a)); + int16_t uu____9 = uu____8.snd; + int16_t uu____10 = 
uu____8.thd; + int16_t uu____11 = uu____8.f3; + int16_t uu____12 = uu____8.f4; + int16_t uu____13 = uu____8.f5; + int16_t uu____14 = uu____8.f6; + int16_t uu____15 = uu____8.f7; + out->elements[8U] = uu____8.fst; + out->elements[9U] = uu____9; + out->elements[10U] = uu____10; + out->elements[11U] = uu____11; + out->elements[12U] = uu____12; + out->elements[13U] = uu____13; + out->elements[14U] = uu____14; + out->elements[15U] = uu____15; +} + +static inline void libcrux_ml_kem_vector_portable_deserialize_10( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_serialize_deserialize_10( + libcrux_secrets_int_classify_public_classify_ref_9b_90(a), out); } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_10_b8(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_deserialize_10(a); +static inline void libcrux_ml_kem_vector_portable_deserialize_10_b8( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_deserialize_10(a, out); } typedef struct uint8_t_x3_s { 
@@ -1353,79 +1549,104 @@ libcrux_ml_kem_vector_portable_serialize_serialize_12_int(Eurydice_slice v) { uint8_t r2 = libcrux_secrets_int_as_u8_f5( Eurydice_slice_index(v, (size_t)1U, int16_t, int16_t *) >> 4U & (int16_t)255); - return (KRML_CLITERAL(uint8_t_x3){.fst = r0, .snd = r1, .thd = r2}); + return (KRML_CLITERAL(uint8_t_x3){ + .fst = libcrux_secrets_int_public_integers_declassify_d8_90(r0), + .snd = libcrux_secrets_int_public_integers_declassify_d8_90(r1), + .thd = libcrux_secrets_int_public_integers_declassify_d8_90(r2)}); } static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_12( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v, - uint8_t ret[24U]) { - uint8_t_x3 r0_2 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice3(v.elements, (size_t)0U, (size_t)2U, - int16_t *)); - uint8_t_x3 r3_5 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice3(v.elements, (size_t)2U, (size_t)4U, - int16_t *)); - uint8_t_x3 r6_8 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice3(v.elements, (size_t)4U, (size_t)6U, - int16_t *)); - uint8_t_x3 r9_11 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice3(v.elements, (size_t)6U, (size_t)8U, - int16_t *)); - uint8_t_x3 r12_14 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice3(v.elements, (size_t)8U, (size_t)10U, - int16_t *)); - uint8_t_x3 r15_17 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice3(v.elements, (size_t)10U, (size_t)12U, - int16_t *)); - uint8_t_x3 r18_20 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice3(v.elements, (size_t)12U, (size_t)14U, - int16_t *)); - uint8_t_x3 r21_23 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice3(v.elements, (size_t)14U, (size_t)16U, - int16_t 
*)); - ret[0U] = r0_2.fst; - ret[1U] = r0_2.snd; - ret[2U] = r0_2.thd; - ret[3U] = r3_5.fst; - ret[4U] = r3_5.snd; - ret[5U] = r3_5.thd; - ret[6U] = r6_8.fst; - ret[7U] = r6_8.snd; - ret[8U] = r6_8.thd; - ret[9U] = r9_11.fst; - ret[10U] = r9_11.snd; - ret[11U] = r9_11.thd; - ret[12U] = r12_14.fst; - ret[13U] = r12_14.snd; - ret[14U] = r12_14.thd; - ret[15U] = r15_17.fst; - ret[16U] = r15_17.snd; - ret[17U] = r15_17.thd; - ret[18U] = r18_20.fst; - ret[19U] = r18_20.snd; - ret[20U] = r18_20.thd; - ret[21U] = r21_23.fst; - ret[22U] = r21_23.snd; - ret[23U] = r21_23.thd; -} - -static inline void libcrux_ml_kem_vector_portable_serialize_12( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[24U]) { - uint8_t ret0[24U]; - libcrux_ml_kem_vector_portable_serialize_serialize_12(a, ret0); - libcrux_secrets_int_public_integers_declassify_d8_d2(ret0, ret); -} - -/** -This function found in impl {libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::portable::vector_type::PortableVector} + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, + Eurydice_slice out) { + uint8_t_x3 uu____0 = + libcrux_ml_kem_vector_portable_serialize_serialize_12_int( + Eurydice_array_to_subslice3(v->elements, (size_t)0U, (size_t)2U, + int16_t *)); + uint8_t uu____1 = uu____0.snd; + uint8_t uu____2 = uu____0.thd; + Eurydice_slice_index(out, (size_t)0U, uint8_t, uint8_t *) = uu____0.fst; + Eurydice_slice_index(out, (size_t)1U, uint8_t, uint8_t *) = uu____1; + Eurydice_slice_index(out, (size_t)2U, uint8_t, uint8_t *) = uu____2; + uint8_t_x3 uu____3 = + libcrux_ml_kem_vector_portable_serialize_serialize_12_int( + Eurydice_array_to_subslice3(v->elements, (size_t)2U, (size_t)4U, + int16_t *)); + uint8_t uu____4 = uu____3.snd; + uint8_t uu____5 = uu____3.thd; + Eurydice_slice_index(out, (size_t)3U, uint8_t, uint8_t *) = uu____3.fst; + Eurydice_slice_index(out, (size_t)4U, uint8_t, uint8_t *) = uu____4; + Eurydice_slice_index(out, (size_t)5U, uint8_t, 
uint8_t *) = uu____5; + uint8_t_x3 uu____6 = + libcrux_ml_kem_vector_portable_serialize_serialize_12_int( + Eurydice_array_to_subslice3(v->elements, (size_t)4U, (size_t)6U, + int16_t *)); + uint8_t uu____7 = uu____6.snd; + uint8_t uu____8 = uu____6.thd; + Eurydice_slice_index(out, (size_t)6U, uint8_t, uint8_t *) = uu____6.fst; + Eurydice_slice_index(out, (size_t)7U, uint8_t, uint8_t *) = uu____7; + Eurydice_slice_index(out, (size_t)8U, uint8_t, uint8_t *) = uu____8; + uint8_t_x3 uu____9 = + libcrux_ml_kem_vector_portable_serialize_serialize_12_int( + Eurydice_array_to_subslice3(v->elements, (size_t)6U, (size_t)8U, + int16_t *)); + uint8_t uu____10 = uu____9.snd; + uint8_t uu____11 = uu____9.thd; + Eurydice_slice_index(out, (size_t)9U, uint8_t, uint8_t *) = uu____9.fst; + Eurydice_slice_index(out, (size_t)10U, uint8_t, uint8_t *) = uu____10; + Eurydice_slice_index(out, (size_t)11U, uint8_t, uint8_t *) = uu____11; + uint8_t_x3 uu____12 = + libcrux_ml_kem_vector_portable_serialize_serialize_12_int( + Eurydice_array_to_subslice3(v->elements, (size_t)8U, (size_t)10U, + int16_t *)); + uint8_t uu____13 = uu____12.snd; + uint8_t uu____14 = uu____12.thd; + Eurydice_slice_index(out, (size_t)12U, uint8_t, uint8_t *) = uu____12.fst; + Eurydice_slice_index(out, (size_t)13U, uint8_t, uint8_t *) = uu____13; + Eurydice_slice_index(out, (size_t)14U, uint8_t, uint8_t *) = uu____14; + uint8_t_x3 uu____15 = + libcrux_ml_kem_vector_portable_serialize_serialize_12_int( + Eurydice_array_to_subslice3(v->elements, (size_t)10U, (size_t)12U, + int16_t *)); + uint8_t uu____16 = uu____15.snd; + uint8_t uu____17 = uu____15.thd; + Eurydice_slice_index(out, (size_t)15U, uint8_t, uint8_t *) = uu____15.fst; + Eurydice_slice_index(out, (size_t)16U, uint8_t, uint8_t *) = uu____16; + Eurydice_slice_index(out, (size_t)17U, uint8_t, uint8_t *) = uu____17; + uint8_t_x3 uu____18 = + libcrux_ml_kem_vector_portable_serialize_serialize_12_int( + Eurydice_array_to_subslice3(v->elements, (size_t)12U, 
(size_t)14U, + int16_t *)); + uint8_t uu____19 = uu____18.snd; + uint8_t uu____20 = uu____18.thd; + Eurydice_slice_index(out, (size_t)18U, uint8_t, uint8_t *) = uu____18.fst; + Eurydice_slice_index(out, (size_t)19U, uint8_t, uint8_t *) = uu____19; + Eurydice_slice_index(out, (size_t)20U, uint8_t, uint8_t *) = uu____20; + uint8_t_x3 uu____21 = + libcrux_ml_kem_vector_portable_serialize_serialize_12_int( + Eurydice_array_to_subslice3(v->elements, (size_t)14U, (size_t)16U, + int16_t *)); + uint8_t uu____22 = uu____21.snd; + uint8_t uu____23 = uu____21.thd; + Eurydice_slice_index(out, (size_t)21U, uint8_t, uint8_t *) = uu____21.fst; + Eurydice_slice_index(out, (size_t)22U, uint8_t, uint8_t *) = uu____22; + Eurydice_slice_index(out, (size_t)23U, uint8_t, uint8_t *) = uu____23; +} + +static inline void libcrux_ml_kem_vector_portable_serialize_12( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_serialize_serialize_12(a, out); +} + +/** +This function found in impl {libcrux_ml_kem::vector::traits::Operations for +libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ static inline void libcrux_ml_kem_vector_portable_serialize_12_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[24U]) { - libcrux_ml_kem_vector_portable_serialize_12(a, ret); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_serialize_12(a, out); } typedef struct int16_t_x2_s { 
@@ -1447,48 +1668,75 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( return (KRML_CLITERAL(int16_t_x2){.fst = r0, .snd = r1}); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_serialize_deserialize_12(Eurydice_slice bytes) { - int16_t_x2 v0_1 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice3(bytes, (size_t)0U, (size_t)3U, uint8_t *)); - int16_t_x2 v2_3 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice3(bytes, (size_t)3U, (size_t)6U, uint8_t *)); - int16_t_x2 v4_5 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice3(bytes, (size_t)6U, (size_t)9U, uint8_t *)); - int16_t_x2 v6_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice3(bytes, (size_t)9U, (size_t)12U, uint8_t *)); - int16_t_x2 v8_9 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice3(bytes, (size_t)12U, (size_t)15U, uint8_t *)); - int16_t_x2 v10_11 = +static KRML_MUSTINLINE void +libcrux_ml_kem_vector_portable_serialize_deserialize_12( + Eurydice_slice bytes, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + int16_t_x2 uu____0 = + libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( + Eurydice_slice_subslice3(bytes, (size_t)0U, (size_t)3U, uint8_t *)); + int16_t uu____1 = uu____0.snd; + out->elements[0U] = uu____0.fst; + out->elements[1U] = uu____1; + int16_t_x2 uu____2 = + libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( + Eurydice_slice_subslice3(bytes, (size_t)3U, (size_t)6U, uint8_t *)); + int16_t uu____3 = uu____2.snd; + out->elements[2U] = uu____2.fst; + out->elements[3U] = uu____3; + int16_t_x2 uu____4 = + libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( + Eurydice_slice_subslice3(bytes, (size_t)6U, (size_t)9U, uint8_t *)); + int16_t uu____5 = uu____4.snd; + out->elements[4U] = 
uu____4.fst; + out->elements[5U] = uu____5; + int16_t_x2 uu____6 = + libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( + Eurydice_slice_subslice3(bytes, (size_t)9U, (size_t)12U, uint8_t *)); + int16_t uu____7 = uu____6.snd; + out->elements[6U] = uu____6.fst; + out->elements[7U] = uu____7; + int16_t_x2 uu____8 = + libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( + Eurydice_slice_subslice3(bytes, (size_t)12U, (size_t)15U, uint8_t *)); + int16_t uu____9 = uu____8.snd; + out->elements[8U] = uu____8.fst; + out->elements[9U] = uu____9; + int16_t_x2 uu____10 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( Eurydice_slice_subslice3(bytes, (size_t)15U, (size_t)18U, uint8_t *)); - int16_t_x2 v12_13 = + int16_t uu____11 = uu____10.snd; + out->elements[10U] = uu____10.fst; + out->elements[11U] = uu____11; + int16_t_x2 uu____12 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( Eurydice_slice_subslice3(bytes, (size_t)18U, (size_t)21U, uint8_t *)); - int16_t_x2 v14_15 = + int16_t uu____13 = uu____12.snd; + out->elements[12U] = uu____12.fst; + out->elements[13U] = uu____13; + int16_t_x2 uu____14 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( Eurydice_slice_subslice3(bytes, (size_t)21U, (size_t)24U, uint8_t *)); - return ( - KRML_CLITERAL(libcrux_ml_kem_vector_portable_vector_type_PortableVector){ - .elements = {v0_1.fst, v0_1.snd, v2_3.fst, v2_3.snd, v4_5.fst, - v4_5.snd, v6_7.fst, v6_7.snd, v8_9.fst, v8_9.snd, - v10_11.fst, v10_11.snd, v12_13.fst, v12_13.snd, - v14_15.fst, v14_15.snd}}); + int16_t uu____15 = uu____14.snd; + out->elements[14U] = uu____14.fst; + out->elements[15U] = uu____15; } -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_12(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_serialize_deserialize_12( - libcrux_secrets_int_classify_public_classify_ref_9b_90(a)); +static inline void 
libcrux_ml_kem_vector_portable_deserialize_12( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_serialize_deserialize_12( + libcrux_secrets_int_classify_public_classify_ref_9b_90(a), out); } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_12_b8(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_deserialize_12(a); +static inline void libcrux_ml_kem_vector_portable_deserialize_12_b8( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_deserialize_12(a, out); } static KRML_MUSTINLINE size_t @@ -1498,8 +1746,8 @@ libcrux_ml_kem_vector_portable_sampling_rej_sample(Eurydice_slice a, for (size_t i = (size_t)0U; i < Eurydice_slice_len(a, uint8_t) / (size_t)3U; i++) { size_t i0 = i; - int16_t b1 = (int16_t)Eurydice_slice_index(a, i0 * (size_t)3U + (size_t)0U, - uint8_t, uint8_t *); + int16_t b1 = + (int16_t)Eurydice_slice_index(a, i0 * (size_t)3U, uint8_t, uint8_t *); int16_t b2 = (int16_t)Eurydice_slice_index(a, i0 * (size_t)3U + (size_t)1U, uint8_t, uint8_t *); int16_t b3 = (int16_t)Eurydice_slice_index(a, i0 * (size_t)3U + (size_t)2U, 
@@ -1584,10 +1832,19 @@ typedef libcrux_ml_kem_types_MlKemPrivateKey_d9 typedef libcrux_ml_kem_types_MlKemPublicKey_30 libcrux_ml_kem_mlkem768_MlKem768PublicKey; +#define LIBCRUX_ML_KEM_MLKEM768_PRF_OUTPUT_SIZE1 \ + (LIBCRUX_ML_KEM_MLKEM768_ETA1_RANDOMNESS_SIZE * LIBCRUX_ML_KEM_MLKEM768_RANK) + +#define LIBCRUX_ML_KEM_MLKEM768_PRF_OUTPUT_SIZE2 \ + (LIBCRUX_ML_KEM_MLKEM768_ETA2_RANDOMNESS_SIZE * LIBCRUX_ML_KEM_MLKEM768_RANK) + #define LIBCRUX_ML_KEM_MLKEM768_RANKED_BYTES_PER_RING_ELEMENT \ (LIBCRUX_ML_KEM_MLKEM768_RANK * \ LIBCRUX_ML_KEM_CONSTANTS_BITS_PER_RING_ELEMENT / (size_t)8U) +#define LIBCRUX_ML_KEM_MLKEM768_RANK_SQUARED \ + (LIBCRUX_ML_KEM_MLKEM768_RANK * LIBCRUX_ML_KEM_MLKEM768_RANK) + #define LIBCRUX_ML_KEM_MLKEM768_SECRET_KEY_SIZE \ (LIBCRUX_ML_KEM_MLKEM768_CPA_PKE_SECRET_KEY_SIZE + \ LIBCRUX_ML_KEM_MLKEM768_CPA_PKE_PUBLIC_KEY_SIZE + \ @@ -1603,16 +1860,6 @@ typedef struct libcrux_ml_kem_polynomial_PolynomialRingElement_1d_s { libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficients[16U]; } libcrux_ml_kem_polynomial_PolynomialRingElement_1d; -/** -A monomorphic instance of -libcrux_ml_kem.ind_cpa.unpacked.IndCpaPrivateKeyUnpacked with types -libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics -- $3size_t -*/ -typedef struct libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0_s { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d secret_as_ntt[3U]; -} libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0; - /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, @@ -1625,7 +1872,7 @@ with const generics */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_polynomial_ZERO_d6_ea(void) { +libcrux_ml_kem_polynomial_ZERO_d6_df(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d lit; libcrux_ml_kem_vector_portable_vector_type_PortableVector repeat_expression[16U]; 
@@ -1638,6 +1885,16 @@ libcrux_ml_kem_polynomial_ZERO_d6_ea(void) { return lit; } +/** +A monomorphic instance of +libcrux_ml_kem.ind_cpa.unpacked.IndCpaPrivateKeyUnpacked with types +libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics +- $3size_t +*/ +typedef struct libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0_s { + libcrux_ml_kem_polynomial_PolynomialRingElement_1d secret_as_ntt[3U]; +} libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0; + /** This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, @@ -1657,7 +1914,7 @@ with const generics */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d libcrux_ml_kem_ind_cpa_decrypt_call_mut_0b_42(void **_, size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_ea(); + return libcrux_ml_kem_polynomial_ZERO_d6_df(); } /** 
@@ -1666,22 +1923,19 @@ libcrux_ml_kem.serialize.deserialize_to_uncompressed_ring_element with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_ea( - Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = - libcrux_ml_kem_polynomial_ZERO_d6_ea(); +static KRML_MUSTINLINE void +libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_df( + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice3(serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t *); - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_deserialize_12_b8(bytes); - re.coefficients[i0] = uu____0; + libcrux_ml_kem_vector_portable_deserialize_12_b8(bytes, + &re->coefficients[i0]); } - return re; } /** 
@@ -1694,41 +1948,42 @@ with const generics - K= 3 */ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_deserialize_vector_1b( - Eurydice_slice secret_key, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *secret_as_ntt) { + Eurydice_slice secret_key, Eurydice_slice secret_as_ntt) { for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = - libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_ea( - Eurydice_slice_subslice3( - secret_key, - i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - (i0 + (size_t)1U) * - LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t *)); - secret_as_ntt[i0] = uu____0; + libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_df( + Eurydice_slice_subslice3( + secret_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + uint8_t *), + &Eurydice_slice_index( + secret_as_ntt, i0, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *)); } } /** This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]> for -libcrux_ml_kem::ind_cpa::deserialize_then_decompress_u::closure[TraitClause@0, TraitClause@1]} +TraitClause@1]> for libcrux_ml_kem::ind_cpa::decrypt_unpacked::closure[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of -libcrux_ml_kem.ind_cpa.deserialize_then_decompress_u.call_mut_35 with types -libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics +A monomorphic instance of libcrux_ml_kem.ind_cpa.decrypt_unpacked.call_mut_68 +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector +with const generics - K= 3 - CIPHERTEXT_SIZE= 1088 +- VECTOR_U_ENCODED_SIZE= 960 - U_COMPRESSION_FACTOR= 10 +- V_COMPRESSION_FACTOR= 4 */ static inline 
libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_call_mut_35_6c( - void **_, size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_ea(); +libcrux_ml_kem_ind_cpa_decrypt_unpacked_call_mut_68_42(void **_, + size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_df(); } /** @@ -1737,22 +1992,21 @@ libcrux_ml_kem.vector.portable.compress.decompress_ciphertext_coefficient with const generics - COEFFICIENT_BITS= 10 */ -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_ef( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int32_t decompressed = - libcrux_secrets_int_as_i32_f5(a.elements[i0]) * + libcrux_secrets_int_as_i32_f5(a->elements[i0]) * libcrux_secrets_int_as_i32_f5( libcrux_secrets_int_public_integers_classify_27_39( LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS)); decompressed = (decompressed << 1U) + ((int32_t)1 << (uint32_t)(int32_t)10); decompressed = decompressed >> (uint32_t)((int32_t)10 + (int32_t)1); - a.elements[i0] = libcrux_secrets_int_as_i16_36(decompressed); + a->elements[i0] = libcrux_secrets_int_as_i16_36(decompressed); } - return a; } /** 
@@ -1765,10 +2019,10 @@ libcrux_ml_kem.vector.portable.decompress_ciphertext_coefficient_b8 with const generics - COEFFICIENT_BITS= 10 */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +static inline void libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_b8_ef( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_ef( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { + libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_ef( a); } @@ -1778,25 +2032,21 @@ libcrux_ml_kem.serialize.deserialize_then_decompress_10 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_serialize_deserialize_then_decompress_10_ea( - Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = - libcrux_ml_kem_polynomial_ZERO_d6_ea(); +static KRML_MUSTINLINE void +libcrux_ml_kem_serialize_deserialize_then_decompress_10_df( + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)20U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice3(serialized, i0 * (size_t)20U, i0 * (size_t)20U + (size_t)20U, uint8_t *); - libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - libcrux_ml_kem_vector_portable_deserialize_10_b8(bytes); - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_b8_ef( - coefficient); - re.coefficients[i0] = uu____0; + libcrux_ml_kem_vector_portable_deserialize_10_b8(bytes, + &re->coefficients[i0]); + libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_b8_ef( + &re->coefficients[i0]); } - return re; } /** 
@@ -1805,16 +2055,25 @@ libcrux_ml_kem.serialize.deserialize_then_decompress_ring_element_u with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - COMPRESSION_FACTOR= 10 */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d +static KRML_MUSTINLINE void libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_u_0a( - Eurydice_slice serialized) { - return libcrux_ml_kem_serialize_deserialize_then_decompress_10_ea(serialized); + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *output) { + libcrux_ml_kem_serialize_deserialize_then_decompress_10_df(serialized, + output); } -typedef struct libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2_s { - libcrux_ml_kem_vector_portable_vector_type_PortableVector fst; - libcrux_ml_kem_vector_portable_vector_type_PortableVector snd; -} libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2; +/** +A monomorphic instance of libcrux_ml_kem.vector.traits.montgomery_multiply_fe +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector +with const generics + +*/ +static KRML_MUSTINLINE void +libcrux_ml_kem_vector_traits_montgomery_multiply_fe_df( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, int16_t fer) { + libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8(v, fer); +} /** A monomorphic instance of libcrux_ml_kem.ntt.ntt_layer_int_vec_step 
@@ -1822,20 +2081,16 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE - libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2 - libcrux_ml_kem_ntt_ntt_layer_int_vec_step_ea( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - libcrux_ml_kem_vector_portable_vector_type_PortableVector b, - int16_t zeta_r) { - libcrux_ml_kem_vector_portable_vector_type_PortableVector t = - libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8(b, - zeta_r); - b = libcrux_ml_kem_vector_portable_sub_b8(a, &t); - a = libcrux_ml_kem_vector_portable_add_b8(a, &t); - return (KRML_CLITERAL( - libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2){.fst = a, - .snd = b}); +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_layer_int_vec_step_df( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *coefficients, + size_t a, size_t b, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch, + int16_t zeta_r) { + scratch[0U] = coefficients[b]; + libcrux_ml_kem_vector_traits_montgomery_multiply_fe_df(scratch, zeta_r); + coefficients[b] = coefficients[a]; + libcrux_ml_kem_vector_portable_add_b8(&coefficients[a], scratch); + libcrux_ml_kem_vector_portable_sub_b8(&coefficients[b], scratch); } /** 
@@ -1844,26 +2099,23 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_4_plus_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_4_plus_df( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, - size_t layer, size_t _initial_coefficient_bound) { + size_t layer, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch, + size_t _initial_coefficient_bound) { size_t step = (size_t)1U << (uint32_t)layer; + size_t step_vec = step / (size_t)16U; for (size_t i0 = (size_t)0U; i0 < (size_t)128U >> (uint32_t)layer; i0++) { size_t round = i0; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - size_t offset = round * step * (size_t)2U; - size_t offset_vec = offset / (size_t)16U; - size_t step_vec = step / (size_t)16U; - for (size_t i = offset_vec; i < offset_vec + step_vec; i++) { + size_t a_offset = round * (size_t)2U * step_vec; + size_t b_offset = a_offset + step_vec; + for (size_t i = (size_t)0U; i < step_vec; i++) { size_t j = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2 uu____0 = - libcrux_ml_kem_ntt_ntt_layer_int_vec_step_ea( - re->coefficients[j], re->coefficients[j + step_vec], - libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); - libcrux_ml_kem_vector_portable_vector_type_PortableVector x = uu____0.fst; - libcrux_ml_kem_vector_portable_vector_type_PortableVector y = uu____0.snd; - re->coefficients[j] = x; - re->coefficients[j + step_vec] = y; + libcrux_ml_kem_ntt_ntt_layer_int_vec_step_df( + re->coefficients, a_offset + j, b_offset + j, scratch, + libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); } } } 
@@ -1874,17 +2126,14 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_3_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_3_df( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, size_t _initial_coefficient_bound) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_ntt_layer_3_step_b8( - re->coefficients[round], - libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); - re->coefficients[round] = uu____0; + libcrux_ml_kem_vector_portable_ntt_layer_3_step_b8( + &re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); } } @@ -1894,16 +2143,15 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_2_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_2_df( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, size_t _initial_coefficient_bound) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - re->coefficients[round] = - libcrux_ml_kem_vector_portable_ntt_layer_2_step_b8( - re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), - libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)1U)); + libcrux_ml_kem_vector_portable_ntt_layer_2_step_b8( + &re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), + libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)1U)); zeta_i[0U] = zeta_i[0U] + (size_t)1U; } } 
@@ -1914,18 +2162,17 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_1_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_1_df( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, size_t _initial_coefficient_bound) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - re->coefficients[round] = - libcrux_ml_kem_vector_portable_ntt_layer_1_step_b8( - re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), - libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)1U), - libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)2U), - libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)3U)); + libcrux_ml_kem_vector_portable_ntt_layer_1_step_b8( + &re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), + libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)1U), + libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)2U), + libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)3U)); zeta_i[0U] = zeta_i[0U] + (size_t)3U; } } @@ -1936,15 +2183,12 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_barrett_reduce_b8( - myself->coefficients[i0]); - myself->coefficients[i0] = uu____0; + libcrux_ml_kem_vector_portable_barrett_reduce_b8(&myself->coefficients[i0]); } } 
@@ -1959,9 +2203,9 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self) { - libcrux_ml_kem_polynomial_poly_barrett_reduce_ea(self); + libcrux_ml_kem_polynomial_poly_barrett_reduce_df(self); } /** 
@@ -1971,20 +2215,21 @@ with const generics - VECTOR_U_COMPRESSION_FACTOR= 10 */ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_vector_u_0a( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { size_t zeta_i = (size_t)0U; - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)7U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)7U, scratch, (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)6U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)6U, scratch, (size_t)2U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)5U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)5U, scratch, (size_t)3U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)4U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)4U, scratch, (size_t)4U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_3_ea(&zeta_i, re, (size_t)5U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_2_ea(&zeta_i, re, (size_t)6U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_1_ea(&zeta_i, re, (size_t)7U * (size_t)3328U); - libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_ea(re); + libcrux_ml_kem_ntt_ntt_at_layer_3_df(&zeta_i, re, (size_t)5U * (size_t)3328U); + libcrux_ml_kem_ntt_ntt_at_layer_2_df(&zeta_i, re, (size_t)6U * (size_t)3328U); + libcrux_ml_kem_ntt_ntt_at_layer_1_df(&zeta_i, re, (size_t)7U * (size_t)3328U); + libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_df(re); } /** 
@@ -2001,16 +2246,8 @@ with const generics */ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_6c( - uint8_t *ciphertext, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d u_as_ntt[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - u_as_ntt[i] = - libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_call_mut_35_6c( - &lvalue, i); - } + uint8_t *ciphertext, Eurydice_slice u_as_ntt, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice((size_t)1088U, ciphertext, uint8_t), @@ -2028,14 +2265,17 @@ libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_6c( LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U, uint8_t *); - u_as_ntt[i0] = - libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_u_0a( - u_bytes); - libcrux_ml_kem_ntt_ntt_vector_u_0a(&u_as_ntt[i0]); + libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_u_0a( + u_bytes, + &Eurydice_slice_index( + u_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *)); + libcrux_ml_kem_ntt_ntt_vector_u_0a( + &Eurydice_slice_index( + u_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *), + scratch); } - memcpy( - ret, u_as_ntt, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); } /** 
@@ -2044,22 +2284,21 @@ libcrux_ml_kem.vector.portable.compress.decompress_ciphertext_coefficient with const generics - COEFFICIENT_BITS= 4 */ -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_d1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int32_t decompressed = - libcrux_secrets_int_as_i32_f5(a.elements[i0]) * + libcrux_secrets_int_as_i32_f5(a->elements[i0]) * libcrux_secrets_int_as_i32_f5( libcrux_secrets_int_public_integers_classify_27_39( LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS)); decompressed = (decompressed << 1U) + ((int32_t)1 << (uint32_t)(int32_t)4); decompressed = decompressed >> (uint32_t)((int32_t)4 + (int32_t)1); - a.elements[i0] = libcrux_secrets_int_as_i16_36(decompressed); + a->elements[i0] = libcrux_secrets_int_as_i16_36(decompressed); } - return a; } /** @@ -2072,10 +2311,10 @@ libcrux_ml_kem.vector.portable.decompress_ciphertext_coefficient_b8 with const generics - COEFFICIENT_BITS= 4 */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +static inline void libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_b8_d1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_d1( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { + libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_d1( a); } 
@@ -2085,24 +2324,20 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_serialize_deserialize_then_decompress_4_ea( - Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = - libcrux_ml_kem_polynomial_ZERO_d6_ea(); +static KRML_MUSTINLINE void +libcrux_ml_kem_serialize_deserialize_then_decompress_4_df( + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)8U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice3( serialized, i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t *); - libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - libcrux_ml_kem_vector_portable_deserialize_4_b8(bytes); - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_b8_d1( - coefficient); - re.coefficients[i0] = uu____0; + libcrux_ml_kem_vector_portable_deserialize_4_b8(bytes, + &re->coefficients[i0]); + libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_b8_d1( + &re->coefficients[i0]); } - return re; } /** 
@@ -2112,30 +2347,11 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 - COMPRESSION_FACTOR= 4 */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d +static KRML_MUSTINLINE void libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_89( - Eurydice_slice serialized) { - return libcrux_ml_kem_serialize_deserialize_then_decompress_4_ea(serialized); -} - -/** -A monomorphic instance of libcrux_ml_kem.polynomial.ZERO -with types libcrux_ml_kem_vector_portable_vector_type_PortableVector -with const generics - -*/ -static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_polynomial_ZERO_ea(void) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d lit; - libcrux_ml_kem_vector_portable_vector_type_PortableVector - repeat_expression[16U]; - for (size_t i = (size_t)0U; i < (size_t)16U; i++) { - repeat_expression[i] = libcrux_ml_kem_vector_portable_ZERO_b8(); - } - memcpy(lit.coefficients, repeat_expression, - (size_t)16U * - sizeof(libcrux_ml_kem_vector_portable_vector_type_PortableVector)); - return lit; + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *output) { + libcrux_ml_kem_serialize_deserialize_then_decompress_4_df(serialized, output); } /** 
@@ -2171,28 +2387,24 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_polynomial_ntt_multiply_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_ntt_multiply_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d out = - libcrux_ml_kem_polynomial_ZERO_ea(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *out) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_ntt_multiply_b8( - &myself->coefficients[i0], &rhs->coefficients[i0], - libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0), - libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 + - (size_t)1U), - libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 + - (size_t)2U), - libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 + - (size_t)3U)); - out.coefficients[i0] = uu____0; + libcrux_ml_kem_vector_portable_ntt_multiply_b8( + &myself->coefficients[i0], &rhs->coefficients[i0], + &out->coefficients[i0], + libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0), + libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 + + (size_t)1U), + libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 + + (size_t)2U), + libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 + + (size_t)3U)); } - return out; } /** 
@@ -2206,11 +2418,11 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_polynomial_ntt_multiply_d6_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_ntt_multiply_d6_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) { - return libcrux_ml_kem_polynomial_ntt_multiply_ea(self, rhs); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *out) { + libcrux_ml_kem_polynomial_ntt_multiply_df(self, rhs, out); } /** @@ -2234,10 +2446,8 @@ static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_to_ring_element_1b( libcrux_ml_kem_vector_portable_vector_type_PortableVector); i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_add_b8(myself->coefficients[i0], - &rhs->coefficients[i0]); - myself->coefficients[i0] = uu____0; + libcrux_ml_kem_vector_portable_add_b8(&myself->coefficients[i0], + &rhs->coefficients[i0]); } } 
@@ -2264,17 +2474,16 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_df( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] - (size_t)1U; - re->coefficients[round] = - libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_b8( - re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), - libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)1U), - libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)2U), - libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)3U)); + libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_b8( + &re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), + libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)1U), + libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)2U), + libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)3U)); zeta_i[0U] = zeta_i[0U] - (size_t)3U; } } 
@@ -2285,15 +2494,14 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_df( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] - (size_t)1U; - re->coefficients[round] = - libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_b8( - re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), - libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)1U)); + libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_b8( + &re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), + libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)1U)); zeta_i[0U] = zeta_i[0U] - (size_t)1U; } } @@ -2304,16 +2512,13 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_df( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] - (size_t)1U; - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_b8( - re->coefficients[round], - libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); - re->coefficients[round] = uu____0; + libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_b8( + &re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); } } 
@@ -2323,21 +2528,21 @@ libcrux_ml_kem.invert_ntt.inv_ntt_layer_int_vec_step_reduce with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE - libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2 - libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_ea( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - libcrux_ml_kem_vector_portable_vector_type_PortableVector b, - int16_t zeta_r) { - libcrux_ml_kem_vector_portable_vector_type_PortableVector a_minus_b = - libcrux_ml_kem_vector_portable_sub_b8(b, &a); - a = libcrux_ml_kem_vector_portable_barrett_reduce_b8( - libcrux_ml_kem_vector_portable_add_b8(a, &b)); - b = libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( - a_minus_b, zeta_r); - return (KRML_CLITERAL( - libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2){.fst = a, - .snd = b}); +static KRML_MUSTINLINE void +libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_df( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *coefficients, + size_t a, size_t b, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch, + int16_t zeta_r) { + scratch->coefficients[0U] = coefficients[a]; + scratch->coefficients[1U] = coefficients[b]; + libcrux_ml_kem_vector_portable_add_b8(&coefficients[a], + &scratch->coefficients[1U]); + libcrux_ml_kem_vector_portable_sub_b8(&coefficients[b], + scratch->coefficients); + libcrux_ml_kem_vector_portable_barrett_reduce_b8(&coefficients[a]); + libcrux_ml_kem_vector_traits_montgomery_multiply_fe_df(&coefficients[b], + zeta_r); } /** 
@@ -2347,28 +2552,22 @@ with const generics */ static KRML_MUSTINLINE void -libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_ea( +libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_df( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, - size_t layer) { + size_t layer, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { size_t step = (size_t)1U << (uint32_t)layer; + size_t step_vec = + step / LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; for (size_t i0 = (size_t)0U; i0 < (size_t)128U >> (uint32_t)layer; i0++) { size_t round = i0; zeta_i[0U] = zeta_i[0U] - (size_t)1U; - size_t offset = round * step * (size_t)2U; - size_t offset_vec = - offset / LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; - size_t step_vec = - step / LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; - for (size_t i = offset_vec; i < offset_vec + step_vec; i++) { + size_t a_offset = round * (size_t)2U * step_vec; + size_t b_offset = a_offset + step_vec; + for (size_t i = (size_t)0U; i < step_vec; i++) { size_t j = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2 uu____0 = - libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_ea( - re->coefficients[j], re->coefficients[j + step_vec], - libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); - libcrux_ml_kem_vector_portable_vector_type_PortableVector x = uu____0.fst; - libcrux_ml_kem_vector_portable_vector_type_PortableVector y = uu____0.snd; - re->coefficients[j] = x; - re->coefficients[j + step_vec] = y; + libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_df( + re->coefficients, a_offset + j, b_offset + j, scratch, + libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); } } } 
@@ -2380,21 +2579,22 @@ with const generics - K= 3 */ static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_1b( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { size_t zeta_i = LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)2U; - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_ea(&zeta_i, re); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_ea(&zeta_i, re); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_ea(&zeta_i, re); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_ea(&zeta_i, re, - (size_t)4U); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_ea(&zeta_i, re, - (size_t)5U); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_ea(&zeta_i, re, - (size_t)6U); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_ea(&zeta_i, re, - (size_t)7U); - libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_ea(re); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_df(&zeta_i, re); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_df(&zeta_i, re); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_df(&zeta_i, re); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_df(&zeta_i, re, + (size_t)4U, scratch); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_df(&zeta_i, re, + (size_t)5U, scratch); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_df(&zeta_i, re, + (size_t)6U, scratch); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_df(&zeta_i, re, + (size_t)7U, scratch); + libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_df(re); } /** 
@@ -2403,25 +2603,19 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_polynomial_subtract_reduce_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_subtract_reduce_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d b) { + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *b) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector - coefficient_normal_form = - libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( - b.coefficients[i0], (int16_t)1441); - libcrux_ml_kem_vector_portable_vector_type_PortableVector diff = - libcrux_ml_kem_vector_portable_sub_b8(myself->coefficients[i0], - &coefficient_normal_form); - libcrux_ml_kem_vector_portable_vector_type_PortableVector red = - libcrux_ml_kem_vector_portable_barrett_reduce_b8(diff); - b.coefficients[i0] = red; + libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( + &b->coefficients[i0], (int16_t)1441); + libcrux_ml_kem_vector_portable_sub_b8(&b->coefficients[i0], + &myself->coefficients[i0]); + libcrux_ml_kem_vector_portable_negate_b8(&b->coefficients[i0]); + libcrux_ml_kem_vector_portable_barrett_reduce_b8(&b->coefficients[i0]); } - return b; } /** 
@@ -2435,17 +2629,13 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_polynomial_subtract_reduce_d6_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_subtract_reduce_d6_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d b) { - return libcrux_ml_kem_polynomial_subtract_reduce_ea(self, b); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *b) { + libcrux_ml_kem_polynomial_subtract_reduce_df(self, b); } /** - The following functions compute various expressions involving - vectors and matrices. The computation of these expressions has been - abstracted away into these functions in order to save on loop iterations. Compute v − InverseNTT(sᵀ ◦ NTT(u)) */ /** 
@@ -2454,22 +2644,20 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_matrix_compute_message_1b( +static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_message_1b( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *v, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *secret_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *u_as_ntt) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = - libcrux_ml_kem_polynomial_ZERO_d6_ea(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *u_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *result, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - libcrux_ml_kem_polynomial_ntt_multiply_d6_ea(&secret_as_ntt[i0], - &u_as_ntt[i0]); - libcrux_ml_kem_polynomial_add_to_ring_element_d6_1b(&result, &product); + libcrux_ml_kem_polynomial_ntt_multiply_d6_df(&secret_as_ntt[i0], + &u_as_ntt[i0], scratch); + libcrux_ml_kem_polynomial_add_to_ring_element_d6_1b(result, scratch); } - libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_1b(&result); - return libcrux_ml_kem_polynomial_subtract_reduce_d6_ea(v, result); + libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_1b(result, scratch); + libcrux_ml_kem_polynomial_subtract_reduce_d6_df(v, result); } /** 
@@ -2478,10 +2666,13 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_serialize_to_unsigned_field_modulus_ea( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return libcrux_ml_kem_vector_portable_to_unsigned_representative_b8(a); +static KRML_MUSTINLINE void +libcrux_ml_kem_serialize_to_unsigned_field_modulus_df( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable_to_unsigned_representative_b8(a[0U]); + out[0U] = uu____0; } /** 
@@ -2491,26 +2682,20 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE void -libcrux_ml_kem_serialize_compress_then_serialize_message_ea( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re, uint8_t ret[32U]) { - uint8_t serialized[32U] = {0U}; +libcrux_ml_kem_serialize_compress_then_serialize_message_df( + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, + Eurydice_slice serialized, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - libcrux_ml_kem_serialize_to_unsigned_field_modulus_ea( - re.coefficients[i0]); - libcrux_ml_kem_vector_portable_vector_type_PortableVector - coefficient_compressed = - libcrux_ml_kem_vector_portable_compress_1_b8(coefficient); - uint8_t bytes[2U]; - libcrux_ml_kem_vector_portable_serialize_1_b8(coefficient_compressed, - bytes); - Eurydice_slice_copy( - Eurydice_array_to_subslice3(serialized, (size_t)2U * i0, - (size_t)2U * i0 + (size_t)2U, uint8_t *), - Eurydice_array_to_slice((size_t)2U, bytes, uint8_t), uint8_t); + libcrux_ml_kem_serialize_to_unsigned_field_modulus_df(&re->coefficients[i0], + scratch); + libcrux_ml_kem_vector_portable_compress_1_b8(scratch); + libcrux_ml_kem_vector_portable_serialize_1_b8( + scratch, + Eurydice_slice_subslice3(serialized, (size_t)2U * i0, + (size_t)2U * i0 + (size_t)2U, uint8_t *)); } - memcpy(ret, serialized, (size_t)32U * sizeof(uint8_t)); } /** 
@@ -2549,20 +2734,33 @@ with const generics */ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_decrypt_unpacked_42( libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0 *secret_key, - uint8_t *ciphertext, uint8_t ret[32U]) { + uint8_t *ciphertext, Eurydice_slice decrypted, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d u_as_ntt[3U]; - libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_6c(ciphertext, u_as_ntt); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + u_as_ntt[i] = + libcrux_ml_kem_ind_cpa_decrypt_unpacked_call_mut_68_42(&lvalue, i); + } + libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_6c( + ciphertext, + Eurydice_array_to_slice( + (size_t)3U, u_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + scratch->coefficients); libcrux_ml_kem_polynomial_PolynomialRingElement_1d v = - libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_89( - Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, - (size_t)960U, uint8_t, size_t, - uint8_t[])); + libcrux_ml_kem_polynomial_ZERO_d6_df(); + libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_89( + Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, (size_t)960U, + uint8_t, size_t, uint8_t[]), + &v); libcrux_ml_kem_polynomial_PolynomialRingElement_1d message = - libcrux_ml_kem_matrix_compute_message_1b(&v, secret_key->secret_as_ntt, - u_as_ntt); - uint8_t ret0[32U]; - libcrux_ml_kem_serialize_compress_then_serialize_message_ea(message, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + libcrux_ml_kem_polynomial_ZERO_d6_df(); + libcrux_ml_kem_matrix_compute_message_1b(&v, secret_key->secret_as_ntt, + u_as_ntt, &message, scratch); + libcrux_ml_kem_serialize_compress_then_serialize_message_df( + &message, decrypted, scratch->coefficients); } /** 
@@ -2576,66 +2774,91 @@ with const generics - V_COMPRESSION_FACTOR= 4 */ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_decrypt_42( - Eurydice_slice secret_key, uint8_t *ciphertext, uint8_t ret[32U]) { + Eurydice_slice secret_key, uint8_t *ciphertext, Eurydice_slice decrypted, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0 secret_key_unpacked; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret0[3U]; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { /* original Rust expression is not an lvalue in C */ void *lvalue = (void *)0U; - ret0[i] = libcrux_ml_kem_ind_cpa_decrypt_call_mut_0b_42(&lvalue, i); + ret[i] = libcrux_ml_kem_ind_cpa_decrypt_call_mut_0b_42(&lvalue, i); } memcpy( - secret_key_unpacked.secret_as_ntt, ret0, + secret_key_unpacked.secret_as_ntt, ret, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); libcrux_ml_kem_ind_cpa_deserialize_vector_1b( - secret_key, secret_key_unpacked.secret_as_ntt); - uint8_t ret1[32U]; + secret_key, Eurydice_array_to_slice( + (size_t)3U, secret_key_unpacked.secret_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); libcrux_ml_kem_ind_cpa_decrypt_unpacked_42(&secret_key_unpacked, ciphertext, - ret1); - memcpy(ret, ret1, (size_t)32U * sizeof(uint8_t)); + decrypted, scratch); } /** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} -*/ -/** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.G_4a +A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRF with const generics -- K= 3 +- LEN= 32 */ -static inline void libcrux_ml_kem_hash_functions_portable_G_4a_e0( - Eurydice_slice input, uint8_t ret[64U]) { - libcrux_ml_kem_hash_functions_portable_G(input, ret); +static inline void libcrux_ml_kem_hash_functions_portable_PRF_9e( + Eurydice_slice 
input, Eurydice_slice out) { + libcrux_sha3_portable_shake256(out, input); } /** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRF +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} +*/ +/** +A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRF_6e with const generics - LEN= 32 */ -static inline void libcrux_ml_kem_hash_functions_portable_PRF_9e( - Eurydice_slice input, uint8_t ret[32U]) { - uint8_t digest[32U] = {0U}; - libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)32U, digest, uint8_t), input); - memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); +static inline void libcrux_ml_kem_hash_functions_portable_PRF_6e_9e( + Eurydice_slice input, Eurydice_slice out) { + libcrux_ml_kem_hash_functions_portable_PRF_9e(input, out); } /** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} +This function found in impl {core::ops::function::FnMut<(usize), +libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@3]> for libcrux_ml_kem::ind_cca::decapsulate::closure[TraitClause@0, +TraitClause@1, TraitClause@2, TraitClause@3, TraitClause@4, TraitClause@5]} */ /** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRF_4a -with const generics +A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate.call_mut_5f +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, +libcrux_ml_kem_hash_functions_portable_PortableHash, +libcrux_ml_kem_variant_MlKem with const generics - K= 3 -- LEN= 32 +- K_SQUARED= 9 +- SECRET_KEY_SIZE= 2400 +- CPA_SECRET_KEY_SIZE= 1152 +- PUBLIC_KEY_SIZE= 1184 +- CIPHERTEXT_SIZE= 1088 +- T_AS_NTT_ENCODED_SIZE= 1152 +- C1_SIZE= 960 +- C2_SIZE= 128 +- VECTOR_U_COMPRESSION_FACTOR= 10 +- VECTOR_V_COMPRESSION_FACTOR= 4 +- C1_BLOCK_SIZE= 320 +- ETA1= 2 +- ETA1_RANDOMNESS_SIZE= 128 +- ETA2= 2 +- 
ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 +- IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -static inline void libcrux_ml_kem_hash_functions_portable_PRF_4a_41( - Eurydice_slice input, uint8_t ret[32U]) { - libcrux_ml_kem_hash_functions_portable_PRF_9e(input, ret); +static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d +libcrux_ml_kem_ind_cca_decapsulate_call_mut_5f_d7(void **_, + size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_df(); } /** 
@@ -2643,49 +2866,45 @@ A monomorphic instance of libcrux_ml_kem.ind_cpa.unpacked.IndCpaPublicKeyUnpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - $3size_t +- $9size_t */ -typedef struct libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0_s { +typedef struct libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_be_s { libcrux_ml_kem_polynomial_PolynomialRingElement_1d t_as_ntt[3U]; uint8_t seed_for_A[32U]; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d A[3U][3U]; -} libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d A[9U]; +} libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_be; /** This function found in impl {core::default::Default for -libcrux_ml_kem::ind_cpa::unpacked::IndCpaPublicKeyUnpacked[TraitClause@0, TraitClause@1]} +libcrux_ml_kem::ind_cpa::unpacked::IndCpaPublicKeyUnpacked[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cpa.unpacked.default_8b +A monomorphic instance of libcrux_ml_kem.ind_cpa.unpacked.default_50 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 */ -static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 -libcrux_ml_kem_ind_cpa_unpacked_default_8b_1b(void) { +static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_be +libcrux_ml_kem_ind_cpa_unpacked_default_50_89(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - uu____0[i] = libcrux_ml_kem_polynomial_ZERO_d6_ea(); + uu____0[i] = libcrux_ml_kem_polynomial_ZERO_d6_df(); } uint8_t uu____1[32U] = {0U}; - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 lit; + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_be lit; memcpy( lit.t_as_ntt, uu____0, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); memcpy(lit.seed_for_A, 
uu____1, (size_t)32U * sizeof(uint8_t)); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d repeat_expression0[3U][3U]; - for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d repeat_expression[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - repeat_expression[i] = libcrux_ml_kem_polynomial_ZERO_d6_ea(); - } - memcpy(repeat_expression0[i0], repeat_expression, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d repeat_expression[9U]; + for (size_t i = (size_t)0U; i < (size_t)9U; i++) { + repeat_expression[i] = libcrux_ml_kem_polynomial_ZERO_d6_df(); } - memcpy(lit.A, repeat_expression0, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U])); + memcpy( + lit.A, repeat_expression, + (size_t)9U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); return lit; } 
@@ -2701,28 +2920,27 @@ libcrux_ml_kem.serialize.deserialize_to_reduced_ring_element with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_ea( - Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = - libcrux_ml_kem_polynomial_ZERO_d6_ea(); +static KRML_MUSTINLINE void +libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_df( + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice3(serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t *); - libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - libcrux_ml_kem_vector_portable_deserialize_12_b8(bytes); - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_cond_subtract_3329_b8(coefficient); - re.coefficients[i0] = uu____0; + libcrux_ml_kem_vector_portable_deserialize_12_b8(bytes, + &re->coefficients[i0]); + libcrux_ml_kem_vector_portable_cond_subtract_3329_b8(&re->coefficients[i0]); } - return re; } /** - See [deserialize_ring_elements_reduced_out]. + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. */ /** A monomorphic instance of 
@@ -2732,8 +2950,7 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE void libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_1b( - Eurydice_slice public_key, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *deserialized_pk) { + Eurydice_slice public_key, Eurydice_slice deserialized_pk) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(public_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; 
@@ -2744,100 +2961,13 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_1b( i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, uint8_t *); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = - libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_ea( - ring_element); - deserialized_pk[i0] = uu____0; - } -} - -/** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PortableHash -with const generics -- $3size_t -*/ -typedef struct libcrux_ml_kem_hash_functions_portable_PortableHash_88_s { - libcrux_sha3_generic_keccak_KeccakState_17 shake128_state[3U]; -} libcrux_ml_kem_hash_functions_portable_PortableHash_88; - -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_final with const -generics -- K= 3 -*/ -static inline libcrux_ml_kem_hash_functions_portable_PortableHash_88 -libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_e0( - uint8_t (*input)[34U]) { - libcrux_ml_kem_hash_functions_portable_PortableHash_88 shake128_state; - libcrux_sha3_generic_keccak_KeccakState_17 repeat_expression[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - repeat_expression[i] = libcrux_sha3_portable_incremental_shake128_init(); - } - memcpy(shake128_state.shake128_state, repeat_expression, - (size_t)3U * sizeof(libcrux_sha3_generic_keccak_KeccakState_17)); - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - size_t i0 = i; - libcrux_sha3_portable_incremental_shake128_absorb_final( - &shake128_state.shake128_state[i0], - Eurydice_array_to_slice((size_t)34U, input[i0], uint8_t)); - } - return shake128_state; -} - -/** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} -*/ -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_final_4a with const -generics -- K= 3 -*/ -static inline 
libcrux_ml_kem_hash_functions_portable_PortableHash_88 -libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_4a_e0( - uint8_t (*input)[34U]) { - return libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_e0( - input); -} - -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_first_three_blocks with -const generics -- K= 3 -*/ -static inline void -libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_e0( - libcrux_ml_kem_hash_functions_portable_PortableHash_88 *st, - uint8_t ret[3U][504U]) { - uint8_t out[3U][504U] = {{0U}}; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - size_t i0 = i; - libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks( - &st->shake128_state[i0], - Eurydice_array_to_slice((size_t)504U, out[i0], uint8_t)); + libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_df( + ring_element, + &Eurydice_slice_index( + deserialized_pk, i0, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *)); } - memcpy(ret, out, (size_t)3U * sizeof(uint8_t[504U])); -} - -/** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} -*/ -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_first_three_blocks_4a -with const generics -- K= 3 -*/ -static inline void -libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_4a_e0( - libcrux_ml_kem_hash_functions_portable_PortableHash_88 *self, - uint8_t ret[3U][504U]) { - libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_e0( - self, ret); } /** 
@@ -2890,32 +3020,41 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE bool libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_89( - uint8_t (*randomness)[504U], size_t *sampled_coefficients, - int16_t (*out)[272U]) { + Eurydice_slice randomness, Eurydice_slice sampled_coefficients, + Eurydice_slice out) { for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { size_t i1 = i0; for (size_t i = (size_t)0U; i < (size_t)504U / (size_t)24U; i++) { size_t r = i; - if (sampled_coefficients[i1] < + if (Eurydice_slice_index(sampled_coefficients, i1, size_t, size_t *) < LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + uint8_t *randomness_i = Eurydice_slice_index( + randomness, i1, uint8_t[504U], uint8_t(*)[504U]); + int16_t *out_i = + Eurydice_slice_index(out, i1, int16_t[272U], int16_t(*)[272U]); + size_t sampled_coefficients_i = + Eurydice_slice_index(sampled_coefficients, i1, size_t, size_t *); size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_b8( - Eurydice_array_to_subslice3(randomness[i1], r * (size_t)24U, + Eurydice_array_to_subslice3(randomness_i, r * (size_t)24U, r * (size_t)24U + (size_t)24U, uint8_t *), - Eurydice_array_to_subslice3(out[i1], sampled_coefficients[i1], - sampled_coefficients[i1] + (size_t)16U, + Eurydice_array_to_subslice3(out_i, sampled_coefficients_i, + sampled_coefficients_i + (size_t)16U, int16_t *)); size_t uu____0 = i1; - sampled_coefficients[uu____0] = sampled_coefficients[uu____0] + sampled; + Eurydice_slice_index(sampled_coefficients, uu____0, size_t, size_t *) = + Eurydice_slice_index(sampled_coefficients, uu____0, size_t, + size_t *) + + sampled; } } } bool done = true; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - if (sampled_coefficients[i0] >= + if (Eurydice_slice_index(sampled_coefficients, i0, size_t, size_t *) >= LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - sampled_coefficients[i0] = + 
Eurydice_slice_index(sampled_coefficients, i0, size_t, size_t *) = LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; } else { done = false; @@ -2924,44 +3063,6 @@ libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_89( return done; } -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_next_block with const -generics -- K= 3 -*/ -static inline void -libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_e0( - libcrux_ml_kem_hash_functions_portable_PortableHash_88 *st, - uint8_t ret[3U][168U]) { - uint8_t out[3U][168U] = {{0U}}; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - size_t i0 = i; - libcrux_sha3_portable_incremental_shake128_squeeze_next_block( - &st->shake128_state[i0], - Eurydice_array_to_slice((size_t)168U, out[i0], uint8_t)); - } - memcpy(ret, out, (size_t)3U * sizeof(uint8_t[168U])); -} - -/** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} -*/ -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_next_block_4a with const -generics -- K= 3 -*/ -static inline void -libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_4a_e0( - libcrux_ml_kem_hash_functions_portable_PortableHash_88 *self, - uint8_t ret[3U][168U]) { - libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_e0(self, - ret); -} - /** If `bytes` contains a set of uniformly random bytes, this function uniformly samples a ring element `â` that is treated as being the NTT 
@@ -3012,32 +3113,41 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE bool libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_890( - uint8_t (*randomness)[168U], size_t *sampled_coefficients, - int16_t (*out)[272U]) { + Eurydice_slice randomness, Eurydice_slice sampled_coefficients, + Eurydice_slice out) { for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { size_t i1 = i0; for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)24U; i++) { size_t r = i; - if (sampled_coefficients[i1] < + if (Eurydice_slice_index(sampled_coefficients, i1, size_t, size_t *) < LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + uint8_t *randomness_i = Eurydice_slice_index( + randomness, i1, uint8_t[168U], uint8_t(*)[168U]); + int16_t *out_i = + Eurydice_slice_index(out, i1, int16_t[272U], int16_t(*)[272U]); + size_t sampled_coefficients_i = + Eurydice_slice_index(sampled_coefficients, i1, size_t, size_t *); size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_b8( - Eurydice_array_to_subslice3(randomness[i1], r * (size_t)24U, + Eurydice_array_to_subslice3(randomness_i, r * (size_t)24U, r * (size_t)24U + (size_t)24U, uint8_t *), - Eurydice_array_to_subslice3(out[i1], sampled_coefficients[i1], - sampled_coefficients[i1] + (size_t)16U, + Eurydice_array_to_subslice3(out_i, sampled_coefficients_i, + sampled_coefficients_i + (size_t)16U, int16_t *)); size_t uu____0 = i1; - sampled_coefficients[uu____0] = sampled_coefficients[uu____0] + sampled; + Eurydice_slice_index(sampled_coefficients, uu____0, size_t, size_t *) = + Eurydice_slice_index(sampled_coefficients, uu____0, size_t, + size_t *) + + sampled; } } } bool done = true; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - if (sampled_coefficients[i0] >= + if (Eurydice_slice_index(sampled_coefficients, i0, size_t, size_t *) >= LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - sampled_coefficients[i0] = + 
Eurydice_slice_index(sampled_coefficients, i0, size_t, size_t *) = LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; } else { done = false; 
@@ -3046,27 +3156,58 @@ libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_890( return done; } +/** +A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics +- K= 3 +*/ +static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_xof_57( + Eurydice_slice seeds, Eurydice_slice sampled_coefficients, + Eurydice_slice out) { + libcrux_ml_kem_hash_functions_portable_PortableHash xof_state = + libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_6e( + seeds); + uint8_t randomness[3U][504U] = {{0U}}; + uint8_t randomness_blocksize[3U][168U] = {{0U}}; + libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_6e( + &xof_state, + Eurydice_array_to_slice((size_t)3U, randomness, uint8_t[504U])); + bool done = libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_89( + Eurydice_array_to_slice((size_t)3U, randomness, uint8_t[504U]), + sampled_coefficients, out); + while (true) { + if (done) { + break; + } else { + libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_6e( + &xof_state, Eurydice_array_to_slice((size_t)3U, randomness_blocksize, + uint8_t[168U])); + done = libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_890( + Eurydice_array_to_slice((size_t)3U, randomness_blocksize, + uint8_t[168U]), + sampled_coefficients, out); + } + } +} + /** A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_polynomial_from_i16_array_ea(Eurydice_slice a) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = - libcrux_ml_kem_polynomial_ZERO_ea(); +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_from_i16_array_df( + Eurydice_slice a, + 
libcrux_ml_kem_polynomial_PolynomialRingElement_1d *result) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_from_i16_array_b8( - Eurydice_slice_subslice3(a, i0 * (size_t)16U, - (i0 + (size_t)1U) * (size_t)16U, - int16_t *)); - result.coefficients[i0] = uu____0; + libcrux_ml_kem_vector_portable_from_i16_array_b8( + Eurydice_slice_subslice3(a, i0 * (size_t)16U, + (i0 + (size_t)1U) * (size_t)16U, int16_t *), + &result->coefficients[i0]); } - return result; } /** 
@@ -3080,116 +3221,63 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_polynomial_from_i16_array_d6_ea(Eurydice_slice a) { - return libcrux_ml_kem_polynomial_from_i16_array_ea(a); -} - -/** -This function found in impl {core::ops::function::FnMut<(@Array), -libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@2]> for libcrux_ml_kem::sampling::sample_from_xof::closure[TraitClause@0, TraitClause@1, TraitClause@2, TraitClause@3]} -*/ -/** -A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof.call_mut_e7 -with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics -- K= 3 -*/ -static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_sampling_sample_from_xof_call_mut_e7_2b( - void **_, int16_t tupled_args[272U]) { - int16_t s[272U]; - memcpy(s, tupled_args, (size_t)272U * sizeof(int16_t)); - return libcrux_ml_kem_polynomial_from_i16_array_d6_ea( - Eurydice_array_to_subslice3(s, (size_t)0U, (size_t)256U, int16_t *)); -} - -/** -A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof -with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics -- K= 3 -*/ -static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_xof_2b( - uint8_t (*seeds)[34U], - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) { - size_t sampled_coefficients[3U] = {0U}; - int16_t out[3U][272U] = {{0U}}; - libcrux_ml_kem_hash_functions_portable_PortableHash_88 xof_state = - libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_4a_e0( - seeds); - uint8_t randomness0[3U][504U]; - libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_4a_e0( - &xof_state, 
randomness0); - bool done = libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_89( - randomness0, sampled_coefficients, out); - while (true) { - if (done) { - break; - } else { - uint8_t randomness[3U][168U]; - libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_4a_e0( - &xof_state, randomness); - done = libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_890( - randomness, sampled_coefficients, out); - } - } - /* Passing arrays by value in Rust generates a copy in C */ - int16_t copy_of_out[3U][272U]; - memcpy(copy_of_out, out, (size_t)3U * sizeof(int16_t[272U])); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret0[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - ret0[i] = libcrux_ml_kem_sampling_sample_from_xof_call_mut_e7_2b( - &lvalue, copy_of_out[i]); - } - memcpy( - ret, ret0, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_from_i16_array_d6_df( + Eurydice_slice a, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *out) { + libcrux_ml_kem_polynomial_from_i16_array_df(a, out); } /** A monomorphic instance of libcrux_ml_kem.matrix.sample_matrix_A with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 */ -static KRML_MUSTINLINE void libcrux_ml_kem_matrix_sample_matrix_A_2b( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d (*A_transpose)[3U], - uint8_t *seed, bool transpose) { +static KRML_MUSTINLINE void libcrux_ml_kem_matrix_sample_matrix_A_57( + Eurydice_slice A_transpose, uint8_t *seed, bool transpose) { for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { size_t i1 = i0; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t 
copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); uint8_t seeds[3U][34U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - core_array__core__clone__Clone_for__Array_T__N___clone( - (size_t)34U, seed, seeds[i], uint8_t, void *); + memcpy(seeds[i], copy_of_seed, (size_t)34U * sizeof(uint8_t)); } for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t j = i; seeds[j][32U] = (uint8_t)i1; seeds[j][33U] = (uint8_t)j; } - libcrux_ml_kem_polynomial_PolynomialRingElement_1d sampled[3U]; - libcrux_ml_kem_sampling_sample_from_xof_2b(seeds, sampled); + size_t sampled_coefficients[3U] = {0U}; + int16_t out[3U][272U] = {{0U}}; + libcrux_ml_kem_sampling_sample_from_xof_57( + Eurydice_array_to_slice((size_t)3U, seeds, uint8_t[34U]), + Eurydice_array_to_slice((size_t)3U, sampled_coefficients, size_t), + Eurydice_array_to_slice((size_t)3U, out, int16_t[272U])); for (size_t i = (size_t)0U; i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)3U, sampled, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d), - libcrux_ml_kem_polynomial_PolynomialRingElement_1d); + Eurydice_array_to_slice((size_t)3U, out, int16_t[272U]), + int16_t[272U]); i++) { size_t j = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d sample = sampled[j]; + int16_t sample[272U]; + memcpy(sample, out[j], (size_t)272U * sizeof(int16_t)); if (transpose) { - A_transpose[j][i1] = sample; + Eurydice_slice uu____1 = Eurydice_array_to_subslice_to( + (size_t)272U, sample, (size_t)256U, int16_t, size_t, int16_t[]); + libcrux_ml_kem_polynomial_from_i16_array_d6_df( + uu____1, &Eurydice_slice_index( + A_transpose, j * (size_t)3U + i1, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *)); } else { - A_transpose[i1][j] = sample; + Eurydice_slice uu____2 = Eurydice_array_to_subslice_to( + (size_t)272U, sample, (size_t)256U, int16_t, size_t, int16_t[]); + libcrux_ml_kem_polynomial_from_i16_array_d6_df( + uu____2, 
&Eurydice_slice_index( + A_transpose, i1 * (size_t)3U + j, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *)); } } } 
@@ -3198,119 +3286,30 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_sample_matrix_A_2b( /** A monomorphic instance of libcrux_ml_kem.ind_cpa.build_unpacked_public_key_mut with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 +- K_SQUARED= 9 - T_AS_NTT_ENCODED_SIZE= 1152 */ static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_3f( +libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_e2( Eurydice_slice public_key, - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_be *unpacked_public_key) { Eurydice_slice uu____0 = Eurydice_slice_subslice_to( public_key, (size_t)1152U, uint8_t, size_t, uint8_t[]); libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_1b( - uu____0, unpacked_public_key->t_as_ntt); + uu____0, Eurydice_array_to_slice( + (size_t)3U, unpacked_public_key->t_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); Eurydice_slice seed = Eurydice_slice_subslice_from( public_key, (size_t)1152U, uint8_t, size_t, uint8_t[]); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d(*uu____1)[3U] = - unpacked_public_key->A; + Eurydice_slice uu____1 = Eurydice_array_to_slice( + (size_t)9U, unpacked_public_key->A, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d); uint8_t ret[34U]; libcrux_ml_kem_utils_into_padded_array_b6(seed, ret); - libcrux_ml_kem_matrix_sample_matrix_A_2b(uu____1, ret, false); -} - -/** -A monomorphic instance of libcrux_ml_kem.ind_cpa.build_unpacked_public_key -with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics -- K= 3 -- T_AS_NTT_ENCODED_SIZE= 1152 -*/ -static KRML_MUSTINLINE - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 - 
libcrux_ml_kem_ind_cpa_build_unpacked_public_key_3f( - Eurydice_slice public_key) { - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 - unpacked_public_key = libcrux_ml_kem_ind_cpa_unpacked_default_8b_1b(); - libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_3f(public_key, - &unpacked_public_key); - return unpacked_public_key; -} - -/** -A monomorphic instance of K. -with types libcrux_ml_kem_polynomial_PolynomialRingElement -libcrux_ml_kem_vector_portable_vector_type_PortableVector[3size_t], -libcrux_ml_kem_polynomial_PolynomialRingElement -libcrux_ml_kem_vector_portable_vector_type_PortableVector - -*/ -typedef struct tuple_ed_s { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d fst[3U]; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d snd; -} tuple_ed; - -/** -This function found in impl {core::ops::function::FnMut<(usize), -libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@2]> for libcrux_ml_kem::ind_cpa::encrypt_c1::closure[TraitClause@0, TraitClause@1, TraitClause@2, -TraitClause@3]} -*/ -/** -A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1.call_mut_f1 -with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics -- K= 3 -- C1_LEN= 960 -- U_COMPRESSION_FACTOR= 10 -- BLOCK_LEN= 320 -- ETA1= 2 -- ETA1_RANDOMNESS_SIZE= 128 -- ETA2= 2 -- ETA2_RANDOMNESS_SIZE= 128 -*/ -static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_f1_85(void **_, size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_ea(); -} - -/** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRFxN -with const generics -- K= 3 -- LEN= 128 -*/ -static inline void libcrux_ml_kem_hash_functions_portable_PRFxN_41( - uint8_t (*input)[33U], uint8_t ret[3U][128U]) { - uint8_t out[3U][128U] = {{0U}}; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - size_t i0 = i; - 
libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)128U, out[i0], uint8_t), - Eurydice_array_to_slice((size_t)33U, input[i0], uint8_t)); - } - memcpy(ret, out, (size_t)3U * sizeof(uint8_t[128U])); -} - -/** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} -*/ -/** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRFxN_4a -with const generics -- K= 3 -- LEN= 128 -*/ -static inline void libcrux_ml_kem_hash_functions_portable_PRFxN_4a_41( - uint8_t (*input)[33U], uint8_t ret[3U][128U]) { - libcrux_ml_kem_hash_functions_portable_PRFxN_41(input, ret); + libcrux_ml_kem_matrix_sample_matrix_A_57(uu____1, ret, false); } /** @@ -3368,10 +3367,9 @@ libcrux_ml_kem.sampling.sample_from_binomial_distribution_2 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_ea( - Eurydice_slice randomness) { - int16_t sampled_i16s[256U] = {0U}; +static KRML_MUSTINLINE void +libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_df( + Eurydice_slice randomness, Eurydice_slice sampled_i16s) { for (size_t i0 = (size_t)0U; i0 < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i0++) { size_t chunk_number = i0; @@ -3401,11 +3399,10 @@ libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_ea( int16_t outcome_2 = (int16_t)(coin_toss_outcomes >> (uint32_t)(outcome_set0 + 2U) & 3U); size_t offset = (size_t)(outcome_set0 >> 2U); - sampled_i16s[(size_t)8U * chunk_number + offset] = outcome_1 - outcome_2; + Eurydice_slice_index(sampled_i16s, (size_t)8U * chunk_number + offset, + int16_t, int16_t *) = outcome_1 - outcome_2; } } - return libcrux_ml_kem_polynomial_from_i16_array_d6_ea( - Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t)); } /** 
@@ -3414,11 +3411,11 @@ libcrux_ml_kem.sampling.sample_from_binomial_distribution with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - ETA= 2 */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d +static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_binomial_distribution_a0( - Eurydice_slice randomness) { - return libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_ea( - randomness); + Eurydice_slice randomness, int16_t *output) { + libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_df( + randomness, Eurydice_array_to_slice((size_t)256U, output, int16_t)); } /** 
@@ -3427,19 +3424,18 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_7_ea( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_7_df( + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { size_t step = LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT / (size_t)2U; for (size_t i = (size_t)0U; i < step; i++) { size_t j = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector t = - libcrux_ml_kem_vector_portable_multiply_by_constant_b8( - re->coefficients[j + step], (int16_t)-1600); - re->coefficients[j + step] = - libcrux_ml_kem_vector_portable_sub_b8(re->coefficients[j], &t); - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____1 = - libcrux_ml_kem_vector_portable_add_b8(re->coefficients[j], &t); - re->coefficients[j] = uu____1; + scratch[0U] = re->coefficients[j + step]; + libcrux_ml_kem_vector_portable_multiply_by_constant_b8(scratch, + (int16_t)-1600); + re->coefficients[j + step] = re->coefficients[j]; + libcrux_ml_kem_vector_portable_add_b8(&re->coefficients[j], scratch); + libcrux_ml_kem_vector_portable_sub_b8(&re->coefficients[j + step], scratch); } } 
@@ -3450,23 +3446,25 @@ with const generics */ static KRML_MUSTINLINE void -libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_ea( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { - libcrux_ml_kem_ntt_ntt_at_layer_7_ea(re); +libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_df( + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { + libcrux_ml_kem_ntt_ntt_at_layer_7_df(re, scratch); size_t zeta_i = (size_t)1U; - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)6U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)6U, scratch, (size_t)11207U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)5U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)5U, scratch, (size_t)11207U + (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_ea( - &zeta_i, re, (size_t)4U, (size_t)11207U + (size_t)2U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_3_ea( + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_df( + &zeta_i, re, (size_t)4U, scratch, + (size_t)11207U + (size_t)2U * (size_t)3328U); + libcrux_ml_kem_ntt_ntt_at_layer_3_df( &zeta_i, re, (size_t)11207U + (size_t)3U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_2_ea( + libcrux_ml_kem_ntt_ntt_at_layer_2_df( &zeta_i, re, (size_t)11207U + (size_t)4U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_1_ea( + libcrux_ml_kem_ntt_ntt_at_layer_1_df( &zeta_i, re, (size_t)11207U + (size_t)5U * (size_t)3328U); - libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_ea(re); + libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_df(re); } /** 
@@ -3476,31 +3474,48 @@ libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_ea( /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_vector_cbd_then_ntt with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 - ETA= 2 - ETA_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE= 384 */ static KRML_MUSTINLINE uint8_t -libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_3b( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re_as_ntt, - uint8_t *prf_input, uint8_t domain_separator) { +libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_40( + Eurydice_slice re_as_ntt, uint8_t *prf_input, uint8_t domain_separator, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[3U][33U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - core_array__core__clone__Clone_for__Array_T__N___clone( - (size_t)33U, prf_input, prf_inputs[i], uint8_t, void *); + memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t)); } domain_separator = libcrux_ml_kem_utils_prf_input_inc_e0(prf_inputs, domain_separator); - uint8_t prf_outputs[3U][128U]; - libcrux_ml_kem_hash_functions_portable_PRFxN_4a_41(prf_inputs, prf_outputs); + uint8_t prf_outputs[384U] = {0U}; + libcrux_ml_kem_hash_functions_portable_PRFxN_6e( + Eurydice_array_to_slice((size_t)3U, prf_inputs, uint8_t[33U]), + Eurydice_array_to_slice((size_t)384U, prf_outputs, uint8_t), + (size_t)128U); for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - re_as_ntt[i0] = - libcrux_ml_kem_sampling_sample_from_binomial_distribution_a0( - Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t)); - 
libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_ea(&re_as_ntt[i0]); + Eurydice_slice randomness = Eurydice_array_to_subslice3( + prf_outputs, i0 * (size_t)128U, (i0 + (size_t)1U) * (size_t)128U, + uint8_t *); + int16_t sample_buffer[256U] = {0U}; + libcrux_ml_kem_sampling_sample_from_binomial_distribution_a0(randomness, + sample_buffer); + libcrux_ml_kem_polynomial_from_i16_array_d6_df( + Eurydice_array_to_slice((size_t)256U, sample_buffer, int16_t), + &Eurydice_slice_index( + re_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *)); + libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_df( + &Eurydice_slice_index( + re_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *), + scratch); } return domain_separator; } @@ -3508,17 +3523,17 @@ libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_3b( /** This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@2]> for libcrux_ml_kem::ind_cpa::encrypt_c1::closure#1[TraitClause@0, TraitClause@1, TraitClause@2, -TraitClause@3]} +TraitClause@2]> for libcrux_ml_kem::ind_cpa::encrypt_c1::closure[TraitClause@0, TraitClause@1, TraitClause@2, TraitClause@3]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1.call_mut_dd +A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1.call_mut_77 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 +- K_SQUARED= 9 - C1_LEN= 960 - U_COMPRESSION_FACTOR= 10 - BLOCK_LEN= 320 
@@ -3526,10 +3541,12 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_dd_85(void **_, size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_ea(); +libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_77_fc(void **_, size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_df(); } /** 
@@ -3538,31 +3555,44 @@ libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_dd_85(void **_, size_t tupled_args) { /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_ring_element_cbd with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 - ETA2_RANDOMNESS_SIZE= 128 - ETA2= 2 +- PRF_OUTPUT_SIZE= 384 */ static KRML_MUSTINLINE uint8_t -libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_3b( - uint8_t *prf_input, uint8_t domain_separator, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_1) { +libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_40(uint8_t *prf_input, + uint8_t domain_separator, + Eurydice_slice error_1, + int16_t *sample_buffer) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[3U][33U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - core_array__core__clone__Clone_for__Array_T__N___clone( - (size_t)33U, prf_input, prf_inputs[i], uint8_t, void *); + memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t)); } domain_separator = libcrux_ml_kem_utils_prf_input_inc_e0(prf_inputs, domain_separator); - uint8_t prf_outputs[3U][128U]; - libcrux_ml_kem_hash_functions_portable_PRFxN_4a_41(prf_inputs, prf_outputs); + uint8_t prf_outputs[384U] = {0U}; + Eurydice_slice uu____1 = core_array___Array_T__N___as_slice( + (size_t)3U, prf_inputs, uint8_t[33U], Eurydice_slice); + libcrux_ml_kem_hash_functions_portable_PRFxN_6e( + uu____1, Eurydice_array_to_slice((size_t)384U, prf_outputs, uint8_t), + (size_t)128U); for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = - libcrux_ml_kem_sampling_sample_from_binomial_distribution_a0( - 
Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t)); - error_1[i0] = uu____0; + Eurydice_slice randomness = Eurydice_array_to_subslice3( + prf_outputs, i0 * (size_t)128U, (i0 + (size_t)1U) * (size_t)128U, + uint8_t *); + libcrux_ml_kem_sampling_sample_from_binomial_distribution_a0(randomness, + sample_buffer); + libcrux_ml_kem_polynomial_from_i16_array_d6_df( + Eurydice_array_to_slice((size_t)256U, sample_buffer, int16_t), + &Eurydice_slice_index( + error_1, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *)); } return domain_separator; } 
@@ -3573,44 +3603,65 @@ with const generics - LEN= 128 */ static inline void libcrux_ml_kem_hash_functions_portable_PRF_a6( - Eurydice_slice input, uint8_t ret[128U]) { - uint8_t digest[128U] = {0U}; - libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)128U, digest, uint8_t), input); - memcpy(ret, digest, (size_t)128U * sizeof(uint8_t)); + Eurydice_slice input, Eurydice_slice out) { + libcrux_sha3_portable_shake256(out, input); } /** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} */ /** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRF_4a +A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRF_6e with const generics -- K= 3 - LEN= 128 */ -static inline void libcrux_ml_kem_hash_functions_portable_PRF_4a_410( - Eurydice_slice input, uint8_t ret[128U]) { - libcrux_ml_kem_hash_functions_portable_PRF_a6(input, ret); +static inline void libcrux_ml_kem_hash_functions_portable_PRF_6e_a6( + Eurydice_slice input, Eurydice_slice out) { + libcrux_ml_kem_hash_functions_portable_PRF_a6(input, out); } /** This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]> for libcrux_ml_kem::matrix::compute_vector_u::closure[TraitClause@0, TraitClause@1]} +TraitClause@2]> for libcrux_ml_kem::ind_cpa::encrypt_c1::closure#1[TraitClause@0, TraitClause@1, TraitClause@2, TraitClause@3]} */ /** -A monomorphic instance of libcrux_ml_kem.matrix.compute_vector_u.call_mut_a8 +A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1.call_mut_88 +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics +- K= 3 +- K_SQUARED= 9 +- C1_LEN= 960 +- U_COMPRESSION_FACTOR= 10 +- 
BLOCK_LEN= 320 +- ETA1= 2 +- ETA1_RANDOMNESS_SIZE= 128 +- ETA2= 2 +- ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 +*/ +static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d +libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_88_fc(void **_, size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_df(); +} + +/** +A monomorphic instance of libcrux_ml_kem.matrix.entry with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 */ -static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_matrix_compute_vector_u_call_mut_a8_1b(void **_, - size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_ea(); +static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d * +libcrux_ml_kem_matrix_entry_1b(Eurydice_slice matrix, size_t i, size_t j) { + return &Eurydice_slice_index( + matrix, i * (size_t)3U + j, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *); } /** 
@@ -3619,22 +3670,17 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t j = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector - coefficient_normal_form = - libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( - myself->coefficients[j], (int16_t)1441); - libcrux_ml_kem_vector_portable_vector_type_PortableVector sum = - libcrux_ml_kem_vector_portable_add_b8(coefficient_normal_form, - &error->coefficients[j]); - libcrux_ml_kem_vector_portable_vector_type_PortableVector red = - libcrux_ml_kem_vector_portable_barrett_reduce_b8(sum); - myself->coefficients[j] = red; + libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( + &myself->coefficients[j], (int16_t)1441); + libcrux_ml_kem_vector_portable_add_b8(&myself->coefficients[j], + &error->coefficients[j]); + libcrux_ml_kem_vector_portable_barrett_reduce_b8(&myself->coefficients[j]); } } @@ -3649,10 +3695,10 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_d6_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_d6_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) { - libcrux_ml_kem_polynomial_add_error_reduce_ea(self, error); + libcrux_ml_kem_polynomial_add_error_reduce_df(self, error); } /** 
@@ -3665,46 +3711,40 @@ with const generics - K= 3 */ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_vector_u_1b( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d (*a_as_ntt)[3U], - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *r_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_1, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - result[i] = - libcrux_ml_kem_matrix_compute_vector_u_call_mut_a8_1b(&lvalue, i); - } - for (size_t i0 = (size_t)0U; - i0 < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)3U, a_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U]), - libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U]); - i0++) { + Eurydice_slice a_as_ntt, Eurydice_slice r_as_ntt, Eurydice_slice error_1, + Eurydice_slice result, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { + for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { size_t i1 = i0; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *row = a_as_ntt[i1]; - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)3U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d), - libcrux_ml_kem_polynomial_PolynomialRingElement_1d); - i++) { + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t j = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *a_element = &row[j]; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - libcrux_ml_kem_polynomial_ntt_multiply_d6_ea(a_element, &r_as_ntt[j]); - libcrux_ml_kem_polynomial_add_to_ring_element_d6_1b(&result[i1], - &product); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____0 = + libcrux_ml_kem_matrix_entry_1b(a_as_ntt, i1, j); + libcrux_ml_kem_polynomial_ntt_multiply_d6_df( + uu____0, + 
&Eurydice_slice_index( + r_as_ntt, j, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *), + scratch); + libcrux_ml_kem_polynomial_add_to_ring_element_d6_1b( + &Eurydice_slice_index( + result, i1, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *), + scratch); } - libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_1b(&result[i1]); - libcrux_ml_kem_polynomial_add_error_reduce_d6_ea(&result[i1], &error_1[i1]); + libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_1b( + &Eurydice_slice_index( + result, i1, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *), + scratch); + libcrux_ml_kem_polynomial_add_error_reduce_d6_df( + &Eurydice_slice_index( + result, i1, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *), + &Eurydice_slice_index( + error_1, i1, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *)); } - memcpy( - ret, result, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); } /** 
@@ -3712,19 +3752,17 @@ A monomorphic instance of libcrux_ml_kem.vector.portable.compress.compress with const generics - COEFFICIENT_BITS= 10 */ -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_compress_compress_ef( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_compress_compress_ef( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int16_t uu____0 = libcrux_secrets_int_as_i16_f5( libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient( (uint8_t)(int32_t)10, - libcrux_secrets_int_as_u16_f5(a.elements[i0]))); - a.elements[i0] = uu____0; + libcrux_secrets_int_as_u16_f5(a->elements[i0]))); + a->elements[i0] = uu____0; } - return a; } /** @@ -3736,10 +3774,9 @@ A monomorphic instance of libcrux_ml_kem.vector.portable.compress_b8 with const generics - COEFFICIENT_BITS= 10 */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_compress_b8_ef( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return libcrux_ml_kem_vector_portable_compress_compress_ef(a); +static inline void libcrux_ml_kem_vector_portable_compress_b8_ef( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { + libcrux_ml_kem_vector_portable_compress_compress_ef(a); } /** 
@@ -3750,23 +3787,20 @@ with const generics */ static KRML_MUSTINLINE void libcrux_ml_kem_serialize_compress_then_serialize_10_ff( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, uint8_t ret[320U]) { - uint8_t serialized[320U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, + Eurydice_slice serialized, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - libcrux_ml_kem_vector_portable_compress_b8_ef( - libcrux_ml_kem_serialize_to_unsigned_field_modulus_ea( - re->coefficients[i0])); - uint8_t bytes[20U]; - libcrux_ml_kem_vector_portable_serialize_10_b8(coefficient, bytes); - Eurydice_slice_copy( - Eurydice_array_to_subslice3(serialized, (size_t)20U * i0, - (size_t)20U * i0 + (size_t)20U, uint8_t *), - Eurydice_array_to_slice((size_t)20U, bytes, uint8_t), uint8_t); + libcrux_ml_kem_serialize_to_unsigned_field_modulus_df(&re->coefficients[i0], + scratch); + libcrux_ml_kem_vector_portable_compress_b8_ef(scratch); + libcrux_ml_kem_vector_portable_serialize_10_b8( + scratch, + Eurydice_slice_subslice3(serialized, (size_t)20U * i0, + (size_t)20U * i0 + (size_t)20U, uint8_t *)); } - memcpy(ret, serialized, (size_t)320U * sizeof(uint8_t)); } /** 
@@ -3778,10 +3812,11 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE void libcrux_ml_kem_serialize_compress_then_serialize_ring_element_u_fe( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, uint8_t ret[320U]) { - uint8_t uu____0[320U]; - libcrux_ml_kem_serialize_compress_then_serialize_10_ff(re, uu____0); - memcpy(ret, uu____0, (size_t)320U * sizeof(uint8_t)); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, + Eurydice_slice serialized, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { + libcrux_ml_kem_serialize_compress_then_serialize_10_ff(re, serialized, + scratch); } /** @@ -3798,7 +3833,8 @@ with const generics */ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_compress_then_serialize_u_43( libcrux_ml_kem_polynomial_PolynomialRingElement_1d input[3U], - Eurydice_slice out) { + Eurydice_slice out, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( 
@@ -3808,23 +3844,21 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_compress_then_serialize_u_43( i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = input[i0]; - Eurydice_slice uu____0 = Eurydice_slice_subslice3( - out, i0 * ((size_t)960U / (size_t)3U), - (i0 + (size_t)1U) * ((size_t)960U / (size_t)3U), uint8_t *); - uint8_t ret[320U]; - libcrux_ml_kem_serialize_compress_then_serialize_ring_element_u_fe(&re, - ret); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)320U, ret, uint8_t), uint8_t); + libcrux_ml_kem_serialize_compress_then_serialize_ring_element_u_fe( + &re, + Eurydice_slice_subslice3( + out, i0 * ((size_t)960U / (size_t)3U), + (i0 + (size_t)1U) * ((size_t)960U / (size_t)3U), uint8_t *), + scratch); } } /** A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 +- K_SQUARED= 9 - C1_LEN= 960 - U_COMPRESSION_FACTOR= 10 - BLOCK_LEN= 320 
@@ -3832,55 +3866,80 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ -static KRML_MUSTINLINE tuple_ed libcrux_ml_kem_ind_cpa_encrypt_c1_85( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_c1_fc( Eurydice_slice randomness, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d (*matrix)[3U], - Eurydice_slice ciphertext) { + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *matrix, + Eurydice_slice ciphertext, Eurydice_slice r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_2, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { uint8_t prf_input[33U]; libcrux_ml_kem_utils_into_padded_array_c8(randomness, prf_input); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d r_as_ntt[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - r_as_ntt[i] = libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_f1_85(&lvalue, i); - } uint8_t domain_separator0 = - libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_3b(r_as_ntt, prf_input, - 0U); + libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_40( + r_as_ntt, prf_input, 0U, scratch->coefficients); libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_1[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { /* original Rust expression is not an lvalue in C */ void *lvalue = (void *)0U; - error_1[i] = libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_dd_85(&lvalue, i); + error_1[i] = libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_77_fc(&lvalue, i); } - uint8_t domain_separator = libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_3b( - prf_input, domain_separator0, error_1); + int16_t sampling_buffer[256U] = {0U}; + uint8_t domain_separator = libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_40( + prf_input, domain_separator0, + Eurydice_array_to_slice( + (size_t)3U, error_1, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + 
sampling_buffer); prf_input[32U] = domain_separator; - uint8_t prf_output[128U]; - libcrux_ml_kem_hash_functions_portable_PRF_4a_410( - Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t), prf_output); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_2 = - libcrux_ml_kem_sampling_sample_from_binomial_distribution_a0( - Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t)); + uint8_t prf_output[128U] = {0U}; + libcrux_ml_kem_hash_functions_portable_PRF_6e_a6( + Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t), + Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t)); + libcrux_ml_kem_sampling_sample_from_binomial_distribution_a0( + Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t), + sampling_buffer); + libcrux_ml_kem_polynomial_from_i16_array_d6_df( + Eurydice_array_to_slice((size_t)256U, sampling_buffer, int16_t), error_2); libcrux_ml_kem_polynomial_PolynomialRingElement_1d u[3U]; - libcrux_ml_kem_matrix_compute_vector_u_1b(matrix, r_as_ntt, error_1, u); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0[3U]; - memcpy( - uu____0, u, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); - libcrux_ml_kem_ind_cpa_compress_then_serialize_u_43(uu____0, ciphertext); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + u[i] = libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_88_fc(&lvalue, i); + } + libcrux_ml_kem_matrix_compute_vector_u_1b( + Eurydice_array_to_slice( + (size_t)9U, matrix, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + r_as_ntt, + Eurydice_array_to_slice( + (size_t)3U, error_1, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + Eurydice_array_to_slice( + (size_t)3U, u, libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + scratch); /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_kem_polynomial_PolynomialRingElement_1d copy_of_r_as_ntt[3U]; + 
libcrux_ml_kem_polynomial_PolynomialRingElement_1d copy_of_u[3U]; memcpy( - copy_of_r_as_ntt, r_as_ntt, + copy_of_u, u, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); - tuple_ed lit; - memcpy( - lit.fst, copy_of_r_as_ntt, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); - lit.snd = error_2; - return lit; + libcrux_ml_kem_ind_cpa_compress_then_serialize_u_43(copy_of_u, ciphertext, + scratch->coefficients); +} + +/** +A monomorphic instance of libcrux_ml_kem.vector.traits.decompress_1 +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector +with const generics + +*/ +static KRML_MUSTINLINE void libcrux_ml_kem_vector_traits_decompress_1_df( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec) { + libcrux_ml_kem_vector_portable_negate_b8(vec); + libcrux_ml_kem_vector_portable_bitwise_and_with_constant_b8(vec, + (int16_t)1665); } /** 
@@ -3889,24 +3948,18 @@ libcrux_ml_kem.serialize.deserialize_then_decompress_message with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_serialize_deserialize_then_decompress_message_ea( - uint8_t *serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = - libcrux_ml_kem_polynomial_ZERO_d6_ea(); +static KRML_MUSTINLINE void +libcrux_ml_kem_serialize_deserialize_then_decompress_message_df( + uint8_t *serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector - coefficient_compressed = - libcrux_ml_kem_vector_portable_deserialize_1_b8( - Eurydice_array_to_subslice3(serialized, (size_t)2U * i0, - (size_t)2U * i0 + (size_t)2U, - uint8_t *)); - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_decompress_1_b8(coefficient_compressed); - re.coefficients[i0] = uu____0; + libcrux_ml_kem_vector_portable_deserialize_1_b8( + Eurydice_array_to_subslice3(serialized, (size_t)2U * i0, + (size_t)2U * i0 + (size_t)2U, uint8_t *), + &re->coefficients[i0]); + libcrux_ml_kem_vector_traits_decompress_1_df(&re->coefficients[i0]); } - return re; } /** 
@@ -3915,28 +3968,22 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_polynomial_add_message_error_reduce_ea( +static KRML_MUSTINLINE void +libcrux_ml_kem_polynomial_add_message_error_reduce_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result) { + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *result, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector - coefficient_normal_form = - libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( - result.coefficients[i0], (int16_t)1441); - libcrux_ml_kem_vector_portable_vector_type_PortableVector sum1 = - libcrux_ml_kem_vector_portable_add_b8(myself->coefficients[i0], - &message->coefficients[i0]); - libcrux_ml_kem_vector_portable_vector_type_PortableVector sum2 = - libcrux_ml_kem_vector_portable_add_b8(coefficient_normal_form, &sum1); - libcrux_ml_kem_vector_portable_vector_type_PortableVector red = - libcrux_ml_kem_vector_portable_barrett_reduce_b8(sum2); - result.coefficients[i0] = red; + libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( + &result->coefficients[i0], (int16_t)1441); + scratch[0U] = myself->coefficients[i0]; + libcrux_ml_kem_vector_portable_add_b8(scratch, &message->coefficients[i0]); + libcrux_ml_kem_vector_portable_add_b8(&result->coefficients[i0], scratch); + libcrux_ml_kem_vector_portable_barrett_reduce_b8(&result->coefficients[i0]); } - return result; } /** 
@@ -3950,13 +3997,14 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_polynomial_add_message_error_reduce_d6_ea( +static KRML_MUSTINLINE void +libcrux_ml_kem_polynomial_add_message_error_reduce_d6_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result) { - return libcrux_ml_kem_polynomial_add_message_error_reduce_ea(self, message, - result); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *result, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { + libcrux_ml_kem_polynomial_add_message_error_reduce_df(self, message, result, + scratch); } /** 
@@ -3968,24 +4016,26 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_matrix_compute_ring_element_v_1b( +static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_ring_element_v_1b( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *t_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *r_as_ntt, + Eurydice_slice r_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_2, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = - libcrux_ml_kem_polynomial_ZERO_d6_ea(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *result, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - libcrux_ml_kem_polynomial_ntt_multiply_d6_ea(&t_as_ntt[i0], - &r_as_ntt[i0]); - libcrux_ml_kem_polynomial_add_to_ring_element_d6_1b(&result, &product); + libcrux_ml_kem_polynomial_ntt_multiply_d6_df( + &t_as_ntt[i0], + &Eurydice_slice_index( + r_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *), + scratch); + libcrux_ml_kem_polynomial_add_to_ring_element_d6_1b(result, scratch); } - libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_1b(&result); - return libcrux_ml_kem_polynomial_add_message_error_reduce_d6_ea( - error_2, message, result); + libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_1b(result, scratch); + libcrux_ml_kem_polynomial_add_message_error_reduce_d6_df( + error_2, message, result, scratch->coefficients); } /** 
@@ -3993,19 +4043,17 @@ A monomorphic instance of libcrux_ml_kem.vector.portable.compress.compress with const generics - COEFFICIENT_BITS= 4 */ -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_compress_compress_d1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_compress_compress_d1( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int16_t uu____0 = libcrux_secrets_int_as_i16_f5( libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient( (uint8_t)(int32_t)4, - libcrux_secrets_int_as_u16_f5(a.elements[i0]))); - a.elements[i0] = uu____0; + libcrux_secrets_int_as_u16_f5(a->elements[i0]))); + a->elements[i0] = uu____0; } - return a; } /** @@ -4017,10 +4065,9 @@ A monomorphic instance of libcrux_ml_kem.vector.portable.compress_b8 with const generics - COEFFICIENT_BITS= 4 */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_compress_b8_d1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return libcrux_ml_kem_vector_portable_compress_compress_d1(a); +static inline void libcrux_ml_kem_vector_portable_compress_b8_d1( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { + libcrux_ml_kem_vector_portable_compress_compress_d1(a); } /** 
@@ -4030,22 +4077,20 @@ with const generics */ static KRML_MUSTINLINE void -libcrux_ml_kem_serialize_compress_then_serialize_4_ea( +libcrux_ml_kem_serialize_compress_then_serialize_4_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d re, - Eurydice_slice serialized) { + Eurydice_slice serialized, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - libcrux_ml_kem_vector_portable_compress_b8_d1( - libcrux_ml_kem_serialize_to_unsigned_field_modulus_ea( - re.coefficients[i0])); - uint8_t bytes[8U]; - libcrux_ml_kem_vector_portable_serialize_4_b8(coefficient, bytes); - Eurydice_slice_copy( + libcrux_ml_kem_serialize_to_unsigned_field_modulus_df(&re.coefficients[i0], + scratch); + libcrux_ml_kem_vector_portable_compress_b8_d1(scratch); + libcrux_ml_kem_vector_portable_serialize_4_b8( + scratch, Eurydice_slice_subslice3(serialized, (size_t)8U * i0, - (size_t)8U * i0 + (size_t)8U, uint8_t *), - Eurydice_array_to_slice((size_t)8U, bytes, uint8_t), uint8_t); + (size_t)8U * i0 + (size_t)8U, uint8_t *)); } } @@ -4059,8 +4104,9 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE void libcrux_ml_kem_serialize_compress_then_serialize_ring_element_v_6c( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re, Eurydice_slice out) { - libcrux_ml_kem_serialize_compress_then_serialize_4_ea(re, out); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d re, Eurydice_slice out, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { + libcrux_ml_kem_serialize_compress_then_serialize_4_df(re, out, scratch); } /** 
@@ -4073,16 +4119,20 @@ with const generics */ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_c2_6c( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *t_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *r_as_ntt, + Eurydice_slice r_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_2, - uint8_t *message, Eurydice_slice ciphertext) { + uint8_t *message, Eurydice_slice ciphertext, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d message_as_ring_element = - libcrux_ml_kem_serialize_deserialize_then_decompress_message_ea(message); + libcrux_ml_kem_polynomial_ZERO_d6_df(); + libcrux_ml_kem_serialize_deserialize_then_decompress_message_df( + message, &message_as_ring_element); libcrux_ml_kem_polynomial_PolynomialRingElement_1d v = - libcrux_ml_kem_matrix_compute_ring_element_v_1b( - t_as_ntt, r_as_ntt, error_2, &message_as_ring_element); + libcrux_ml_kem_polynomial_ZERO_d6_df(); + libcrux_ml_kem_matrix_compute_ring_element_v_1b( + t_as_ntt, r_as_ntt, error_2, &message_as_ring_element, &v, scratch); libcrux_ml_kem_serialize_compress_then_serialize_ring_element_v_6c( - v, ciphertext); + v, ciphertext, scratch->coefficients); } /** @@ -4129,9 +4179,9 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_c2_6c( /** A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - T_AS_NTT_ENCODED_SIZE= 1152 - C1_LEN= 960 
@@ -4143,38 +4193,32 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_unpacked_2a( - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 *public_key, - uint8_t *message, Eurydice_slice randomness, uint8_t ret[1088U]) { - uint8_t ciphertext[1088U] = {0U}; - tuple_ed uu____0 = libcrux_ml_kem_ind_cpa_encrypt_c1_85( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_unpacked_28( + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_be *public_key, + uint8_t *message, Eurydice_slice randomness, Eurydice_slice ciphertext, + Eurydice_slice r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_2, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { + libcrux_ml_kem_ind_cpa_encrypt_c1_fc( randomness, public_key->A, - Eurydice_array_to_subslice3(ciphertext, (size_t)0U, (size_t)960U, - uint8_t *)); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d r_as_ntt[3U]; - memcpy( - r_as_ntt, uu____0.fst, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_2 = uu____0.snd; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____1 = - public_key->t_as_ntt; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____2 = r_as_ntt; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____3 = &error_2; - uint8_t *uu____4 = message; + Eurydice_slice_subslice3(ciphertext, (size_t)0U, (size_t)960U, uint8_t *), + r_as_ntt, error_2, scratch); libcrux_ml_kem_ind_cpa_encrypt_c2_6c( - uu____1, uu____2, uu____3, uu____4, - Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, (size_t)960U, - uint8_t, size_t, uint8_t[])); - memcpy(ret, ciphertext, (size_t)1088U * sizeof(uint8_t)); + public_key->t_as_ntt, r_as_ntt, error_2, message, + Eurydice_slice_subslice_from(ciphertext, (size_t)960U, uint8_t, size_t, + uint8_t[]), 
+ scratch); } /** A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - T_AS_NTT_ENCODED_SIZE= 1152 - C1_LEN= 960 @@ -4186,17 +4230,21 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_2a( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_28( Eurydice_slice public_key, uint8_t *message, Eurydice_slice randomness, - uint8_t ret[1088U]) { - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 - unpacked_public_key = - libcrux_ml_kem_ind_cpa_build_unpacked_public_key_3f(public_key); - uint8_t ret0[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_unpacked_2a(&unpacked_public_key, message, - randomness, ret0); - memcpy(ret, ret0, (size_t)1088U * sizeof(uint8_t)); + Eurydice_slice ciphertext, Eurydice_slice r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_2, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_be + unpacked_public_key = libcrux_ml_kem_ind_cpa_unpacked_default_50_89(); + libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_e2(public_key, + &unpacked_public_key); + libcrux_ml_kem_ind_cpa_encrypt_unpacked_28(&unpacked_public_key, message, + randomness, ciphertext, r_as_ntt, + error_2, scratch); } /** 
@@ -4205,17 +4253,14 @@ libcrux_ml_kem::variant::MlKem} */ /** A monomorphic instance of libcrux_ml_kem.variant.kdf_39 -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 - CIPHERTEXT_SIZE= 1088 */ -static KRML_MUSTINLINE void libcrux_ml_kem_variant_kdf_39_d6( - Eurydice_slice shared_secret, uint8_t *_, uint8_t ret[32U]) { - uint8_t out[32U] = {0U}; - Eurydice_slice_copy(Eurydice_array_to_slice((size_t)32U, out, uint8_t), - shared_secret, uint8_t); - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); +static KRML_MUSTINLINE void libcrux_ml_kem_variant_kdf_39_1f( + Eurydice_slice shared_secret, uint8_t *_, Eurydice_slice out) { + Eurydice_slice_copy(out, shared_secret, uint8_t); } /** @@ -4224,9 +4269,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_variant_kdf_39_d6( /** A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 @@ -4241,9 +4287,11 @@ libcrux_ml_kem_variant_MlKem with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_62( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_d7( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { Eurydice_slice_uint8_t_x4 uu____0 = 
@@ -4253,9 +4301,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_62( Eurydice_slice ind_cpa_public_key = uu____0.snd; Eurydice_slice ind_cpa_public_key_hash = uu____0.thd; Eurydice_slice implicit_rejection_value = uu____0.f3; - uint8_t decrypted[32U]; - libcrux_ml_kem_ind_cpa_decrypt_42(ind_cpa_secret_key, ciphertext->value, - decrypted); + uint8_t decrypted[32U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d scratch = + libcrux_ml_kem_polynomial_ZERO_d6_df(); + libcrux_ml_kem_ind_cpa_decrypt_42( + ind_cpa_secret_key, ciphertext->value, + Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), &scratch); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array_24( Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0); @@ -4264,9 +4315,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_62( (size_t)64U, to_hash0, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, size_t, uint8_t[]), ind_cpa_public_key_hash, uint8_t); - uint8_t hashed[64U]; - libcrux_ml_kem_hash_functions_portable_G_4a_e0( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed); + uint8_t hashed[64U] = {0U}; + libcrux_ml_kem_hash_functions_portable_G_6e( + Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t)); Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, 
@@ -4280,32 +4332,47 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_62( uint8_t, size_t, uint8_t[]); Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_d3_80(ciphertext), uint8_t); - uint8_t implicit_rejection_shared_secret0[32U]; - libcrux_ml_kem_hash_functions_portable_PRF_4a_41( + uint8_t implicit_rejection_shared_secret[32U] = {0U}; + libcrux_ml_kem_hash_functions_portable_PRF_6e_9e( Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t), - implicit_rejection_shared_secret0); - uint8_t expected_ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_2a(ind_cpa_public_key, decrypted, - pseudorandomness, expected_ciphertext); - uint8_t implicit_rejection_shared_secret[32U]; - libcrux_ml_kem_variant_kdf_39_d6( - Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, + uint8_t)); + uint8_t expected_ciphertext[1088U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d r_as_ntt[3U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + r_as_ntt[i] = libcrux_ml_kem_ind_cca_decapsulate_call_mut_5f_d7(&lvalue, i); + } + libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_2 = + libcrux_ml_kem_polynomial_ZERO_d6_df(); + libcrux_ml_kem_ind_cpa_encrypt_28( + ind_cpa_public_key, decrypted, pseudorandomness, + Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t), + Eurydice_array_to_slice( + (size_t)3U, r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + &error_2, &scratch); + uint8_t implicit_rejection_shared_secret_kdf[32U] = {0U}; + libcrux_ml_kem_variant_kdf_39_1f( + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t), - libcrux_ml_kem_types_as_slice_a9_80(ciphertext), - implicit_rejection_shared_secret); - uint8_t shared_secret[32U]; - libcrux_ml_kem_variant_kdf_39_d6( - shared_secret0, 
libcrux_ml_kem_types_as_slice_a9_80(ciphertext), - shared_secret); - uint8_t ret0[32U]; + ciphertext->value, + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret_kdf, + uint8_t)); + uint8_t shared_secret_kdf[32U] = {0U}; + libcrux_ml_kem_variant_kdf_39_1f( + shared_secret0, ciphertext->value, + Eurydice_array_to_slice((size_t)32U, shared_secret_kdf, uint8_t)); + uint8_t shared_secret[32U] = {0U}; libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( libcrux_ml_kem_types_as_ref_d3_80(ciphertext), Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t), - Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t), - Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, + Eurydice_array_to_slice((size_t)32U, shared_secret_kdf, uint8_t), + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret_kdf, uint8_t), - ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t)); + memcpy(ret, shared_secret, (size_t)32U * sizeof(uint8_t)); } /** @@ -4315,6 +4382,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_62( A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.decapsulate with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 
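Review bot: After the constant-time select, the losing shared secret and every secret-dependent intermediate stay on the stack uncleared: `decrypted` (the output of `decrypt_42`), `hashed` (K' and the coins), `implicit_rejection_shared_secret`, both `*_kdf` arrays, and the newly added `r_as_ntt`/`error_2`/`scratch` buffers that `encrypt_28` fills from the coins; only `shared_secret` is copied into `ret`, leaving a second copy of the selected secret behind. I cannot see from this hunk whether the Rust source zeroizes these on drop; if it does not, the Rust side is where the fix belongs, since this C is generated. Until then a `/* NOTE: decrypted, hashed, the implicit-rejection secret and the scratch polynomials remain on the stack after return */` at the end of the body would at least flag it for C callers. `libcrux_ml_kem_ind_cca_decapsulate_d7` begins in an earlier hunk.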
@@ -4329,13 +4397,15 @@ libcrux_ml_kem.ind_cca.instantiations.portable.decapsulate with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ static inline void -libcrux_ml_kem_ind_cca_instantiations_portable_decapsulate_35( +libcrux_ml_kem_ind_cca_instantiations_portable_decapsulate_54( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_decapsulate_62(private_key, ciphertext, ret); + libcrux_ml_kem_ind_cca_decapsulate_d7(private_key, ciphertext, ret); } /** @@ -4348,7 +4418,7 @@ libcrux_ml_kem_ind_cca_instantiations_portable_decapsulate_35( static inline void libcrux_ml_kem_mlkem768_portable_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_instantiations_portable_decapsulate_35( + libcrux_ml_kem_ind_cca_instantiations_portable_decapsulate_54( private_key, ciphertext, ret); } 
@@ -4358,38 +4428,60 @@ libcrux_ml_kem::variant::MlKem} */ /** A monomorphic instance of libcrux_ml_kem.variant.entropy_preprocess_39 -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 */ -static KRML_MUSTINLINE void libcrux_ml_kem_variant_entropy_preprocess_39_9c( - Eurydice_slice randomness, uint8_t ret[32U]) { - uint8_t out[32U] = {0U}; - Eurydice_slice_copy(Eurydice_array_to_slice((size_t)32U, out, uint8_t), - randomness, uint8_t); - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); +static KRML_MUSTINLINE void libcrux_ml_kem_variant_entropy_preprocess_39_f0( + Eurydice_slice randomness, Eurydice_slice out) { + Eurydice_slice_copy(out, randomness, uint8_t); } /** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} +This function found in impl {core::ops::function::FnMut<(usize), +libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@3]> for libcrux_ml_kem::ind_cca::encapsulate::closure[TraitClause@0, +TraitClause@1, TraitClause@2, TraitClause@3, TraitClause@4, TraitClause@5]} */ /** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.H_4a -with const generics +A monomorphic instance of libcrux_ml_kem.ind_cca.encapsulate.call_mut_c0 +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, +libcrux_ml_kem_hash_functions_portable_PortableHash, +libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 +- CIPHERTEXT_SIZE= 1088 +- PUBLIC_KEY_SIZE= 1184 +- T_AS_NTT_ENCODED_SIZE= 1152 +- C1_SIZE= 960 +- C2_SIZE= 128 +- VECTOR_U_COMPRESSION_FACTOR= 10 +- VECTOR_V_COMPRESSION_FACTOR= 4 +- C1_BLOCK_SIZE= 320 +- ETA1= 2 +- ETA1_RANDOMNESS_SIZE= 128 +- ETA2= 2 +- ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ -static inline void libcrux_ml_kem_hash_functions_portable_H_4a_e0( - 
Eurydice_slice input, uint8_t ret[32U]) { - libcrux_ml_kem_hash_functions_portable_H(input, ret); +static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d +libcrux_ml_kem_ind_cca_encapsulate_call_mut_c0_d9(void **_, + size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_df(); } /** A monomorphic instance of libcrux_ml_kem.ind_cca.encapsulate with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - PUBLIC_KEY_SIZE= 1184 - T_AS_NTT_ENCODED_SIZE= 1152 
@@ -4402,49 +4494,69 @@ libcrux_ml_kem_variant_MlKem with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ -static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_ca( +static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_d9( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, uint8_t *randomness) { - uint8_t randomness0[32U]; - libcrux_ml_kem_variant_entropy_preprocess_39_9c( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), randomness0); + uint8_t processed_randomness[32U] = {0U}; + libcrux_ml_kem_variant_entropy_preprocess_39_f0( + Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), + Eurydice_array_to_slice((size_t)32U, processed_randomness, uint8_t)); uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array_24( - Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t), to_hash); - Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( - (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, uint8_t[]); - uint8_t ret0[32U]; - libcrux_ml_kem_hash_functions_portable_H_4a_e0( - Eurydice_array_to_slice((size_t)1184U, - libcrux_ml_kem_types_as_slice_e6_d0(public_key), - uint8_t), - ret0); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)32U, ret0, uint8_t), uint8_t); - uint8_t hashed[64U]; - libcrux_ml_kem_hash_functions_portable_G_4a_e0( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), hashed); + Eurydice_array_to_slice((size_t)32U, processed_randomness, uint8_t), + to_hash); + Eurydice_slice uu____0 = Eurydice_array_to_slice( + (size_t)1184U, libcrux_ml_kem_types_as_slice_e6_d0(public_key), uint8_t); + libcrux_ml_kem_hash_functions_portable_H_6e( + uu____0, Eurydice_array_to_subslice_from( + (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, + uint8_t, size_t, uint8_t[])); + uint8_t hashed[64U] = {0U}; + libcrux_ml_kem_hash_functions_portable_G_6e( + 
Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t)); Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; - uint8_t ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_2a( + libcrux_ml_kem_mlkem768_MlKem768Ciphertext ciphertext = + libcrux_ml_kem_types_default_73_80(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d r_as_ntt[3U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + r_as_ntt[i] = libcrux_ml_kem_ind_cca_encapsulate_call_mut_c0_d9(&lvalue, i); + } + libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_2 = + libcrux_ml_kem_polynomial_ZERO_d6_df(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d scratch = + libcrux_ml_kem_polynomial_ZERO_d6_df(); + libcrux_ml_kem_ind_cpa_encrypt_28( Eurydice_array_to_slice((size_t)1184U, libcrux_ml_kem_types_as_slice_e6_d0(public_key), uint8_t), - randomness0, pseudorandomness, ciphertext); + processed_randomness, pseudorandomness, + Eurydice_array_to_slice((size_t)1088U, ciphertext.value, uint8_t), + Eurydice_array_to_slice( + (size_t)3U, r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + &error_2, &scratch); + uint8_t shared_secret_array[32U] = {0U}; + libcrux_ml_kem_variant_kdf_39_1f( + shared_secret, ciphertext.value, + Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t)); + libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____2 = ciphertext; /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_ciphertext[1088U]; - memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t)); + uint8_t copy_of_shared_secret_array[32U]; + memcpy(copy_of_shared_secret_array, 
shared_secret_array, + (size_t)32U * sizeof(uint8_t)); tuple_c2 lit; - lit.fst = libcrux_ml_kem_types_from_e0_80(copy_of_ciphertext); - uint8_t ret[32U]; - libcrux_ml_kem_variant_kdf_39_d6(shared_secret, ciphertext, ret); - memcpy(lit.snd, ret, (size_t)32U * sizeof(uint8_t)); + lit.fst = uu____2; + memcpy(lit.snd, copy_of_shared_secret_array, (size_t)32U * sizeof(uint8_t)); return lit; } @@ -4452,6 +4564,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_ca( A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.encapsulate with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - PUBLIC_KEY_SIZE= 1184 - T_AS_NTT_ENCODED_SIZE= 1152 @@ -4464,11 +4577,13 @@ libcrux_ml_kem.ind_cca.instantiations.portable.encapsulate with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ static inline tuple_c2 -libcrux_ml_kem_ind_cca_instantiations_portable_encapsulate_cd( +libcrux_ml_kem_ind_cca_instantiations_portable_encapsulate_35( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, uint8_t *randomness) { - return libcrux_ml_kem_ind_cca_encapsulate_ca(public_key, randomness); + return libcrux_ml_kem_ind_cca_encapsulate_d9(public_key, randomness); } /** @@ -4481,7 +4596,7 @@ libcrux_ml_kem_ind_cca_instantiations_portable_encapsulate_cd( static inline tuple_c2 libcrux_ml_kem_mlkem768_portable_encapsulate( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, uint8_t randomness[32U]) { - return libcrux_ml_kem_ind_cca_instantiations_portable_encapsulate_cd( + return libcrux_ml_kem_ind_cca_instantiations_portable_encapsulate_35( public_key, randomness); } 
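Review bot: The shared secret is materialised three times on the stack before reaching the caller — `hashed[0..32]`, `shared_secret_array` and `copy_of_shared_secret_array` — and `processed_randomness` (the message passed to `encrypt_28`) and `hashed[32..64]` (the coins) remain alongside them when `libcrux_ml_kem_ind_cca_encapsulate_d9` returns; none is cleared. The third copy is the generator's "passing arrays by value" artifact, so it stems from the Rust source moving the array into the returned tuple; having `kdf` write directly into the tuple's array, or zeroizing the locals on the Rust side, would remove it. If the Rust side already wipes these (not visible here), a one-line `/* processed_randomness, hashed and shared_secret_array hold secrets; cleared on the Rust side */` in the generated comment would help the C reader; otherwise this is worth fixing before C callers consume the header.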
@@ -4501,7 +4616,7 @@ libcrux_ml_kem_ind_cpa_unpacked_default_70_1b(void) { libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0 lit; libcrux_ml_kem_polynomial_PolynomialRingElement_1d repeat_expression[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - repeat_expression[i] = libcrux_ml_kem_polynomial_ZERO_d6_ea(); + repeat_expression[i] = libcrux_ml_kem_polynomial_ZERO_d6_df(); } memcpy( lit.secret_as_ntt, repeat_expression, @@ -4515,12 +4630,12 @@ libcrux_ml_kem::variant::MlKem} */ /** A monomorphic instance of libcrux_ml_kem.variant.cpa_keygen_seed_39 -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 */ -static KRML_MUSTINLINE void libcrux_ml_kem_variant_cpa_keygen_seed_39_9c( - Eurydice_slice key_generation_seed, uint8_t ret[64U]) { +static KRML_MUSTINLINE void libcrux_ml_kem_variant_cpa_keygen_seed_39_f0( + Eurydice_slice key_generation_seed, Eurydice_slice out) { uint8_t seed[33U] = {0U}; Eurydice_slice_copy( Eurydice_array_to_subslice3( @@ -4529,10 +4644,8 @@ static KRML_MUSTINLINE void libcrux_ml_kem_variant_cpa_keygen_seed_39_9c( key_generation_seed, uint8_t); seed[LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE] = (uint8_t)(size_t)3U; - uint8_t ret0[64U]; - libcrux_ml_kem_hash_functions_portable_G_4a_e0( - Eurydice_array_to_slice((size_t)33U, seed, uint8_t), ret0); - memcpy(ret, ret0, (size_t)64U * sizeof(uint8_t)); + libcrux_ml_kem_hash_functions_portable_G_6e( + Eurydice_array_to_slice((size_t)33U, seed, uint8_t), out); } /** 
@@ -4540,23 +4653,26 @@ This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, TraitClause@3]> for libcrux_ml_kem::ind_cpa::generate_keypair_unpacked::closure[TraitClause@0, TraitClause@1, -TraitClause@2, TraitClause@3, TraitClause@4, TraitClause@5]} +Scheme, K, K_SQUARED, ETA1, ETA1_RANDOMNESS_SIZE, +PRF_OUTPUT_SIZE1>[TraitClause@0, TraitClause@1, TraitClause@2, TraitClause@3, +TraitClause@4, TraitClause@5]} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cpa.generate_keypair_unpacked.call_mut_73 with types +libcrux_ml_kem.ind_cpa.generate_keypair_unpacked.call_mut_ae with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_call_mut_73_1c( +libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_call_mut_ae_b8( void **_, size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_ea(); + return libcrux_ml_kem_polynomial_ZERO_d6_df(); } /** 
@@ -4565,10 +4681,9 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_polynomial_to_standard_domain_ea( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vector) { - return libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_to_standard_domain_df( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vector) { + libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( vector, LIBCRUX_ML_KEM_VECTOR_TRAITS_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS); } @@ -4580,22 +4695,16 @@ with const generics */ static KRML_MUSTINLINE void -libcrux_ml_kem_polynomial_add_standard_error_reduce_ea( +libcrux_ml_kem_polynomial_add_standard_error_reduce_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t j = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector - coefficient_normal_form = - libcrux_ml_kem_polynomial_to_standard_domain_ea( - myself->coefficients[j]); - libcrux_ml_kem_vector_portable_vector_type_PortableVector sum = - libcrux_ml_kem_vector_portable_add_b8(coefficient_normal_form, - &error->coefficients[j]); - libcrux_ml_kem_vector_portable_vector_type_PortableVector red = - libcrux_ml_kem_vector_portable_barrett_reduce_b8(sum); - myself->coefficients[j] = red; + libcrux_ml_kem_polynomial_to_standard_domain_df(&myself->coefficients[j]); + libcrux_ml_kem_vector_portable_add_b8(&myself->coefficients[j], + &error->coefficients[j]); + libcrux_ml_kem_vector_portable_barrett_reduce_b8(&myself->coefficients[j]); } } 
@@ -4611,10 +4720,10 @@ with const generics */ static KRML_MUSTINLINE void -libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_ea( +libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) { - libcrux_ml_kem_polynomial_add_standard_error_reduce_ea(self, error); + libcrux_ml_kem_polynomial_add_standard_error_reduce_df(self, error); } /** 
@@ -4628,38 +4737,25 @@ with const generics */ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_As_plus_e_1b( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *t_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d (*matrix_A)[3U], + Eurydice_slice matrix_A, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *s_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_as_ntt) { - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)3U, matrix_A, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U]), - libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U]); - i++) { + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *row = matrix_A[i0]; libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = - libcrux_ml_kem_polynomial_ZERO_d6_ea(); + libcrux_ml_kem_polynomial_ZERO_d6_df(); t_as_ntt[i0] = uu____0; - for (size_t i1 = (size_t)0U; - i1 < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)3U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d), - libcrux_ml_kem_polynomial_PolynomialRingElement_1d); - i1++) { + for (size_t i1 = (size_t)0U; i1 < (size_t)3U; i1++) { size_t j = i1; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *matrix_element = - &row[j]; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - libcrux_ml_kem_polynomial_ntt_multiply_d6_ea(matrix_element, - &s_as_ntt[j]); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____1 = + libcrux_ml_kem_matrix_entry_1b(matrix_A, i0, j); + libcrux_ml_kem_polynomial_ntt_multiply_d6_df(uu____1, &s_as_ntt[j], + scratch); libcrux_ml_kem_polynomial_add_to_ring_element_d6_1b(&t_as_ntt[i0], - &product); + scratch); } - libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_ea( + 
libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_df( &t_as_ntt[i0], &error_as_ntt[i0]); } } 
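Review bot: The loop bounds in `libcrux_ml_kem_matrix_compute_As_plus_e_1b` are now hard-coded to 3 and the matrix is read as a flat slice through `libcrux_ml_kem_matrix_entry_1b(matrix_A, i0, j)`, so nothing in the function ties `matrix_A` to its expected 9 (K_SQUARED) elements — the previous version derived both bounds from the `[3U]` array type — and whether `matrix_entry_1b` checks against `matrix_A.len` is not visible here. `scratch` is also the write target of `ntt_multiply_d6_df` and is then added into `t_as_ntt[i0]`, so it must not alias `t_as_ntt`, `s_as_ntt` or `error_as_ntt`. A stated precondition — `/* requires: matrix_A.len == 9 (row-major K x K); scratch does not alias any other argument */` — belongs in the Rust source so it survives regeneration and shows up in the generated comment.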
@@ -4708,47 +4804,62 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_As_plus_e_1b( /** A monomorphic instance of libcrux_ml_kem.ind_cpa.generate_keypair_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_1c( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_b8( Eurydice_slice key_generation_seed, libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0 *private_key, - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 *public_key) { - uint8_t hashed[64U]; - libcrux_ml_kem_variant_cpa_keygen_seed_39_9c(key_generation_seed, hashed); + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_be *public_key, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { + uint8_t hashed[64U] = {0U}; + libcrux_ml_kem_variant_cpa_keygen_seed_39_f0( + key_generation_seed, + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t)); Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), (size_t)32U, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice seed_for_A = uu____0.fst; Eurydice_slice seed_for_secret_and_error = uu____0.snd; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d(*uu____1)[3U] = - public_key->A; + Eurydice_slice uu____1 = Eurydice_array_to_slice( + (size_t)9U, public_key->A, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d); uint8_t ret[34U]; libcrux_ml_kem_utils_into_padded_array_b6(seed_for_A, ret); - libcrux_ml_kem_matrix_sample_matrix_A_2b(uu____1, ret, true); + libcrux_ml_kem_matrix_sample_matrix_A_57(uu____1, ret, true); uint8_t prf_input[33U]; 
libcrux_ml_kem_utils_into_padded_array_c8(seed_for_secret_and_error, prf_input); uint8_t domain_separator = - libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_3b( - private_key->secret_as_ntt, prf_input, 0U); + libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_40( + Eurydice_array_to_slice( + (size_t)3U, private_key->secret_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + prf_input, 0U, scratch->coefficients); libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_as_ntt[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { /* original Rust expression is not an lvalue in C */ void *lvalue = (void *)0U; error_as_ntt[i] = - libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_call_mut_73_1c(&lvalue, + libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_call_mut_ae_b8(&lvalue, i); } - libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_3b(error_as_ntt, prf_input, - domain_separator); + libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_40( + Eurydice_array_to_slice( + (size_t)3U, error_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + prf_input, domain_separator, scratch->coefficients); libcrux_ml_kem_matrix_compute_As_plus_e_1b( - public_key->t_as_ntt, public_key->A, private_key->secret_as_ntt, - error_as_ntt); + public_key->t_as_ntt, + Eurydice_array_to_slice( + (size_t)9U, public_key->A, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + private_key->secret_as_ntt, error_as_ntt, scratch); uint8_t uu____2[32U]; Result_fb dst; Eurydice_slice_to_array2(&dst, seed_for_A, Eurydice_slice, uint8_t[32U], 
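Review bot: `scratch` leaves `libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_b8` holding secret-key-derived data — `scratch->coefficients` is the working vector for the CBD sampling of `secret_as_ntt` and `error_as_ntt`, and the whole element then carries the A·s products inside `compute_As_plus_e_1b` — yet the caller-provided buffer is not cleared on the way out and nothing in the generated comment says it must be treated as secret. `hashed` (which carries the secret/error seed) and `prf_input` likewise stay on the stack. Since the header is generated, the caller contract belongs in the Rust source; for the C reader a `/* scratch holds secret-derived coefficients on return; the caller must wipe it */` next to the parameter would flag it. The function's tail (the `seed_for_A` copy into the public key) continues past the end of this hunk.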
@@ -4764,23 +4875,20 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE void -libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_ea( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, uint8_t ret[384U]) { - uint8_t serialized[384U] = {0U}; +libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_df( + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch, + Eurydice_slice serialized) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - libcrux_ml_kem_serialize_to_unsigned_field_modulus_ea( - re->coefficients[i0]); - uint8_t bytes[24U]; - libcrux_ml_kem_vector_portable_serialize_12_b8(coefficient, bytes); - Eurydice_slice_copy( - Eurydice_array_to_subslice3(serialized, (size_t)24U * i0, - (size_t)24U * i0 + (size_t)24U, uint8_t *), - Eurydice_array_to_slice((size_t)24U, bytes, uint8_t), uint8_t); + libcrux_ml_kem_serialize_to_unsigned_field_modulus_df(&re->coefficients[i0], + scratch); + libcrux_ml_kem_vector_portable_serialize_12_b8( + scratch, + Eurydice_slice_subslice3(serialized, (size_t)24U * i0, + (size_t)24U * i0 + (size_t)24U, uint8_t *)); } - memcpy(ret, serialized, (size_t)384U * sizeof(uint8_t)); } /** @@ -4793,8 +4901,8 @@ with const generics - K= 3 */ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_serialize_vector_1b( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *key, - Eurydice_slice out) { + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *key, Eurydice_slice out, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( 
@@ -4804,14 +4912,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_serialize_vector_1b( i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = key[i0]; - Eurydice_slice uu____0 = Eurydice_slice_subslice3( - out, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t *); - uint8_t ret[384U]; - libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_ea(&re, ret); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)384U, ret, uint8_t), uint8_t); + libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_df( + &re, scratch, + Eurydice_slice_subslice3( + out, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + uint8_t *)); } } 
@@ -4827,40 +4933,23 @@ with const generics */ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_serialize_public_key_mut_89( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *t_as_ntt, - Eurydice_slice seed_for_a, uint8_t *serialized) { + Eurydice_slice seed_for_a, Eurydice_slice serialized, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { libcrux_ml_kem_ind_cpa_serialize_vector_1b( t_as_ntt, - Eurydice_array_to_subslice3( + Eurydice_slice_subslice3( serialized, (size_t)0U, libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), - uint8_t *)); + uint8_t *), + scratch); Eurydice_slice_copy( - Eurydice_array_to_subslice_from( - (size_t)1184U, serialized, + Eurydice_slice_subslice_from( + serialized, libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), uint8_t, size_t, uint8_t[]), seed_for_a, uint8_t); } -/** - Concatenate `t` and `ρ` into the public key. -*/ -/** -A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key -with types libcrux_ml_kem_vector_portable_vector_type_PortableVector -with const generics -- K= 3 -- PUBLIC_KEY_SIZE= 1184 -*/ -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_serialize_public_key_89( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *t_as_ntt, - Eurydice_slice seed_for_a, uint8_t ret[1184U]) { - uint8_t public_key_serialized[1184U] = {0U}; - libcrux_ml_kem_ind_cpa_serialize_public_key_mut_89(t_as_ntt, seed_for_a, - public_key_serialized); - memcpy(ret, public_key_serialized, (size_t)1184U * sizeof(uint8_t)); -} - /** Serialize the secret key from the unpacked key pair generation. */ 
@@ -4869,59 +4958,50 @@ A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_unpacked_secret_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 - PRIVATE_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 */ -static inline libcrux_ml_kem_utils_extraction_helper_Keypair768 -libcrux_ml_kem_ind_cpa_serialize_unpacked_secret_key_6c( - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 *public_key, - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0 *private_key) { - uint8_t public_key_serialized[1184U]; - libcrux_ml_kem_ind_cpa_serialize_public_key_89( +static inline void libcrux_ml_kem_ind_cpa_serialize_unpacked_secret_key_43( + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_be *public_key, + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0 *private_key, + Eurydice_slice serialized_private_key, Eurydice_slice serialized_public_key, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { + libcrux_ml_kem_ind_cpa_serialize_public_key_mut_89( public_key->t_as_ntt, Eurydice_array_to_slice((size_t)32U, public_key->seed_for_A, uint8_t), - public_key_serialized); - uint8_t secret_key_serialized[1152U] = {0U}; - libcrux_ml_kem_ind_cpa_serialize_vector_1b( - private_key->secret_as_ntt, - Eurydice_array_to_slice((size_t)1152U, secret_key_serialized, uint8_t)); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_secret_key_serialized[1152U]; - memcpy(copy_of_secret_key_serialized, secret_key_serialized, - (size_t)1152U * sizeof(uint8_t)); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_public_key_serialized[1184U]; - memcpy(copy_of_public_key_serialized, public_key_serialized, - (size_t)1184U * sizeof(uint8_t)); - libcrux_ml_kem_utils_extraction_helper_Keypair768 lit; - memcpy(lit.fst, copy_of_secret_key_serialized, - (size_t)1152U * sizeof(uint8_t)); - memcpy(lit.snd, copy_of_public_key_serialized, - 
(size_t)1184U * sizeof(uint8_t)); - return lit; + serialized_public_key, scratch); + libcrux_ml_kem_ind_cpa_serialize_vector_1b(private_key->secret_as_ntt, + serialized_private_key, scratch); } /** A monomorphic instance of libcrux_ml_kem.ind_cpa.generate_keypair with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - PRIVATE_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ -static KRML_MUSTINLINE libcrux_ml_kem_utils_extraction_helper_Keypair768 -libcrux_ml_kem_ind_cpa_generate_keypair_ea(Eurydice_slice key_generation_seed) { +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_generate_keypair_90( + Eurydice_slice key_generation_seed, + Eurydice_slice serialized_ind_cpa_private_key, + Eurydice_slice serialized_public_key, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0 private_key = libcrux_ml_kem_ind_cpa_unpacked_default_70_1b(); - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 public_key = - libcrux_ml_kem_ind_cpa_unpacked_default_8b_1b(); - libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_1c( - key_generation_seed, &private_key, &public_key); - return libcrux_ml_kem_ind_cpa_serialize_unpacked_secret_key_6c(&public_key, - &private_key); + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_be public_key = + libcrux_ml_kem_ind_cpa_unpacked_default_50_89(); + libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_b8( + key_generation_seed, &private_key, &public_key, scratch); + libcrux_ml_kem_ind_cpa_serialize_unpacked_secret_key_43( + &public_key, &private_key, serialized_ind_cpa_private_key, + serialized_public_key, scratch->coefficients); } /** 
@@ -4929,13 +5009,13 @@ libcrux_ml_kem_ind_cpa_generate_keypair_ea(Eurydice_slice key_generation_seed) { */ /** A monomorphic instance of libcrux_ml_kem.ind_cca.serialize_kem_secret_key_mut -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 - SERIALIZED_KEY_LEN= 2400 */ static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_serialize_kem_secret_key_mut_d6( +libcrux_ml_kem_ind_cca_serialize_kem_secret_key_mut_1f( Eurydice_slice private_key, Eurydice_slice public_key, Eurydice_slice implicit_rejection_value, uint8_t *serialized) { size_t pointer = (size_t)0U; 
@@ -4957,41 +5037,23 @@ libcrux_ml_kem_ind_cca_serialize_kem_secret_key_mut_d6( uint8_t *), public_key, uint8_t); pointer = pointer + Eurydice_slice_len(public_key, uint8_t); - Eurydice_slice uu____6 = Eurydice_array_to_subslice3( - serialized, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, - uint8_t *); - uint8_t ret[32U]; - libcrux_ml_kem_hash_functions_portable_H_4a_e0(public_key, ret); - Eurydice_slice_copy( - uu____6, Eurydice_array_to_slice((size_t)32U, ret, uint8_t), uint8_t); + libcrux_ml_kem_hash_functions_portable_H_6e( + public_key, + Eurydice_array_to_subslice3( + serialized, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, + uint8_t *)); pointer = pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE; - uint8_t *uu____7 = serialized; + uint8_t *uu____6 = serialized; + size_t uu____7 = pointer; size_t uu____8 = pointer; - size_t uu____9 = pointer; Eurydice_slice_copy( Eurydice_array_to_subslice3( - uu____7, uu____8, - uu____9 + Eurydice_slice_len(implicit_rejection_value, uint8_t), + uu____6, uu____7, + uu____8 + Eurydice_slice_len(implicit_rejection_value, uint8_t), uint8_t *), implicit_rejection_value, uint8_t); } -/** -A monomorphic instance of libcrux_ml_kem.ind_cca.serialize_kem_secret_key -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] -with const generics -- K= 3 -- SERIALIZED_KEY_LEN= 2400 -*/ -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_serialize_kem_secret_key_d6( - Eurydice_slice private_key, Eurydice_slice public_key, - Eurydice_slice implicit_rejection_value, uint8_t ret[2400U]) { - uint8_t out[2400U] = {0U}; - libcrux_ml_kem_ind_cca_serialize_kem_secret_key_mut_d6( - private_key, public_key, implicit_rejection_value, out); - memcpy(ret, out, (size_t)2400U * sizeof(uint8_t)); -} - /** Packed API 
@@ -5003,17 +5065,19 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_serialize_kem_secret_key_d6( /** A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ static KRML_MUSTINLINE libcrux_ml_kem_mlkem768_MlKem768KeyPair -libcrux_ml_kem_ind_cca_generate_keypair_15(uint8_t *randomness) { +libcrux_ml_kem_ind_cca_generate_keypair_e6(uint8_t *randomness) { Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice3( randomness, (size_t)0U, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t *); 
@@ -5021,14 +5085,16 @@ libcrux_ml_kem_ind_cca_generate_keypair_15(uint8_t *randomness) { (size_t)64U, randomness, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, size_t, uint8_t[]); - libcrux_ml_kem_utils_extraction_helper_Keypair768 uu____0 = - libcrux_ml_kem_ind_cpa_generate_keypair_ea(ind_cpa_keypair_randomness); - uint8_t ind_cpa_private_key[1152U]; - memcpy(ind_cpa_private_key, uu____0.fst, (size_t)1152U * sizeof(uint8_t)); - uint8_t public_key[1184U]; - memcpy(public_key, uu____0.snd, (size_t)1184U * sizeof(uint8_t)); - uint8_t secret_key_serialized[2400U]; - libcrux_ml_kem_ind_cca_serialize_kem_secret_key_d6( + uint8_t ind_cpa_private_key[1152U] = {0U}; + uint8_t public_key[1184U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d scratch = + libcrux_ml_kem_polynomial_ZERO_d6_df(); + libcrux_ml_kem_ind_cpa_generate_keypair_90( + ind_cpa_keypair_randomness, + Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t), + Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t), &scratch); + uint8_t secret_key_serialized[2400U] = {0U}; + libcrux_ml_kem_ind_cca_serialize_kem_secret_key_mut_1f( Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t), Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t), implicit_rejection_value, secret_key_serialized); 
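Review bot: Secret key material now sits in several stack buffers that are never cleared before `libcrux_ml_kem_ind_cca_generate_keypair_e6` returns: `ind_cpa_private_key`, `secret_key_serialized`, the `copy_of_secret_key_serialized` made for the by-value return, and the `scratch` polynomial that is threaded through `libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_b8` and, as `scratch->coefficients`, through the secret-key serialization. The same pattern appears in `libcrux_ml_kem_ind_cca_unpacked_decapsulate_e7` (`decrypted`, `hashed`, `implicit_rejection_shared_secret`, `shared_secret_array`, `r_as_ntt`, `error_2`, `scratch`), in `libcrux_ml_kem_ind_cca_unpacked_encaps_prepare_f0` (`output`) and in `libcrux_ml_kem_ind_cca_unpacked_encapsulate_e2` (`r_as_ntt`, `error_2`, `scratch`). Whether any caller clears these afterwards is not visible here. Because the file is generated, zeroization would have to come from the Rust sources or the extraction pipeline rather than hand edits; at minimum a Rust doc comment on `generate_keypair`, `decapsulate` and `encapsulate` stating that secret intermediates are left on the stack would propagate here and let C consumers plan accordingly.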
@@ -5038,12 +5104,12 @@ libcrux_ml_kem_ind_cca_generate_keypair_15(uint8_t *randomness) { (size_t)2400U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey_d9 private_key = libcrux_ml_kem_types_from_77_28(copy_of_secret_key_serialized); - libcrux_ml_kem_types_MlKemPrivateKey_d9 uu____2 = private_key; + libcrux_ml_kem_types_MlKemPrivateKey_d9 uu____1 = private_key; /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_public_key[1184U]; memcpy(copy_of_public_key, public_key, (size_t)1184U * sizeof(uint8_t)); return libcrux_ml_kem_types_from_17_74( - uu____2, libcrux_ml_kem_types_from_fd_d0(copy_of_public_key)); + uu____1, libcrux_ml_kem_types_from_fd_d0(copy_of_public_key)); } /** @@ -5054,16 +5120,18 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.generate_keypair with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair -libcrux_ml_kem_ind_cca_instantiations_portable_generate_keypair_ce( +libcrux_ml_kem_ind_cca_instantiations_portable_generate_keypair_06( uint8_t *randomness) { - return libcrux_ml_kem_ind_cca_generate_keypair_15(randomness); + return libcrux_ml_kem_ind_cca_generate_keypair_e6(randomness); } /** @@ -5071,7 +5139,7 @@ libcrux_ml_kem_ind_cca_instantiations_portable_generate_keypair_ce( */ static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair libcrux_ml_kem_mlkem768_portable_generate_key_pair(uint8_t randomness[64U]) { - return libcrux_ml_kem_ind_cca_instantiations_portable_generate_keypair_ce( + return libcrux_ml_kem_ind_cca_instantiations_portable_generate_keypair_06( randomness); } 
@@ -5082,19 +5150,19 @@ libcrux_ml_kem_mlkem768_portable_generate_key_pair(uint8_t randomness[64U]) { */ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_private_key_only -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 - SECRET_KEY_SIZE= 2400 */ -static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_validate_private_key_only_d6( +static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_validate_private_key_only_1f( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key) { - uint8_t t[32U]; - libcrux_ml_kem_hash_functions_portable_H_4a_e0( + uint8_t t[32U] = {0U}; + libcrux_ml_kem_hash_functions_portable_H_6e( Eurydice_array_to_subslice3(private_key->value, (size_t)384U * (size_t)3U, (size_t)768U * (size_t)3U + (size_t)32U, uint8_t *), - t); + Eurydice_array_to_slice((size_t)32U, t, uint8_t)); Eurydice_slice expected = Eurydice_array_to_subslice3( private_key->value, (size_t)768U * (size_t)3U + (size_t)32U, (size_t)768U * (size_t)3U + (size_t)64U, uint8_t *); @@ -5110,16 +5178,16 @@ static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_validate_private_key_only_d6( */ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_private_key -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 - SECRET_KEY_SIZE= 2400 - CIPHERTEXT_SIZE= 1088 */ -static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_validate_private_key_37( +static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_validate_private_key_5d( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *_ciphertext) { - return libcrux_ml_kem_ind_cca_validate_private_key_only_d6(private_key); + return libcrux_ml_kem_ind_cca_validate_private_key_only_1f(private_key); } /** 
@@ -5137,7 +5205,7 @@ static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_instantiations_portable_validate_private_key_31( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext) { - return libcrux_ml_kem_ind_cca_validate_private_key_37(private_key, + return libcrux_ml_kem_ind_cca_validate_private_key_5d(private_key, ciphertext); } @@ -5166,7 +5234,7 @@ const generics static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_instantiations_portable_validate_private_key_only_41( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key) { - return libcrux_ml_kem_ind_cca_validate_private_key_only_d6(private_key); + return libcrux_ml_kem_ind_cca_validate_private_key_only_1f(private_key); } /** 
@@ -5184,51 +5252,20 @@ static inline bool libcrux_ml_kem_mlkem768_portable_validate_private_key_only( This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, TraitClause@1]> for -libcrux_ml_kem::serialize::deserialize_ring_elements_reduced_out::closure[TraitClause@0, TraitClause@1]} +libcrux_ml_kem::ind_cca::validate_public_key::closure[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of -libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out.call_mut_0b with -types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const -generics +A monomorphic instance of libcrux_ml_kem.ind_cca.validate_public_key.call_mut_00 +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector +with const generics - K= 3 +- PUBLIC_KEY_SIZE= 1184 */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_call_mut_0b_1b( - void **_, size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_ea(); -} - -/** - This function deserializes ring elements and reduces the result by the field - modulus. - - This function MUST NOT be used on secret inputs. 
-*/ -/** -A monomorphic instance of -libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out with types -libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics -- K= 3 -*/ -static KRML_MUSTINLINE void -libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_1b( - Eurydice_slice public_key, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialized_pk[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - deserialized_pk[i] = - libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_call_mut_0b_1b( - &lvalue, i); - } - libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_1b( - public_key, deserialized_pk); - memcpy( - ret, deserialized_pk, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); +libcrux_ml_kem_ind_cca_validate_public_key_call_mut_00_89(void **_, + size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_df(); } /** 
@@ -5248,21 +5285,32 @@ with const generics static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_validate_public_key_89( uint8_t *public_key) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialized_pk[3U]; - libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_1b( - Eurydice_array_to_subslice_to( - (size_t)1184U, public_key, - libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), - uint8_t, size_t, uint8_t[]), - deserialized_pk); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____0 = deserialized_pk; - uint8_t public_key_serialized[1184U]; - libcrux_ml_kem_ind_cpa_serialize_public_key_89( - uu____0, - Eurydice_array_to_subslice_from( - (size_t)1184U, public_key, - libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), - uint8_t, size_t, uint8_t[]), - public_key_serialized); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + deserialized_pk[i] = + libcrux_ml_kem_ind_cca_validate_public_key_call_mut_00_89(&lvalue, i); + } + Eurydice_slice uu____0 = Eurydice_array_to_subslice_to( + (size_t)1184U, public_key, + libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), + uint8_t, size_t, uint8_t[]); + libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_1b( + uu____0, Eurydice_array_to_slice( + (size_t)3U, deserialized_pk, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); + uint8_t public_key_serialized[1184U] = {0U}; + libcrux_ml_kem_vector_portable_vector_type_PortableVector scratch = + libcrux_ml_kem_vector_portable_ZERO_b8(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____1 = deserialized_pk; + Eurydice_slice uu____2 = Eurydice_array_to_subslice_from( + (size_t)1184U, public_key, + libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), + uint8_t, size_t, uint8_t[]); + libcrux_ml_kem_ind_cpa_serialize_public_key_mut_89( + uu____1, uu____2, + Eurydice_array_to_slice((size_t)1184U, 
public_key_serialized, uint8_t), + &scratch); return Eurydice_array_eq((size_t)1184U, public_key, public_key_serialized, uint8_t); } @@ -5299,13 +5347,14 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.MlKemPublicKeyUnpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - $3size_t +- $9size_t */ -typedef struct libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0_s { - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 ind_cpa_public_key; +typedef struct libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be_s { + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_be ind_cpa_public_key; uint8_t public_key_hash[32U]; -} libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0; +} libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be; -typedef libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 +typedef libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768PublicKeyUnpacked; /** 
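Review bot: The caveat "This function MUST NOT be used on secret inputs" that documented the removed `libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_1b` wrapper no longer appears near the new direct call to `libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_1b` in `libcrux_ml_kem_ind_cca_validate_public_key_89`. The call here operates on the public key, so this use is fine, but the warning now survives only if the Rust doc of `deserialize_ring_elements_reduced` still carries it (its generated comment is outside this hunk). Worth confirming, so the next reader of this header still sees that the reduced deserialization is not meant for secret data.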
@@ -5323,15 +5372,58 @@ typedef struct libcrux_ml_kem_ind_cca_unpacked_MlKemPrivateKeyUnpacked_a0_s { typedef struct libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked_s { libcrux_ml_kem_ind_cca_unpacked_MlKemPrivateKeyUnpacked_a0 private_key; - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 public_key; + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be public_key; } libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked; +/** +This function found in impl {core::ops::function::FnMut<(usize), +libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@2]> for +libcrux_ml_kem::ind_cca::unpacked::decapsulate::closure[TraitClause@0, +TraitClause@1, TraitClause@2, TraitClause@3]} +*/ +/** +A monomorphic instance of +libcrux_ml_kem.ind_cca.unpacked.decapsulate.call_mut_03 with types +libcrux_ml_kem_vector_portable_vector_type_PortableVector, +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics +- K= 3 +- K_SQUARED= 9 +- SECRET_KEY_SIZE= 2400 +- CPA_SECRET_KEY_SIZE= 1152 +- PUBLIC_KEY_SIZE= 1184 +- CIPHERTEXT_SIZE= 1088 +- T_AS_NTT_ENCODED_SIZE= 1152 +- C1_SIZE= 960 +- C2_SIZE= 128 +- VECTOR_U_COMPRESSION_FACTOR= 10 +- VECTOR_V_COMPRESSION_FACTOR= 4 +- C1_BLOCK_SIZE= 320 +- ETA1= 2 +- ETA1_RANDOMNESS_SIZE= 128 +- ETA2= 2 +- ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 +- IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 +*/ +static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d +libcrux_ml_kem_ind_cca_unpacked_decapsulate_call_mut_03_e7(void **_, + size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_df(); +} + /** A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.decapsulate with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 +- K_SQUARED= 9 - 
SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 @@ -5346,14 +5438,19 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_decapsulate_51( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_decapsulate_e7( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *key_pair, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - uint8_t decrypted[32U]; + uint8_t decrypted[32U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d scratch = + libcrux_ml_kem_polynomial_ZERO_d6_df(); libcrux_ml_kem_ind_cpa_decrypt_unpacked_42( - &key_pair->private_key.ind_cpa_private_key, ciphertext->value, decrypted); + &key_pair->private_key.ind_cpa_private_key, ciphertext->value, + Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), &scratch); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array_24( Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0); @@ -5365,9 +5462,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_decapsulate_51( Eurydice_array_to_slice((size_t)32U, key_pair->public_key.public_key_hash, uint8_t), uint8_t); - uint8_t hashed[64U]; - libcrux_ml_kem_hash_functions_portable_G_4a_e0( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed); + uint8_t hashed[64U] = {0U}; + libcrux_ml_kem_hash_functions_portable_G_6e( + Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t)); Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, 
@@ -5384,25 +5482,40 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_decapsulate_51( uint8_t, size_t, uint8_t[]); Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_d3_80(ciphertext), uint8_t); - uint8_t implicit_rejection_shared_secret[32U]; - libcrux_ml_kem_hash_functions_portable_PRF_4a_41( + uint8_t implicit_rejection_shared_secret[32U] = {0U}; + libcrux_ml_kem_hash_functions_portable_PRF_6e_9e( Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t), - implicit_rejection_shared_secret); - uint8_t expected_ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_unpacked_2a( + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, + uint8_t)); + uint8_t expected_ciphertext[1088U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d r_as_ntt[3U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + r_as_ntt[i] = + libcrux_ml_kem_ind_cca_unpacked_decapsulate_call_mut_03_e7(&lvalue, i); + } + libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_2 = + libcrux_ml_kem_polynomial_ZERO_d6_df(); + libcrux_ml_kem_ind_cpa_encrypt_unpacked_28( &key_pair->public_key.ind_cpa_public_key, decrypted, pseudorandomness, - expected_ciphertext); + Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t), + Eurydice_array_to_slice( + (size_t)3U, r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + &error_2, &scratch); uint8_t selector = libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( libcrux_ml_kem_types_as_ref_d3_80(ciphertext), Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t)); - uint8_t ret0[32U]; + uint8_t shared_secret_array[32U] = {0U}; libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( shared_secret, Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t), - selector, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + 
selector, + Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t)); + memcpy(ret, shared_secret_array, (size_t)32U * sizeof(uint8_t)); } /** @@ -5413,6 +5526,7 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.unpacked.decapsulate with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 @@ -5427,13 +5541,15 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_decapsulate_35( +libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_decapsulate_54( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *key_pair, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_unpacked_decapsulate_51(key_pair, ciphertext, ret); + libcrux_ml_kem_ind_cca_unpacked_decapsulate_e7(key_pair, ciphertext, ret); } /** 
@@ -5447,17 +5563,17 @@ static inline void libcrux_ml_kem_mlkem768_portable_unpacked_decapsulate( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_decapsulate_35( + libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_decapsulate_54( private_key, ciphertext, ret); } /** A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.encaps_prepare -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 */ -static inline void libcrux_ml_kem_ind_cca_unpacked_encaps_prepare_9c( +static inline void libcrux_ml_kem_ind_cca_unpacked_encaps_prepare_f0( Eurydice_slice randomness, Eurydice_slice pk_hash, uint8_t ret[64U]) { uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array_24(randomness, to_hash); 
@@ -5466,18 +5582,58 @@ static inline void libcrux_ml_kem_ind_cca_unpacked_encaps_prepare_9c( LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, size_t, uint8_t[]), pk_hash, uint8_t); - uint8_t ret0[64U]; - libcrux_ml_kem_hash_functions_portable_G_4a_e0( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), ret0); - memcpy(ret, ret0, (size_t)64U * sizeof(uint8_t)); + uint8_t output[64U] = {0U}; + libcrux_ml_kem_hash_functions_portable_G_6e( + Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), + Eurydice_array_to_slice((size_t)64U, output, uint8_t)); + memcpy(ret, output, (size_t)64U * sizeof(uint8_t)); +} + +/** +This function found in impl {core::ops::function::FnMut<(usize), +libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@2]> for +libcrux_ml_kem::ind_cca::unpacked::encapsulate::closure[TraitClause@0, TraitClause@1, TraitClause@2, +TraitClause@3]} +*/ +/** +A monomorphic instance of +libcrux_ml_kem.ind_cca.unpacked.encapsulate.call_mut_f7 with types +libcrux_ml_kem_vector_portable_vector_type_PortableVector, +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics +- K= 3 +- K_SQUARED= 9 +- CIPHERTEXT_SIZE= 1088 +- PUBLIC_KEY_SIZE= 1184 +- T_AS_NTT_ENCODED_SIZE= 1152 +- C1_SIZE= 960 +- C2_SIZE= 128 +- VECTOR_U_COMPRESSION_FACTOR= 10 +- VECTOR_V_COMPRESSION_FACTOR= 4 +- VECTOR_U_BLOCK_LEN= 320 +- ETA1= 2 +- ETA1_RANDOMNESS_SIZE= 128 +- ETA2= 2 +- ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 +*/ +static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d +libcrux_ml_kem_ind_cca_unpacked_encapsulate_call_mut_f7_e2(void **_, + size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_df(); } /** A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.encapsulate with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash 
with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - PUBLIC_KEY_SIZE= 1184 - T_AS_NTT_ENCODED_SIZE= 1152 @@ -5490,12 +5646,14 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ -static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_unpacked_encapsulate_0c( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *public_key, +static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_unpacked_encapsulate_e2( + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be *public_key, uint8_t *randomness) { uint8_t hashed[64U]; - libcrux_ml_kem_ind_cca_unpacked_encaps_prepare_9c( + libcrux_ml_kem_ind_cca_unpacked_encaps_prepare_f0( Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), Eurydice_array_to_slice((size_t)32U, public_key->public_key_hash, uint8_t), 
@@ -5506,10 +5664,25 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_unpacked_encapsulate_0c( Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____0.fst; Eurydice_slice pseudorandomness = uu____0.snd; - uint8_t ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_unpacked_2a(&public_key->ind_cpa_public_key, - randomness, pseudorandomness, - ciphertext); + uint8_t ciphertext[1088U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d r_as_ntt[3U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + r_as_ntt[i] = + libcrux_ml_kem_ind_cca_unpacked_encapsulate_call_mut_f7_e2(&lvalue, i); + } + libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_2 = + libcrux_ml_kem_polynomial_ZERO_d6_df(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d scratch = + libcrux_ml_kem_polynomial_ZERO_d6_df(); + libcrux_ml_kem_ind_cpa_encrypt_unpacked_28( + &public_key->ind_cpa_public_key, randomness, pseudorandomness, + Eurydice_array_to_slice((size_t)1088U, ciphertext, uint8_t), + Eurydice_array_to_slice( + (size_t)3U, r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + &error_2, &scratch); uint8_t shared_secret_array[32U] = {0U}; Eurydice_slice_copy( Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t), @@ -5537,6 +5710,7 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.unpacked.encapsulate with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - PUBLIC_KEY_SIZE= 1184 - T_AS_NTT_ENCODED_SIZE= 1152 
@@ -5549,12 +5723,14 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ static KRML_MUSTINLINE tuple_c2 -libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_encapsulate_cd( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *public_key, +libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_encapsulate_35( + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be *public_key, uint8_t *randomness) { - return libcrux_ml_kem_ind_cca_unpacked_encapsulate_0c(public_key, randomness); + return libcrux_ml_kem_ind_cca_unpacked_encapsulate_e2(public_key, randomness); } /** @@ -5566,9 +5742,9 @@ libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_encapsulate_cd( [`SHARED_SECRET_SIZE`] bytes of `randomness`. */ static inline tuple_c2 libcrux_ml_kem_mlkem768_portable_unpacked_encapsulate( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *public_key, + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be *public_key, uint8_t randomness[32U]) { - return libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_encapsulate_cd( + return libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_encapsulate_35( public_key, randomness); } 
@@ -5576,43 +5752,20 @@ static inline tuple_c2 libcrux_ml_kem_mlkem768_portable_unpacked_encapsulate( This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, TraitClause@1]> for -libcrux_ml_kem::ind_cca::unpacked::transpose_a::closure::closure[TraitClause@0, TraitClause@1]} +libcrux_ml_kem::ind_cca::unpacked::transpose_a::closure[TraitClause@0, TraitClause@1]} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.transpose_a.closure.call_mut_b4 with types +libcrux_ml_kem.ind_cca.unpacked.transpose_a.call_mut_5a with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_ind_cca_unpacked_transpose_a_closure_call_mut_b4_1b( - void **_, size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_ea(); -} - -/** -This function found in impl {core::ops::function::FnMut<(usize), -@Array[TraitClause@0, -TraitClause@1], K>> for -libcrux_ml_kem::ind_cca::unpacked::transpose_a::closure[TraitClause@0, TraitClause@1]} -*/ -/** -A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.transpose_a.call_mut_7b with types -libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics -- K= 3 -*/ -static inline void libcrux_ml_kem_ind_cca_unpacked_transpose_a_call_mut_7b_1b( - void **_, size_t tupled_args, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) { - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - ret[i] = libcrux_ml_kem_ind_cca_unpacked_transpose_a_closure_call_mut_b4_1b( - &lvalue, i); - } +libcrux_ml_kem_ind_cca_unpacked_transpose_a_call_mut_5a_89(void **_, + size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_df(); } /** 
@@ -5627,7 +5780,7 @@ with const generics */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_polynomial_clone_c1_ea( +libcrux_ml_kem_polynomial_clone_c1_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d lit; libcrux_ml_kem_vector_portable_vector_type_PortableVector ret[16U]; 
@@ -5645,33 +5798,31 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.transpose_a with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 */ -static inline void libcrux_ml_kem_ind_cca_unpacked_transpose_a_1b( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ind_cpa_a[3U][3U], - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U][3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d A[3U][3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_transpose_a_89( + Eurydice_slice ind_cpa_a, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[9U]) { + libcrux_ml_kem_polynomial_PolynomialRingElement_1d A[9U]; + for (size_t i = (size_t)0U; i < (size_t)9U; i++) { /* original Rust expression is not an lvalue in C */ void *lvalue = (void *)0U; - libcrux_ml_kem_ind_cca_unpacked_transpose_a_call_mut_7b_1b(&lvalue, i, - A[i]); + A[i] = + libcrux_ml_kem_ind_cca_unpacked_transpose_a_call_mut_5a_89(&lvalue, i); } - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d _a_i[3U][3U]; - memcpy(_a_i, A, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U])); - for (size_t i1 = (size_t)0U; i1 < (size_t)3U; i1++) { - size_t j = i1; + for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { + size_t i1 = i0; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = - libcrux_ml_kem_polynomial_clone_c1_ea(&ind_cpa_a[j][i0]); - A[i0][j] = uu____0; + libcrux_ml_kem_polynomial_clone_c1_df( + libcrux_ml_kem_matrix_entry_1b(ind_cpa_a, j, i1)); + A[i1 * (size_t)3U + j] = uu____0; } } - memcpy(ret, A, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U])); + memcpy( + ret, A, + (size_t)9U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); } /** 
@@ -5680,16 +5831,18 @@ static inline void libcrux_ml_kem_ind_cca_unpacked_transpose_a_1b( /** A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.generate_keypair with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_generate_keypair_15( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_generate_keypair_e6( uint8_t randomness[64U], libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *out) { Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice3( 
@@ -5699,39 +5852,42 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_generate_keypair_15( (size_t)64U, randomness, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, size_t, uint8_t[]); - libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_1c( + libcrux_ml_kem_polynomial_PolynomialRingElement_1d scratch0 = + libcrux_ml_kem_polynomial_ZERO_d6_df(); + libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_b8( ind_cpa_keypair_randomness, &out->private_key.ind_cpa_private_key, - &out->public_key.ind_cpa_public_key); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0[3U][3U]; - memcpy(uu____0, out->public_key.ind_cpa_public_key.A, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U])); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d A[3U][3U]; - libcrux_ml_kem_ind_cca_unpacked_transpose_a_1b(uu____0, A); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____1[3U][3U]; - memcpy(uu____1, A, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U])); - memcpy(out->public_key.ind_cpa_public_key.A, uu____1, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U])); - uint8_t pk_serialized[1184U]; - libcrux_ml_kem_ind_cpa_serialize_public_key_89( + &out->public_key.ind_cpa_public_key, &scratch0); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d A[9U]; + libcrux_ml_kem_ind_cca_unpacked_transpose_a_89( + Eurydice_array_to_slice( + (size_t)9U, out->public_key.ind_cpa_public_key.A, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + A); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0[9U]; + memcpy( + uu____0, A, + (size_t)9U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); + memcpy( + out->public_key.ind_cpa_public_key.A, uu____0, + (size_t)9U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); + uint8_t pk_serialized[1184U] = {0U}; + libcrux_ml_kem_vector_portable_vector_type_PortableVector scratch = + 
libcrux_ml_kem_vector_portable_ZERO_b8(); + libcrux_ml_kem_ind_cpa_serialize_public_key_mut_89( out->public_key.ind_cpa_public_key.t_as_ntt, Eurydice_array_to_slice( (size_t)32U, out->public_key.ind_cpa_public_key.seed_for_A, uint8_t), - pk_serialized); - uint8_t uu____2[32U]; - libcrux_ml_kem_hash_functions_portable_H_4a_e0( - Eurydice_array_to_slice((size_t)1184U, pk_serialized, uint8_t), uu____2); - memcpy(out->public_key.public_key_hash, uu____2, - (size_t)32U * sizeof(uint8_t)); - uint8_t uu____3[32U]; + Eurydice_array_to_slice((size_t)1184U, pk_serialized, uint8_t), &scratch); + libcrux_ml_kem_hash_functions_portable_H_6e( + Eurydice_array_to_slice((size_t)1184U, pk_serialized, uint8_t), + Eurydice_array_to_slice((size_t)32U, out->public_key.public_key_hash, + uint8_t)); + uint8_t uu____1[32U]; Result_fb dst; Eurydice_slice_to_array2(&dst, implicit_rejection_value, Eurydice_slice, uint8_t[32U], TryFromSliceError); - unwrap_26_b3(dst, uu____3); - memcpy(out->private_key.implicit_rejection_value, uu____3, + unwrap_26_b3(dst, uu____1); + memcpy(out->private_key.implicit_rejection_value, uu____1, (size_t)32U * sizeof(uint8_t)); } 
@@ -5743,20 +5899,22 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.unpacked.generate_keypair with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_generate_keypair_ce( +libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_generate_keypair_06( uint8_t randomness[64U], libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *out) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[64U]; memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); - libcrux_ml_kem_ind_cca_unpacked_generate_keypair_15(copy_of_randomness, out); + libcrux_ml_kem_ind_cca_unpacked_generate_keypair_e6(copy_of_randomness, out); } /** 
@@ -5770,50 +5928,52 @@ libcrux_ml_kem_mlkem768_portable_unpacked_generate_key_pair_mut( /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[64U]; memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); - libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_generate_keypair_ce( + libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_generate_keypair_06( copy_of_randomness, key_pair); } /** This function found in impl {core::default::Default for -libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@1]} +libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_30 +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_3f with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 */ -static KRML_MUSTINLINE libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 -libcrux_ml_kem_ind_cca_unpacked_default_30_1b(void) { +static KRML_MUSTINLINE libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be +libcrux_ml_kem_ind_cca_unpacked_default_3f_89(void) { return ( - KRML_CLITERAL(libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0){ - .ind_cpa_public_key = libcrux_ml_kem_ind_cpa_unpacked_default_8b_1b(), + KRML_CLITERAL(libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be){ + .ind_cpa_public_key = libcrux_ml_kem_ind_cpa_unpacked_default_50_89(), .public_key_hash = {0U}}); } /** This function found in impl {core::default::Default for -libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} +libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_7b +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_b1 with types 
libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 */ static KRML_MUSTINLINE libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked - libcrux_ml_kem_ind_cca_unpacked_default_7b_1b(void) { + libcrux_ml_kem_ind_cca_unpacked_default_b1_89(void) { libcrux_ml_kem_ind_cca_unpacked_MlKemPrivateKeyUnpacked_a0 uu____0 = { .ind_cpa_private_key = libcrux_ml_kem_ind_cpa_unpacked_default_70_1b(), .implicit_rejection_value = {0U}}; return (KRML_CLITERAL( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked){ .private_key = uu____0, - .public_key = libcrux_ml_kem_ind_cca_unpacked_default_30_1b()}); + .public_key = libcrux_ml_kem_ind_cca_unpacked_default_3f_89()}); } /** @@ -5823,7 +5983,7 @@ static inline libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked libcrux_ml_kem_mlkem768_portable_unpacked_generate_key_pair( uint8_t randomness[64U]) { libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked key_pair = - libcrux_ml_kem_ind_cca_unpacked_default_7b_1b(); + libcrux_ml_kem_ind_cca_unpacked_default_b1_89(); uint8_t uu____0[64U]; memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); libcrux_ml_kem_mlkem768_portable_unpacked_generate_key_pair_mut(uu____0, @@ -5836,15 +5996,15 @@ libcrux_ml_kem_mlkem768_portable_unpacked_generate_key_pair( */ static inline libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked libcrux_ml_kem_mlkem768_portable_unpacked_init_key_pair(void) { - return libcrux_ml_kem_ind_cca_unpacked_default_7b_1b(); + return libcrux_ml_kem_ind_cca_unpacked_default_b1_89(); } /** Create a new, empty unpacked public key. */ -static inline libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 +static inline libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be libcrux_ml_kem_mlkem768_portable_unpacked_init_public_key(void) { - return libcrux_ml_kem_ind_cca_unpacked_default_30_1b(); + return libcrux_ml_kem_ind_cca_unpacked_default_3f_89(); } /** 
@@ -5855,13 +6015,14 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.keys_from_private_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 - T_AS_NTT_ENCODED_SIZE= 1152 */ static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_unpacked_keys_from_private_key_42( +libcrux_ml_kem_ind_cca_unpacked_keys_from_private_key_df( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *key_pair) { @@ -5874,8 +6035,10 @@ libcrux_ml_kem_ind_cca_unpacked_keys_from_private_key_42( Eurydice_slice implicit_rejection_value = uu____0.f3; libcrux_ml_kem_ind_cpa_deserialize_vector_1b( ind_cpa_secret_key, - key_pair->private_key.ind_cpa_private_key.secret_as_ntt); - libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_3f( + Eurydice_array_to_slice( + (size_t)3U, key_pair->private_key.ind_cpa_private_key.secret_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); + libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_e2( ind_cpa_public_key, &key_pair->public_key.ind_cpa_public_key); Eurydice_slice_copy( Eurydice_array_to_slice((size_t)32U, key_pair->public_key.public_key_hash, 
@@ -5902,17 +6065,18 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.unpacked.keypair_from_private_key with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 - T_AS_NTT_ENCODED_SIZE= 1152 */ static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_keypair_from_private_key_fd( +libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_keypair_from_private_key_ce( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *key_pair) { - libcrux_ml_kem_ind_cca_unpacked_keys_from_private_key_42(private_key, + libcrux_ml_kem_ind_cca_unpacked_keys_from_private_key_df(private_key, key_pair); } 
@@ -5924,37 +6088,40 @@ libcrux_ml_kem_mlkem768_portable_unpacked_key_pair_from_private_mut( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *key_pair) { - libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_keypair_from_private_key_fd( + libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_keypair_from_private_key_ce( private_key, key_pair); } /** This function found in impl -{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} +{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.serialized_private_key_mut_11 with types +libcrux_ml_kem.ind_cca.unpacked.serialized_private_key_mut_b1 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 */ static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_11_43( +libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_b1_42( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *self, libcrux_ml_kem_types_MlKemPrivateKey_d9 *serialized) { - libcrux_ml_kem_utils_extraction_helper_Keypair768 uu____0 = - libcrux_ml_kem_ind_cpa_serialize_unpacked_secret_key_6c( - &self->public_key.ind_cpa_public_key, - &self->private_key.ind_cpa_private_key); - uint8_t ind_cpa_private_key[1152U]; - memcpy(ind_cpa_private_key, uu____0.fst, (size_t)1152U * sizeof(uint8_t)); - uint8_t ind_cpa_public_key[1184U]; - memcpy(ind_cpa_public_key, uu____0.snd, (size_t)1184U * sizeof(uint8_t)); - libcrux_ml_kem_ind_cca_serialize_kem_secret_key_mut_d6( + uint8_t ind_cpa_private_key[1152U] = {0U}; + uint8_t ind_cpa_public_key[1184U] = {0U}; + libcrux_ml_kem_vector_portable_vector_type_PortableVector scratch = + libcrux_ml_kem_vector_portable_ZERO_b8(); + 
libcrux_ml_kem_ind_cpa_serialize_unpacked_secret_key_43( + &self->public_key.ind_cpa_public_key, + &self->private_key.ind_cpa_private_key, + Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t), + Eurydice_array_to_slice((size_t)1184U, ind_cpa_public_key, uint8_t), + &scratch); + libcrux_ml_kem_ind_cca_serialize_kem_secret_key_mut_1f( Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t), Eurydice_array_to_slice((size_t)1184U, ind_cpa_public_key, uint8_t), Eurydice_array_to_slice( @@ -5964,24 +6131,25 @@ libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_11_43( /** This function found in impl -{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} +{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.serialized_private_key_11 with types +libcrux_ml_kem.ind_cca.unpacked.serialized_private_key_b1 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 */ static KRML_MUSTINLINE libcrux_ml_kem_types_MlKemPrivateKey_d9 -libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_11_43( +libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_b1_42( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *self) { libcrux_ml_kem_types_MlKemPrivateKey_d9 sk = libcrux_ml_kem_types_default_d3_28(); - libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_11_43(self, &sk); + libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_b1_42(self, &sk); return sk; } 
@@ -5992,7 +6160,7 @@ static inline libcrux_ml_kem_types_MlKemPrivateKey_d9 libcrux_ml_kem_mlkem768_portable_unpacked_key_pair_serialized_private_key( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *key_pair) { - return libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_11_43(key_pair); + return libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_b1_42(key_pair); } /** 
@@ -6002,50 +6170,57 @@ static inline void libcrux_ml_kem_mlkem768_portable_unpacked_key_pair_serialized_private_key_mut( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *key_pair, libcrux_ml_kem_types_MlKemPrivateKey_d9 *serialized) { - libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_11_43(key_pair, + libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_b1_42(key_pair, serialized); } /** This function found in impl -{libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@1]} +{libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.serialized_dd +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.serialized_6a with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 - PUBLIC_KEY_SIZE= 1184 */ static KRML_MUSTINLINE libcrux_ml_kem_types_MlKemPublicKey_30 -libcrux_ml_kem_ind_cca_unpacked_serialized_dd_89( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *self) { - uint8_t ret[1184U]; - libcrux_ml_kem_ind_cpa_serialize_public_key_89( +libcrux_ml_kem_ind_cca_unpacked_serialized_6a_6c( + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be *self) { + uint8_t public_key[1184U] = {0U}; + libcrux_ml_kem_vector_portable_vector_type_PortableVector scratch = + libcrux_ml_kem_vector_portable_ZERO_b8(); + libcrux_ml_kem_ind_cpa_serialize_public_key_mut_89( self->ind_cpa_public_key.t_as_ntt, Eurydice_array_to_slice((size_t)32U, self->ind_cpa_public_key.seed_for_A, uint8_t), - ret); - return libcrux_ml_kem_types_from_fd_d0(ret); + Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t), &scratch); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_public_key[1184U]; + memcpy(copy_of_public_key, public_key, (size_t)1184U * sizeof(uint8_t)); + return libcrux_ml_kem_types_from_fd_d0(copy_of_public_key); } /** 
This function found in impl -{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} +{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_11 with types +libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_b1 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 - PUBLIC_KEY_SIZE= 1184 */ static KRML_MUSTINLINE libcrux_ml_kem_types_MlKemPublicKey_30 -libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_11_89( +libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_b1_6c( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *self) { - return libcrux_ml_kem_ind_cca_unpacked_serialized_dd_89(&self->public_key); + return libcrux_ml_kem_ind_cca_unpacked_serialized_6a_6c(&self->public_key); } /** 
@@ -6055,49 +6230,54 @@ static inline libcrux_ml_kem_types_MlKemPublicKey_30 libcrux_ml_kem_mlkem768_portable_unpacked_key_pair_serialized_public_key( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *key_pair) { - return libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_11_89(key_pair); + return libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_b1_6c(key_pair); } /** This function found in impl -{libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@1]} +{libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.serialized_mut_dd +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.serialized_mut_6a with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 - PUBLIC_KEY_SIZE= 1184 */ static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_unpacked_serialized_mut_dd_89( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *self, +libcrux_ml_kem_ind_cca_unpacked_serialized_mut_6a_6c( + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be *self, libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector scratch = + libcrux_ml_kem_vector_portable_ZERO_b8(); libcrux_ml_kem_ind_cpa_serialize_public_key_mut_89( self->ind_cpa_public_key.t_as_ntt, Eurydice_array_to_slice((size_t)32U, self->ind_cpa_public_key.seed_for_A, uint8_t), - serialized->value); + Eurydice_array_to_slice((size_t)1184U, serialized->value, uint8_t), + &scratch); } /** This function found in impl -{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} +{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_mut_11 with types 
+libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_mut_b1 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 - PUBLIC_KEY_SIZE= 1184 */ static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_11_89( +libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_b1_6c( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *self, libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) { - libcrux_ml_kem_ind_cca_unpacked_serialized_mut_dd_89(&self->public_key, + libcrux_ml_kem_ind_cca_unpacked_serialized_mut_6a_6c(&self->public_key, serialized); } 
@@ -6108,24 +6288,25 @@ static inline void libcrux_ml_kem_mlkem768_portable_unpacked_key_pair_serialized_public_key_mut( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *key_pair, libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) { - libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_11_89(key_pair, + libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_b1_6c(key_pair, serialized); } /** This function found in impl {core::clone::Clone for -libcrux_ml_kem::ind_cpa::unpacked::IndCpaPublicKeyUnpacked[TraitClause@0, TraitClause@2]} +libcrux_ml_kem::ind_cpa::unpacked::IndCpaPublicKeyUnpacked[TraitClause@0, TraitClause@2]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cpa.unpacked.clone_91 +A monomorphic instance of libcrux_ml_kem.ind_cpa.unpacked.clone_1c with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 */ -static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 -libcrux_ml_kem_ind_cpa_unpacked_clone_91_1b( - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 *self) { +static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_be +libcrux_ml_kem_ind_cpa_unpacked_clone_1c_89( + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_be *self) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0[3U]; core_array__core__clone__Clone_for__Array_T__N___clone( (size_t)3U, self->t_as_ntt, uu____0, 
@@ -6133,38 +6314,39 @@ libcrux_ml_kem_ind_cpa_unpacked_clone_91_1b( uint8_t uu____1[32U]; core_array__core__clone__Clone_for__Array_T__N___clone( (size_t)32U, self->seed_for_A, uu____1, uint8_t, void *); - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 lit; + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_be lit; memcpy( lit.t_as_ntt, uu____0, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); memcpy(lit.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t)); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U][3U]; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[9U]; core_array__core__clone__Clone_for__Array_T__N___clone( - (size_t)3U, self->A, ret, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U], void *); - memcpy(lit.A, ret, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U])); + (size_t)9U, self->A, ret, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d, void *); + memcpy( + lit.A, ret, + (size_t)9U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); return lit; } /** This function found in impl {core::clone::Clone for -libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@2]} +libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@2]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.clone_d7 +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.clone_86 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 */ -static inline libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 -libcrux_ml_kem_ind_cca_unpacked_clone_d7_1b( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *self) { - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 lit; +static inline libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be +libcrux_ml_kem_ind_cca_unpacked_clone_86_89( + 
libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be *self) { + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be lit; lit.ind_cpa_public_key = - libcrux_ml_kem_ind_cpa_unpacked_clone_91_1b(&self->ind_cpa_public_key); + libcrux_ml_kem_ind_cpa_unpacked_clone_1c_89(&self->ind_cpa_public_key); uint8_t ret[32U]; core_array__core__clone__Clone_for__Array_T__N___clone( (size_t)32U, self->public_key_hash, ret, uint8_t, void *); @@ -6174,17 +6356,18 @@ libcrux_ml_kem_ind_cca_unpacked_clone_d7_1b( /** This function found in impl -{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} +{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.public_key_11 +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.public_key_b1 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 */ -static KRML_MUSTINLINE libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 * -libcrux_ml_kem_ind_cca_unpacked_public_key_11_1b( +static KRML_MUSTINLINE libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be * +libcrux_ml_kem_ind_cca_unpacked_public_key_b1_89( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *self) { return &self->public_key; } 
@@ -6194,10 +6377,10 @@ libcrux_ml_kem_ind_cca_unpacked_public_key_11_1b( */ static inline void libcrux_ml_kem_mlkem768_portable_unpacked_public_key( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *key_pair, - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *pk) { - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 uu____0 = - libcrux_ml_kem_ind_cca_unpacked_clone_d7_1b( - libcrux_ml_kem_ind_cca_unpacked_public_key_11_1b(key_pair)); + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be *pk) { + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be uu____0 = + libcrux_ml_kem_ind_cca_unpacked_clone_86_89( + libcrux_ml_kem_ind_cca_unpacked_public_key_b1_89(key_pair)); pk[0U] = uu____0; } @@ -6206,9 +6389,9 @@ static inline void libcrux_ml_kem_mlkem768_portable_unpacked_public_key( */ static inline void libcrux_ml_kem_mlkem768_portable_unpacked_serialized_public_key( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *public_key, + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be *public_key, libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) { - libcrux_ml_kem_ind_cca_unpacked_serialized_mut_dd_89(public_key, serialized); + libcrux_ml_kem_ind_cca_unpacked_serialized_mut_6a_6c(public_key, serialized); } /** 
@@ -6216,22 +6399,25 @@ libcrux_ml_kem_mlkem768_portable_unpacked_serialized_public_key( */ /** A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.unpack_public_key -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]], +with types libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 - T_AS_NTT_ENCODED_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 */ static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_0a( +libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_1e( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be *unpacked_public_key) { Eurydice_slice uu____0 = Eurydice_array_to_subslice_to((size_t)1184U, public_key->value, (size_t)1152U, uint8_t, size_t, uint8_t[]); libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_1b( - uu____0, unpacked_public_key->ind_cpa_public_key.t_as_ntt); + uu____0, Eurydice_array_to_slice( + (size_t)3U, unpacked_public_key->ind_cpa_public_key.t_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); uint8_t uu____1[32U]; libcrux_ml_kem_utils_into_padded_array_9e( Eurydice_array_to_subslice_from((size_t)1184U, public_key->value, 
@@ -6240,23 +6426,22 @@ libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_0a( uu____1); memcpy(unpacked_public_key->ind_cpa_public_key.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t)); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d(*uu____2)[3U] = - unpacked_public_key->ind_cpa_public_key.A; + Eurydice_slice uu____2 = Eurydice_array_to_slice( + (size_t)9U, unpacked_public_key->ind_cpa_public_key.A, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d); uint8_t ret[34U]; libcrux_ml_kem_utils_into_padded_array_b6( Eurydice_array_to_subslice_from((size_t)1184U, public_key->value, (size_t)1152U, uint8_t, size_t, uint8_t[]), ret); - libcrux_ml_kem_matrix_sample_matrix_A_2b(uu____2, ret, false); - uint8_t uu____3[32U]; - libcrux_ml_kem_hash_functions_portable_H_4a_e0( + libcrux_ml_kem_matrix_sample_matrix_A_57(uu____2, ret, false); + libcrux_ml_kem_hash_functions_portable_H_6e( Eurydice_array_to_slice((size_t)1184U, libcrux_ml_kem_types_as_slice_e6_d0(public_key), uint8_t), - uu____3); - memcpy(unpacked_public_key->public_key_hash, uu____3, - (size_t)32U * sizeof(uint8_t)); + Eurydice_array_to_slice((size_t)32U, unpacked_public_key->public_key_hash, + uint8_t)); } /** @@ -6267,15 +6452,16 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.unpacked.unpack_public_key with const generics - K= 3 +- K_SQUARED= 9 - T_AS_NTT_ENCODED_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 */ static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_unpack_public_key_31( +libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_unpack_public_key_a5( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be *unpacked_public_key) { - libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_0a(public_key, + libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_1e(public_key, unpacked_public_key); } 
@@ -6285,9 +6471,9 @@ libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_unpack_public_key_31( static inline void libcrux_ml_kem_mlkem768_portable_unpacked_unpacked_public_key( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be *unpacked_public_key) { - libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_unpack_public_key_31( + libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_unpack_public_key_a5( public_key, unpacked_public_key); } diff --git a/libcrux-ml-kem/extracts/c_header_only/generated/libcrux_mlkem_core.h b/libcrux-ml-kem/extracts/c_header_only/generated/libcrux_mlkem_core.h index 90e250dd9..3848cb9f6 100644 --- a/libcrux-ml-kem/extracts/c_header_only/generated/libcrux_mlkem_core.h +++ b/libcrux-ml-kem/extracts/c_header_only/generated/libcrux_mlkem_core.h @@ -7,8 +7,8 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ #ifndef libcrux_mlkem_core_H @@ -42,8 +42,6 @@ static inline uint32_t core_num__u8__count_ones(uint8_t x0); static inline uint8_t core_num__u8__wrapping_sub(uint8_t x0, uint8_t x1); -#define LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE ((size_t)32U) - #define LIBCRUX_ML_KEM_CONSTANTS_BITS_PER_COEFFICIENT ((size_t)12U) #define LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT ((size_t)256U) @@ -60,6 +58,8 @@ static inline uint8_t core_num__u8__wrapping_sub(uint8_t x0, uint8_t x1); #define LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE ((size_t)32U) +#define LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE ((size_t)32U) + /** K * BITS_PER_RING_ELEMENT / 8 
@@ -315,84 +315,6 @@ static KRML_MUSTINLINE int16_t libcrux_secrets_int_as_i16_f5(int16_t self) { libcrux_secrets_int_public_integers_declassify_d8_39(self)); } -typedef struct libcrux_ml_kem_utils_extraction_helper_Keypair768_s { - uint8_t fst[1152U]; - uint8_t snd[1184U]; -} libcrux_ml_kem_utils_extraction_helper_Keypair768; - -#define Ok 0 -#define Err 1 - -typedef uint8_t Result_b2_tags; - -/** -A monomorphic instance of core.result.Result -with types uint8_t[24size_t], core_array_TryFromSliceError - -*/ -typedef struct Result_b2_s { - Result_b2_tags tag; - union { - uint8_t case_Ok[24U]; - TryFromSliceError case_Err; - } val; -} Result_b2; - -/** -This function found in impl {core::result::Result[TraitClause@0, -TraitClause@1]} -*/ -/** -A monomorphic instance of core.result.unwrap_26 -with types uint8_t[24size_t], core_array_TryFromSliceError - -*/ -static inline void unwrap_26_70(Result_b2 self, uint8_t ret[24U]) { - if (self.tag == Ok) { - uint8_t f0[24U]; - memcpy(f0, self.val.case_Ok, (size_t)24U * sizeof(uint8_t)); - memcpy(ret, f0, (size_t)24U * sizeof(uint8_t)); - } else { - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "unwrap not Ok"); - KRML_HOST_EXIT(255U); - } -} - -/** -A monomorphic instance of core.result.Result -with types uint8_t[20size_t], core_array_TryFromSliceError - -*/ -typedef struct Result_e1_s { - Result_b2_tags tag; - union { - uint8_t case_Ok[20U]; - TryFromSliceError case_Err; - } val; -} Result_e1; - -/** -This function found in impl {core::result::Result[TraitClause@0, -TraitClause@1]} -*/ -/** -A monomorphic instance of core.result.unwrap_26 -with types uint8_t[20size_t], core_array_TryFromSliceError - -*/ -static inline void unwrap_26_20(Result_e1 self, uint8_t ret[20U]) { - if (self.tag == Ok) { - uint8_t f0[20U]; - memcpy(f0, self.val.case_Ok, (size_t)20U * sizeof(uint8_t)); - memcpy(ret, f0, (size_t)20U * sizeof(uint8_t)); - } else { - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, 
__LINE__, - "unwrap not Ok"); - KRML_HOST_EXIT(255U); - } -} - /** Pad the `slice` with `0`s at the end. */ @@ -436,6 +358,29 @@ libcrux_ml_kem_types_default_d3_28(void) { KRML_CLITERAL(libcrux_ml_kem_types_MlKemPrivateKey_d9){.value = {0U}}); } +typedef struct libcrux_ml_kem_mlkem768_MlKem768Ciphertext_s { + uint8_t value[1088U]; +} libcrux_ml_kem_mlkem768_MlKem768Ciphertext; + +/** +This function found in impl {core::convert::From<@Array> for +libcrux_ml_kem::types::MlKemCiphertext} +*/ +/** +A monomorphic instance of libcrux_ml_kem.types.from_e0 +with const generics +- SIZE= 1088 +*/ +static inline libcrux_ml_kem_mlkem768_MlKem768Ciphertext +libcrux_ml_kem_types_from_e0_80(uint8_t value[1088U]) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_value[1088U]; + memcpy(copy_of_value, value, (size_t)1088U * sizeof(uint8_t)); + libcrux_ml_kem_mlkem768_MlKem768Ciphertext lit; + memcpy(lit.value, copy_of_value, (size_t)1088U * sizeof(uint8_t)); + return lit; +} + /** A monomorphic instance of libcrux_ml_kem.types.MlKemPublicKey with const generics @@ -505,13 +450,18 @@ libcrux_ml_kem_types_from_77_28(uint8_t value[2400U]) { return lit; } +#define Ok 0 +#define Err 1 + +typedef uint8_t Result_fb_tags; + /** A monomorphic instance of core.result.Result with types uint8_t[32size_t], core_array_TryFromSliceError */ typedef struct Result_fb_s { - Result_b2_tags tag; + Result_fb_tags tag; union { uint8_t case_Ok[32U]; TryFromSliceError case_Err; @@ -539,10 +489,6 @@ static inline void unwrap_26_b3(Result_fb self, uint8_t ret[32U]) { } } -typedef struct libcrux_ml_kem_mlkem768_MlKem768Ciphertext_s { - uint8_t value[1088U]; -} libcrux_ml_kem_mlkem768_MlKem768Ciphertext; - /** A monomorphic instance of K. with types libcrux_ml_kem_types_MlKemCiphertext[[$1088size_t]], 
@@ -555,22 +501,18 @@ typedef struct tuple_c2_s { } tuple_c2; /** -This function found in impl {core::convert::From<@Array> for +This function found in impl {core::default::Default for libcrux_ml_kem::types::MlKemCiphertext} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_e0 +A monomorphic instance of libcrux_ml_kem.types.default_73 with const generics - SIZE= 1088 */ static inline libcrux_ml_kem_mlkem768_MlKem768Ciphertext -libcrux_ml_kem_types_from_e0_80(uint8_t value[1088U]) { - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_value[1088U]; - memcpy(copy_of_value, value, (size_t)1088U * sizeof(uint8_t)); - libcrux_ml_kem_mlkem768_MlKem768Ciphertext lit; - memcpy(lit.value, copy_of_value, (size_t)1088U * sizeof(uint8_t)); - return lit; +libcrux_ml_kem_types_default_73_80(void) { + return ( + KRML_CLITERAL(libcrux_ml_kem_mlkem768_MlKem768Ciphertext){.value = {0U}}); } /** @@ -586,19 +528,6 @@ static inline uint8_t *libcrux_ml_kem_types_as_slice_e6_d0( return self->value; } -/** -This function found in impl {libcrux_ml_kem::types::MlKemCiphertext} -*/ -/** -A monomorphic instance of libcrux_ml_kem.types.as_slice_a9 -with const generics -- SIZE= 1088 -*/ -static inline uint8_t *libcrux_ml_kem_types_as_slice_a9_80( - libcrux_ml_kem_mlkem768_MlKem768Ciphertext *self) { - return self->value; -} - /** A monomorphic instance of libcrux_ml_kem.utils.prf_input_inc with const generics 
@@ -749,75 +678,6 @@ libcrux_ml_kem_types_unpack_private_key_b4(Eurydice_slice private_key) { .f3 = implicit_rejection_value}); } -/** -This function found in impl {libcrux_secrets::traits::Declassify for T} -*/ -/** -A monomorphic instance of libcrux_secrets.int.public_integers.declassify_d8 -with types uint8_t[24size_t] - -*/ -static KRML_MUSTINLINE void -libcrux_secrets_int_public_integers_declassify_d8_d2(uint8_t self[24U], - uint8_t ret[24U]) { - memcpy(ret, self, (size_t)24U * sizeof(uint8_t)); -} - -/** -This function found in impl {libcrux_secrets::traits::Declassify for T} -*/ -/** -A monomorphic instance of libcrux_secrets.int.public_integers.declassify_d8 -with types uint8_t[20size_t] - -*/ -static KRML_MUSTINLINE void -libcrux_secrets_int_public_integers_declassify_d8_57(uint8_t self[20U], - uint8_t ret[20U]) { - memcpy(ret, self, (size_t)20U * sizeof(uint8_t)); -} - -/** -This function found in impl {libcrux_secrets::traits::Declassify for T} -*/ -/** -A monomorphic instance of libcrux_secrets.int.public_integers.declassify_d8 -with types uint8_t[8size_t] - -*/ -static KRML_MUSTINLINE void -libcrux_secrets_int_public_integers_declassify_d8_76(uint8_t self[8U], - uint8_t ret[8U]) { - memcpy(ret, self, (size_t)8U * sizeof(uint8_t)); -} - -/** -This function found in impl {libcrux_secrets::traits::Declassify for T} -*/ -/** -A monomorphic instance of libcrux_secrets.int.public_integers.declassify_d8 -with types uint8_t[2size_t] - -*/ -static KRML_MUSTINLINE void -libcrux_secrets_int_public_integers_declassify_d8_d4(uint8_t self[2U], - uint8_t ret[2U]) { - memcpy(ret, self, (size_t)2U * sizeof(uint8_t)); -} - -/** -This function found in impl {libcrux_secrets::traits::Classify for T} -*/ -/** -A monomorphic instance of libcrux_secrets.int.public_integers.classify_27 -with types int16_t[16size_t] - -*/ -static KRML_MUSTINLINE void libcrux_secrets_int_public_integers_classify_27_46( - int16_t self[16U], int16_t ret[16U]) { - memcpy(ret, self, (size_t)16U * 
sizeof(int16_t)); -} - /** This function found in impl {libcrux_secrets::traits::ClassifyRef<&'a (@Slice)> for &'a (@Slice)} @@ -847,37 +707,16 @@ libcrux_secrets_int_classify_public_classify_ref_9b_39(Eurydice_slice self) { } /** -A monomorphic instance of core.result.Result -with types int16_t[16size_t], core_array_TryFromSliceError - -*/ -typedef struct Result_0a_s { - Result_b2_tags tag; - union { - int16_t case_Ok[16U]; - TryFromSliceError case_Err; - } val; -} Result_0a; - -/** -This function found in impl {core::result::Result[TraitClause@0, -TraitClause@1]} +This function found in impl {libcrux_secrets::traits::Classify for T} */ /** -A monomorphic instance of core.result.unwrap_26 -with types int16_t[16size_t], core_array_TryFromSliceError +A monomorphic instance of libcrux_secrets.int.public_integers.classify_27 +with types int16_t[16size_t] */ -static inline void unwrap_26_00(Result_0a self, int16_t ret[16U]) { - if (self.tag == Ok) { - int16_t f0[16U]; - memcpy(f0, self.val.case_Ok, (size_t)16U * sizeof(int16_t)); - memcpy(ret, f0, (size_t)16U * sizeof(int16_t)); - } else { - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "unwrap not Ok"); - KRML_HOST_EXIT(255U); - } +static KRML_MUSTINLINE void libcrux_secrets_int_public_integers_classify_27_46( + int16_t self[16U], int16_t ret[16U]) { + memcpy(ret, self, (size_t)16U * sizeof(int16_t)); } /** @@ -886,7 +725,7 @@ with types uint8_t[8size_t], core_array_TryFromSliceError */ typedef struct Result_15_s { - Result_b2_tags tag; + Result_fb_tags tag; union { uint8_t case_Ok[8U]; TryFromSliceError case_Err; diff --git a/libcrux-ml-kem/extracts/c_header_only/generated/libcrux_sha3_avx2.h b/libcrux-ml-kem/extracts/c_header_only/generated/libcrux_sha3_avx2.h index bc5445574..ee87f927a 100644 --- a/libcrux-ml-kem/extracts/c_header_only/generated/libcrux_sha3_avx2.h +++ b/libcrux-ml-kem/extracts/c_header_only/generated/libcrux_sha3_avx2.h 
@@ -7,8 +7,8 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ #ifndef libcrux_sha3_avx2_H diff --git a/libcrux-ml-kem/extracts/c_header_only/generated/libcrux_sha3_portable.h b/libcrux-ml-kem/extracts/c_header_only/generated/libcrux_sha3_portable.h index 0d3553d5b..21e6d0f85 100644 --- a/libcrux-ml-kem/extracts/c_header_only/generated/libcrux_sha3_portable.h +++ b/libcrux-ml-kem/extracts/c_header_only/generated/libcrux_sha3_portable.h @@ -7,8 +7,8 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ #ifndef libcrux_sha3_portable_H diff --git a/libcrux-ml-kem/extracts/cpp_header_only/generated/code_gen.txt b/libcrux-ml-kem/extracts/cpp_header_only/generated/code_gen.txt index a689f6d37..575a786c5 100644 --- a/libcrux-ml-kem/extracts/cpp_header_only/generated/code_gen.txt +++ b/libcrux-ml-kem/extracts/cpp_header_only/generated/code_gen.txt @@ -2,5 +2,5 @@ This code was generated with the following revisions: Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b -F*: 71d8221589d4d438af3706d89cb653cf53e18aab -Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc +F*: unset +Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b diff --git a/libcrux-ml-kem/extracts/cpp_header_only/generated/eurydice_glue.h b/libcrux-ml-kem/extracts/cpp_header_only/generated/eurydice_glue.h index a5d486a9c..e44250879 100644 
--- a/libcrux-ml-kem/extracts/cpp_header_only/generated/eurydice_glue.h +++ b/libcrux-ml-kem/extracts/cpp_header_only/generated/eurydice_glue.h @@ -1,10 +1,3 @@ -/* - * SPDX-FileCopyrightText: 2024 Eurydice Contributors - * SPDX-FileCopyrightText: 2024-2025 Cryspen Sarl - * - * SPDX-License-Identifier: MIT or Apache-2.0 - */ - #pragma once #include @@ -25,6 +18,10 @@ #if defined(__cplusplus) +#ifndef KRML_HOST_EPRINTF +#define KRML_HOST_EPRINTF(...) fprintf(stderr, __VA_ARGS__) +#endif + #include #ifndef __cpp_lib_type_identity @@ -52,6 +49,15 @@ using std::type_identity_t; #define LowStar_Ignore_ignore(e, t, _ret_t) ((void)e) +#define EURYDICE_ASSERT(test, msg) \ + do { \ + if (!(test)) { \ + fprintf(stderr, "assertion \"%s\" failed: file \"%s\", line %d\n", msg, \ + __FILE__, __LINE__); \ + exit(255); \ + } \ + } while (0) + // SLICES, ARRAYS, ETC. // We represent a slice as a pair of an (untyped) pointer, along with the length @@ -65,7 +71,7 @@ using std::type_identity_t; // // Empty slices have `len == 0` and `ptr` always needs to be a valid pointer // that is not NULL (otherwise the construction in EURYDICE_SLICE computes `NULL -// + start`). +// + start`). 20250714: this is fine since C23. typedef struct { void *ptr; size_t len; @@ -89,7 +95,7 @@ typedef struct { // cast to something that can decay (see remark above about how pointer // arithmetic works in C), meaning either pointer or array type. #define EURYDICE_SLICE(x, start, end) \ - (KRML_CLITERAL(Eurydice_slice){(void *)(x + start), end - start}) + (KRML_CLITERAL(Eurydice_slice){(void *)(x + start), end - (start)}) // Slice length #define EURYDICE_SLICE_LEN(s, _) (s).len 
@@ -129,13 +135,13 @@ typedef struct { #define Eurydice_array_to_subslice(_arraylen, x, r, t, _0, _1) \ EURYDICE_SLICE((t *)x, r.start, r.end) -// Same as above, variant for when start and end are statically known -#define Eurydice_array_to_subslice2(x, start, end, t) \ - EURYDICE_SLICE((t *)x, (start), (end)) - // Same as above, variant for when start and end are statically known #define Eurydice_array_to_subslice3(x, start, end, t_ptr) \ EURYDICE_SLICE((t_ptr)x, (start), (end)) + +#define Eurydice_array_repeat(dst, len, init, t) \ + ERROR "should've been desugared" + // The following functions convert an array into a slice. #define Eurydice_array_to_subslice_to(_size, x, r, t, _range_t, _0) \ 
@@ -160,20 +166,26 @@ typedef struct { len, src, dst, elem_type, _ret_t) \ (memcpy(dst, src, len * sizeof(elem_type))) #define TryFromSliceError uint8_t +#define core_array_TryFromSliceError uint8_t +// Distinguished support for some PartialEq trait implementations +// +// core::cmp::PartialEq<@Array> for @Array #define Eurydice_array_eq(sz, a1, a2, t) (memcmp(a1, a2, sz * sizeof(t)) == 0) - // core::cmp::PartialEq<&0 (@Slice)> for @Array #define Eurydice_array_eq_slice(sz, a1, s2, t, _) \ (memcmp(a1, (s2)->ptr, sz * sizeof(t)) == 0) -#define core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq( \ +// DEPRECATED -- should no longer be generated +#define core_array_equality__core__cmp__PartialEq__Array_U__N___for__Array_T__N___eq( \ + sz, a1, a2, t, _, _ret_t) \ + Eurydice_array_eq(sz, a1, a2, t) +#define core_array_equality__core__cmp__PartialEq__0___Slice_U____for__Array_T__N___eq( \ sz, a1, a2, t, _, _ret_t) \ - Eurydice_array_eq(sz, a1, a2, t, _) - -#define core_array_equality___core__cmp__PartialEq__0___Slice_U____for__Array_T__N___3__eq( \ - sz, a1, a2, t, _, _ret_t) \ - Eurydice_array_eq(sz, a1, ((a2)->ptr), t, _) + Eurydice_array_eq(sz, a1, ((a2)->ptr), t) +#define core_cmp_impls__core__cmp__PartialEq__0_mut__B___for__1_mut__A___eq( \ + _m0, _m1, src1, src2, _0, _1, T) \ + Eurydice_slice_eq(src1, src2, _, _, T, _) #define Eurydice_slice_split_at(slice, mid, element_type, ret_t) \ KRML_CLITERAL(ret_t) { \ @@ -191,7 +203,7 @@ typedef struct { EURYDICE_CFIELD(.snd =) KRML_CLITERAL(Eurydice_slice) { \ EURYDICE_CFIELD(.ptr =) \ ((char *)slice.ptr + mid * sizeof(element_type)), \ - EURYDICE_CFIELD(.len =)(slice.len - mid) \ + EURYDICE_CFIELD(.len =)(slice.len - (mid)) \ } \ } 
@@ -202,29 +214,105 @@ typedef struct { Eurydice_slice_to_array3(&(dst)->tag, (char *)&(dst)->val.case_Ok, src, \ sizeof(t_arr)) -static KRML_MUSTINLINE void Eurydice_slice_to_array3(uint8_t *dst_tag, - char *dst_ok, - Eurydice_slice src, - size_t sz) { +#define Eurydice_slice_to_ref_array(len_, src, t_ptr, t_arr, t_err, t_res) \ + (src.len >= len_ \ + ? ((t_res){.tag = core_result_Ok, .val = {.case_Ok = src.ptr}}) \ + : ((t_res){.tag = core_result_Err, .val = {.case_Err = 0}})) + +static inline void Eurydice_slice_to_array3(uint8_t *dst_tag, char *dst_ok, + Eurydice_slice src, size_t sz) { *dst_tag = 0; memcpy(dst_ok, src.ptr, sz); } +// SUPPORT FOR DSTs (Dynamically-Sized Types) + +// A DST is a fat pointer that keeps tracks of the size of it flexible array +// member. Slices are a specific case of DSTs, where [T; N] implements +// Unsize<[T]>, meaning an array of statically known size can be converted to a +// fat pointer, i.e. a slice. +// +// Unlike slices, DSTs have a built-in definition that gets monomorphized, of +// the form: +// +// typedef struct { +// T *ptr; +// size_t len; // number of elements +// } Eurydice_dst; +// +// Furthermore, T = T0<[U0]> where `struct T0`, where the `U` is the +// last field. This means that there are two monomorphizations of T0 in the +// program. One is `T0<[V; N]>` +// -- this is directly converted to a Eurydice_dst via suitable codegen (no +// macro). The other is `T = T0<[U]>`, where `[U]` gets emitted to +// `Eurydice_derefed_slice`, a type that only appears in that precise situation +// and is thus defined to give rise to a flexible array member. + +typedef char Eurydice_derefed_slice[]; + +#define Eurydice_slice_of_dst(fam_ptr, len_, t, _) \ + ((Eurydice_slice){.ptr = (void *)(fam_ptr), .len = len_}) + +#define Eurydice_slice_of_boxed_array(ptr_, len_, t, _) \ + ((Eurydice_slice){.ptr = (void *)(ptr_), .len = len_}) + // CORE STUFF (conversions, endianness, ...) 
-static KRML_MUSTINLINE void core_num__u64__to_le_bytes(uint64_t v, - uint8_t buf[8]) { +// We slap extern "C" on declarations that intend to implement a prototype +// generated by Eurydice, because Eurydice prototypes are always emitted within +// an extern "C" block, UNLESS you use -fcxx17-compat, in which case, you must +// pass -DKRML_CXX17_COMPAT="" to your C++ compiler. +#if defined(__cplusplus) && !defined(KRML_CXX17_COMPAT) +extern "C" { +#endif + +static inline uint16_t core_num__u16__from_le_bytes(uint8_t buf[2]) { + return load16_le(buf); +} + +static inline void core_num__u32__to_be_bytes(uint32_t src, uint8_t dst[4]) { + // TODO: why not store32_be? + uint32_t x = htobe32(src); + memcpy(dst, &x, 4); +} + +static inline void core_num__u32__to_le_bytes(uint32_t src, uint8_t dst[4]) { + store32_le(dst, src); +} + +static inline uint32_t core_num__u32__from_le_bytes(uint8_t buf[4]) { + return load32_le(buf); +} + +static inline void core_num__u64__to_le_bytes(uint64_t v, uint8_t buf[8]) { store64_le(buf, v); } -static KRML_MUSTINLINE uint64_t core_num__u64__from_le_bytes(uint8_t buf[8]) { + +static inline uint64_t core_num__u64__from_le_bytes(uint8_t buf[8]) { return load64_le(buf); } -static KRML_MUSTINLINE uint32_t core_num__u32__from_le_bytes(uint8_t buf[4]) { - return load32_le(buf); +static inline int64_t core_convert_num__core__convert__From_i32__for_i64__from( + int32_t x) { + return x; +} + +static inline uint64_t core_convert_num__core__convert__From_u8__for_u64__from( + uint8_t x) { + return x; } -static KRML_MUSTINLINE uint32_t core_num__u8__count_ones(uint8_t x0) { +static inline uint64_t core_convert_num__core__convert__From_u16__for_u64__from( + uint16_t x) { + return x; +} + +static inline size_t core_convert_num__core__convert__From_u16__for_usize__from( + uint16_t x) { + return x; +} + +static inline uint32_t core_num__u8__count_ones(uint8_t x0) { #ifdef _MSC_VER return __popcnt(x0); #else 
@@ -232,21 +320,118 @@ static KRML_MUSTINLINE uint32_t core_num__u8__count_ones(uint8_t x0) { #endif } +static inline uint32_t core_num__u32__count_ones(uint32_t x0) { +#ifdef _MSC_VER + return __popcnt(x0); +#else + return __builtin_popcount(x0); +#endif +} + +static inline uint32_t core_num__i32__count_ones(int32_t x0) { +#ifdef _MSC_VER + return __popcnt(x0); +#else + return __builtin_popcount(x0); +#endif +} + +static inline size_t core_cmp_impls__core__cmp__Ord_for_usize__min(size_t a, + size_t b) { + if (a <= b) + return a; + else + return b; +} + // unsigned overflow wraparound semantics in C -static KRML_MUSTINLINE uint16_t core_num__u16__wrapping_add(uint16_t x, - uint16_t y) { +static inline uint8_t core_num__u8__wrapping_sub(uint8_t x, uint8_t y) { + return x - y; +} +static inline uint8_t core_num__u8__wrapping_add(uint8_t x, uint8_t y) { return x + y; } -static KRML_MUSTINLINE uint8_t core_num__u8__wrapping_sub(uint8_t x, - uint8_t y) { +static inline uint8_t core_num__u8__wrapping_mul(uint8_t x, uint8_t y) { + return x * y; +} +static inline uint16_t core_num__u16__wrapping_sub(uint16_t x, uint16_t y) { + return x - y; +} +static inline uint16_t core_num__u16__wrapping_add(uint16_t x, uint16_t y) { + return x + y; +} +static inline uint16_t core_num__u16__wrapping_mul(uint16_t x, uint16_t y) { + return x * y; +} +static inline uint32_t core_num__u32__wrapping_sub(uint32_t x, uint32_t y) { return x - y; } +static inline uint32_t core_num__u32__wrapping_add(uint32_t x, uint32_t y) { + return x + y; +} +static inline uint32_t core_num__u32__wrapping_mul(uint32_t x, uint32_t y) { + return x * y; +} +static inline uint64_t core_num__u64__wrapping_sub(uint64_t x, uint64_t y) { + return x - y; +} +static inline uint64_t core_num__u64__wrapping_add(uint64_t x, uint64_t y) { + return x + y; +} +static inline uint64_t core_num__u64__wrapping_mul(uint64_t x, uint64_t y) { + return x * y; +} +static inline size_t core_num__usize__wrapping_sub(size_t x, size_t y) 
{ + return x - y; +} +static inline size_t core_num__usize__wrapping_add(size_t x, size_t y) { + return x + y; +} +static inline size_t core_num__usize__wrapping_mul(size_t x, size_t y) { + return x * y; +} + +static inline uint64_t core_num__u64__rotate_left(uint64_t x0, uint32_t x1) { + return (x0 << x1) | (x0 >> ((-x1) & 63)); +} + +static inline void core_ops_arith__i32__add_assign(int32_t *x0, int32_t *x1) { + *x0 = *x0 + *x1; +} + +static inline uint8_t Eurydice_bitand_pv_u8(uint8_t *p, uint8_t v) { + return (*p) & v; +} +static inline uint8_t Eurydice_shr_pv_u8(uint8_t *p, int32_t v) { + return (*p) >> v; +} +static inline uint32_t Eurydice_min_u32(uint32_t x, uint32_t y) { + return x < y ? x : y; +} + +static inline uint8_t +core_ops_bit__core__ops__bit__BitAnd_u8__u8__for___a__u8___bitand(uint8_t *x0, + uint8_t x1) { + return Eurydice_bitand_pv_u8(x0, x1); +} -static KRML_MUSTINLINE uint64_t core_num__u64__rotate_left(uint64_t x0, - uint32_t x1) { - return (x0 << x1 | x0 >> (64 - x1)); +static inline uint8_t +core_ops_bit__core__ops__bit__Shr_i32__u8__for___a__u8___shr(uint8_t *x0, + int32_t x1) { + return Eurydice_shr_pv_u8(x0, x1); } +#define core_num_nonzero_private_NonZeroUsizeInner size_t +static inline core_num_nonzero_private_NonZeroUsizeInner +core_num_nonzero_private___core__clone__Clone_for_core__num__nonzero__private__NonZeroUsizeInner___clone( + core_num_nonzero_private_NonZeroUsizeInner *x0) { + return *x0; +} + +#if defined(__cplusplus) && !defined(KRML_CXX17_COMPAT) +} +#endif + // ITERATORS #define Eurydice_range_iter_next(iter_ptr, t, ret_t) \ 
@@ -256,10 +441,188 @@ static KRML_MUSTINLINE uint64_t core_num__u64__rotate_left(uint64_t x0, : (KRML_CLITERAL(ret_t){EURYDICE_CFIELD(.tag =) 1, \ EURYDICE_CFIELD(.f0 =)(iter_ptr)->start++})) -#define core_iter_range___core__iter__traits__iterator__Iterator_A__for_core__ops__range__Range_A__TraitClause_0___6__next \ +#define core_iter_range__core__iter__traits__iterator__Iterator_A__for_core__ops__range__Range_A__TraitClause_0___next \ Eurydice_range_iter_next // See note in karamel/lib/Inlining.ml if you change this #define Eurydice_into_iter(x, t, _ret_t, _) (x) -#define core_iter_traits_collect___core__iter__traits__collect__IntoIterator_Clause1_Item__I__for_I__1__into_iter \ +#define core_iter_traits_collect__core__iter__traits__collect__IntoIterator_Clause1_Item__I__for_I__into_iter \ Eurydice_into_iter + +typedef struct { + Eurydice_slice slice; + size_t chunk_size; +} Eurydice_chunks; + +// Can't use macros Eurydice_slice_subslice_{to,from} because they require a +// type, and this static inline function cannot receive a type as an argument. +// Instead, we receive the element size and use it to peform manual offset +// computations rather than going through the macros. +static inline Eurydice_slice chunk_next(Eurydice_chunks *chunks, + size_t element_size) { + size_t chunk_size = chunks->slice.len >= chunks->chunk_size + ? 
chunks->chunk_size + : chunks->slice.len; + Eurydice_slice curr_chunk; + curr_chunk.ptr = chunks->slice.ptr; + curr_chunk.len = chunk_size; + chunks->slice.ptr = (char *)(chunks->slice.ptr) + chunk_size * element_size; + chunks->slice.len = chunks->slice.len - chunk_size; + return curr_chunk; +} + +#define core_slice___Slice_T___chunks(slice_, sz_, t, _ret_t) \ + ((Eurydice_chunks){.slice = slice_, .chunk_size = sz_}) +#define core_slice___Slice_T___chunks_exact(slice_, sz_, t, _ret_t) \ + ((Eurydice_chunks){ \ + .slice = {.ptr = slice_.ptr, .len = slice_.len - (slice_.len % sz_)}, \ + .chunk_size = sz_}) +#define core_slice_iter_Chunks Eurydice_chunks +#define core_slice_iter_ChunksExact Eurydice_chunks +#define Eurydice_chunks_next(iter, t, ret_t) \ + (((iter)->slice.len == 0) ? ((ret_t){.tag = core_option_None}) \ + : ((ret_t){.tag = core_option_Some, \ + .f0 = chunk_next(iter, sizeof(t))})) +#define core_slice_iter__core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T___next \ + Eurydice_chunks_next +// This name changed on 20240627 +#define core_slice_iter__core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T___next \ + Eurydice_chunks_next +#define core_slice_iter__core__slice__iter__ChunksExact__a__T__89__next( \ + iter, t, _ret_t) \ + core_slice_iter__core__slice__iter__Chunks__a__T__70__next(iter, t) + +typedef struct { + Eurydice_slice s; + size_t index; +} Eurydice_slice_iterator; + +#define core_slice___Slice_T___iter(x, t, _ret_t) \ + ((Eurydice_slice_iterator){.s = x, .index = 0}) +#define core_slice_iter_Iter Eurydice_slice_iterator +#define core_slice_iter__core__slice__iter__Iter__a__T__next(iter, t, ret_t) \ + (((iter)->index == (iter)->s.len) \ + ? 
(KRML_CLITERAL(ret_t){.tag = core_option_None}) \ + : (KRML_CLITERAL(ret_t){ \ + .tag = core_option_Some, \ + .f0 = ((iter)->index++, \ + &((t *)((iter)->s.ptr))[(iter)->index - 1])})) +#define core_option__core__option__Option_T__TraitClause_0___is_some(X, _0, \ + _1) \ + ((X)->tag == 1) + +// STRINGS + +typedef const char *Prims_string; + +// UNSAFE CODE + +#define core_slice___Slice_T___as_mut_ptr(x, t, _) (x.ptr) +#define core_mem_size_of(t, _) (sizeof(t)) +#define core_slice_raw_from_raw_parts_mut(ptr, len, _0, _1) \ + (KRML_CLITERAL(Eurydice_slice){(void *)(ptr), len}) +#define core_slice_raw_from_raw_parts(ptr, len, _0, _1) \ + (KRML_CLITERAL(Eurydice_slice){(void *)(ptr), len}) + +// FIXME: add dedicated extraction to extract NonNull as T* +#define core_ptr_non_null_NonNull void * + +// PRINTING +// +// This is temporary. Ultimately we want to be able to extract all of this. + +typedef void *core_fmt_Formatter; +#define core_fmt_rt__core__fmt__rt__Argument__a___new_display(x1, x2, x3, x4) \ + NULL + +// BOXES + +#ifndef EURYDICE_MALLOC +#define EURYDICE_MALLOC malloc +#endif + +#ifndef EURYDICE_REALLOC +#define EURYDICE_REALLOC realloc +#endif + +static inline char *malloc_and_init(size_t sz, char *init) { + char *ptr = (char *)EURYDICE_MALLOC(sz); + if (ptr != NULL) memcpy(ptr, init, sz); + return ptr; +} + +#define Eurydice_box_new(init, t, t_dst) \ + ((t_dst)(malloc_and_init(sizeof(t), (char *)(&init)))) + +#define Eurydice_box_new_array(len, ptr, t, t_dst) \ + ((t_dst)(malloc_and_init(len * sizeof(t), (char *)(ptr)))) + +// FIXME this needs to handle allocation failure errors, but this seems hard to +// do without evaluating malloc_and_init twice... 
+#define alloc_boxed__alloc__boxed__Box_T___try_new(init, t, t_ret) \ + ((t_ret){.tag = core_result_Ok, \ + .f0 = (t *)malloc_and_init(sizeof(t), (char *)(&init))}) + +// VECTORS + +// We adapt the layout of https://doc.rust-lang.org/std/vec/struct.Vec.html, +// dispensing with the nested RawVec -- basically, we follow what the +// documentation says. Just like Eurydice_slice, we keep sizes in number of +// elements. This means we pass three words by value whenever we carry a vector +// around. Things that modify the vector take &mut's in Rust, or a Eurydice_vec* +// in C. +// +// Another design choice: just like Eurydice_slice, we treat Eurydice_vec as an +// opaque type, and rely on macros receiving their type arguments at call-site +// to perform necessary casts. A downside is that anything that looks into the +// definition of Eurydice_vec must be exposed (from the eurydice point of view) +// as an external -- see, for instance, Eurydice_vec_failed, below. +typedef struct { + char *ptr; + size_t len; /* current length, in elements */ + size_t capacity; /* the size of the allocation, in number of elements */ +} Eurydice_vec, alloc_vec_Vec; + +// This is a helper that Eurydice has special knowledge about. Essentially, +// allocation functions return a result type that has been monomorphized, say, +// Result_XY; this means we need to do something like: +// Eurydice_vec v = try_with_capacity(len, sz); +// Result_XY r = v.ptr == NULL ? (Result_XY) { .tag = core_result_Ok, .case_Ok +// = v } +// : (Result_XY) { .tag = core_result_Error, .case_Error = ... }; +// but with a macro (since we don't have templates). +// However, unless we allow statement-expressions (GCC extension), we cannot do +// the above with an expression, since we need to name the result of +// try_with_capacity to avoid evaluating it twice. 
+static inline Eurydice_vec Eurydice_vec_alloc2(size_t len, size_t element_sz) { + return ((Eurydice_vec){.ptr = (char *)EURYDICE_MALLOC(len * element_sz), + .len = len, + .capacity = len}); +} + +#define Eurydice_vec_alloc(len, t, _) (Eurydice_vec_alloc2((len), sizeof(t))) +#define Eurydice_vec_overflows(len, t, _) (!((len) <= SIZE_MAX / (sizeof(t)))) +#define Eurydice_vec_failed(v, _, _1) ((v).ptr == NULL) +#define Eurydice_layout(t, _) \ + ((core_alloc_layout_Layout){.size = sizeof(t), .align = _Alignof(t)}) + +#define alloc_vec__alloc__vec__Vec_T___resize( \ + /* Eurydice_vec * */ v, /* size_t */ new_len, /* T */ elt, T, _0, _1) \ + do { \ + if (new_len <= (v)->capacity) \ + (v)->len = new_len; \ + else { \ + (v)->ptr = EURYDICE_REALLOC((v)->ptr, new_len * sizeof(T)); \ + /* TODO: check success? Rust function is infallible */ \ + for (size_t i = (v)->len; i < new_len; i++) ((T *)(v)->ptr)[i] = elt; \ + (v)->len = new_len; \ + (v)->capacity = new_len; \ + } \ + } while (0) + +#define alloc_vec__alloc__vec__Vec_T___into_boxed_slice(/* Eurydice_vec */ v, \ + T, _0, _1) \ + ((Eurydice_slice){.ptr = (v).ptr, .len = (v).len}) + +#define alloc_boxed__alloc__boxed__Box_T___from_raw(x, _0, _1) (x) +#define alloc_boxed__alloc__boxed__Box_T___into_raw(x, _0, _1) (x) diff --git a/libcrux-ml-kem/extracts/cpp_header_only/generated/header.txt b/libcrux-ml-kem/extracts/cpp_header_only/generated/header.txt index 55b8d4049..b880e3f6c 100644 --- a/libcrux-ml-kem/extracts/cpp_header_only/generated/header.txt +++ b/libcrux-ml-kem/extracts/cpp_header_only/generated/header.txt @@ -7,6 +7,6 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ 
diff --git a/libcrux-ml-kem/extracts/cpp_header_only/generated/intrinsics/libcrux_intrinsics_avx2.h b/libcrux-ml-kem/extracts/cpp_header_only/generated/intrinsics/libcrux_intrinsics_avx2.h index 07394c786..7dce8ac65 100644 --- a/libcrux-ml-kem/extracts/cpp_header_only/generated/intrinsics/libcrux_intrinsics_avx2.h +++ b/libcrux-ml-kem/extracts/cpp_header_only/generated/intrinsics/libcrux_intrinsics_avx2.h @@ -81,6 +81,10 @@ typedef __m256i core_core_arch_x86___m256i; #define libcrux_intrinsics_avx2_mm_storeu_si128(a, b) \ (_mm_storeu_si128((__m128i *)a.ptr, b)) +// Arithmetic: Negation + +#define libcrux_intrinsics_avx2_mm256_sign_epi16(a, b) (_mm256_sign_epi16(a, b)) + // Arithmetic: Add, Sub #define libcrux_intrinsics_avx2_mm256_add_epi16(a, b) (_mm256_add_epi16(a, b)) diff --git a/libcrux-ml-kem/extracts/cpp_header_only/generated/libcrux_ct_ops.h b/libcrux-ml-kem/extracts/cpp_header_only/generated/libcrux_ct_ops.h index 5b4fc104d..19c181383 100644 --- a/libcrux-ml-kem/extracts/cpp_header_only/generated/libcrux_ct_ops.h +++ b/libcrux-ml-kem/extracts/cpp_header_only/generated/libcrux_ct_ops.h @@ -7,8 +7,8 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ #ifndef libcrux_ct_ops_H 
@@ -62,41 +62,36 @@ libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( */ static KRML_NOINLINE void libcrux_ml_kem_constant_time_ops_select_ct( Eurydice_slice lhs, Eurydice_slice rhs, uint8_t selector, - uint8_t ret[32U]) { + Eurydice_slice out) { uint8_t mask = core_num__u8__wrapping_sub( libcrux_ml_kem_constant_time_ops_is_non_zero(selector), 1U); - uint8_t out[32U] = {0U}; - for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE; - i++) { + for (size_t i = (size_t)0U; i < Eurydice_slice_len(lhs, uint8_t); i++) { size_t i0 = i; uint8_t outi = ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *) & (uint32_t)mask) | ((uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *) & (uint32_t)~mask); - out[i0] = outi; + Eurydice_slice_index(out, i0, uint8_t, uint8_t *) = outi; } - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } static KRML_NOINLINE void libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( Eurydice_slice lhs, Eurydice_slice rhs, uint8_t selector, - uint8_t ret[32U]) { - libcrux_ml_kem_constant_time_ops_select_ct(lhs, rhs, selector, ret); + Eurydice_slice out) { + libcrux_ml_kem_constant_time_ops_select_ct(lhs, rhs, selector, out); } static KRML_NOINLINE void libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( Eurydice_slice lhs_c, Eurydice_slice rhs_c, Eurydice_slice lhs_s, - Eurydice_slice rhs_s, uint8_t ret[32U]) { + Eurydice_slice rhs_s, Eurydice_slice out) { uint8_t selector = libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( lhs_c, rhs_c); - uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( - lhs_s, rhs_s, selector, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + lhs_s, rhs_s, selector, out); } #define libcrux_ct_ops_H_DEFINED 
diff --git a/libcrux-ml-kem/extracts/cpp_header_only/generated/libcrux_mlkem768_avx2.h b/libcrux-ml-kem/extracts/cpp_header_only/generated/libcrux_mlkem768_avx2.h index 8ebb6287d..3e960417b 100644 --- a/libcrux-ml-kem/extracts/cpp_header_only/generated/libcrux_mlkem768_avx2.h +++ b/libcrux-ml-kem/extracts/cpp_header_only/generated/libcrux_mlkem768_avx2.h @@ -7,8 +7,8 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ #ifndef libcrux_mlkem768_avx2_H 
@@ -24,20 +24,451 @@ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_G( - Eurydice_slice input, uint8_t ret[64U]) { - uint8_t digest[64U] = {0U}; - libcrux_sha3_portable_sha512( - Eurydice_array_to_slice((size_t)64U, digest, uint8_t), input); - memcpy(ret, digest, (size_t)64U * sizeof(uint8_t)); + Eurydice_slice input, Eurydice_slice output) { + libcrux_sha3_portable_sha512(output, input); } KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_H( - Eurydice_slice input, uint8_t ret[32U]) { - uint8_t digest[32U] = {0U}; - libcrux_sha3_portable_sha256( - Eurydice_array_to_slice((size_t)32U, digest, uint8_t), input); - memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); + Eurydice_slice input, Eurydice_slice output) { + libcrux_sha3_portable_sha256(output, input); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_PRFxN( + Eurydice_slice input, Eurydice_slice outputs, size_t out_len) { + uint8_t dummy0[192U] = {0U}; + uint8_t dummy1[192U] = {0U}; + switch ((uint8_t)Eurydice_slice_len(input, uint8_t[33U])) { + case 2U: { + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at_mut( + outputs, out_len, uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice out0 = uu____0.fst; + Eurydice_slice out1 = uu____0.snd; + Eurydice_slice uu____1 = Eurydice_array_to_slice( + (size_t)33U, + Eurydice_slice_index(input, (size_t)0U, uint8_t[33U], + uint8_t(*)[33U]), + uint8_t); + Eurydice_slice uu____2 = Eurydice_array_to_slice( + (size_t)33U, + Eurydice_slice_index(input, (size_t)1U, uint8_t[33U], + uint8_t(*)[33U]), + uint8_t); + Eurydice_slice uu____3 = Eurydice_array_to_slice( + (size_t)33U, + Eurydice_slice_index(input, (size_t)0U, uint8_t[33U], + uint8_t(*)[33U]), + uint8_t); + Eurydice_slice uu____4 = Eurydice_array_to_slice( + (size_t)33U, + Eurydice_slice_index(input, (size_t)0U, uint8_t[33U], + uint8_t(*)[33U]), + uint8_t); + 
Eurydice_slice uu____5 = out0; + Eurydice_slice uu____6 = out1; + Eurydice_slice uu____7 = Eurydice_array_to_subslice_to( + (size_t)192U, dummy0, out_len, uint8_t, size_t, uint8_t[]); + libcrux_sha3_avx2_x4_shake256( + uu____1, uu____2, uu____3, uu____4, uu____5, uu____6, uu____7, + Eurydice_array_to_subslice_to((size_t)192U, dummy1, out_len, uint8_t, + size_t, uint8_t[])); + break; + } + case 3U: { + Eurydice_slice_uint8_t_x2 uu____8 = Eurydice_slice_split_at_mut( + outputs, out_len, uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice out0 = uu____8.fst; + Eurydice_slice rest = uu____8.snd; + Eurydice_slice_uint8_t_x2 uu____9 = Eurydice_slice_split_at_mut( + rest, out_len, uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice out1 = uu____9.fst; + Eurydice_slice out2 = uu____9.snd; + Eurydice_slice uu____10 = Eurydice_array_to_slice( + (size_t)33U, + Eurydice_slice_index(input, (size_t)0U, uint8_t[33U], + uint8_t(*)[33U]), + uint8_t); + Eurydice_slice uu____11 = Eurydice_array_to_slice( + (size_t)33U, + Eurydice_slice_index(input, (size_t)1U, uint8_t[33U], + uint8_t(*)[33U]), + uint8_t); + Eurydice_slice uu____12 = Eurydice_array_to_slice( + (size_t)33U, + Eurydice_slice_index(input, (size_t)2U, uint8_t[33U], + uint8_t(*)[33U]), + uint8_t); + Eurydice_slice uu____13 = Eurydice_array_to_slice( + (size_t)33U, + Eurydice_slice_index(input, (size_t)0U, uint8_t[33U], + uint8_t(*)[33U]), + uint8_t); + Eurydice_slice uu____14 = out0; + Eurydice_slice uu____15 = out1; + Eurydice_slice uu____16 = out2; + libcrux_sha3_avx2_x4_shake256( + uu____10, uu____11, uu____12, uu____13, uu____14, uu____15, uu____16, + Eurydice_array_to_subslice_to((size_t)192U, dummy1, out_len, uint8_t, + size_t, uint8_t[])); + break; + } + case 4U: { + Eurydice_slice_uint8_t_x2 uu____17 = Eurydice_slice_split_at_mut( + outputs, out_len, uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice out0 = uu____17.fst; + Eurydice_slice rest0 = uu____17.snd; + Eurydice_slice_uint8_t_x2 uu____18 = 
Eurydice_slice_split_at_mut( + rest0, out_len, uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice out1 = uu____18.fst; + Eurydice_slice rest = uu____18.snd; + Eurydice_slice_uint8_t_x2 uu____19 = Eurydice_slice_split_at_mut( + rest, out_len, uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice out2 = uu____19.fst; + Eurydice_slice out3 = uu____19.snd; + libcrux_sha3_avx2_x4_shake256( + Eurydice_array_to_slice( + (size_t)33U, + Eurydice_slice_index(input, (size_t)0U, uint8_t[33U], + uint8_t(*)[33U]), + uint8_t), + Eurydice_array_to_slice( + (size_t)33U, + Eurydice_slice_index(input, (size_t)1U, uint8_t[33U], + uint8_t(*)[33U]), + uint8_t), + Eurydice_array_to_slice( + (size_t)33U, + Eurydice_slice_index(input, (size_t)2U, uint8_t[33U], + uint8_t(*)[33U]), + uint8_t), + Eurydice_array_to_slice( + (size_t)33U, + Eurydice_slice_index(input, (size_t)3U, uint8_t[33U], + uint8_t(*)[33U]), + uint8_t), + out0, out1, out2, out3); + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); + } + } +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_55 +libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_final( + Eurydice_slice input) { + libcrux_sha3_generic_keccak_KeccakState_55 state = + libcrux_sha3_avx2_x4_incremental_init(); + switch ((uint8_t)Eurydice_slice_len(input, uint8_t[34U])) { + case 2U: { + libcrux_sha3_avx2_x4_incremental_shake128_absorb_final( + &state, + Eurydice_array_to_slice( + (size_t)34U, + Eurydice_slice_index(input, (size_t)0U, uint8_t[34U], + uint8_t(*)[34U]), + uint8_t), + Eurydice_array_to_slice( + (size_t)34U, + Eurydice_slice_index(input, (size_t)1U, uint8_t[34U], + uint8_t(*)[34U]), + uint8_t), + Eurydice_array_to_slice( + (size_t)34U, + Eurydice_slice_index(input, (size_t)0U, uint8_t[34U], + uint8_t(*)[34U]), + uint8_t), + Eurydice_array_to_slice( + (size_t)34U, + Eurydice_slice_index(input, (size_t)0U, 
uint8_t[34U], + uint8_t(*)[34U]), + uint8_t)); + break; + } + case 3U: { + libcrux_sha3_avx2_x4_incremental_shake128_absorb_final( + &state, + Eurydice_array_to_slice( + (size_t)34U, + Eurydice_slice_index(input, (size_t)0U, uint8_t[34U], + uint8_t(*)[34U]), + uint8_t), + Eurydice_array_to_slice( + (size_t)34U, + Eurydice_slice_index(input, (size_t)1U, uint8_t[34U], + uint8_t(*)[34U]), + uint8_t), + Eurydice_array_to_slice( + (size_t)34U, + Eurydice_slice_index(input, (size_t)2U, uint8_t[34U], + uint8_t(*)[34U]), + uint8_t), + Eurydice_array_to_slice( + (size_t)34U, + Eurydice_slice_index(input, (size_t)0U, uint8_t[34U], + uint8_t(*)[34U]), + uint8_t)); + break; + } + case 4U: { + libcrux_sha3_avx2_x4_incremental_shake128_absorb_final( + &state, + Eurydice_array_to_slice( + (size_t)34U, + Eurydice_slice_index(input, (size_t)0U, uint8_t[34U], + uint8_t(*)[34U]), + uint8_t), + Eurydice_array_to_slice( + (size_t)34U, + Eurydice_slice_index(input, (size_t)1U, uint8_t[34U], + uint8_t(*)[34U]), + uint8_t), + Eurydice_array_to_slice( + (size_t)34U, + Eurydice_slice_index(input, (size_t)2U, uint8_t[34U], + uint8_t(*)[34U]), + uint8_t), + Eurydice_array_to_slice( + (size_t)34U, + Eurydice_slice_index(input, (size_t)3U, uint8_t[34U], + uint8_t(*)[34U]), + uint8_t)); + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); + } + } + return state; +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_first_three_blocks( + libcrux_sha3_generic_keccak_KeccakState_55 *st, Eurydice_slice outputs) { + uint8_t out0[504U] = {0U}; + uint8_t out1[504U] = {0U}; + uint8_t out2[504U] = {0U}; + uint8_t out3[504U] = {0U}; + libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks( + st, Eurydice_array_to_slice((size_t)504U, out0, uint8_t), + Eurydice_array_to_slice((size_t)504U, out1, uint8_t), + Eurydice_array_to_slice((size_t)504U, out2, 
uint8_t), + Eurydice_array_to_slice((size_t)504U, out3, uint8_t)); + switch ((uint8_t)Eurydice_slice_len(outputs, uint8_t[504U])) { + case 2U: { + uint8_t uu____0[504U]; + memcpy(uu____0, out0, (size_t)504U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)0U, uint8_t[504U], + uint8_t(*)[504U]), + uu____0, (size_t)504U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out1[504U]; + memcpy(copy_of_out1, out1, (size_t)504U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)1U, uint8_t[504U], + uint8_t(*)[504U]), + copy_of_out1, (size_t)504U * sizeof(uint8_t)); + break; + } + case 3U: { + uint8_t uu____2[504U]; + memcpy(uu____2, out0, (size_t)504U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)0U, uint8_t[504U], + uint8_t(*)[504U]), + uu____2, (size_t)504U * sizeof(uint8_t)); + uint8_t uu____3[504U]; + memcpy(uu____3, out1, (size_t)504U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)1U, uint8_t[504U], + uint8_t(*)[504U]), + uu____3, (size_t)504U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out2[504U]; + memcpy(copy_of_out2, out2, (size_t)504U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)2U, uint8_t[504U], + uint8_t(*)[504U]), + copy_of_out2, (size_t)504U * sizeof(uint8_t)); + break; + } + case 4U: { + uint8_t uu____5[504U]; + memcpy(uu____5, out0, (size_t)504U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)0U, uint8_t[504U], + uint8_t(*)[504U]), + uu____5, (size_t)504U * sizeof(uint8_t)); + uint8_t uu____6[504U]; + memcpy(uu____6, out1, (size_t)504U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)1U, uint8_t[504U], + uint8_t(*)[504U]), + uu____6, (size_t)504U * sizeof(uint8_t)); + uint8_t uu____7[504U]; + memcpy(uu____7, out2, (size_t)504U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)2U, uint8_t[504U], + 
uint8_t(*)[504U]), + uu____7, (size_t)504U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out3[504U]; + memcpy(copy_of_out3, out3, (size_t)504U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)3U, uint8_t[504U], + uint8_t(*)[504U]), + copy_of_out3, (size_t)504U * sizeof(uint8_t)); + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); + } + } +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_next_block( + libcrux_sha3_generic_keccak_KeccakState_55 *st, Eurydice_slice outputs) { + uint8_t out0[168U] = {0U}; + uint8_t out1[168U] = {0U}; + uint8_t out2[168U] = {0U}; + uint8_t out3[168U] = {0U}; + libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block( + st, Eurydice_array_to_slice((size_t)168U, out0, uint8_t), + Eurydice_array_to_slice((size_t)168U, out1, uint8_t), + Eurydice_array_to_slice((size_t)168U, out2, uint8_t), + Eurydice_array_to_slice((size_t)168U, out3, uint8_t)); + switch ((uint8_t)Eurydice_slice_len(outputs, uint8_t[168U])) { + case 2U: { + uint8_t uu____0[168U]; + memcpy(uu____0, out0, (size_t)168U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)0U, uint8_t[168U], + uint8_t(*)[168U]), + uu____0, (size_t)168U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out1[168U]; + memcpy(copy_of_out1, out1, (size_t)168U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)1U, uint8_t[168U], + uint8_t(*)[168U]), + copy_of_out1, (size_t)168U * sizeof(uint8_t)); + break; + } + case 3U: { + uint8_t uu____2[168U]; + memcpy(uu____2, out0, (size_t)168U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)0U, uint8_t[168U], + uint8_t(*)[168U]), + uu____2, (size_t)168U * sizeof(uint8_t)); + uint8_t uu____3[168U]; + memcpy(uu____3, out1, (size_t)168U * 
sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)1U, uint8_t[168U], + uint8_t(*)[168U]), + uu____3, (size_t)168U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out2[168U]; + memcpy(copy_of_out2, out2, (size_t)168U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)2U, uint8_t[168U], + uint8_t(*)[168U]), + copy_of_out2, (size_t)168U * sizeof(uint8_t)); + break; + } + case 4U: { + uint8_t uu____5[168U]; + memcpy(uu____5, out0, (size_t)168U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)0U, uint8_t[168U], + uint8_t(*)[168U]), + uu____5, (size_t)168U * sizeof(uint8_t)); + uint8_t uu____6[168U]; + memcpy(uu____6, out1, (size_t)168U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)1U, uint8_t[168U], + uint8_t(*)[168U]), + uu____6, (size_t)168U * sizeof(uint8_t)); + uint8_t uu____7[168U]; + memcpy(uu____7, out2, (size_t)168U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)2U, uint8_t[168U], + uint8_t(*)[168U]), + uu____7, (size_t)168U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out3[168U]; + memcpy(copy_of_out3, out3, (size_t)168U * sizeof(uint8_t)); + memcpy(Eurydice_slice_index(outputs, (size_t)3U, uint8_t[168U], + uint8_t(*)[168U]), + copy_of_out3, (size_t)168U * sizeof(uint8_t)); + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); + } + } +} + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::avx2::Simd256Hash} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_G_26( + Eurydice_slice input, Eurydice_slice output) { + libcrux_ml_kem_hash_functions_avx2_G(input, output); +} + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for 
+libcrux_ml_kem::hash_functions::avx2::Simd256Hash} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_H_26( + Eurydice_slice input, Eurydice_slice output) { + libcrux_ml_kem_hash_functions_avx2_H(input, output); +} + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::avx2::Simd256Hash} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_PRFxN_26( + Eurydice_slice input, Eurydice_slice outputs, size_t out_len) { + libcrux_ml_kem_hash_functions_avx2_PRFxN(input, outputs, out_len); +} + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::avx2::Simd256Hash} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_55 +libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_final_26( + Eurydice_slice input) { + return libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_final(input); +} + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::avx2::Simd256Hash} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_first_three_blocks_26( + libcrux_sha3_generic_keccak_KeccakState_55 *self, Eurydice_slice outputs) { + libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_first_three_blocks( + self, outputs); +} + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::avx2::Simd256Hash} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_next_block_26( + libcrux_sha3_generic_keccak_KeccakState_55 *self, Eurydice_slice outputs) { + libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_next_block(self, outputs); } KRML_ATTRIBUTE_TARGET("avx2") 
@@ -55,9 +486,9 @@ static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ZERO_f5(void) { } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_vec_from_i16_array(Eurydice_slice array) { - return libcrux_intrinsics_avx2_mm256_loadu_si256_i16(array); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_vec_from_i16_array( + Eurydice_slice array, __m256i *out) { + out[0U] = libcrux_intrinsics_avx2_mm256_loadu_si256_i16(array); } /** @@ -65,15 +496,15 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_from_i16_array_f5(Eurydice_slice array) { - return libcrux_ml_kem_vector_avx2_vec_from_i16_array(array); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_from_i16_array_f5( + Eurydice_slice array, __m256i *out) { + libcrux_ml_kem_vector_avx2_vec_from_i16_array(array, out); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_arithmetic_add(__m256i lhs, __m256i rhs) { - return libcrux_intrinsics_avx2_mm256_add_epi16(lhs, rhs); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_arithmetic_add( + __m256i *lhs, __m256i *rhs) { + lhs[0U] = libcrux_intrinsics_avx2_mm256_add_epi16(lhs[0U], rhs[0U]); } /** 
@@ -81,15 +512,15 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_add_f5(__m256i lhs, - __m256i *rhs) { - return libcrux_ml_kem_vector_avx2_arithmetic_add(lhs, rhs[0U]); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_add_f5(__m256i *lhs, + __m256i *rhs) { + libcrux_ml_kem_vector_avx2_arithmetic_add(lhs, rhs); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_arithmetic_sub(__m256i lhs, __m256i rhs) { - return libcrux_intrinsics_avx2_mm256_sub_epi16(lhs, rhs); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_arithmetic_sub( + __m256i *lhs, __m256i *rhs) { + lhs[0U] = libcrux_intrinsics_avx2_mm256_sub_epi16(lhs[0U], rhs[0U]); } /** 
@@ -97,17 +528,34 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_sub_f5(__m256i lhs, - __m256i *rhs) { - return libcrux_ml_kem_vector_avx2_arithmetic_sub(lhs, rhs[0U]); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_sub_f5(__m256i *lhs, + __m256i *rhs) { + libcrux_ml_kem_vector_avx2_arithmetic_sub(lhs, rhs); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_arithmetic_multiply_by_constant(__m256i vector, +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_arithmetic_negate( + __m256i *vec) { + vec[0U] = libcrux_intrinsics_avx2_mm256_sign_epi16( + vec[0U], libcrux_intrinsics_avx2_mm256_set1_epi16((int16_t)-1)); +} + +/** +This function found in impl {libcrux_ml_kem::vector::traits::Operations for +libcrux_ml_kem::vector::avx2::SIMD256Vector} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_negate_f5(__m256i *vec) { + libcrux_ml_kem_vector_avx2_arithmetic_negate(vec); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_kem_vector_avx2_arithmetic_multiply_by_constant(__m256i *vector, int16_t constant) { __m256i cv = libcrux_intrinsics_avx2_mm256_set1_epi16(constant); - return libcrux_intrinsics_avx2_mm256_mullo_epi16(vector, cv); + __m256i result = libcrux_intrinsics_avx2_mm256_mullo_epi16(vector[0U], cv); + vector[0U] = result; } /** 
@@ -115,30 +563,51 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_multiply_by_constant_f5(__m256i vec, int16_t c) { - return libcrux_ml_kem_vector_avx2_arithmetic_multiply_by_constant(vec, c); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_multiply_by_constant_f5( + __m256i *vec, int16_t c) { + libcrux_ml_kem_vector_avx2_arithmetic_multiply_by_constant(vec, c); } KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329(__m256i vector) { +libcrux_ml_kem_vector_avx2_arithmetic_bitwise_and_with_constant( + __m256i vector, int16_t constant) { + __m256i cv = libcrux_intrinsics_avx2_mm256_set1_epi16(constant); + return libcrux_intrinsics_avx2_mm256_and_si256(vector, cv); +} + +/** +This function found in impl {libcrux_ml_kem::vector::traits::Operations for +libcrux_ml_kem::vector::avx2::SIMD256Vector} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_f5(__m256i *vec, + int16_t c) { + vec[0U] = libcrux_ml_kem_vector_avx2_arithmetic_bitwise_and_with_constant( + vec[0U], c); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329(__m256i *vector) { __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi16( LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); __m256i v_minus_field_modulus = - libcrux_intrinsics_avx2_mm256_sub_epi16(vector, field_modulus); + libcrux_intrinsics_avx2_mm256_sub_epi16(vector[0U], field_modulus); __m256i sign_mask = libcrux_intrinsics_avx2_mm256_srai_epi16( (int32_t)15, v_minus_field_modulus, __m256i); __m256i conditional_add_field_modulus = libcrux_intrinsics_avx2_mm256_and_si256(sign_mask, field_modulus); - return libcrux_intrinsics_avx2_mm256_add_epi16(v_minus_field_modulus, - 
conditional_add_field_modulus); + __m256i result = libcrux_intrinsics_avx2_mm256_add_epi16( + v_minus_field_modulus, conditional_add_field_modulus); + vector[0U] = result; } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_cond_subtract_3329(__m256i vector) { - return libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329(vector); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_cond_subtract_3329( + __m256i *vector) { + libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329(vector); } /** @@ -146,9 +615,9 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_cond_subtract_3329_f5(__m256i vector) { - return libcrux_ml_kem_vector_avx2_cond_subtract_3329(vector); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_cond_subtract_3329_f5( + __m256i *vec) { + libcrux_ml_kem_vector_avx2_cond_subtract_3329(vec); } #define LIBCRUX_ML_KEM_VECTOR_AVX2_ARITHMETIC_BARRETT_MULTIPLIER \ @@ -159,11 +628,12 @@ libcrux_ml_kem_vector_avx2_cond_subtract_3329_f5(__m256i vector) { of this code. */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(__m256i vector) { +static KRML_MUSTINLINE void +libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(__m256i *vector) { __m256i t0 = libcrux_intrinsics_avx2_mm256_mulhi_epi16( - vector, libcrux_intrinsics_avx2_mm256_set1_epi16( - LIBCRUX_ML_KEM_VECTOR_AVX2_ARITHMETIC_BARRETT_MULTIPLIER)); + vector[0U], + libcrux_intrinsics_avx2_mm256_set1_epi16( + LIBCRUX_ML_KEM_VECTOR_AVX2_ARITHMETIC_BARRETT_MULTIPLIER)); __m256i t512 = libcrux_intrinsics_avx2_mm256_set1_epi16((int16_t)512); __m256i t1 = libcrux_intrinsics_avx2_mm256_add_epi16(t0, t512); __m256i quotient = 
@@ -172,8 +642,9 @@ libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(__m256i vector) { libcrux_intrinsics_avx2_mm256_mullo_epi16( quotient, libcrux_intrinsics_avx2_mm256_set1_epi16( LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS)); - return libcrux_intrinsics_avx2_mm256_sub_epi16(vector, - quotient_times_field_modulus); + __m256i result = libcrux_intrinsics_avx2_mm256_sub_epi16( + vector[0U], quotient_times_field_modulus); + vector[0U] = result; } /** @@ -181,18 +652,18 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_barrett_reduce_f5(__m256i vector) { - return libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(vector); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_barrett_reduce_f5( + __m256i *vec) { + libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(vec); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constant( - __m256i vector, int16_t constant) { + __m256i *vector, int16_t constant) { __m256i vec_constant = libcrux_intrinsics_avx2_mm256_set1_epi16(constant); __m256i value_low = - libcrux_intrinsics_avx2_mm256_mullo_epi16(vector, vec_constant); + libcrux_intrinsics_avx2_mm256_mullo_epi16(vector[0U], vec_constant); __m256i k = libcrux_intrinsics_avx2_mm256_mullo_epi16( value_low, libcrux_intrinsics_avx2_mm256_set1_epi16( 
@@ -203,8 +674,10 @@ libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constant( __m256i k_times_modulus = libcrux_intrinsics_avx2_mm256_mulhi_epi16(k, modulus); __m256i value_high = - libcrux_intrinsics_avx2_mm256_mulhi_epi16(vector, vec_constant); - return libcrux_intrinsics_avx2_mm256_sub_epi16(value_high, k_times_modulus); + libcrux_intrinsics_avx2_mm256_mulhi_epi16(vector[0U], vec_constant); + __m256i result = + libcrux_intrinsics_avx2_mm256_sub_epi16(value_high, k_times_modulus); + vector[0U] = result; } /** @@ -212,19 +685,10 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_f5( - __m256i vector, int16_t constant) { - return libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constant( - vector, constant); -} - -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_arithmetic_bitwise_and_with_constant( - __m256i vector, int16_t constant) { - __m256i cv = libcrux_intrinsics_avx2_mm256_set1_epi16(constant); - return libcrux_intrinsics_avx2_mm256_and_si256(vector, cv); +static KRML_MUSTINLINE void +libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_f5(__m256i *vec, + int16_t c) { + libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constant(vec, c); } /** @@ -244,7 +708,8 @@ libcrux_ml_kem_vector_avx2_arithmetic_to_unsigned_representative(__m256i a) { __m256i t = libcrux_ml_kem_vector_avx2_arithmetic_shift_right_ef(a); __m256i fm = libcrux_ml_kem_vector_avx2_arithmetic_bitwise_and_with_constant( t, LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); - return libcrux_ml_kem_vector_avx2_arithmetic_add(a, fm); + libcrux_ml_kem_vector_avx2_arithmetic_add(&a, &fm); + return a; } /** 
@@ -252,21 +717,21 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_ml_kem_vector_avx2_to_unsigned_representative_f5( - __m256i a) { - return libcrux_ml_kem_vector_avx2_arithmetic_to_unsigned_representative(a); +static KRML_MUSTINLINE __m256i +libcrux_ml_kem_vector_avx2_to_unsigned_representative_f5(__m256i vec) { + return libcrux_ml_kem_vector_avx2_arithmetic_to_unsigned_representative(vec); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_compress_compress_message_coefficient( - __m256i vector) { + __m256i *vector) { __m256i field_modulus_halved = libcrux_intrinsics_avx2_mm256_set1_epi16( (LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS - (int16_t)1) / (int16_t)2); __m256i field_modulus_quartered = libcrux_intrinsics_avx2_mm256_set1_epi16( (LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS - (int16_t)1) / (int16_t)4); __m256i shifted = - libcrux_intrinsics_avx2_mm256_sub_epi16(field_modulus_halved, vector); + libcrux_intrinsics_avx2_mm256_sub_epi16(field_modulus_halved, vector[0U]); __m256i mask = libcrux_intrinsics_avx2_mm256_srai_epi16((int32_t)15, shifted, __m256i); __m256i shifted_to_positive = 
@@ -274,15 +739,14 @@ libcrux_ml_kem_vector_avx2_compress_compress_message_coefficient( __m256i shifted_to_positive_in_range = libcrux_intrinsics_avx2_mm256_sub_epi16(shifted_to_positive, field_modulus_quartered); - return libcrux_intrinsics_avx2_mm256_srli_epi16( + vector[0U] = libcrux_intrinsics_avx2_mm256_srli_epi16( (int32_t)15, shifted_to_positive_in_range, __m256i); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_compress_1(__m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_compress_message_coefficient( - vector); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_compress_1( + __m256i *vector) { + libcrux_ml_kem_vector_avx2_compress_compress_message_coefficient(vector); } /** @@ -290,9 +754,9 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_compress_1_f5(__m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_1(vector); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_compress_1_f5( + __m256i *vec) { + libcrux_ml_kem_vector_avx2_compress_1(vec); } KRML_ATTRIBUTE_TARGET("avx2") 
@@ -308,24 +772,6 @@ libcrux_ml_kem_vector_avx2_compress_mulhi_mm256_epi32(__m256i lhs, libcrux_intrinsics_avx2_mm256_unpackhi_epi32(prod02, prod13)); } -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_compress_decompress_1(__m256i a) { - __m256i z = libcrux_intrinsics_avx2_mm256_setzero_si256(); - __m256i s = libcrux_ml_kem_vector_avx2_arithmetic_sub(z, a); - return libcrux_ml_kem_vector_avx2_arithmetic_bitwise_and_with_constant( - s, (int16_t)1665); -} - -/** -This function found in impl {libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector} -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_ml_kem_vector_avx2_decompress_1_f5(__m256i a) { - return libcrux_ml_kem_vector_avx2_compress_decompress_1(a); -} - KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constants( 
@@ -346,28 +792,28 @@ libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constants( } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_1_step( - __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_ntt_layer_1_step( + __m256i *vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi16( -zeta3, -zeta3, zeta3, zeta3, -zeta2, -zeta2, zeta2, zeta2, -zeta1, -zeta1, zeta1, zeta1, -zeta0, -zeta0, zeta0, zeta0); - __m256i rhs = libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, - vector, __m256i); + __m256i rhs = libcrux_intrinsics_avx2_mm256_shuffle_epi32( + (int32_t)245, vector[0U], __m256i); __m256i rhs0 = libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constants( rhs, zetas); - __m256i lhs = libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)160, - vector, __m256i); - return libcrux_intrinsics_avx2_mm256_add_epi16(lhs, rhs0); + __m256i lhs = libcrux_intrinsics_avx2_mm256_shuffle_epi32( + (int32_t)160, vector[0U], __m256i); + vector[0U] = libcrux_intrinsics_avx2_mm256_add_epi16(lhs, rhs0); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_1_step( - __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_layer_1_step( + __m256i *vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { - return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_1_step(vector, zeta0, zeta1, - zeta2, zeta3); + libcrux_ml_kem_vector_avx2_ntt_ntt_layer_1_step(vector, zeta0, zeta1, zeta2, + zeta3); } /** 
@@ -375,33 +821,31 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_1_step_f5( - __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, - int16_t zeta3) { - return libcrux_ml_kem_vector_avx2_ntt_layer_1_step(vector, zeta0, zeta1, - zeta2, zeta3); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_layer_1_step_f5( + __m256i *vec, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { + libcrux_ml_kem_vector_avx2_ntt_layer_1_step(vec, zeta0, zeta1, zeta2, zeta3); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step( - __m256i vector, int16_t zeta0, int16_t zeta1) { +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step( + __m256i *vector, int16_t zeta0, int16_t zeta1) { __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi16( -zeta1, -zeta1, -zeta1, -zeta1, zeta1, zeta1, zeta1, zeta1, -zeta0, -zeta0, -zeta0, -zeta0, zeta0, zeta0, zeta0, zeta0); - __m256i rhs = libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)238, - vector, __m256i); + __m256i rhs = libcrux_intrinsics_avx2_mm256_shuffle_epi32( + (int32_t)238, vector[0U], __m256i); __m256i rhs0 = libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constants( rhs, zetas); - __m256i lhs = - libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)68, vector, __m256i); - return libcrux_intrinsics_avx2_mm256_add_epi16(lhs, rhs0); + __m256i lhs = libcrux_intrinsics_avx2_mm256_shuffle_epi32( + (int32_t)68, vector[0U], __m256i); + vector[0U] = libcrux_intrinsics_avx2_mm256_add_epi16(lhs, rhs0); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_2_step( - __m256i vector, int16_t zeta0, int16_t zeta1) { - return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step(vector, zeta0, zeta1); +static 
KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_layer_2_step( + __m256i *vector, int16_t zeta0, int16_t zeta1) { + libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step(vector, zeta0, zeta1); } /** @@ -409,9 +853,9 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_2_step_f5( - __m256i vector, int16_t zeta0, int16_t zeta1) { - return libcrux_ml_kem_vector_avx2_ntt_layer_2_step(vector, zeta0, zeta1); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_layer_2_step_f5( + __m256i *vec, int16_t zeta0, int16_t zeta1) { + libcrux_ml_kem_vector_avx2_ntt_layer_2_step(vec, zeta0, zeta1); } KRML_ATTRIBUTE_TARGET("avx2") 
@@ -432,26 +876,26 @@ libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_m128i_by_constants( } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_ntt_ntt_layer_3_step(__m256i vector, int16_t zeta) { +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_ntt_layer_3_step( + __m256i *vector, int16_t zeta) { __m128i rhs = libcrux_intrinsics_avx2_mm256_extracti128_si256( - (int32_t)1, vector, __m128i); + (int32_t)1, vector[0U], __m128i); __m128i rhs0 = libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_m128i_by_constants( rhs, libcrux_intrinsics_avx2_mm_set1_epi16(zeta)); - __m128i lhs = libcrux_intrinsics_avx2_mm256_castsi256_si128(vector); + __m128i lhs = libcrux_intrinsics_avx2_mm256_castsi256_si128(vector[0U]); __m128i lower_coefficients = libcrux_intrinsics_avx2_mm_add_epi16(lhs, rhs0); __m128i upper_coefficients = libcrux_intrinsics_avx2_mm_sub_epi16(lhs, rhs0); - __m256i combined = + vector[0U] = libcrux_intrinsics_avx2_mm256_castsi128_si256(lower_coefficients); - return libcrux_intrinsics_avx2_mm256_inserti128_si256( - (int32_t)1, combined, upper_coefficients, __m256i); + vector[0U] = libcrux_intrinsics_avx2_mm256_inserti128_si256( + (int32_t)1, vector[0U], upper_coefficients, __m256i); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_ntt_layer_3_step(__m256i vector, int16_t zeta) { - return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_3_step(vector, zeta); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_layer_3_step( + __m256i *vector, int16_t zeta) { + libcrux_ml_kem_vector_avx2_ntt_ntt_layer_3_step(vector, zeta); } /** 
@@ -459,46 +903,43 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_ntt_layer_3_step_f5(__m256i vector, int16_t zeta) { - return libcrux_ml_kem_vector_avx2_ntt_layer_3_step(vector, zeta); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_layer_3_step_f5( + __m256i *vec, int16_t zeta0) { + libcrux_ml_kem_vector_avx2_ntt_layer_3_step(vec, zeta0); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step(__m256i vector, - int16_t zeta0, - int16_t zeta1, - int16_t zeta2, - int16_t zeta3) { - __m256i lhs = libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, - vector, __m256i); - __m256i rhs = libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)160, - vector, __m256i); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step( + __m256i *vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, + int16_t zeta3) { + __m256i lhs = libcrux_intrinsics_avx2_mm256_shuffle_epi32( + (int32_t)245, vector[0U], __m256i); + __m256i rhs = libcrux_intrinsics_avx2_mm256_shuffle_epi32( + (int32_t)160, vector[0U], __m256i); __m256i rhs0 = libcrux_intrinsics_avx2_mm256_mullo_epi16( rhs, libcrux_intrinsics_avx2_mm256_set_epi16( (int16_t)-1, (int16_t)-1, (int16_t)1, (int16_t)1, (int16_t)-1, (int16_t)-1, (int16_t)1, (int16_t)1, (int16_t)-1, (int16_t)-1, (int16_t)1, (int16_t)1, (int16_t)-1, (int16_t)-1, (int16_t)1, (int16_t)1)); - __m256i sum0 = libcrux_intrinsics_avx2_mm256_add_epi16(lhs, rhs0); + __m256i sum = libcrux_intrinsics_avx2_mm256_add_epi16(lhs, rhs0); __m256i sum_times_zetas = libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constants( - sum0, libcrux_intrinsics_avx2_mm256_set_epi16( - zeta3, zeta3, (int16_t)0, (int16_t)0, zeta2, zeta2, - (int16_t)0, (int16_t)0, zeta1, zeta1, (int16_t)0, - (int16_t)0, zeta0, 
zeta0, (int16_t)0, (int16_t)0)); - __m256i sum = libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(sum0); - return libcrux_intrinsics_avx2_mm256_blend_epi16((int32_t)204, sum, - sum_times_zetas, __m256i); + sum, libcrux_intrinsics_avx2_mm256_set_epi16( + zeta3, zeta3, (int16_t)0, (int16_t)0, zeta2, zeta2, + (int16_t)0, (int16_t)0, zeta1, zeta1, (int16_t)0, (int16_t)0, + zeta0, zeta0, (int16_t)0, (int16_t)0)); + libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(&sum); + vector[0U] = libcrux_intrinsics_avx2_mm256_blend_epi16( + (int32_t)204, sum, sum_times_zetas, __m256i); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step( - __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step( + __m256i *vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { - return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step( - vector, zeta0, zeta1, zeta2, zeta3); + libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step(vector, zeta0, zeta1, + zeta2, zeta3); } /** 
@@ -506,24 +947,19 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_f5(__m256i vector, - int16_t zeta0, int16_t zeta1, - int16_t zeta2, - int16_t zeta3) { - return libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step(vector, zeta0, zeta1, - zeta2, zeta3); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_f5( + __m256i *vec, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { + libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step(vec, zeta0, zeta1, zeta2, + zeta3); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(__m256i vector, - int16_t zeta0, - int16_t zeta1) { +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step( + __m256i *vector, int16_t zeta0, int16_t zeta1) { __m256i lhs = libcrux_intrinsics_avx2_mm256_permute4x64_epi64( - (int32_t)245, vector, __m256i); + (int32_t)245, vector[0U], __m256i); __m256i rhs = libcrux_intrinsics_avx2_mm256_permute4x64_epi64( - (int32_t)160, vector, __m256i); + (int32_t)160, vector[0U], __m256i); __m256i rhs0 = libcrux_intrinsics_avx2_mm256_mullo_epi16( rhs, libcrux_intrinsics_avx2_mm256_set_epi16( (int16_t)-1, (int16_t)-1, (int16_t)-1, (int16_t)-1, (int16_t)1, 
@@ -537,15 +973,14 @@ libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(__m256i vector, zeta1, zeta1, zeta1, zeta1, (int16_t)0, (int16_t)0, (int16_t)0, (int16_t)0, zeta0, zeta0, zeta0, zeta0, (int16_t)0, (int16_t)0, (int16_t)0, (int16_t)0)); - return libcrux_intrinsics_avx2_mm256_blend_epi16((int32_t)240, sum, - sum_times_zetas, __m256i); + vector[0U] = libcrux_intrinsics_avx2_mm256_blend_epi16( + (int32_t)240, sum, sum_times_zetas, __m256i); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step( - __m256i vector, int16_t zeta0, int16_t zeta1) { - return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(vector, zeta0, - zeta1); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step( + __m256i *vector, int16_t zeta0, int16_t zeta1) { + libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(vector, zeta0, zeta1); } /** 
@@ -553,35 +988,32 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_f5(__m256i vector, - int16_t zeta0, - int16_t zeta1) { - return libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step(vector, zeta0, zeta1); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_f5( + __m256i *vec, int16_t zeta0, int16_t zeta1) { + libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step(vec, zeta0, zeta1); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step(__m256i vector, - int16_t zeta) { +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step( + __m256i *vector, int16_t zeta) { __m128i lhs = libcrux_intrinsics_avx2_mm256_extracti128_si256( - (int32_t)1, vector, __m128i); - __m128i rhs = libcrux_intrinsics_avx2_mm256_castsi256_si128(vector); + (int32_t)1, vector[0U], __m128i); + __m128i rhs = libcrux_intrinsics_avx2_mm256_castsi256_si128(vector[0U]); __m128i lower_coefficients = libcrux_intrinsics_avx2_mm_add_epi16(lhs, rhs); __m128i upper_coefficients = libcrux_intrinsics_avx2_mm_sub_epi16(lhs, rhs); __m128i upper_coefficients0 = libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_m128i_by_constants( upper_coefficients, libcrux_intrinsics_avx2_mm_set1_epi16(zeta)); - __m256i combined = + vector[0U] = libcrux_intrinsics_avx2_mm256_castsi128_si256(lower_coefficients); - return libcrux_intrinsics_avx2_mm256_inserti128_si256( - (int32_t)1, combined, upper_coefficients0, __m256i); + vector[0U] = libcrux_intrinsics_avx2_mm256_inserti128_si256( + (int32_t)1, vector[0U], upper_coefficients0, __m256i); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step(__m256i vector, int16_t zeta) { - return 
libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step(vector, zeta); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step( + __m256i *vector, int16_t zeta) { + libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step(vector, zeta); } /** @@ -589,10 +1021,9 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_f5(__m256i vector, - int16_t zeta) { - return libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step(vector, zeta); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_f5( + __m256i *vec, int16_t zeta0) { + libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step(vec, zeta0); } KRML_ATTRIBUTE_TARGET("avx2") @@ -617,9 +1048,9 @@ libcrux_ml_kem_vector_avx2_arithmetic_montgomery_reduce_i32s(__m256i vec) { } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_multiply( - __m256i lhs, __m256i rhs, int16_t zeta0, int16_t zeta1, int16_t zeta2, - int16_t zeta3) { +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_ntt_multiply( + __m256i *lhs, __m256i *rhs, __m256i *out, int16_t zeta0, int16_t zeta1, + int16_t zeta2, int16_t zeta3) { __m256i shuffle_with = libcrux_intrinsics_avx2_mm256_set_epi8( (int8_t)15, (int8_t)14, (int8_t)11, (int8_t)10, (int8_t)7, (int8_t)6, (int8_t)3, (int8_t)2, (int8_t)13, (int8_t)12, (int8_t)9, (int8_t)8, @@ -628,7 +1059,7 @@ static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_multiply( (int8_t)13, (int8_t)12, (int8_t)9, (int8_t)8, (int8_t)5, (int8_t)4, (int8_t)1, (int8_t)0); __m256i lhs_shuffled = - libcrux_intrinsics_avx2_mm256_shuffle_epi8(lhs, shuffle_with); + libcrux_intrinsics_avx2_mm256_shuffle_epi8(lhs[0U], shuffle_with); __m256i lhs_shuffled0 = libcrux_intrinsics_avx2_mm256_permute4x64_epi64( (int32_t)216, lhs_shuffled, __m256i); __m128i lhs_evens = 
@@ -638,7 +1069,7 @@ static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_multiply( (int32_t)1, lhs_shuffled0, __m128i); __m256i lhs_odds0 = libcrux_intrinsics_avx2_mm256_cvtepi16_epi32(lhs_odds); __m256i rhs_shuffled = - libcrux_intrinsics_avx2_mm256_shuffle_epi8(rhs, shuffle_with); + libcrux_intrinsics_avx2_mm256_shuffle_epi8(rhs[0U], shuffle_with); __m256i rhs_shuffled0 = libcrux_intrinsics_avx2_mm256_permute4x64_epi64( (int32_t)216, rhs_shuffled, __m256i); __m128i rhs_evens = @@ -663,7 +1094,7 @@ static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_multiply( libcrux_ml_kem_vector_avx2_arithmetic_montgomery_reduce_i32s( products_left); __m256i rhs_adjacent_swapped = libcrux_intrinsics_avx2_mm256_shuffle_epi8( - rhs, + rhs[0U], libcrux_intrinsics_avx2_mm256_set_epi8( (int8_t)13, (int8_t)12, (int8_t)15, (int8_t)14, (int8_t)9, (int8_t)8, (int8_t)11, (int8_t)10, (int8_t)5, (int8_t)4, (int8_t)7, (int8_t)6, 
@@ -672,22 +1103,22 @@ static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_multiply( (int8_t)5, (int8_t)4, (int8_t)7, (int8_t)6, (int8_t)1, (int8_t)0, (int8_t)3, (int8_t)2)); __m256i products_right = - libcrux_intrinsics_avx2_mm256_madd_epi16(lhs, rhs_adjacent_swapped); + libcrux_intrinsics_avx2_mm256_madd_epi16(lhs[0U], rhs_adjacent_swapped); __m256i products_right0 = libcrux_ml_kem_vector_avx2_arithmetic_montgomery_reduce_i32s( products_right); __m256i products_right1 = libcrux_intrinsics_avx2_mm256_slli_epi32( (int32_t)16, products_right0, __m256i); - return libcrux_intrinsics_avx2_mm256_blend_epi16((int32_t)170, products_left0, - products_right1, __m256i); + out[0U] = libcrux_intrinsics_avx2_mm256_blend_epi16( + (int32_t)170, products_left0, products_right1, __m256i); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_multiply( - __m256i *lhs, __m256i *rhs, int16_t zeta0, int16_t zeta1, int16_t zeta2, - int16_t zeta3) { - return libcrux_ml_kem_vector_avx2_ntt_ntt_multiply(lhs[0U], rhs[0U], zeta0, - zeta1, zeta2, zeta3); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_multiply( + __m256i *lhs, __m256i *rhs, __m256i *out, int16_t zeta0, int16_t zeta1, + int16_t zeta2, int16_t zeta3) { + libcrux_ml_kem_vector_avx2_ntt_ntt_multiply(lhs, rhs, out, zeta0, zeta1, + zeta2, zeta3); } /** 
@@ -695,31 +1126,33 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_multiply_f5( - __m256i *lhs, __m256i *rhs, int16_t zeta0, int16_t zeta1, int16_t zeta2, - int16_t zeta3) { - return libcrux_ml_kem_vector_avx2_ntt_multiply(lhs, rhs, zeta0, zeta1, zeta2, - zeta3); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_ntt_multiply_f5( + __m256i *lhs, __m256i *rhs, __m256i *out, int16_t zeta0, int16_t zeta1, + int16_t zeta2, int16_t zeta3) { + libcrux_ml_kem_vector_avx2_ntt_multiply(lhs, rhs, out, zeta0, zeta1, zeta2, + zeta3); } KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_1( - __m256i vector, uint8_t ret[2U]) { - __m256i lsb_to_msb = - libcrux_intrinsics_avx2_mm256_slli_epi16((int32_t)15, vector, __m256i); + __m256i *vector, Eurydice_slice out) { + __m256i lsb_to_msb = libcrux_intrinsics_avx2_mm256_slli_epi16( + (int32_t)15, vector[0U], __m256i); __m128i low_msbs = libcrux_intrinsics_avx2_mm256_castsi256_si128(lsb_to_msb); __m128i high_msbs = libcrux_intrinsics_avx2_mm256_extracti128_si256( (int32_t)1, lsb_to_msb, __m128i); __m128i msbs = libcrux_intrinsics_avx2_mm_packs_epi16(low_msbs, high_msbs); int32_t bits_packed = libcrux_intrinsics_avx2_mm_movemask_epi8(msbs); - uint8_t result[2U] = {(uint8_t)bits_packed, (uint8_t)(bits_packed >> 8U)}; - memcpy(ret, result, (size_t)2U * sizeof(uint8_t)); + Eurydice_slice_index(out, (size_t)0U, uint8_t, uint8_t *) = + (uint8_t)bits_packed; + Eurydice_slice_index(out, (size_t)1U, uint8_t, uint8_t *) = + (uint8_t)(bits_packed >> 8U); } KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_1( - __m256i vector, uint8_t ret[2U]) { - libcrux_ml_kem_vector_avx2_serialize_serialize_1(vector, ret); + __m256i *vector, Eurydice_slice out) { + 
libcrux_ml_kem_vector_avx2_serialize_serialize_1(vector, out); } /** @@ -728,8 +1161,8 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_1_f5( - __m256i vector, uint8_t ret[2U]) { - libcrux_ml_kem_vector_avx2_serialize_1(vector, ret); + __m256i *vec, Eurydice_slice out) { + libcrux_ml_kem_vector_avx2_serialize_1(vec, out); } KRML_ATTRIBUTE_TARGET("avx2") @@ -759,17 +1192,18 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_u8s( } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_1(Eurydice_slice bytes) { - return libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_u8s( - Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *)); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_deserialize_1( + Eurydice_slice bytes, __m256i *out) { + out[0U] = + libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_u8s( + Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *)); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_deserialize_1(Eurydice_slice bytes) { - return libcrux_ml_kem_vector_avx2_serialize_deserialize_1(bytes); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_deserialize_1( + Eurydice_slice bytes, __m256i *out) { + libcrux_ml_kem_vector_avx2_serialize_deserialize_1(bytes, out); } /** 
@@ -777,9 +1211,9 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_deserialize_1_f5(Eurydice_slice bytes) { - return libcrux_ml_kem_vector_avx2_deserialize_1(bytes); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_deserialize_1_f5( + Eurydice_slice input, __m256i *out) { + libcrux_ml_kem_vector_avx2_deserialize_1(input, out); } /** @@ -801,10 +1235,10 @@ libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(uint8_t n, KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_4( - __m256i vector, uint8_t ret[8U]) { + __m256i *vector, Eurydice_slice out) { uint8_t serialized[16U] = {0U}; __m256i adjacent_2_combined = - libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(4U, vector); + libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(4U, vector[0U]); __m256i adjacent_8_combined = libcrux_intrinsics_avx2_mm256_shuffle_epi8( adjacent_2_combined, libcrux_intrinsics_avx2_mm256_set_epi8( 
@@ -821,20 +1255,16 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_4( __m128i combined0 = libcrux_intrinsics_avx2_mm256_castsi256_si128(combined); libcrux_intrinsics_avx2_mm_storeu_bytes_si128( Eurydice_array_to_slice((size_t)16U, serialized, uint8_t), combined0); - uint8_t ret0[8U]; - Result_15 dst; - Eurydice_slice_to_array2(&dst, - Eurydice_array_to_subslice3(serialized, (size_t)0U, - (size_t)8U, uint8_t *), - Eurydice_slice, uint8_t[8U], TryFromSliceError); - unwrap_26_68(dst, ret0); - memcpy(ret, ret0, (size_t)8U * sizeof(uint8_t)); + Eurydice_slice_copy(out, + Eurydice_array_to_subslice3(serialized, (size_t)0U, + (size_t)8U, uint8_t *), + uint8_t); } KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_4( - __m256i vector, uint8_t ret[8U]) { - libcrux_ml_kem_vector_avx2_serialize_serialize_4(vector, ret); + __m256i *vector, Eurydice_slice out) { + libcrux_ml_kem_vector_avx2_serialize_serialize_4(vector, out); } /** @@ -843,8 +1273,8 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_4_f5( - __m256i vector, uint8_t ret[8U]) { - libcrux_ml_kem_vector_avx2_serialize_4(vector, ret); + __m256i *vec, Eurydice_slice out) { + libcrux_ml_kem_vector_avx2_serialize_4(vec, out); } KRML_ATTRIBUTE_TARGET("avx2") 
@@ -880,23 +1310,24 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_u8s( } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_4(Eurydice_slice bytes) { - return libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_u8s( - Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *), - Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *)); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_deserialize_4( + Eurydice_slice bytes, __m256i *out) { + out[0U] = + libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_u8s( + Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *)); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_deserialize_4(Eurydice_slice bytes) { - return libcrux_ml_kem_vector_avx2_serialize_deserialize_4(bytes); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_deserialize_4( + Eurydice_slice bytes, __m256i *out) { + libcrux_ml_kem_vector_avx2_serialize_deserialize_4(bytes, out); } /** 
@@ -904,9 +1335,9 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_deserialize_4_f5(Eurydice_slice bytes) { - return libcrux_ml_kem_vector_avx2_deserialize_4(bytes); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_deserialize_4_f5( + Eurydice_slice input, __m256i *out) { + libcrux_ml_kem_vector_avx2_deserialize_4(input, out); } /** @@ -963,10 +1394,10 @@ libcrux_ml_kem_vector_avx2_serialize_serialize_10_serialize_10_vec( KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_10( - __m256i vector, uint8_t ret[20U]) { + __m256i *vector, Eurydice_slice out) { core_core_arch_x86___m128i_x2 uu____0 = libcrux_ml_kem_vector_avx2_serialize_serialize_10_serialize_10_vec( - vector); + vector[0U]); __m128i lower_8 = uu____0.fst; __m128i upper_8 = uu____0.snd; uint8_t serialized[32U] = {0U}; @@ -978,20 +1409,16 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_10( Eurydice_array_to_subslice3(serialized, (size_t)10U, (size_t)26U, uint8_t *), upper_8); - uint8_t ret0[20U]; - Result_e1 dst; - Eurydice_slice_to_array2(&dst, - Eurydice_array_to_subslice3(serialized, (size_t)0U, - (size_t)20U, uint8_t *), - Eurydice_slice, uint8_t[20U], TryFromSliceError); - unwrap_26_20(dst, ret0); - memcpy(ret, ret0, (size_t)20U * sizeof(uint8_t)); + Eurydice_slice_copy(out, + Eurydice_array_to_subslice3(serialized, (size_t)0U, + (size_t)20U, uint8_t *), + uint8_t); } KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_10( - __m256i vector, uint8_t ret[20U]) { - libcrux_ml_kem_vector_avx2_serialize_serialize_10(vector, ret); + __m256i *vector, Eurydice_slice out) { + libcrux_ml_kem_vector_avx2_serialize_serialize_10(vector, out); } /** 
@@ -1000,8 +1427,8 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_10_f5( - __m256i vector, uint8_t ret[20U]) { - libcrux_ml_kem_vector_avx2_serialize_10(vector, ret); + __m256i *vec, Eurydice_slice out) { + libcrux_ml_kem_vector_avx2_serialize_10(vec, out); } KRML_ATTRIBUTE_TARGET("avx2") @@ -1039,21 +1466,22 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_10_deserialize_10_vec( } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_10(Eurydice_slice bytes) { +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_deserialize_10( + Eurydice_slice bytes, __m256i *out) { Eurydice_slice lower_coefficients = Eurydice_slice_subslice3(bytes, (size_t)0U, (size_t)16U, uint8_t *); Eurydice_slice upper_coefficients = Eurydice_slice_subslice3(bytes, (size_t)4U, (size_t)20U, uint8_t *); - return libcrux_ml_kem_vector_avx2_serialize_deserialize_10_deserialize_10_vec( - libcrux_intrinsics_avx2_mm_loadu_si128(lower_coefficients), - libcrux_intrinsics_avx2_mm_loadu_si128(upper_coefficients)); + out[0U] = + libcrux_ml_kem_vector_avx2_serialize_deserialize_10_deserialize_10_vec( + libcrux_intrinsics_avx2_mm_loadu_si128(lower_coefficients), + libcrux_intrinsics_avx2_mm_loadu_si128(upper_coefficients)); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_deserialize_10(Eurydice_slice bytes) { - return libcrux_ml_kem_vector_avx2_serialize_deserialize_10(bytes); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_deserialize_10( + Eurydice_slice bytes, __m256i *out) { + libcrux_ml_kem_vector_avx2_serialize_deserialize_10(bytes, out); } /** 
@@ -1061,9 +1489,9 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_deserialize_10_f5(Eurydice_slice bytes) { - return libcrux_ml_kem_vector_avx2_deserialize_10(bytes); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_deserialize_10_f5( + Eurydice_slice input, __m256i *out) { + libcrux_ml_kem_vector_avx2_deserialize_10(input, out); } KRML_ATTRIBUTE_TARGET("avx2") @@ -1096,11 +1524,11 @@ libcrux_ml_kem_vector_avx2_serialize_serialize_12_serialize_12_vec( KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_12( - __m256i vector, uint8_t ret[24U]) { + __m256i *vector, Eurydice_slice out) { uint8_t serialized[32U] = {0U}; core_core_arch_x86___m128i_x2 uu____0 = libcrux_ml_kem_vector_avx2_serialize_serialize_12_serialize_12_vec( - vector); + vector[0U]); __m128i lower_8 = uu____0.fst; __m128i upper_8 = uu____0.snd; libcrux_intrinsics_avx2_mm_storeu_bytes_si128( 
@@ -1111,20 +1539,16 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_12( Eurydice_array_to_subslice3(serialized, (size_t)12U, (size_t)28U, uint8_t *), upper_8); - uint8_t ret0[24U]; - Result_b2 dst; - Eurydice_slice_to_array2(&dst, - Eurydice_array_to_subslice3(serialized, (size_t)0U, - (size_t)24U, uint8_t *), - Eurydice_slice, uint8_t[24U], TryFromSliceError); - unwrap_26_70(dst, ret0); - memcpy(ret, ret0, (size_t)24U * sizeof(uint8_t)); + Eurydice_slice_copy(out, + Eurydice_array_to_subslice3(serialized, (size_t)0U, + (size_t)24U, uint8_t *), + uint8_t); } KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_12( - __m256i vector, uint8_t ret[24U]) { - libcrux_ml_kem_vector_avx2_serialize_serialize_12(vector, ret); + __m256i *vector, Eurydice_slice out) { + libcrux_ml_kem_vector_avx2_serialize_serialize_12(vector, out); } /** @@ -1133,8 +1557,8 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_12_f5( - __m256i vector, uint8_t ret[24U]) { - libcrux_ml_kem_vector_avx2_serialize_12(vector, ret); + __m256i *vec, Eurydice_slice out) { + libcrux_ml_kem_vector_avx2_serialize_12(vec, out); } KRML_ATTRIBUTE_TARGET("avx2") 
@@ -1172,20 +1596,21 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_12_deserialize_12_vec( } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_12(Eurydice_slice bytes) { +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_deserialize_12( + Eurydice_slice bytes, __m256i *out) { __m128i lower_coefficients = libcrux_intrinsics_avx2_mm_loadu_si128( Eurydice_slice_subslice3(bytes, (size_t)0U, (size_t)16U, uint8_t *)); __m128i upper_coefficients = libcrux_intrinsics_avx2_mm_loadu_si128( Eurydice_slice_subslice3(bytes, (size_t)8U, (size_t)24U, uint8_t *)); - return libcrux_ml_kem_vector_avx2_serialize_deserialize_12_deserialize_12_vec( - lower_coefficients, upper_coefficients); + out[0U] = + libcrux_ml_kem_vector_avx2_serialize_deserialize_12_deserialize_12_vec( + lower_coefficients, upper_coefficients); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_deserialize_12(Eurydice_slice bytes) { - return libcrux_ml_kem_vector_avx2_serialize_deserialize_12(bytes); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_deserialize_12( + Eurydice_slice bytes, __m256i *out) { + libcrux_ml_kem_vector_avx2_serialize_deserialize_12(bytes, out); } /** @@ -1193,9 +1618,9 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_deserialize_12_f5(Eurydice_slice bytes) { - return libcrux_ml_kem_vector_avx2_deserialize_12(bytes); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_deserialize_12_f5( + Eurydice_slice input, __m256i *out) { + libcrux_ml_kem_vector_avx2_deserialize_12(input, out); } static const uint8_t 
@@ -1720,13 +2145,16 @@ libcrux_ml_kem_vector_avx2_sampling_rejection_sample(Eurydice_slice input, __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi16( LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); __m256i potential_coefficients = - libcrux_ml_kem_vector_avx2_serialize_deserialize_12(input); + libcrux_intrinsics_avx2_mm256_setzero_si256(); + libcrux_ml_kem_vector_avx2_serialize_deserialize_12(input, + &potential_coefficients); __m256i compare_with_field_modulus = libcrux_intrinsics_avx2_mm256_cmpgt_epi16(field_modulus, potential_coefficients); - uint8_t good[2U]; - libcrux_ml_kem_vector_avx2_serialize_serialize_1(compare_with_field_modulus, - good); + uint8_t good[2U] = {0U}; + libcrux_ml_kem_vector_avx2_serialize_serialize_1( + &compare_with_field_modulus, + Eurydice_array_to_slice((size_t)2U, good, uint8_t)); uint8_t lower_shuffles[16U]; memcpy(lower_shuffles, libcrux_ml_kem_vector_rej_sample_table_REJECTION_SAMPLE_SHUFFLE_TABLE[( @@ -1765,8 +2193,8 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE size_t libcrux_ml_kem_vector_avx2_rej_sample_f5( - Eurydice_slice input, Eurydice_slice output) { - return libcrux_ml_kem_vector_avx2_sampling_rejection_sample(input, output); + Eurydice_slice input, Eurydice_slice out) { + return libcrux_ml_kem_vector_avx2_sampling_rejection_sample(input, out); } /** 
@@ -1778,16 +2206,6 @@ typedef struct libcrux_ml_kem_polynomial_PolynomialRingElement_f6_s { __m256i coefficients[16U]; } libcrux_ml_kem_polynomial_PolynomialRingElement_f6; -/** -A monomorphic instance of -libcrux_ml_kem.ind_cpa.unpacked.IndCpaPrivateKeyUnpacked with types -libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics -- $3size_t -*/ -typedef struct libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_63_s { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 secret_as_ntt[3U]; -} libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_63; - /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, @@ -1801,7 +2219,7 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_ZERO_d6_84(void) { +libcrux_ml_kem_polynomial_ZERO_d6_06(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 lit; __m256i repeat_expression[16U]; for (size_t i = (size_t)0U; i < (size_t)16U; i++) { @@ -1811,6 +2229,16 @@ libcrux_ml_kem_polynomial_ZERO_d6_84(void) { return lit; } +/** +A monomorphic instance of +libcrux_ml_kem.ind_cpa.unpacked.IndCpaPrivateKeyUnpacked with types +libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics +- $3size_t +*/ +typedef struct libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_63_s { + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 secret_as_ntt[3U]; +} libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_63; + /** This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, @@ -1831,7 +2259,7 @@ with const generics KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 libcrux_ml_kem_ind_cpa_decrypt_call_mut_0b_2f(void **_, size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_84(); + return libcrux_ml_kem_polynomial_ZERO_d6_06(); } /** 
@@ -1841,20 +2269,18 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_84( - Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = - libcrux_ml_kem_polynomial_ZERO_d6_84(); +static KRML_MUSTINLINE void +libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_06( + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice3(serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t *); - re.coefficients[i0] = libcrux_ml_kem_vector_avx2_deserialize_12_f5(bytes); + libcrux_ml_kem_vector_avx2_deserialize_12_f5(bytes, &re->coefficients[i0]); } - return re; } /** 
@@ -1868,42 +2294,43 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_deserialize_vector_ab( - Eurydice_slice secret_key, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *secret_as_ntt) { + Eurydice_slice secret_key, Eurydice_slice secret_as_ntt) { for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = - libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_84( - Eurydice_slice_subslice3( - secret_key, - i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - (i0 + (size_t)1U) * - LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t *)); - secret_as_ntt[i0] = uu____0; + libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_06( + Eurydice_slice_subslice3( + secret_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + uint8_t *), + &Eurydice_slice_index( + secret_as_ntt, i0, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *)); } } /** This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]> for -libcrux_ml_kem::ind_cpa::deserialize_then_decompress_u::closure[TraitClause@0, TraitClause@1]} +TraitClause@1]> for libcrux_ml_kem::ind_cpa::decrypt_unpacked::closure[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of -libcrux_ml_kem.ind_cpa.deserialize_then_decompress_u.call_mut_35 with types -libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics +A monomorphic instance of libcrux_ml_kem.ind_cpa.decrypt_unpacked.call_mut_68 +with types libcrux_ml_kem_vector_avx2_SIMD256Vector +with const generics - K= 3 - CIPHERTEXT_SIZE= 1088 +- VECTOR_U_ENCODED_SIZE= 960 - U_COMPRESSION_FACTOR= 10 +- V_COMPRESSION_FACTOR= 4 */ KRML_ATTRIBUTE_TARGET("avx2") static inline 
libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_call_mut_35_ed( - void **_, size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_84(); +libcrux_ml_kem_ind_cpa_decrypt_unpacked_call_mut_68_2f(void **_, + size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_06(); } /** @@ -1913,15 +2340,15 @@ generics - COEFFICIENT_BITS= 10 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_ef( - __m256i vector) { + __m256i *vector) { __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); __m256i two_pow_coefficient_bits = libcrux_intrinsics_avx2_mm256_set1_epi32( (int32_t)1 << (uint32_t)(int32_t)10); __m128i coefficients_low = - libcrux_intrinsics_avx2_mm256_castsi256_si128(vector); + libcrux_intrinsics_avx2_mm256_castsi256_si128(vector[0U]); __m256i coefficients_low0 = libcrux_intrinsics_avx2_mm256_cvtepi16_epi32(coefficients_low); __m256i decompressed_low = libcrux_intrinsics_avx2_mm256_mullo_epi32( @@ -1935,7 +2362,7 @@ libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_ef( __m256i decompressed_low3 = libcrux_intrinsics_avx2_mm256_srli_epi32( (int32_t)1, decompressed_low2, __m256i); __m128i coefficients_high = libcrux_intrinsics_avx2_mm256_extracti128_si256( - (int32_t)1, vector, __m128i); + (int32_t)1, vector[0U], __m128i); __m256i coefficients_high0 = libcrux_intrinsics_avx2_mm256_cvtepi16_epi32(coefficients_high); __m256i decompressed_high = libcrux_intrinsics_avx2_mm256_mullo_epi32( 
@@ -1950,8 +2377,8 @@ libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_ef( (int32_t)1, decompressed_high2, __m256i); __m256i compressed = libcrux_intrinsics_avx2_mm256_packs_epi32( decompressed_low3, decompressed_high3); - return libcrux_intrinsics_avx2_mm256_permute4x64_epi64((int32_t)216, - compressed, __m256i); + vector[0U] = libcrux_intrinsics_avx2_mm256_permute4x64_epi64( + (int32_t)216, compressed, __m256i); } /** @@ -1965,11 +2392,10 @@ generics - COEFFICIENT_BITS= 10 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_f5_ef( - __m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_ef( - vector); + __m256i *vec) { + libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_ef(vec); } /** 
@@ -1979,23 +2405,20 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_serialize_deserialize_then_decompress_10_84( - Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = - libcrux_ml_kem_polynomial_ZERO_d6_84(); +static KRML_MUSTINLINE void +libcrux_ml_kem_serialize_deserialize_then_decompress_10_06( + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)20U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice3(serialized, i0 * (size_t)20U, i0 * (size_t)20U + (size_t)20U, uint8_t *); - __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_10_f5(bytes); - re.coefficients[i0] = - libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_f5_ef( - coefficient); + libcrux_ml_kem_vector_avx2_deserialize_10_f5(bytes, &re->coefficients[i0]); + libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_f5_ef( + &re->coefficients[i0]); } - return re; } /** 
@@ -2005,16 +2428,26 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - COMPRESSION_FACTOR= 10 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 +static KRML_MUSTINLINE void libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_u_ee( - Eurydice_slice serialized) { - return libcrux_ml_kem_serialize_deserialize_then_decompress_10_84(serialized); + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *output) { + libcrux_ml_kem_serialize_deserialize_then_decompress_10_06(serialized, + output); } -typedef struct libcrux_ml_kem_vector_avx2_SIMD256Vector_x2_s { - __m256i fst; - __m256i snd; -} libcrux_ml_kem_vector_avx2_SIMD256Vector_x2; +/** +A monomorphic instance of libcrux_ml_kem.vector.traits.montgomery_multiply_fe +with types libcrux_ml_kem_vector_avx2_SIMD256Vector +with const generics + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_kem_vector_traits_montgomery_multiply_fe_06(__m256i *v, + int16_t fer) { + libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_f5(v, fer); +} /** A monomorphic instance of libcrux_ml_kem.ntt.ntt_layer_int_vec_step 
@@ -2023,14 +2456,14 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_vector_avx2_SIMD256Vector_x2 -libcrux_ml_kem_ntt_ntt_layer_int_vec_step_84(__m256i a, __m256i b, - int16_t zeta_r) { - __m256i t = - libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_f5(b, zeta_r); - b = libcrux_ml_kem_vector_avx2_sub_f5(a, &t); - a = libcrux_ml_kem_vector_avx2_add_f5(a, &t); - return (libcrux_ml_kem_vector_avx2_SIMD256Vector_x2{a, b}); +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_layer_int_vec_step_06( + __m256i *coefficients, size_t a, size_t b, __m256i *scratch, + int16_t zeta_r) { + scratch[0U] = coefficients[b]; + libcrux_ml_kem_vector_traits_montgomery_multiply_fe_06(scratch, zeta_r); + coefficients[b] = coefficients[a]; + libcrux_ml_kem_vector_avx2_add_f5(&coefficients[a], scratch); + libcrux_ml_kem_vector_avx2_sub_f5(&coefficients[b], scratch); } /** 
@@ -2040,26 +2473,21 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_4_plus_84( +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_4_plus_06( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, - size_t layer, size_t _initial_coefficient_bound) { + size_t layer, __m256i *scratch, size_t _initial_coefficient_bound) { size_t step = (size_t)1U << (uint32_t)layer; + size_t step_vec = step / (size_t)16U; for (size_t i0 = (size_t)0U; i0 < (size_t)128U >> (uint32_t)layer; i0++) { size_t round = i0; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - size_t offset = round * step * (size_t)2U; - size_t offset_vec = offset / (size_t)16U; - size_t step_vec = step / (size_t)16U; - for (size_t i = offset_vec; i < offset_vec + step_vec; i++) { + size_t a_offset = round * (size_t)2U * step_vec; + size_t b_offset = a_offset + step_vec; + for (size_t i = (size_t)0U; i < step_vec; i++) { size_t j = i; - libcrux_ml_kem_vector_avx2_SIMD256Vector_x2 uu____0 = - libcrux_ml_kem_ntt_ntt_layer_int_vec_step_84( - re->coefficients[j], re->coefficients[j + step_vec], - libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); - __m256i x = uu____0.fst; - __m256i y = uu____0.snd; - re->coefficients[j] = x; - re->coefficients[j + step_vec] = y; + libcrux_ml_kem_ntt_ntt_layer_int_vec_step_06( + re->coefficients, a_offset + j, b_offset + j, scratch, + libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); } } } 
@@ -2071,14 +2499,14 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_3_84( +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_3_06( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, size_t _initial_coefficient_bound) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_3_step_f5( - re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); + libcrux_ml_kem_vector_avx2_ntt_layer_3_step_f5( + &re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); } } @@ -2089,14 +2517,14 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_2_84( +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_2_06( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, size_t _initial_coefficient_bound) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_2_step_f5( - re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), + libcrux_ml_kem_vector_avx2_ntt_layer_2_step_f5( + &re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)1U)); zeta_i[0U] = zeta_i[0U] + (size_t)1U; } 
@@ -2109,14 +2537,14 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_1_84( +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_1_06( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, size_t _initial_coefficient_bound) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_1_step_f5( - re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), + libcrux_ml_kem_vector_avx2_ntt_layer_1_step_f5( + &re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)1U), libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)2U), libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)3U)); @@ -2131,13 +2559,12 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_84( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_06( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - myself->coefficients[i0] = - libcrux_ml_kem_vector_avx2_barrett_reduce_f5(myself->coefficients[i0]); + libcrux_ml_kem_vector_avx2_barrett_reduce_f5(&myself->coefficients[i0]); } } @@ -2153,9 +2580,9 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_84( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_06( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self) { - libcrux_ml_kem_polynomial_poly_barrett_reduce_84(self); + libcrux_ml_kem_polynomial_poly_barrett_reduce_06(self); } /** 
@@ -2166,20 +2593,20 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_vector_u_ee( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, __m256i *scratch) { size_t zeta_i = (size_t)0U; - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_84(&zeta_i, re, (size_t)7U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_06(&zeta_i, re, (size_t)7U, scratch, (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_84(&zeta_i, re, (size_t)6U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_06(&zeta_i, re, (size_t)6U, scratch, (size_t)2U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_84(&zeta_i, re, (size_t)5U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_06(&zeta_i, re, (size_t)5U, scratch, (size_t)3U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_84(&zeta_i, re, (size_t)4U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_06(&zeta_i, re, (size_t)4U, scratch, (size_t)4U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_3_84(&zeta_i, re, (size_t)5U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_2_84(&zeta_i, re, (size_t)6U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_1_84(&zeta_i, re, (size_t)7U * (size_t)3328U); - libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_84(re); + libcrux_ml_kem_ntt_ntt_at_layer_3_06(&zeta_i, re, (size_t)5U * (size_t)3328U); + libcrux_ml_kem_ntt_ntt_at_layer_2_06(&zeta_i, re, (size_t)6U * (size_t)3328U); + libcrux_ml_kem_ntt_ntt_at_layer_1_06(&zeta_i, re, (size_t)7U * (size_t)3328U); + libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_06(re); } /** 
@@ -2196,17 +2623,9 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_ed( - uint8_t *ciphertext, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 u_as_ntt[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - u_as_ntt[i] = - libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_call_mut_35_ed( - &lvalue, i); - } +libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_ed(uint8_t *ciphertext, + Eurydice_slice u_as_ntt, + __m256i *scratch) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice((size_t)1088U, ciphertext, uint8_t), @@ -2224,14 +2643,17 @@ libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_ed( LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U, uint8_t *); - u_as_ntt[i0] = - libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_u_ee( - u_bytes); - libcrux_ml_kem_ntt_ntt_vector_u_ee(&u_as_ntt[i0]); + libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_u_ee( + u_bytes, + &Eurydice_slice_index( + u_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *)); + libcrux_ml_kem_ntt_ntt_vector_u_ee( + &Eurydice_slice_index( + u_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *), + scratch); } - memcpy( - ret, u_as_ntt, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); } /** 
@@ -2241,15 +2663,15 @@ generics - COEFFICIENT_BITS= 4 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_d1( - __m256i vector) { + __m256i *vector) { __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); __m256i two_pow_coefficient_bits = libcrux_intrinsics_avx2_mm256_set1_epi32( (int32_t)1 << (uint32_t)(int32_t)4); __m128i coefficients_low = - libcrux_intrinsics_avx2_mm256_castsi256_si128(vector); + libcrux_intrinsics_avx2_mm256_castsi256_si128(vector[0U]); __m256i coefficients_low0 = libcrux_intrinsics_avx2_mm256_cvtepi16_epi32(coefficients_low); __m256i decompressed_low = libcrux_intrinsics_avx2_mm256_mullo_epi32( @@ -2263,7 +2685,7 @@ libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_d1( __m256i decompressed_low3 = libcrux_intrinsics_avx2_mm256_srli_epi32( (int32_t)1, decompressed_low2, __m256i); __m128i coefficients_high = libcrux_intrinsics_avx2_mm256_extracti128_si256( - (int32_t)1, vector, __m128i); + (int32_t)1, vector[0U], __m128i); __m256i coefficients_high0 = libcrux_intrinsics_avx2_mm256_cvtepi16_epi32(coefficients_high); __m256i decompressed_high = libcrux_intrinsics_avx2_mm256_mullo_epi32( @@ -2278,8 +2700,8 @@ libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_d1( (int32_t)1, decompressed_high2, __m256i); __m256i compressed = libcrux_intrinsics_avx2_mm256_packs_epi32( decompressed_low3, decompressed_high3); - return libcrux_intrinsics_avx2_mm256_permute4x64_epi64((int32_t)216, - compressed, __m256i); + vector[0U] = libcrux_intrinsics_avx2_mm256_permute4x64_epi64( + (int32_t)216, compressed, __m256i); } /** 
@@ -2293,11 +2715,10 @@ generics - COEFFICIENT_BITS= 4 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_f5_d1( - __m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_d1( - vector); + __m256i *vec) { + libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_d1(vec); } /** @@ -2307,22 +2728,19 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_serialize_deserialize_then_decompress_4_84( - Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = - libcrux_ml_kem_polynomial_ZERO_d6_84(); +static KRML_MUSTINLINE void +libcrux_ml_kem_serialize_deserialize_then_decompress_4_06( + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)8U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice3( serialized, i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t *); - __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_4_f5(bytes); - re.coefficients[i0] = - libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_f5_d1( - coefficient); + libcrux_ml_kem_vector_avx2_deserialize_4_f5(bytes, &re->coefficients[i0]); + libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_f5_d1( + &re->coefficients[i0]); } - return re; } /** 
@@ -2333,28 +2751,11 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - COMPRESSION_FACTOR= 4 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 +static KRML_MUSTINLINE void libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_ed( - Eurydice_slice serialized) { - return libcrux_ml_kem_serialize_deserialize_then_decompress_4_84(serialized); -} - -/** -A monomorphic instance of libcrux_ml_kem.polynomial.ZERO -with types libcrux_ml_kem_vector_avx2_SIMD256Vector -with const generics - -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_ZERO_84(void) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 lit; - __m256i repeat_expression[16U]; - for (size_t i = (size_t)0U; i < (size_t)16U; i++) { - repeat_expression[i] = libcrux_ml_kem_vector_avx2_ZERO_f5(); - } - memcpy(lit.coefficients, repeat_expression, (size_t)16U * sizeof(__m256i)); - return lit; + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *output) { + libcrux_ml_kem_serialize_deserialize_then_decompress_4_06(serialized, output); } /** 
@@ -2391,17 +2792,16 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_ntt_multiply_84( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_ntt_multiply_06( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 out = - libcrux_ml_kem_polynomial_ZERO_84(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *out) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - out.coefficients[i0] = libcrux_ml_kem_vector_avx2_ntt_multiply_f5( + libcrux_ml_kem_vector_avx2_ntt_multiply_f5( &myself->coefficients[i0], &rhs->coefficients[i0], + &out->coefficients[i0], libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0), libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 + (size_t)1U), @@ -2410,7 +2810,6 @@ libcrux_ml_kem_polynomial_ntt_multiply_84( libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 + (size_t)3U)); } - return out; } /** @@ -2425,11 +2824,11 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_ntt_multiply_d6_84( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_ntt_multiply_d6_06( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) { - return libcrux_ml_kem_polynomial_ntt_multiply_84(self, rhs); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *out) { + libcrux_ml_kem_polynomial_ntt_multiply_06(self, rhs, out); } /** 
@@ -2452,8 +2851,8 @@ static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_to_ring_element_ab( __m256i); i++) { size_t i0 = i; - myself->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_f5( - myself->coefficients[i0], &rhs->coefficients[i0]); + libcrux_ml_kem_vector_avx2_add_f5(&myself->coefficients[i0], + &rhs->coefficients[i0]); } } @@ -2482,17 +2881,16 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_84( +static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_06( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] - (size_t)1U; - re->coefficients[round] = - libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_f5( - re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), - libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)1U), - libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)2U), - libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)3U)); + libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_f5( + &re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), + libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)1U), + libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)2U), + libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)3U)); zeta_i[0U] = zeta_i[0U] - (size_t)3U; } } 
@@ -2504,15 +2902,14 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_84( +static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_06( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] - (size_t)1U; - re->coefficients[round] = - libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_f5( - re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), - libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)1U)); + libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_f5( + &re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), + libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)1U)); zeta_i[0U] = zeta_i[0U] - (size_t)1U; } } @@ -2524,15 +2921,13 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_84( +static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_06( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] - (size_t)1U; - re->coefficients[round] = - libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_f5( - re->coefficients[round], - libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); + libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_f5( + &re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); } } 
@@ -2543,16 +2938,19 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_vector_avx2_SIMD256Vector_x2 -libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_84(__m256i a, - __m256i b, - int16_t zeta_r) { - __m256i a_minus_b = libcrux_ml_kem_vector_avx2_sub_f5(b, &a); - a = libcrux_ml_kem_vector_avx2_barrett_reduce_f5( - libcrux_ml_kem_vector_avx2_add_f5(a, &b)); - b = libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_f5(a_minus_b, - zeta_r); - return (libcrux_ml_kem_vector_avx2_SIMD256Vector_x2{a, b}); +static KRML_MUSTINLINE void +libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_06( + __m256i *coefficients, size_t a, size_t b, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch, + int16_t zeta_r) { + scratch->coefficients[0U] = coefficients[a]; + scratch->coefficients[1U] = coefficients[b]; + libcrux_ml_kem_vector_avx2_add_f5(&coefficients[a], + &scratch->coefficients[1U]); + libcrux_ml_kem_vector_avx2_sub_f5(&coefficients[b], scratch->coefficients); + libcrux_ml_kem_vector_avx2_barrett_reduce_f5(&coefficients[a]); + libcrux_ml_kem_vector_traits_montgomery_multiply_fe_06(&coefficients[b], + zeta_r); } /** 
@@ -2563,28 +2961,22 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_84( +libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_06( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, - size_t layer) { + size_t layer, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch) { size_t step = (size_t)1U << (uint32_t)layer; + size_t step_vec = + step / LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; for (size_t i0 = (size_t)0U; i0 < (size_t)128U >> (uint32_t)layer; i0++) { size_t round = i0; zeta_i[0U] = zeta_i[0U] - (size_t)1U; - size_t offset = round * step * (size_t)2U; - size_t offset_vec = - offset / LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; - size_t step_vec = - step / LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; - for (size_t i = offset_vec; i < offset_vec + step_vec; i++) { + size_t a_offset = round * (size_t)2U * step_vec; + size_t b_offset = a_offset + step_vec; + for (size_t i = (size_t)0U; i < step_vec; i++) { size_t j = i; - libcrux_ml_kem_vector_avx2_SIMD256Vector_x2 uu____0 = - libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_84( - re->coefficients[j], re->coefficients[j + step_vec], - libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); - __m256i x = uu____0.fst; - __m256i y = uu____0.snd; - re->coefficients[j] = x; - re->coefficients[j + step_vec] = y; + libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_06( + re->coefficients, a_offset + j, b_offset + j, scratch, + libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); } } } 
@@ -2597,21 +2989,22 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_ab( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch) { size_t zeta_i = LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)2U; - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_84(&zeta_i, re); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_84(&zeta_i, re); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_84(&zeta_i, re); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_84(&zeta_i, re, - (size_t)4U); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_84(&zeta_i, re, - (size_t)5U); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_84(&zeta_i, re, - (size_t)6U); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_84(&zeta_i, re, - (size_t)7U); - libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_84(re); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_06(&zeta_i, re); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_06(&zeta_i, re); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_06(&zeta_i, re); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_06(&zeta_i, re, + (size_t)4U, scratch); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_06(&zeta_i, re, + (size_t)5U, scratch); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_06(&zeta_i, re, + (size_t)6U, scratch); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_06(&zeta_i, re, + (size_t)7U, scratch); + libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_06(re); } /** 
@@ -2621,22 +3014,19 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_subtract_reduce_84( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_subtract_reduce_06( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 b) { + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *b) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - __m256i coefficient_normal_form = - libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_f5( - b.coefficients[i0], (int16_t)1441); - __m256i diff = libcrux_ml_kem_vector_avx2_sub_f5(myself->coefficients[i0], - &coefficient_normal_form); - __m256i red = libcrux_ml_kem_vector_avx2_barrett_reduce_f5(diff); - b.coefficients[i0] = red; + libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_f5( + &b->coefficients[i0], (int16_t)1441); + libcrux_ml_kem_vector_avx2_sub_f5(&b->coefficients[i0], + &myself->coefficients[i0]); + libcrux_ml_kem_vector_avx2_negate_f5(&b->coefficients[i0]); + libcrux_ml_kem_vector_avx2_barrett_reduce_f5(&b->coefficients[i0]); } - return b; } /** 
@@ -2651,17 +3041,13 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_subtract_reduce_d6_84( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_subtract_reduce_d6_06( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 b) { - return libcrux_ml_kem_polynomial_subtract_reduce_84(self, b); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *b) { + libcrux_ml_kem_polynomial_subtract_reduce_06(self, b); } /** - The following functions compute various expressions involving - vectors and matrices. The computation of these expressions has been - abstracted away into these functions in order to save on loop iterations. Compute v − InverseNTT(sᵀ ◦ NTT(u)) */ /** 
@@ -2671,22 +3057,20 @@ with const generics - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_matrix_compute_message_ab( +static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_message_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *v, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *secret_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *u_as_ntt) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = - libcrux_ml_kem_polynomial_ZERO_d6_84(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *u_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *result, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch) { for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - libcrux_ml_kem_polynomial_ntt_multiply_d6_84(&secret_as_ntt[i0], - &u_as_ntt[i0]); - libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab(&result, &product); + libcrux_ml_kem_polynomial_ntt_multiply_d6_06(&secret_as_ntt[i0], + &u_as_ntt[i0], scratch); + libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab(result, scratch); } - libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_ab(&result); - return libcrux_ml_kem_polynomial_subtract_reduce_d6_84(v, result); + libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_ab(result, scratch); + libcrux_ml_kem_polynomial_subtract_reduce_d6_06(v, result); } /** @@ -2696,9 +3080,12 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_serialize_to_unsigned_field_modulus_84(__m256i a) { - return libcrux_ml_kem_vector_avx2_to_unsigned_representative_f5(a); +static KRML_MUSTINLINE void +libcrux_ml_kem_serialize_to_unsigned_field_modulus_06(__m256i *a, + __m256i *out) { + __m256i uu____0 = + libcrux_ml_kem_vector_avx2_to_unsigned_representative_f5(a[0U]); + out[0U] = uu____0; } /** 
@@ -2709,23 +3096,19 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_serialize_compress_then_serialize_message_84( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re, uint8_t ret[32U]) { - uint8_t serialized[32U] = {0U}; +libcrux_ml_kem_serialize_compress_then_serialize_message_06( + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, + Eurydice_slice serialized, __m256i *scratch) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t i0 = i; - __m256i coefficient = libcrux_ml_kem_serialize_to_unsigned_field_modulus_84( - re.coefficients[i0]); - __m256i coefficient_compressed = - libcrux_ml_kem_vector_avx2_compress_1_f5(coefficient); - uint8_t bytes[2U]; - libcrux_ml_kem_vector_avx2_serialize_1_f5(coefficient_compressed, bytes); - Eurydice_slice_copy( - Eurydice_array_to_subslice3(serialized, (size_t)2U * i0, - (size_t)2U * i0 + (size_t)2U, uint8_t *), - Eurydice_array_to_slice((size_t)2U, bytes, uint8_t), uint8_t); + libcrux_ml_kem_serialize_to_unsigned_field_modulus_06(&re->coefficients[i0], + scratch); + libcrux_ml_kem_vector_avx2_compress_1_f5(scratch); + libcrux_ml_kem_vector_avx2_serialize_1_f5( + scratch, + Eurydice_slice_subslice3(serialized, (size_t)2U * i0, + (size_t)2U * i0 + (size_t)2U, uint8_t *)); } - memcpy(ret, serialized, (size_t)32U * sizeof(uint8_t)); } /** 
@@ -2765,20 +3148,33 @@ with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_decrypt_unpacked_2f( libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_63 *secret_key, - uint8_t *ciphertext, uint8_t ret[32U]) { + uint8_t *ciphertext, Eurydice_slice decrypted, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 u_as_ntt[3U]; - libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_ed(ciphertext, u_as_ntt); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + u_as_ntt[i] = + libcrux_ml_kem_ind_cpa_decrypt_unpacked_call_mut_68_2f(&lvalue, i); + } + libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_ed( + ciphertext, + Eurydice_array_to_slice( + (size_t)3U, u_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6), + scratch->coefficients); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 v = - libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_ed( - Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, - (size_t)960U, uint8_t, size_t, - uint8_t[])); + libcrux_ml_kem_polynomial_ZERO_d6_06(); + libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_ed( + Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, (size_t)960U, + uint8_t, size_t, uint8_t[]), + &v); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 message = - libcrux_ml_kem_matrix_compute_message_ab(&v, secret_key->secret_as_ntt, - u_as_ntt); - uint8_t ret0[32U]; - libcrux_ml_kem_serialize_compress_then_serialize_message_84(message, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + libcrux_ml_kem_polynomial_ZERO_d6_06(); + libcrux_ml_kem_matrix_compute_message_ab(&v, secret_key->secret_as_ntt, + u_as_ntt, &message, scratch); + libcrux_ml_kem_serialize_compress_then_serialize_message_06( + &message, decrypted, scratch->coefficients); } /** 
@@ -2793,69 +3189,94 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_decrypt_2f( - Eurydice_slice secret_key, uint8_t *ciphertext, uint8_t ret[32U]) { + Eurydice_slice secret_key, uint8_t *ciphertext, Eurydice_slice decrypted, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch) { libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_63 secret_key_unpacked; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret0[3U]; + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { /* original Rust expression is not an lvalue in C */ void *lvalue = (void *)0U; - ret0[i] = libcrux_ml_kem_ind_cpa_decrypt_call_mut_0b_2f(&lvalue, i); + ret[i] = libcrux_ml_kem_ind_cpa_decrypt_call_mut_0b_2f(&lvalue, i); } memcpy( - secret_key_unpacked.secret_as_ntt, ret0, + secret_key_unpacked.secret_as_ntt, ret, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); libcrux_ml_kem_ind_cpa_deserialize_vector_ab( - secret_key, secret_key_unpacked.secret_as_ntt); - uint8_t ret1[32U]; + secret_key, Eurydice_array_to_slice( + (size_t)3U, secret_key_unpacked.secret_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); libcrux_ml_kem_ind_cpa_decrypt_unpacked_2f(&secret_key_unpacked, ciphertext, - ret1); - memcpy(ret, ret1, (size_t)32U * sizeof(uint8_t)); + decrypted, scratch); } /** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::avx2::Simd256Hash} -*/ -/** -A monomorphic instance of libcrux_ml_kem.hash_functions.avx2.G_41 +A monomorphic instance of libcrux_ml_kem.hash_functions.avx2.PRF with const generics -- K= 3 +- LEN= 32 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_G_41_e0( - Eurydice_slice input, uint8_t ret[64U]) { - libcrux_ml_kem_hash_functions_avx2_G(input, ret); +static KRML_MUSTINLINE void 
libcrux_ml_kem_hash_functions_avx2_PRF_9e( + Eurydice_slice input, Eurydice_slice out) { + libcrux_sha3_portable_shake256(out, input); } /** -A monomorphic instance of libcrux_ml_kem.hash_functions.avx2.PRF +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::avx2::Simd256Hash} +*/ +/** +A monomorphic instance of libcrux_ml_kem.hash_functions.avx2.PRF_26 with const generics - LEN= 32 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_PRF_9e( - Eurydice_slice input, uint8_t ret[32U]) { - uint8_t digest[32U] = {0U}; - libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)32U, digest, uint8_t), input); - memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); +static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_PRF_26_9e( + Eurydice_slice input, Eurydice_slice out) { + libcrux_ml_kem_hash_functions_avx2_PRF_9e(input, out); } /** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::avx2::Simd256Hash} +This function found in impl {core::ops::function::FnMut<(usize), +libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@3]> for libcrux_ml_kem::ind_cca::decapsulate::closure[TraitClause@0, +TraitClause@1, TraitClause@2, TraitClause@3, TraitClause@4, TraitClause@5]} */ /** -A monomorphic instance of libcrux_ml_kem.hash_functions.avx2.PRF_41 +A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate.call_mut_5f +with types libcrux_ml_kem_vector_avx2_SIMD256Vector, +libcrux_ml_kem_hash_functions_avx2_Simd256Hash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 -- LEN= 32 +- K_SQUARED= 9 +- SECRET_KEY_SIZE= 2400 +- CPA_SECRET_KEY_SIZE= 1152 +- PUBLIC_KEY_SIZE= 1184 +- CIPHERTEXT_SIZE= 1088 +- T_AS_NTT_ENCODED_SIZE= 1152 +- C1_SIZE= 960 +- C2_SIZE= 128 +- VECTOR_U_COMPRESSION_FACTOR= 10 +- VECTOR_V_COMPRESSION_FACTOR= 4 +- C1_BLOCK_SIZE= 320 +- ETA1= 2 +- ETA1_RANDOMNESS_SIZE= 
128 +- ETA2= 2 +- ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 +- IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_PRF_41_41( - Eurydice_slice input, uint8_t ret[32U]) { - libcrux_ml_kem_hash_functions_avx2_PRF_9e(input, ret); +static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 +libcrux_ml_kem_ind_cca_decapsulate_call_mut_5f_57(void **_, + size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_06(); } /** 
@@ -2863,50 +3284,46 @@ A monomorphic instance of libcrux_ml_kem.ind_cpa.unpacked.IndCpaPublicKeyUnpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - $3size_t +- $9size_t */ -typedef struct libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63_s { +typedef struct libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0_s { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 t_as_ntt[3U]; uint8_t seed_for_A[32U]; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 A[3U][3U]; -} libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63; + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 A[9U]; +} libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0; /** This function found in impl {core::default::Default for -libcrux_ml_kem::ind_cpa::unpacked::IndCpaPublicKeyUnpacked[TraitClause@0, TraitClause@1]} +libcrux_ml_kem::ind_cpa::unpacked::IndCpaPublicKeyUnpacked[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cpa.unpacked.default_8b +A monomorphic instance of libcrux_ml_kem.ind_cpa.unpacked.default_50 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 -libcrux_ml_kem_ind_cpa_unpacked_default_8b_ab(void) { +static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0 +libcrux_ml_kem_ind_cpa_unpacked_default_50_ed(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - uu____0[i] = libcrux_ml_kem_polynomial_ZERO_d6_84(); + uu____0[i] = libcrux_ml_kem_polynomial_ZERO_d6_06(); } uint8_t uu____1[32U] = {0U}; - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 lit; + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0 lit; memcpy( lit.t_as_ntt, uu____0, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); memcpy(lit.seed_for_A, 
uu____1, (size_t)32U * sizeof(uint8_t)); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 repeat_expression0[3U][3U]; - for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 repeat_expression[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - repeat_expression[i] = libcrux_ml_kem_polynomial_ZERO_d6_84(); - } - memcpy(repeat_expression0[i0], repeat_expression, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 repeat_expression[9U]; + for (size_t i = (size_t)0U; i < (size_t)9U; i++) { + repeat_expression[i] = libcrux_ml_kem_polynomial_ZERO_d6_06(); } - memcpy(lit.A, repeat_expression0, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U])); + memcpy( + lit.A, repeat_expression, + (size_t)9U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); return lit; } 
@@ -2923,26 +3340,26 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_84( - Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = - libcrux_ml_kem_polynomial_ZERO_d6_84(); +static KRML_MUSTINLINE void +libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_06( + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice3(serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t *); - __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_12_f5(bytes); - re.coefficients[i0] = - libcrux_ml_kem_vector_avx2_cond_subtract_3329_f5(coefficient); + libcrux_ml_kem_vector_avx2_deserialize_12_f5(bytes, &re->coefficients[i0]); + libcrux_ml_kem_vector_avx2_cond_subtract_3329_f5(&re->coefficients[i0]); } - return re; } /** - See [deserialize_ring_elements_reduced_out]. + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. */ /** A monomorphic instance of @@ -2953,8 +3370,7 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_ab( - Eurydice_slice public_key, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *deserialized_pk) { + Eurydice_slice public_key, Eurydice_slice deserialized_pk) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(public_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; 
@@ -2965,101 +3381,15 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_ab( i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, uint8_t *); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = - libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_84( - ring_element); - deserialized_pk[i0] = uu____0; + libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_06( + ring_element, + &Eurydice_slice_index( + deserialized_pk, i0, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *)); } } -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb_final with const -generics -- K= 3 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_55 -libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_final_e0( - uint8_t (*input)[34U]) { - libcrux_sha3_generic_keccak_KeccakState_55 state = - libcrux_sha3_avx2_x4_incremental_init(); - libcrux_sha3_avx2_x4_incremental_shake128_absorb_final( - &state, Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t), - Eurydice_array_to_slice((size_t)34U, input[1U], uint8_t), - Eurydice_array_to_slice((size_t)34U, input[2U], uint8_t), - Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t)); - return state; -} - -/** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::avx2::Simd256Hash} -*/ -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_init_absorb_final_41 with const -generics -- K= 3 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_55 -libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_final_41_e0( - uint8_t (*input)[34U]) { - return libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_final_e0( - input); -} - -/** -A monomorphic instance of 
-libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_first_three_blocks with -const generics -- K= 3 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_first_three_blocks_e0( - libcrux_sha3_generic_keccak_KeccakState_55 *st, uint8_t ret[3U][504U]) { - uint8_t out[3U][504U] = {{0U}}; - uint8_t out0[504U] = {0U}; - uint8_t out1[504U] = {0U}; - uint8_t out2[504U] = {0U}; - uint8_t out3[504U] = {0U}; - libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks( - st, Eurydice_array_to_slice((size_t)504U, out0, uint8_t), - Eurydice_array_to_slice((size_t)504U, out1, uint8_t), - Eurydice_array_to_slice((size_t)504U, out2, uint8_t), - Eurydice_array_to_slice((size_t)504U, out3, uint8_t)); - uint8_t uu____0[504U]; - memcpy(uu____0, out0, (size_t)504U * sizeof(uint8_t)); - memcpy(out[0U], uu____0, (size_t)504U * sizeof(uint8_t)); - uint8_t uu____1[504U]; - memcpy(uu____1, out1, (size_t)504U * sizeof(uint8_t)); - memcpy(out[1U], uu____1, (size_t)504U * sizeof(uint8_t)); - uint8_t uu____2[504U]; - memcpy(uu____2, out2, (size_t)504U * sizeof(uint8_t)); - memcpy(out[2U], uu____2, (size_t)504U * sizeof(uint8_t)); - memcpy(ret, out, (size_t)3U * sizeof(uint8_t[504U])); -} - -/** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::avx2::Simd256Hash} -*/ -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_first_three_blocks_41 with -const generics -- K= 3 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_first_three_blocks_41_e0( - libcrux_sha3_generic_keccak_KeccakState_55 *self, uint8_t ret[3U][504U]) { - libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_first_three_blocks_e0( - self, ret); -} - /** If `bytes` contains a set of uniformly random bytes, this function uniformly samples a ring element `â` that is treated as being the NTT 
@@ -3111,32 +3441,41 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE bool libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed( - uint8_t (*randomness)[504U], size_t *sampled_coefficients, - int16_t (*out)[272U]) { + Eurydice_slice randomness, Eurydice_slice sampled_coefficients, + Eurydice_slice out) { for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { size_t i1 = i0; for (size_t i = (size_t)0U; i < (size_t)504U / (size_t)24U; i++) { size_t r = i; - if (sampled_coefficients[i1] < + if (Eurydice_slice_index(sampled_coefficients, i1, size_t, size_t *) < LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + uint8_t *randomness_i = Eurydice_slice_index( + randomness, i1, uint8_t[504U], uint8_t(*)[504U]); + int16_t *out_i = + Eurydice_slice_index(out, i1, int16_t[272U], int16_t(*)[272U]); + size_t sampled_coefficients_i = + Eurydice_slice_index(sampled_coefficients, i1, size_t, size_t *); size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_f5( - Eurydice_array_to_subslice3(randomness[i1], r * (size_t)24U, + Eurydice_array_to_subslice3(randomness_i, r * (size_t)24U, r * (size_t)24U + (size_t)24U, uint8_t *), - Eurydice_array_to_subslice3(out[i1], sampled_coefficients[i1], - sampled_coefficients[i1] + (size_t)16U, + Eurydice_array_to_subslice3(out_i, sampled_coefficients_i, + sampled_coefficients_i + (size_t)16U, int16_t *)); size_t uu____0 = i1; - sampled_coefficients[uu____0] = sampled_coefficients[uu____0] + sampled; + Eurydice_slice_index(sampled_coefficients, uu____0, size_t, size_t *) = + Eurydice_slice_index(sampled_coefficients, uu____0, size_t, + size_t *) + + sampled; } } } bool done = true; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - if (sampled_coefficients[i0] >= + if (Eurydice_slice_index(sampled_coefficients, i0, size_t, size_t *) >= LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - sampled_coefficients[i0] = + 
Eurydice_slice_index(sampled_coefficients, i0, size_t, size_t *) = LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; } else { done = false; 
@@ -3145,55 +3484,6 @@ libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed( return done; } -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_next_block with const -generics -- K= 3 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_next_block_e0( - libcrux_sha3_generic_keccak_KeccakState_55 *st, uint8_t ret[3U][168U]) { - uint8_t out[3U][168U] = {{0U}}; - uint8_t out0[168U] = {0U}; - uint8_t out1[168U] = {0U}; - uint8_t out2[168U] = {0U}; - uint8_t out3[168U] = {0U}; - libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block( - st, Eurydice_array_to_slice((size_t)168U, out0, uint8_t), - Eurydice_array_to_slice((size_t)168U, out1, uint8_t), - Eurydice_array_to_slice((size_t)168U, out2, uint8_t), - Eurydice_array_to_slice((size_t)168U, out3, uint8_t)); - uint8_t uu____0[168U]; - memcpy(uu____0, out0, (size_t)168U * sizeof(uint8_t)); - memcpy(out[0U], uu____0, (size_t)168U * sizeof(uint8_t)); - uint8_t uu____1[168U]; - memcpy(uu____1, out1, (size_t)168U * sizeof(uint8_t)); - memcpy(out[1U], uu____1, (size_t)168U * sizeof(uint8_t)); - uint8_t uu____2[168U]; - memcpy(uu____2, out2, (size_t)168U * sizeof(uint8_t)); - memcpy(out[2U], uu____2, (size_t)168U * sizeof(uint8_t)); - memcpy(ret, out, (size_t)3U * sizeof(uint8_t[168U])); -} - -/** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::avx2::Simd256Hash} -*/ -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.avx2.shake128_squeeze_next_block_41 with const -generics -- K= 3 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_next_block_41_e0( - libcrux_sha3_generic_keccak_KeccakState_55 *self, uint8_t ret[3U][168U]) { - libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_next_block_e0(self, ret); -} - /** If `bytes` contains a set of uniformly random bytes, this function 
uniformly samples a ring element `â` that is treated as being the NTT 
@@ -3245,32 +3535,41 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE bool libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed0( - uint8_t (*randomness)[168U], size_t *sampled_coefficients, - int16_t (*out)[272U]) { + Eurydice_slice randomness, Eurydice_slice sampled_coefficients, + Eurydice_slice out) { for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { size_t i1 = i0; for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)24U; i++) { size_t r = i; - if (sampled_coefficients[i1] < + if (Eurydice_slice_index(sampled_coefficients, i1, size_t, size_t *) < LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + uint8_t *randomness_i = Eurydice_slice_index( + randomness, i1, uint8_t[168U], uint8_t(*)[168U]); + int16_t *out_i = + Eurydice_slice_index(out, i1, int16_t[272U], int16_t(*)[272U]); + size_t sampled_coefficients_i = + Eurydice_slice_index(sampled_coefficients, i1, size_t, size_t *); size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_f5( - Eurydice_array_to_subslice3(randomness[i1], r * (size_t)24U, + Eurydice_array_to_subslice3(randomness_i, r * (size_t)24U, r * (size_t)24U + (size_t)24U, uint8_t *), - Eurydice_array_to_subslice3(out[i1], sampled_coefficients[i1], - sampled_coefficients[i1] + (size_t)16U, + Eurydice_array_to_subslice3(out_i, sampled_coefficients_i, + sampled_coefficients_i + (size_t)16U, int16_t *)); size_t uu____0 = i1; - sampled_coefficients[uu____0] = sampled_coefficients[uu____0] + sampled; + Eurydice_slice_index(sampled_coefficients, uu____0, size_t, size_t *) = + Eurydice_slice_index(sampled_coefficients, uu____0, size_t, + size_t *) + + sampled; } } } bool done = true; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - if (sampled_coefficients[i0] >= + if (Eurydice_slice_index(sampled_coefficients, i0, size_t, size_t *) >= LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - sampled_coefficients[i0] = + 
Eurydice_slice_index(sampled_coefficients, i0, size_t, size_t *) = LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; } else { done = false; @@ -3279,6 +3578,41 @@ libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed0( return done; } +/** +A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof +with types libcrux_ml_kem_vector_avx2_SIMD256Vector, +libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics +- K= 3 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_xof_6c( + Eurydice_slice seeds, Eurydice_slice sampled_coefficients, + Eurydice_slice out) { + libcrux_sha3_generic_keccak_KeccakState_55 xof_state = + libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_final_26(seeds); + uint8_t randomness[3U][504U] = {{0U}}; + uint8_t randomness_blocksize[3U][168U] = {{0U}}; + libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_first_three_blocks_26( + &xof_state, + Eurydice_array_to_slice((size_t)3U, randomness, uint8_t[504U])); + bool done = libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed( + Eurydice_array_to_slice((size_t)3U, randomness, uint8_t[504U]), + sampled_coefficients, out); + while (true) { + if (done) { + break; + } else { + libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_next_block_26( + &xof_state, Eurydice_array_to_slice((size_t)3U, randomness_blocksize, + uint8_t[168U])); + done = libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed0( + Eurydice_array_to_slice((size_t)3U, randomness_blocksize, + uint8_t[168U]), + sampled_coefficients, out); + } + } +} + /** A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -3286,18 +3620,17 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_from_i16_array_84(Eurydice_slice a) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = - libcrux_ml_kem_polynomial_ZERO_84(); +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_from_i16_array_06( + Eurydice_slice a, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *result) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - result.coefficients[i0] = - libcrux_ml_kem_vector_avx2_from_i16_array_f5(Eurydice_slice_subslice3( - a, i0 * (size_t)16U, (i0 + (size_t)1U) * (size_t)16U, int16_t *)); + libcrux_ml_kem_vector_avx2_from_i16_array_f5( + Eurydice_slice_subslice3(a, i0 * (size_t)16U, + (i0 + (size_t)1U) * (size_t)16U, int16_t *), + &result->coefficients[i0]); } - return result; } /** 
@@ -3312,77 +3645,9 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_from_i16_array_d6_84(Eurydice_slice a) { - return libcrux_ml_kem_polynomial_from_i16_array_84(a); -} - -/** -This function found in impl {core::ops::function::FnMut<(@Array), -libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@2]> for libcrux_ml_kem::sampling::sample_from_xof::closure[TraitClause@0, TraitClause@1, TraitClause@2, TraitClause@3]} -*/ -/** -A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof.call_mut_e7 -with types libcrux_ml_kem_vector_avx2_SIMD256Vector, -libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics -- K= 3 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_sampling_sample_from_xof_call_mut_e7_6c( - void **_, int16_t tupled_args[272U]) { - int16_t s[272U]; - memcpy(s, tupled_args, (size_t)272U * sizeof(int16_t)); - return libcrux_ml_kem_polynomial_from_i16_array_d6_84( - Eurydice_array_to_subslice3(s, (size_t)0U, (size_t)256U, int16_t *)); -} - -/** -A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof -with types libcrux_ml_kem_vector_avx2_SIMD256Vector, -libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics -- K= 3 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_xof_6c( - uint8_t (*seeds)[34U], - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { - size_t sampled_coefficients[3U] = {0U}; - int16_t out[3U][272U] = {{0U}}; - libcrux_sha3_generic_keccak_KeccakState_55 xof_state = - libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_final_41_e0( - seeds); - uint8_t randomness0[3U][504U]; - libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_first_three_blocks_41_e0( - &xof_state, randomness0); - bool done = 
libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed( - randomness0, sampled_coefficients, out); - while (true) { - if (done) { - break; - } else { - uint8_t randomness[3U][168U]; - libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_next_block_41_e0( - &xof_state, randomness); - done = libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed0( - randomness, sampled_coefficients, out); - } - } - /* Passing arrays by value in Rust generates a copy in C */ - int16_t copy_of_out[3U][272U]; - memcpy(copy_of_out, out, (size_t)3U * sizeof(int16_t[272U])); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret0[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - ret0[i] = libcrux_ml_kem_sampling_sample_from_xof_call_mut_e7_6c( - &lvalue, copy_of_out[i]); - } - memcpy( - ret, ret0, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_from_i16_array_d6_06( + Eurydice_slice a, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *out) { + libcrux_ml_kem_polynomial_from_i16_array_06(a, out); } /** 
@@ -3393,35 +3658,51 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_matrix_sample_matrix_A_6c( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 (*A_transpose)[3U], - uint8_t *seed, bool transpose) { + Eurydice_slice A_transpose, uint8_t *seed, bool transpose) { for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { size_t i1 = i0; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); uint8_t seeds[3U][34U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - core_array__core__clone__Clone_for__Array_T__N___clone( - (size_t)34U, seed, seeds[i], uint8_t, void *); + memcpy(seeds[i], copy_of_seed, (size_t)34U * sizeof(uint8_t)); } for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t j = i; seeds[j][32U] = (uint8_t)i1; seeds[j][33U] = (uint8_t)j; } - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 sampled[3U]; - libcrux_ml_kem_sampling_sample_from_xof_6c(seeds, sampled); + size_t sampled_coefficients[3U] = {0U}; + int16_t out[3U][272U] = {{0U}}; + libcrux_ml_kem_sampling_sample_from_xof_6c( + Eurydice_array_to_slice((size_t)3U, seeds, uint8_t[34U]), + Eurydice_array_to_slice((size_t)3U, sampled_coefficients, size_t), + Eurydice_array_to_slice((size_t)3U, out, int16_t[272U])); for (size_t i = (size_t)0U; i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)3U, sampled, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6), - libcrux_ml_kem_polynomial_PolynomialRingElement_f6); + Eurydice_array_to_slice((size_t)3U, out, int16_t[272U]), + int16_t[272U]); i++) { size_t j = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 sample = sampled[j]; + int16_t sample[272U]; + memcpy(sample, out[j], (size_t)272U * sizeof(int16_t)); if (transpose) { - A_transpose[j][i1] = sample; + Eurydice_slice uu____1 = Eurydice_array_to_subslice_to( + (size_t)272U, sample, 
(size_t)256U, int16_t, size_t, int16_t[]); + libcrux_ml_kem_polynomial_from_i16_array_d6_06( + uu____1, &Eurydice_slice_index( + A_transpose, j * (size_t)3U + i1, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *)); } else { - A_transpose[i1][j] = sample; + Eurydice_slice uu____2 = Eurydice_array_to_subslice_to( + (size_t)272U, sample, (size_t)256U, int16_t, size_t, int16_t[]); + libcrux_ml_kem_polynomial_from_i16_array_d6_06( + uu____2, &Eurydice_slice_index( + A_transpose, i1 * (size_t)3U + j, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *)); } } } 
@@ -3432,137 +3713,31 @@ A monomorphic instance of libcrux_ml_kem.ind_cpa.build_unpacked_public_key_mut with types libcrux_ml_kem_vector_avx2_SIMD256Vector, libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - K= 3 +- K_SQUARED= 9 - T_AS_NTT_ENCODED_SIZE= 1152 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_fa( +libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_b4( Eurydice_slice public_key, - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0 *unpacked_public_key) { Eurydice_slice uu____0 = Eurydice_slice_subslice_to( public_key, (size_t)1152U, uint8_t, size_t, uint8_t[]); libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_ab( - uu____0, unpacked_public_key->t_as_ntt); + uu____0, Eurydice_array_to_slice( + (size_t)3U, unpacked_public_key->t_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); Eurydice_slice seed = Eurydice_slice_subslice_from( public_key, (size_t)1152U, uint8_t, size_t, uint8_t[]); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6(*uu____1)[3U] = - unpacked_public_key->A; + Eurydice_slice uu____1 = Eurydice_array_to_slice( + (size_t)9U, unpacked_public_key->A, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6); uint8_t ret[34U]; libcrux_ml_kem_utils_into_padded_array_b6(seed, ret); libcrux_ml_kem_matrix_sample_matrix_A_6c(uu____1, ret, false); } -/** -A monomorphic instance of libcrux_ml_kem.ind_cpa.build_unpacked_public_key -with types libcrux_ml_kem_vector_avx2_SIMD256Vector, -libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics -- K= 3 -- T_AS_NTT_ENCODED_SIZE= 1152 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 - libcrux_ml_kem_ind_cpa_build_unpacked_public_key_fa( - Eurydice_slice public_key) { - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 - unpacked_public_key = 
libcrux_ml_kem_ind_cpa_unpacked_default_8b_ab(); - libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_fa(public_key, - &unpacked_public_key); - return unpacked_public_key; -} - -/** -A monomorphic instance of K. -with types libcrux_ml_kem_polynomial_PolynomialRingElement -libcrux_ml_kem_vector_avx2_SIMD256Vector[3size_t], -libcrux_ml_kem_polynomial_PolynomialRingElement -libcrux_ml_kem_vector_avx2_SIMD256Vector - -*/ -typedef struct tuple_ed0_s { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 fst[3U]; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 snd; -} tuple_ed0; - -/** -This function found in impl {core::ops::function::FnMut<(usize), -libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@2]> for libcrux_ml_kem::ind_cpa::encrypt_c1::closure[TraitClause@0, TraitClause@1, TraitClause@2, -TraitClause@3]} -*/ -/** -A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1.call_mut_f1 -with types libcrux_ml_kem_vector_avx2_SIMD256Vector, -libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics -- K= 3 -- C1_LEN= 960 -- U_COMPRESSION_FACTOR= 10 -- BLOCK_LEN= 320 -- ETA1= 2 -- ETA1_RANDOMNESS_SIZE= 128 -- ETA2= 2 -- ETA2_RANDOMNESS_SIZE= 128 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_f1_48(void **_, size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_84(); -} - -/** -A monomorphic instance of libcrux_ml_kem.hash_functions.avx2.PRFxN -with const generics -- K= 3 -- LEN= 128 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_PRFxN_41( - uint8_t (*input)[33U], uint8_t ret[3U][128U]) { - uint8_t out[3U][128U] = {{0U}}; - uint8_t out0[128U] = {0U}; - uint8_t out1[128U] = {0U}; - uint8_t out2[128U] = {0U}; - uint8_t out3[128U] = {0U}; - libcrux_sha3_avx2_x4_shake256( - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t), - Eurydice_array_to_slice((size_t)33U, 
input[1U], uint8_t), - Eurydice_array_to_slice((size_t)33U, input[2U], uint8_t), - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t), - Eurydice_array_to_slice((size_t)128U, out0, uint8_t), - Eurydice_array_to_slice((size_t)128U, out1, uint8_t), - Eurydice_array_to_slice((size_t)128U, out2, uint8_t), - Eurydice_array_to_slice((size_t)128U, out3, uint8_t)); - uint8_t uu____0[128U]; - memcpy(uu____0, out0, (size_t)128U * sizeof(uint8_t)); - memcpy(out[0U], uu____0, (size_t)128U * sizeof(uint8_t)); - uint8_t uu____1[128U]; - memcpy(uu____1, out1, (size_t)128U * sizeof(uint8_t)); - memcpy(out[1U], uu____1, (size_t)128U * sizeof(uint8_t)); - uint8_t uu____2[128U]; - memcpy(uu____2, out2, (size_t)128U * sizeof(uint8_t)); - memcpy(out[2U], uu____2, (size_t)128U * sizeof(uint8_t)); - memcpy(ret, out, (size_t)3U * sizeof(uint8_t[128U])); -} - -/** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::avx2::Simd256Hash} -*/ -/** -A monomorphic instance of libcrux_ml_kem.hash_functions.avx2.PRFxN_41 -with const generics -- K= 3 -- LEN= 128 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_PRFxN_41_41( - uint8_t (*input)[33U], uint8_t ret[3U][128U]) { - libcrux_ml_kem_hash_functions_avx2_PRFxN_41(input, ret); -} - /** Given a series of uniformly random bytes in `randomness`, for some number `eta`, the `sample_from_binomial_distribution_{eta}` functions sample a ring 
@@ -3619,10 +3794,9 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_84( - Eurydice_slice randomness) { - int16_t sampled_i16s[256U] = {0U}; +static KRML_MUSTINLINE void +libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_06( + Eurydice_slice randomness, Eurydice_slice sampled_i16s) { for (size_t i0 = (size_t)0U; i0 < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i0++) { size_t chunk_number = i0; @@ -3652,11 +3826,10 @@ libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_84( int16_t outcome_2 = (int16_t)(coin_toss_outcomes >> (uint32_t)(outcome_set0 + 2U) & 3U); size_t offset = (size_t)(outcome_set0 >> 2U); - sampled_i16s[(size_t)8U * chunk_number + offset] = outcome_1 - outcome_2; + Eurydice_slice_index(sampled_i16s, (size_t)8U * chunk_number + offset, + int16_t, int16_t *) = outcome_1 - outcome_2; } } - return libcrux_ml_kem_polynomial_from_i16_array_d6_84( - Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t)); } /** @@ -3666,11 +3839,11 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - ETA= 2 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 +static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_binomial_distribution_89( - Eurydice_slice randomness) { - return libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_84( - randomness); + Eurydice_slice randomness, int16_t *output) { + libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_06( + randomness, Eurydice_array_to_slice((size_t)256U, output, int16_t)); } /** 
@@ -3680,17 +3853,16 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_7_84( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_7_06( + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, __m256i *scratch) { size_t step = LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT / (size_t)2U; for (size_t i = (size_t)0U; i < step; i++) { size_t j = i; - __m256i t = libcrux_ml_kem_vector_avx2_multiply_by_constant_f5( - re->coefficients[j + step], (int16_t)-1600); - re->coefficients[j + step] = - libcrux_ml_kem_vector_avx2_sub_f5(re->coefficients[j], &t); - re->coefficients[j] = - libcrux_ml_kem_vector_avx2_add_f5(re->coefficients[j], &t); + scratch[0U] = re->coefficients[j + step]; + libcrux_ml_kem_vector_avx2_multiply_by_constant_f5(scratch, (int16_t)-1600); + re->coefficients[j + step] = re->coefficients[j]; + libcrux_ml_kem_vector_avx2_add_f5(&re->coefficients[j], scratch); + libcrux_ml_kem_vector_avx2_sub_f5(&re->coefficients[j + step], scratch); } } 
@@ -3702,23 +3874,24 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_84( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { - libcrux_ml_kem_ntt_ntt_at_layer_7_84(re); +libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_06( + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, __m256i *scratch) { + libcrux_ml_kem_ntt_ntt_at_layer_7_06(re, scratch); size_t zeta_i = (size_t)1U; - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_84(&zeta_i, re, (size_t)6U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_06(&zeta_i, re, (size_t)6U, scratch, (size_t)11207U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_84(&zeta_i, re, (size_t)5U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_06(&zeta_i, re, (size_t)5U, scratch, (size_t)11207U + (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_84( - &zeta_i, re, (size_t)4U, (size_t)11207U + (size_t)2U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_3_84( + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_06( + &zeta_i, re, (size_t)4U, scratch, + (size_t)11207U + (size_t)2U * (size_t)3328U); + libcrux_ml_kem_ntt_ntt_at_layer_3_06( &zeta_i, re, (size_t)11207U + (size_t)3U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_2_84( + libcrux_ml_kem_ntt_ntt_at_layer_2_06( &zeta_i, re, (size_t)11207U + (size_t)4U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_1_84( + libcrux_ml_kem_ntt_ntt_at_layer_1_06( &zeta_i, re, (size_t)11207U + (size_t)5U * (size_t)3328U); - libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_84(re); + libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_06(re); } /** 
@@ -3732,27 +3905,46 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - K= 3 - ETA= 2 - ETA_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE= 384 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE uint8_t -libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_b4( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re_as_ntt, - uint8_t *prf_input, uint8_t domain_separator) { +libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_cb(Eurydice_slice re_as_ntt, + uint8_t *prf_input, + uint8_t domain_separator, + __m256i *scratch) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[3U][33U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - core_array__core__clone__Clone_for__Array_T__N___clone( - (size_t)33U, prf_input, prf_inputs[i], uint8_t, void *); + memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t)); } domain_separator = libcrux_ml_kem_utils_prf_input_inc_e0(prf_inputs, domain_separator); - uint8_t prf_outputs[3U][128U]; - libcrux_ml_kem_hash_functions_avx2_PRFxN_41_41(prf_inputs, prf_outputs); + uint8_t prf_outputs[384U] = {0U}; + libcrux_ml_kem_hash_functions_avx2_PRFxN_26( + Eurydice_array_to_slice((size_t)3U, prf_inputs, uint8_t[33U]), + Eurydice_array_to_slice((size_t)384U, prf_outputs, uint8_t), + (size_t)128U); for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - re_as_ntt[i0] = - libcrux_ml_kem_sampling_sample_from_binomial_distribution_89( - Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t)); - libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_84(&re_as_ntt[i0]); + Eurydice_slice randomness = Eurydice_array_to_subslice3( + prf_outputs, i0 * (size_t)128U, (i0 + (size_t)1U) * (size_t)128U, + uint8_t *); + int16_t sample_buffer[256U] = {0U}; + libcrux_ml_kem_sampling_sample_from_binomial_distribution_89(randomness, + sample_buffer); + 
libcrux_ml_kem_polynomial_from_i16_array_d6_06( + Eurydice_array_to_slice((size_t)256U, sample_buffer, int16_t), + &Eurydice_slice_index( + re_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *)); + libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_06( + &Eurydice_slice_index( + re_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *), + scratch); } return domain_separator; } @@ -3760,16 +3952,17 @@ libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_b4( /** This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@2]> for libcrux_ml_kem::ind_cpa::encrypt_c1::closure#1[TraitClause@0, TraitClause@1, TraitClause@2, -TraitClause@3]} +TraitClause@2]> for libcrux_ml_kem::ind_cpa::encrypt_c1::closure[TraitClause@0, TraitClause@1, TraitClause@2, TraitClause@3]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1.call_mut_dd +A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1.call_mut_77 with types libcrux_ml_kem_vector_avx2_SIMD256Vector, libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - K= 3 +- K_SQUARED= 9 - C1_LEN= 960 - U_COMPRESSION_FACTOR= 10 - BLOCK_LEN= 320 @@ -3777,11 +3970,13 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_dd_48(void **_, size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_84(); +libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_77_a1(void **_, size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_06(); } /** 
@@ -3794,27 +3989,41 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - K= 3 - ETA2_RANDOMNESS_SIZE= 128 - ETA2= 2 +- PRF_OUTPUT_SIZE= 384 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE uint8_t -libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_b4( - uint8_t *prf_input, uint8_t domain_separator, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_1) { +libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_cb(uint8_t *prf_input, + uint8_t domain_separator, + Eurydice_slice error_1, + int16_t *sample_buffer) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[3U][33U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - core_array__core__clone__Clone_for__Array_T__N___clone( - (size_t)33U, prf_input, prf_inputs[i], uint8_t, void *); + memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t)); } domain_separator = libcrux_ml_kem_utils_prf_input_inc_e0(prf_inputs, domain_separator); - uint8_t prf_outputs[3U][128U]; - libcrux_ml_kem_hash_functions_avx2_PRFxN_41_41(prf_inputs, prf_outputs); + uint8_t prf_outputs[384U] = {0U}; + Eurydice_slice uu____1 = core_array___Array_T__N___as_slice( + (size_t)3U, prf_inputs, uint8_t[33U], Eurydice_slice); + libcrux_ml_kem_hash_functions_avx2_PRFxN_26( + uu____1, Eurydice_array_to_slice((size_t)384U, prf_outputs, uint8_t), + (size_t)128U); for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = - libcrux_ml_kem_sampling_sample_from_binomial_distribution_89( - Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t)); - error_1[i0] = uu____0; + Eurydice_slice randomness = Eurydice_array_to_subslice3( + prf_outputs, i0 * (size_t)128U, (i0 + (size_t)1U) * (size_t)128U, + uint8_t *); + libcrux_ml_kem_sampling_sample_from_binomial_distribution_89(randomness, + sample_buffer); + 
libcrux_ml_kem_polynomial_from_i16_array_d6_06( + Eurydice_array_to_slice((size_t)256U, sample_buffer, int16_t), + &Eurydice_slice_index( + error_1, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *)); } return domain_separator; } 
@@ -3826,46 +4035,68 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_PRF_a6( - Eurydice_slice input, uint8_t ret[128U]) { - uint8_t digest[128U] = {0U}; - libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)128U, digest, uint8_t), input); - memcpy(ret, digest, (size_t)128U * sizeof(uint8_t)); + Eurydice_slice input, Eurydice_slice out) { + libcrux_sha3_portable_shake256(out, input); } /** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for +This function found in impl {libcrux_ml_kem::hash_functions::Hash for libcrux_ml_kem::hash_functions::avx2::Simd256Hash} */ /** -A monomorphic instance of libcrux_ml_kem.hash_functions.avx2.PRF_41 +A monomorphic instance of libcrux_ml_kem.hash_functions.avx2.PRF_26 with const generics -- K= 3 - LEN= 128 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_PRF_41_410( - Eurydice_slice input, uint8_t ret[128U]) { - libcrux_ml_kem_hash_functions_avx2_PRF_a6(input, ret); +static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_PRF_26_a6( + Eurydice_slice input, Eurydice_slice out) { + libcrux_ml_kem_hash_functions_avx2_PRF_a6(input, out); } /** This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]> for libcrux_ml_kem::matrix::compute_vector_u::closure[TraitClause@0, TraitClause@1]} +TraitClause@2]> for libcrux_ml_kem::ind_cpa::encrypt_c1::closure#1[TraitClause@0, TraitClause@1, TraitClause@2, TraitClause@3]} */ /** -A monomorphic instance of libcrux_ml_kem.matrix.compute_vector_u.call_mut_a8 +A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1.call_mut_88 +with types libcrux_ml_kem_vector_avx2_SIMD256Vector, +libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics +- K= 3 +- K_SQUARED= 9 +- C1_LEN= 960 +- U_COMPRESSION_FACTOR= 10 +- BLOCK_LEN= 320 +- ETA1= 2 +- 
ETA1_RANDOMNESS_SIZE= 128 +- ETA2= 2 +- ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 +libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_88_a1(void **_, size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_06(); +} + +/** +A monomorphic instance of libcrux_ml_kem.matrix.entry with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_matrix_compute_vector_u_call_mut_a8_ab(void **_, - size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_84(); +static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 * +libcrux_ml_kem_matrix_entry_ab(Eurydice_slice matrix, size_t i, size_t j) { + return &Eurydice_slice_index( + matrix, i * (size_t)3U + j, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *); } /** 
@@ -3875,19 +4106,17 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_84( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_06( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t j = i; - __m256i coefficient_normal_form = - libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_f5( - myself->coefficients[j], (int16_t)1441); - __m256i sum = libcrux_ml_kem_vector_avx2_add_f5(coefficient_normal_form, - &error->coefficients[j]); - __m256i red = libcrux_ml_kem_vector_avx2_barrett_reduce_f5(sum); - myself->coefficients[j] = red; + libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_f5( + &myself->coefficients[j], (int16_t)1441); + libcrux_ml_kem_vector_avx2_add_f5(&myself->coefficients[j], + &error->coefficients[j]); + libcrux_ml_kem_vector_avx2_barrett_reduce_f5(&myself->coefficients[j]); } } @@ -3903,10 +4132,10 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_d6_84( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_d6_06( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) { - libcrux_ml_kem_polynomial_add_error_reduce_84(self, error); + libcrux_ml_kem_polynomial_add_error_reduce_06(self, error); } /** 
@@ -3920,46 +4149,40 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_vector_u_ab( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 (*a_as_ntt)[3U], - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *r_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_1, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - result[i] = - libcrux_ml_kem_matrix_compute_vector_u_call_mut_a8_ab(&lvalue, i); - } - for (size_t i0 = (size_t)0U; - i0 < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)3U, a_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U]), - libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U]); - i0++) { + Eurydice_slice a_as_ntt, Eurydice_slice r_as_ntt, Eurydice_slice error_1, + Eurydice_slice result, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch) { + for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { size_t i1 = i0; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *row = a_as_ntt[i1]; - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)3U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6), - libcrux_ml_kem_polynomial_PolynomialRingElement_f6); - i++) { + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t j = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *a_element = &row[j]; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - libcrux_ml_kem_polynomial_ntt_multiply_d6_84(a_element, &r_as_ntt[j]); - libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab(&result[i1], - &product); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *uu____0 = + libcrux_ml_kem_matrix_entry_ab(a_as_ntt, i1, j); + libcrux_ml_kem_polynomial_ntt_multiply_d6_06( + uu____0, 
+ &Eurydice_slice_index( + r_as_ntt, j, libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *), + scratch); + libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab( + &Eurydice_slice_index( + result, i1, libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *), + scratch); } - libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_ab(&result[i1]); - libcrux_ml_kem_polynomial_add_error_reduce_d6_84(&result[i1], &error_1[i1]); + libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_ab( + &Eurydice_slice_index( + result, i1, libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *), + scratch); + libcrux_ml_kem_polynomial_add_error_reduce_d6_06( + &Eurydice_slice_index( + result, i1, libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *), + &Eurydice_slice_index( + error_1, i1, libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *)); } - memcpy( - ret, result, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); } /** @@ -3969,9 +4192,9 @@ generics - COEFFICIENT_BITS= 10 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_ef( - __m256i vector) { + __m256i *vector) { __m256i field_modulus_halved = libcrux_intrinsics_avx2_mm256_set1_epi32( ((int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS - (int32_t)1) / (int32_t)2); 
@@ -3980,7 +4203,7 @@ libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_ef( __m256i coefficient_bits_mask = libcrux_intrinsics_avx2_mm256_set1_epi32( ((int32_t)1 << (uint32_t)(int32_t)10) - (int32_t)1); __m128i coefficients_low = - libcrux_intrinsics_avx2_mm256_castsi256_si128(vector); + libcrux_intrinsics_avx2_mm256_castsi256_si128(vector[0U]); __m256i coefficients_low0 = libcrux_intrinsics_avx2_mm256_cvtepi16_epi32(coefficients_low); __m256i compressed_low = libcrux_intrinsics_avx2_mm256_slli_epi32( @@ -3995,7 +4218,7 @@ libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_ef( __m256i compressed_low3 = libcrux_intrinsics_avx2_mm256_and_si256( compressed_low2, coefficient_bits_mask); __m128i coefficients_high = libcrux_intrinsics_avx2_mm256_extracti128_si256( - (int32_t)1, vector, __m128i); + (int32_t)1, vector[0U], __m128i); __m256i coefficients_high0 = libcrux_intrinsics_avx2_mm256_cvtepi16_epi32(coefficients_high); __m256i compressed_high = libcrux_intrinsics_avx2_mm256_slli_epi32( @@ -4011,8 +4234,8 @@ libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_ef( compressed_high2, coefficient_bits_mask); __m256i compressed = libcrux_intrinsics_avx2_mm256_packs_epi32( compressed_low3, compressed_high3); - return libcrux_intrinsics_avx2_mm256_permute4x64_epi64((int32_t)216, - compressed, __m256i); + vector[0U] = libcrux_intrinsics_avx2_mm256_permute4x64_epi64( + (int32_t)216, compressed, __m256i); } /** @@ -4021,9 +4244,9 @@ with const generics - COEFFICIENT_BITS= 10 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_compress_ef(__m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_ef( +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_compress_ef( + __m256i *vector) { + libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_ef( vector); } 
@@ -4037,9 +4260,9 @@ with const generics - COEFFICIENT_BITS= 10 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_compress_f5_ef(__m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_ef(vector); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_compress_f5_ef( + __m256i *vec) { + libcrux_ml_kem_vector_avx2_compress_ef(vec); } /** @@ -4051,22 +4274,19 @@ with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_serialize_compress_then_serialize_10_0e( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, uint8_t ret[320U]) { - uint8_t serialized[320U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, + Eurydice_slice serialized, __m256i *scratch) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - __m256i coefficient = libcrux_ml_kem_vector_avx2_compress_f5_ef( - libcrux_ml_kem_serialize_to_unsigned_field_modulus_84( - re->coefficients[i0])); - uint8_t bytes[20U]; - libcrux_ml_kem_vector_avx2_serialize_10_f5(coefficient, bytes); - Eurydice_slice_copy( - Eurydice_array_to_subslice3(serialized, (size_t)20U * i0, - (size_t)20U * i0 + (size_t)20U, uint8_t *), - Eurydice_array_to_slice((size_t)20U, bytes, uint8_t), uint8_t); + libcrux_ml_kem_serialize_to_unsigned_field_modulus_06(&re->coefficients[i0], + scratch); + libcrux_ml_kem_vector_avx2_compress_f5_ef(scratch); + libcrux_ml_kem_vector_avx2_serialize_10_f5( + scratch, + Eurydice_slice_subslice3(serialized, (size_t)20U * i0, + (size_t)20U * i0 + (size_t)20U, uint8_t *)); } - memcpy(ret, serialized, (size_t)320U * sizeof(uint8_t)); } /** 
@@ -4079,10 +4299,10 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_serialize_compress_then_serialize_ring_element_u_a4( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, uint8_t ret[320U]) { - uint8_t uu____0[320U]; - libcrux_ml_kem_serialize_compress_then_serialize_10_0e(re, uu____0); - memcpy(ret, uu____0, (size_t)320U * sizeof(uint8_t)); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, + Eurydice_slice serialized, __m256i *scratch) { + libcrux_ml_kem_serialize_compress_then_serialize_10_0e(re, serialized, + scratch); } /** @@ -4100,7 +4320,7 @@ with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_compress_then_serialize_u_8c( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 input[3U], - Eurydice_slice out) { + Eurydice_slice out, __m256i *scratch) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( @@ -4110,14 +4330,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_compress_then_serialize_u_8c( i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = input[i0]; - Eurydice_slice uu____0 = Eurydice_slice_subslice3( - out, i0 * ((size_t)960U / (size_t)3U), - (i0 + (size_t)1U) * ((size_t)960U / (size_t)3U), uint8_t *); - uint8_t ret[320U]; - libcrux_ml_kem_serialize_compress_then_serialize_ring_element_u_a4(&re, - ret); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)320U, ret, uint8_t), uint8_t); + libcrux_ml_kem_serialize_compress_then_serialize_ring_element_u_a4( + &re, + Eurydice_slice_subslice3( + out, i0 * ((size_t)960U / (size_t)3U), + (i0 + (size_t)1U) * ((size_t)960U / (size_t)3U), uint8_t *), + scratch); } } 
@@ -4126,6 +4344,7 @@ A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1 with types libcrux_ml_kem_vector_avx2_SIMD256Vector, libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - K= 3 +- K_SQUARED= 9 - C1_LEN= 960 - U_COMPRESSION_FACTOR= 10 - BLOCK_LEN= 320 
@@ -4133,56 +4352,81 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE tuple_ed0 libcrux_ml_kem_ind_cpa_encrypt_c1_48( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_c1_a1( Eurydice_slice randomness, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 (*matrix)[3U], - Eurydice_slice ciphertext) { + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *matrix, + Eurydice_slice ciphertext, Eurydice_slice r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_2, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch) { uint8_t prf_input[33U]; libcrux_ml_kem_utils_into_padded_array_c8(randomness, prf_input); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 r_as_ntt[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - r_as_ntt[i] = libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_f1_48(&lvalue, i); - } uint8_t domain_separator0 = - libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_b4(r_as_ntt, prf_input, - 0U); + libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_cb( + r_as_ntt, prf_input, 0U, scratch->coefficients); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 error_1[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { /* original Rust expression is not an lvalue in C */ void *lvalue = (void *)0U; - error_1[i] = libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_dd_48(&lvalue, i); + error_1[i] = libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_77_a1(&lvalue, i); } - uint8_t domain_separator = libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_b4( - prf_input, domain_separator0, error_1); + int16_t sampling_buffer[256U] = {0U}; + uint8_t domain_separator = libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_cb( + prf_input, domain_separator0, + Eurydice_array_to_slice( + 
(size_t)3U, error_1, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6), + sampling_buffer); prf_input[32U] = domain_separator; - uint8_t prf_output[128U]; - libcrux_ml_kem_hash_functions_avx2_PRF_41_410( - Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t), prf_output); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 error_2 = - libcrux_ml_kem_sampling_sample_from_binomial_distribution_89( - Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t)); + uint8_t prf_output[128U] = {0U}; + libcrux_ml_kem_hash_functions_avx2_PRF_26_a6( + Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t), + Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t)); + libcrux_ml_kem_sampling_sample_from_binomial_distribution_89( + Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t), + sampling_buffer); + libcrux_ml_kem_polynomial_from_i16_array_d6_06( + Eurydice_array_to_slice((size_t)256U, sampling_buffer, int16_t), error_2); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 u[3U]; - libcrux_ml_kem_matrix_compute_vector_u_ab(matrix, r_as_ntt, error_1, u); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0[3U]; - memcpy( - uu____0, u, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); - libcrux_ml_kem_ind_cpa_compress_then_serialize_u_8c(uu____0, ciphertext); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + u[i] = libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_88_a1(&lvalue, i); + } + libcrux_ml_kem_matrix_compute_vector_u_ab( + Eurydice_array_to_slice( + (size_t)9U, matrix, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6), + r_as_ntt, + Eurydice_array_to_slice( + (size_t)3U, error_1, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6), + Eurydice_array_to_slice( + (size_t)3U, u, libcrux_ml_kem_polynomial_PolynomialRingElement_f6), + scratch); /* Passing arrays by value in Rust generates a copy in C */ - 
libcrux_ml_kem_polynomial_PolynomialRingElement_f6 copy_of_r_as_ntt[3U]; - memcpy( - copy_of_r_as_ntt, r_as_ntt, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); - tuple_ed0 lit; + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 copy_of_u[3U]; memcpy( - lit.fst, copy_of_r_as_ntt, + copy_of_u, u, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); - lit.snd = error_2; - return lit; + libcrux_ml_kem_ind_cpa_compress_then_serialize_u_8c(copy_of_u, ciphertext, + scratch->coefficients); +} + +/** +A monomorphic instance of libcrux_ml_kem.vector.traits.decompress_1 +with types libcrux_ml_kem_vector_avx2_SIMD256Vector +with const generics + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_kem_vector_traits_decompress_1_06( + __m256i *vec) { + libcrux_ml_kem_vector_avx2_negate_f5(vec); + libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_f5(vec, (int16_t)1665); } /** 
@@ -4192,21 +4436,18 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_serialize_deserialize_then_decompress_message_84( - uint8_t *serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = - libcrux_ml_kem_polynomial_ZERO_d6_84(); +static KRML_MUSTINLINE void +libcrux_ml_kem_serialize_deserialize_then_decompress_message_06( + uint8_t *serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t i0 = i; - __m256i coefficient_compressed = - libcrux_ml_kem_vector_avx2_deserialize_1_f5(Eurydice_array_to_subslice3( - serialized, (size_t)2U * i0, (size_t)2U * i0 + (size_t)2U, - uint8_t *)); - re.coefficients[i0] = - libcrux_ml_kem_vector_avx2_decompress_1_f5(coefficient_compressed); + libcrux_ml_kem_vector_avx2_deserialize_1_f5( + Eurydice_array_to_subslice3(serialized, (size_t)2U * i0, + (size_t)2U * i0 + (size_t)2U, uint8_t *), + &re->coefficients[i0]); + libcrux_ml_kem_vector_traits_decompress_1_06(&re->coefficients[i0]); } - return re; } /** 
@@ -4216,25 +4457,22 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_add_message_error_reduce_84( +static KRML_MUSTINLINE void +libcrux_ml_kem_polynomial_add_message_error_reduce_06( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result) { + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *result, + __m256i *scratch) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - __m256i coefficient_normal_form = - libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_f5( - result.coefficients[i0], (int16_t)1441); - __m256i sum1 = libcrux_ml_kem_vector_avx2_add_f5( - myself->coefficients[i0], &message->coefficients[i0]); - __m256i sum2 = - libcrux_ml_kem_vector_avx2_add_f5(coefficient_normal_form, &sum1); - __m256i red = libcrux_ml_kem_vector_avx2_barrett_reduce_f5(sum2); - result.coefficients[i0] = red; + libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_f5( + &result->coefficients[i0], (int16_t)1441); + scratch[0U] = myself->coefficients[i0]; + libcrux_ml_kem_vector_avx2_add_f5(scratch, &message->coefficients[i0]); + libcrux_ml_kem_vector_avx2_add_f5(&result->coefficients[i0], scratch); + libcrux_ml_kem_vector_avx2_barrett_reduce_f5(&result->coefficients[i0]); } - return result; } /** 
@@ -4249,13 +4487,14 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_add_message_error_reduce_d6_84( +static KRML_MUSTINLINE void +libcrux_ml_kem_polynomial_add_message_error_reduce_d6_06( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result) { - return libcrux_ml_kem_polynomial_add_message_error_reduce_84(self, message, - result); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *result, + __m256i *scratch) { + libcrux_ml_kem_polynomial_add_message_error_reduce_06(self, message, result, + scratch); } /** 
@@ -4268,24 +4507,26 @@ with const generics - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_matrix_compute_ring_element_v_ab( +static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_ring_element_v_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *t_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *r_as_ntt, + Eurydice_slice r_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_2, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = - libcrux_ml_kem_polynomial_ZERO_d6_84(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *result, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch) { for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - libcrux_ml_kem_polynomial_ntt_multiply_d6_84(&t_as_ntt[i0], - &r_as_ntt[i0]); - libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab(&result, &product); + libcrux_ml_kem_polynomial_ntt_multiply_d6_06( + &t_as_ntt[i0], + &Eurydice_slice_index( + r_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *), + scratch); + libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab(result, scratch); } - libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_ab(&result); - return libcrux_ml_kem_polynomial_add_message_error_reduce_d6_84( - error_2, message, result); + libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_ab(result, scratch); + libcrux_ml_kem_polynomial_add_message_error_reduce_d6_06( + error_2, message, result, scratch->coefficients); } /** 
@@ -4295,9 +4536,9 @@ generics - COEFFICIENT_BITS= 4 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_d1( - __m256i vector) { + __m256i *vector) { __m256i field_modulus_halved = libcrux_intrinsics_avx2_mm256_set1_epi32( ((int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS - (int32_t)1) / (int32_t)2); @@ -4306,7 +4547,7 @@ libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_d1( __m256i coefficient_bits_mask = libcrux_intrinsics_avx2_mm256_set1_epi32( ((int32_t)1 << (uint32_t)(int32_t)4) - (int32_t)1); __m128i coefficients_low = - libcrux_intrinsics_avx2_mm256_castsi256_si128(vector); + libcrux_intrinsics_avx2_mm256_castsi256_si128(vector[0U]); __m256i coefficients_low0 = libcrux_intrinsics_avx2_mm256_cvtepi16_epi32(coefficients_low); __m256i compressed_low = libcrux_intrinsics_avx2_mm256_slli_epi32( @@ -4321,7 +4562,7 @@ libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_d1( __m256i compressed_low3 = libcrux_intrinsics_avx2_mm256_and_si256( compressed_low2, coefficient_bits_mask); __m128i coefficients_high = libcrux_intrinsics_avx2_mm256_extracti128_si256( - (int32_t)1, vector, __m128i); + (int32_t)1, vector[0U], __m128i); __m256i coefficients_high0 = libcrux_intrinsics_avx2_mm256_cvtepi16_epi32(coefficients_high); __m256i compressed_high = libcrux_intrinsics_avx2_mm256_slli_epi32( @@ -4337,8 +4578,8 @@ libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_d1( compressed_high2, coefficient_bits_mask); __m256i compressed = libcrux_intrinsics_avx2_mm256_packs_epi32( compressed_low3, compressed_high3); - return libcrux_intrinsics_avx2_mm256_permute4x64_epi64((int32_t)216, - compressed, __m256i); + vector[0U] = libcrux_intrinsics_avx2_mm256_permute4x64_epi64( + (int32_t)216, compressed, __m256i); } /** 
@@ -4347,9 +4588,9 @@ with const generics - COEFFICIENT_BITS= 4 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_compress_d1(__m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_d1( +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_compress_d1( + __m256i *vector) { + libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_d1( vector); } @@ -4363,9 +4604,9 @@ with const generics - COEFFICIENT_BITS= 4 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_compress_f5_d1(__m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_d1(vector); +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_compress_f5_d1( + __m256i *vec) { + libcrux_ml_kem_vector_avx2_compress_d1(vec); } /** @@ -4376,21 +4617,19 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_serialize_compress_then_serialize_4_84( +libcrux_ml_kem_serialize_compress_then_serialize_4_06( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re, - Eurydice_slice serialized) { + Eurydice_slice serialized, __m256i *scratch) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - __m256i coefficient = libcrux_ml_kem_vector_avx2_compress_f5_d1( - libcrux_ml_kem_serialize_to_unsigned_field_modulus_84( - re.coefficients[i0])); - uint8_t bytes[8U]; - libcrux_ml_kem_vector_avx2_serialize_4_f5(coefficient, bytes); - Eurydice_slice_copy( + libcrux_ml_kem_serialize_to_unsigned_field_modulus_06(&re.coefficients[i0], + scratch); + libcrux_ml_kem_vector_avx2_compress_f5_d1(scratch); + libcrux_ml_kem_vector_avx2_serialize_4_f5( + scratch, Eurydice_slice_subslice3(serialized, (size_t)8U * i0, - (size_t)8U * i0 + (size_t)8U, uint8_t *), - Eurydice_array_to_slice((size_t)8U, bytes, uint8_t), uint8_t); + (size_t)8U * i0 + (size_t)8U, uint8_t *)); } } 
@@ -4405,8 +4644,9 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_serialize_compress_then_serialize_ring_element_v_ed( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re, Eurydice_slice out) { - libcrux_ml_kem_serialize_compress_then_serialize_4_84(re, out); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re, Eurydice_slice out, + __m256i *scratch) { + libcrux_ml_kem_serialize_compress_then_serialize_4_06(re, out, scratch); } /** @@ -4420,16 +4660,20 @@ with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_c2_ed( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *t_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *r_as_ntt, + Eurydice_slice r_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_2, - uint8_t *message, Eurydice_slice ciphertext) { + uint8_t *message, Eurydice_slice ciphertext, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 message_as_ring_element = - libcrux_ml_kem_serialize_deserialize_then_decompress_message_84(message); + libcrux_ml_kem_polynomial_ZERO_d6_06(); + libcrux_ml_kem_serialize_deserialize_then_decompress_message_06( + message, &message_as_ring_element); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 v = - libcrux_ml_kem_matrix_compute_ring_element_v_ab( - t_as_ntt, r_as_ntt, error_2, &message_as_ring_element); + libcrux_ml_kem_polynomial_ZERO_d6_06(); + libcrux_ml_kem_matrix_compute_ring_element_v_ab( + t_as_ntt, r_as_ntt, error_2, &message_as_ring_element, &v, scratch); libcrux_ml_kem_serialize_compress_then_serialize_ring_element_v_ed( - v, ciphertext); + v, ciphertext, scratch->coefficients); } /** 
@@ -4478,6 +4722,7 @@ A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_unpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector, libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - T_AS_NTT_ENCODED_SIZE= 1152 - C1_LEN= 960 
@@ -4489,31 +4734,25 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_unpacked_74( - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 *public_key, - uint8_t *message, Eurydice_slice randomness, uint8_t ret[1088U]) { - uint8_t ciphertext[1088U] = {0U}; - tuple_ed0 uu____0 = libcrux_ml_kem_ind_cpa_encrypt_c1_48( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_unpacked_67( + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0 *public_key, + uint8_t *message, Eurydice_slice randomness, Eurydice_slice ciphertext, + Eurydice_slice r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_2, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch) { + libcrux_ml_kem_ind_cpa_encrypt_c1_a1( randomness, public_key->A, - Eurydice_array_to_subslice3(ciphertext, (size_t)0U, (size_t)960U, - uint8_t *)); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 r_as_ntt[3U]; - memcpy( - r_as_ntt, uu____0.fst, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 error_2 = uu____0.snd; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *uu____1 = - public_key->t_as_ntt; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *uu____2 = r_as_ntt; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *uu____3 = &error_2; - uint8_t *uu____4 = message; + Eurydice_slice_subslice3(ciphertext, (size_t)0U, (size_t)960U, uint8_t *), + r_as_ntt, error_2, scratch); libcrux_ml_kem_ind_cpa_encrypt_c2_ed( - uu____1, uu____2, uu____3, uu____4, - Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, (size_t)960U, - uint8_t, size_t, uint8_t[])); - memcpy(ret, ciphertext, (size_t)1088U * sizeof(uint8_t)); + public_key->t_as_ntt, r_as_ntt, error_2, 
message, + Eurydice_slice_subslice_from(ciphertext, (size_t)960U, uint8_t, size_t, + uint8_t[]), + scratch); } /** @@ -4521,6 +4760,7 @@ A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt with types libcrux_ml_kem_vector_avx2_SIMD256Vector, libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - T_AS_NTT_ENCODED_SIZE= 1152 - C1_LEN= 960 @@ -4532,18 +4772,22 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_74( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_67( Eurydice_slice public_key, uint8_t *message, Eurydice_slice randomness, - uint8_t ret[1088U]) { - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 - unpacked_public_key = - libcrux_ml_kem_ind_cpa_build_unpacked_public_key_fa(public_key); - uint8_t ret0[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_unpacked_74(&unpacked_public_key, message, - randomness, ret0); - memcpy(ret, ret0, (size_t)1088U * sizeof(uint8_t)); + Eurydice_slice ciphertext, Eurydice_slice r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_2, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch) { + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0 + unpacked_public_key = libcrux_ml_kem_ind_cpa_unpacked_default_50_ed(); + libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_b4(public_key, + &unpacked_public_key); + libcrux_ml_kem_ind_cpa_encrypt_unpacked_67(&unpacked_public_key, message, + randomness, ciphertext, r_as_ntt, + error_2, scratch); } /** 
@@ -4559,11 +4803,8 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_variant_kdf_39_ae( - Eurydice_slice shared_secret, uint8_t *_, uint8_t ret[32U]) { - uint8_t out[32U] = {0U}; - Eurydice_slice_copy(Eurydice_array_to_slice((size_t)32U, out, uint8_t), - shared_secret, uint8_t); - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); + Eurydice_slice shared_secret, uint8_t *_, Eurydice_slice out) { + Eurydice_slice_copy(out, shared_secret, uint8_t); } /** @@ -4575,6 +4816,7 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector, libcrux_ml_kem_hash_functions_avx2_Simd256Hash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 @@ -4589,10 +4831,12 @@ with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_a1( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_57( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { Eurydice_slice_uint8_t_x4 uu____0 = 
@@ -4602,9 +4846,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_a1( Eurydice_slice ind_cpa_public_key = uu____0.snd; Eurydice_slice ind_cpa_public_key_hash = uu____0.thd; Eurydice_slice implicit_rejection_value = uu____0.f3; - uint8_t decrypted[32U]; - libcrux_ml_kem_ind_cpa_decrypt_2f(ind_cpa_secret_key, ciphertext->value, - decrypted); + uint8_t decrypted[32U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 scratch = + libcrux_ml_kem_polynomial_ZERO_d6_06(); + libcrux_ml_kem_ind_cpa_decrypt_2f( + ind_cpa_secret_key, ciphertext->value, + Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), &scratch); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array_24( Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0); @@ -4613,9 +4860,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_a1( (size_t)64U, to_hash0, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, size_t, uint8_t[]), ind_cpa_public_key_hash, uint8_t); - uint8_t hashed[64U]; - libcrux_ml_kem_hash_functions_avx2_G_41_e0( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed); + uint8_t hashed[64U] = {0U}; + libcrux_ml_kem_hash_functions_avx2_G_26( + Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t)); Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, 
@@ -4629,38 +4877,54 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_a1( uint8_t, size_t, uint8_t[]); Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_d3_80(ciphertext), uint8_t); - uint8_t implicit_rejection_shared_secret0[32U]; - libcrux_ml_kem_hash_functions_avx2_PRF_41_41( + uint8_t implicit_rejection_shared_secret[32U] = {0U}; + libcrux_ml_kem_hash_functions_avx2_PRF_26_9e( Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t), - implicit_rejection_shared_secret0); - uint8_t expected_ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_74(ind_cpa_public_key, decrypted, - pseudorandomness, expected_ciphertext); - uint8_t implicit_rejection_shared_secret[32U]; + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, + uint8_t)); + uint8_t expected_ciphertext[1088U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 r_as_ntt[3U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + r_as_ntt[i] = libcrux_ml_kem_ind_cca_decapsulate_call_mut_5f_57(&lvalue, i); + } + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 error_2 = + libcrux_ml_kem_polynomial_ZERO_d6_06(); + libcrux_ml_kem_ind_cpa_encrypt_67( + ind_cpa_public_key, decrypted, pseudorandomness, + Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t), + Eurydice_array_to_slice( + (size_t)3U, r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6), + &error_2, &scratch); + uint8_t implicit_rejection_shared_secret_kdf[32U] = {0U}; libcrux_ml_kem_variant_kdf_39_ae( - Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t), - libcrux_ml_kem_types_as_slice_a9_80(ciphertext), - implicit_rejection_shared_secret); - uint8_t shared_secret[32U]; + ciphertext->value, + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret_kdf, + uint8_t)); + 
uint8_t shared_secret_kdf[32U] = {0U}; libcrux_ml_kem_variant_kdf_39_ae( - shared_secret0, libcrux_ml_kem_types_as_slice_a9_80(ciphertext), - shared_secret); - uint8_t ret0[32U]; + shared_secret0, ciphertext->value, + Eurydice_array_to_slice((size_t)32U, shared_secret_kdf, uint8_t)); + uint8_t shared_secret[32U] = {0U}; libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( libcrux_ml_kem_types_as_ref_d3_80(ciphertext), Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t), - Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t), - Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, + Eurydice_array_to_slice((size_t)32U, shared_secret_kdf, uint8_t), + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret_kdf, uint8_t), - ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t)); + memcpy(ret, shared_secret, (size_t)32U * sizeof(uint8_t)); } /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.decapsulate_avx2 with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 
@@ -4675,20 +4939,23 @@ libcrux_ml_kem.ind_cca.instantiations.avx2.decapsulate_avx2 with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ KRML_ATTRIBUTE_TARGET("avx2") static inline void -libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate_avx2_35( +libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate_avx2_54( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_decapsulate_a1(private_key, ciphertext, ret); + libcrux_ml_kem_ind_cca_decapsulate_57(private_key, ciphertext, ret); } /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.decapsulate with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 @@ -4703,13 +4970,15 @@ with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate_35( +static inline void libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate_54( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate_avx2_35( + libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate_avx2_54( private_key, ciphertext, ret); } 
@@ -4724,7 +4993,7 @@ KRML_ATTRIBUTE_TARGET("avx2") static inline void libcrux_ml_kem_mlkem768_avx2_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate_35(private_key, + libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate_54(private_key, ciphertext, ret); } 
@@ -4739,27 +5008,48 @@ with const generics - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_variant_entropy_preprocess_39_be( - Eurydice_slice randomness, uint8_t ret[32U]) { - uint8_t out[32U] = {0U}; - Eurydice_slice_copy(Eurydice_array_to_slice((size_t)32U, out, uint8_t), - randomness, uint8_t); - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); +static KRML_MUSTINLINE void libcrux_ml_kem_variant_entropy_preprocess_39_3f( + Eurydice_slice randomness, Eurydice_slice out) { + Eurydice_slice_copy(out, randomness, uint8_t); } /** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::avx2::Simd256Hash} +This function found in impl {core::ops::function::FnMut<(usize), +libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@3]> for libcrux_ml_kem::ind_cca::encapsulate::closure[TraitClause@0, +TraitClause@1, TraitClause@2, TraitClause@3, TraitClause@4, TraitClause@5]} */ /** -A monomorphic instance of libcrux_ml_kem.hash_functions.avx2.H_41 +A monomorphic instance of libcrux_ml_kem.ind_cca.encapsulate.call_mut_c0 +with types libcrux_ml_kem_vector_avx2_SIMD256Vector, +libcrux_ml_kem_hash_functions_avx2_Simd256Hash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 +- CIPHERTEXT_SIZE= 1088 +- PUBLIC_KEY_SIZE= 1184 +- T_AS_NTT_ENCODED_SIZE= 1152 +- C1_SIZE= 960 +- C2_SIZE= 128 +- VECTOR_U_COMPRESSION_FACTOR= 10 +- VECTOR_V_COMPRESSION_FACTOR= 4 +- C1_BLOCK_SIZE= 320 +- ETA1= 2 +- ETA1_RANDOMNESS_SIZE= 128 +- ETA2= 2 +- ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_H_41_e0( - Eurydice_slice input, uint8_t ret[32U]) { - libcrux_ml_kem_hash_functions_avx2_H(input, ret); +static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 +libcrux_ml_kem_ind_cca_encapsulate_call_mut_c0_a1(void **_, + size_t tupled_args) { + 
return libcrux_ml_kem_polynomial_ZERO_d6_06(); } /** @@ -4768,6 +5058,7 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector, libcrux_ml_kem_hash_functions_avx2_Simd256Hash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - PUBLIC_KEY_SIZE= 1184 - T_AS_NTT_ENCODED_SIZE= 1152 
@@ -4780,50 +5071,70 @@ with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_70( +static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_a1( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, uint8_t *randomness) { - uint8_t randomness0[32U]; - libcrux_ml_kem_variant_entropy_preprocess_39_be( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), randomness0); + uint8_t processed_randomness[32U] = {0U}; + libcrux_ml_kem_variant_entropy_preprocess_39_3f( + Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), + Eurydice_array_to_slice((size_t)32U, processed_randomness, uint8_t)); uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array_24( - Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t), to_hash); - Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( - (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, uint8_t[]); - uint8_t ret0[32U]; - libcrux_ml_kem_hash_functions_avx2_H_41_e0( - Eurydice_array_to_slice((size_t)1184U, - libcrux_ml_kem_types_as_slice_e6_d0(public_key), - uint8_t), - ret0); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)32U, ret0, uint8_t), uint8_t); - uint8_t hashed[64U]; - libcrux_ml_kem_hash_functions_avx2_G_41_e0( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), hashed); + Eurydice_array_to_slice((size_t)32U, processed_randomness, uint8_t), + to_hash); + Eurydice_slice uu____0 = Eurydice_array_to_slice( + (size_t)1184U, libcrux_ml_kem_types_as_slice_e6_d0(public_key), uint8_t); + libcrux_ml_kem_hash_functions_avx2_H_26( + uu____0, Eurydice_array_to_subslice_from( + (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, + uint8_t, size_t, uint8_t[])); + uint8_t hashed[64U] = {0U}; + libcrux_ml_kem_hash_functions_avx2_G_26( + 
Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t)); Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; - uint8_t ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_74( + libcrux_ml_kem_mlkem768_MlKem768Ciphertext ciphertext = + libcrux_ml_kem_types_default_73_80(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 r_as_ntt[3U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + r_as_ntt[i] = libcrux_ml_kem_ind_cca_encapsulate_call_mut_c0_a1(&lvalue, i); + } + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 error_2 = + libcrux_ml_kem_polynomial_ZERO_d6_06(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 scratch = + libcrux_ml_kem_polynomial_ZERO_d6_06(); + libcrux_ml_kem_ind_cpa_encrypt_67( Eurydice_array_to_slice((size_t)1184U, libcrux_ml_kem_types_as_slice_e6_d0(public_key), uint8_t), - randomness0, pseudorandomness, ciphertext); + processed_randomness, pseudorandomness, + Eurydice_array_to_slice((size_t)1088U, ciphertext.value, uint8_t), + Eurydice_array_to_slice( + (size_t)3U, r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6), + &error_2, &scratch); + uint8_t shared_secret_array[32U] = {0U}; + libcrux_ml_kem_variant_kdf_39_ae( + shared_secret, ciphertext.value, + Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t)); + libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____2 = ciphertext; /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_ciphertext[1088U]; - memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t)); + uint8_t copy_of_shared_secret_array[32U]; + memcpy(copy_of_shared_secret_array, 
shared_secret_array, + (size_t)32U * sizeof(uint8_t)); tuple_c2 lit; - lit.fst = libcrux_ml_kem_types_from_e0_80(copy_of_ciphertext); - uint8_t ret[32U]; - libcrux_ml_kem_variant_kdf_39_ae(shared_secret, ciphertext, ret); - memcpy(lit.snd, ret, (size_t)32U * sizeof(uint8_t)); + lit.fst = uu____2; + memcpy(lit.snd, copy_of_shared_secret_array, (size_t)32U * sizeof(uint8_t)); return lit; } @@ -4831,6 +5142,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_70( A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.encapsulate_avx2 with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - PUBLIC_KEY_SIZE= 1184 - T_AS_NTT_ENCODED_SIZE= 1152 @@ -4843,18 +5155,21 @@ libcrux_ml_kem.ind_cca.instantiations.avx2.encapsulate_avx2 with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ KRML_ATTRIBUTE_TARGET("avx2") static inline tuple_c2 -libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate_avx2_cd( +libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate_avx2_35( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, uint8_t *randomness) { - return libcrux_ml_kem_ind_cca_encapsulate_70(public_key, randomness); + return libcrux_ml_kem_ind_cca_encapsulate_a1(public_key, randomness); } /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.encapsulate with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - PUBLIC_KEY_SIZE= 1184 - T_AS_NTT_ENCODED_SIZE= 1152 
@@ -4867,12 +5182,14 @@ with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ KRML_ATTRIBUTE_TARGET("avx2") static inline tuple_c2 -libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate_cd( +libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate_35( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, uint8_t *randomness) { - return libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate_avx2_cd( + return libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate_avx2_35( public_key, randomness); } @@ -4887,7 +5204,7 @@ KRML_ATTRIBUTE_TARGET("avx2") static inline tuple_c2 libcrux_ml_kem_mlkem768_avx2_encapsulate( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, uint8_t randomness[32U]) { - return libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate_cd(public_key, + return libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate_35(public_key, randomness); } @@ -4908,7 +5225,7 @@ libcrux_ml_kem_ind_cpa_unpacked_default_70_ab(void) { libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_63 lit; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 repeat_expression[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - repeat_expression[i] = libcrux_ml_kem_polynomial_ZERO_d6_84(); + repeat_expression[i] = libcrux_ml_kem_polynomial_ZERO_d6_06(); } memcpy( lit.secret_as_ntt, repeat_expression, @@ -4927,8 +5244,8 @@ with const generics - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_variant_cpa_keygen_seed_39_be( - Eurydice_slice key_generation_seed, uint8_t ret[64U]) { +static KRML_MUSTINLINE void libcrux_ml_kem_variant_cpa_keygen_seed_39_3f( + Eurydice_slice key_generation_seed, Eurydice_slice out) { uint8_t seed[33U] = {0U}; Eurydice_slice_copy( Eurydice_array_to_subslice3( 
@@ -4937,10 +5254,8 @@ static KRML_MUSTINLINE void libcrux_ml_kem_variant_cpa_keygen_seed_39_be( key_generation_seed, uint8_t); seed[LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE] = (uint8_t)(size_t)3U; - uint8_t ret0[64U]; - libcrux_ml_kem_hash_functions_avx2_G_41_e0( - Eurydice_array_to_slice((size_t)33U, seed, uint8_t), ret0); - memcpy(ret, ret0, (size_t)64U * sizeof(uint8_t)); + libcrux_ml_kem_hash_functions_avx2_G_26( + Eurydice_array_to_slice((size_t)33U, seed, uint8_t), out); } /** @@ -4948,24 +5263,27 @@ This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, TraitClause@3]> for libcrux_ml_kem::ind_cpa::generate_keypair_unpacked::closure[TraitClause@0, TraitClause@1, -TraitClause@2, TraitClause@3, TraitClause@4, TraitClause@5]} +Scheme, K, K_SQUARED, ETA1, ETA1_RANDOMNESS_SIZE, +PRF_OUTPUT_SIZE1>[TraitClause@0, TraitClause@1, TraitClause@2, TraitClause@3, +TraitClause@4, TraitClause@5]} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cpa.generate_keypair_unpacked.call_mut_73 with types +libcrux_ml_kem.ind_cpa.generate_keypair_unpacked.call_mut_ae with types libcrux_ml_kem_vector_avx2_SIMD256Vector, libcrux_ml_kem_hash_functions_avx2_Simd256Hash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_call_mut_73_22( +libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_call_mut_ae_5d( void **_, size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_84(); + return libcrux_ml_kem_polynomial_ZERO_d6_06(); } /** 
@@ -4975,9 +5293,9 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_ml_kem_polynomial_to_standard_domain_84(__m256i vector) { - return libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_f5( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_to_standard_domain_06( + __m256i *vector) { + libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_f5( vector, LIBCRUX_ML_KEM_VECTOR_TRAITS_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS); } @@ -4990,19 +5308,16 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_polynomial_add_standard_error_reduce_84( +libcrux_ml_kem_polynomial_add_standard_error_reduce_06( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *myself, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t j = i; - __m256i coefficient_normal_form = - libcrux_ml_kem_polynomial_to_standard_domain_84( - myself->coefficients[j]); - __m256i sum = libcrux_ml_kem_vector_avx2_add_f5(coefficient_normal_form, - &error->coefficients[j]); - __m256i red = libcrux_ml_kem_vector_avx2_barrett_reduce_f5(sum); - myself->coefficients[j] = red; + libcrux_ml_kem_polynomial_to_standard_domain_06(&myself->coefficients[j]); + libcrux_ml_kem_vector_avx2_add_f5(&myself->coefficients[j], + &error->coefficients[j]); + libcrux_ml_kem_vector_avx2_barrett_reduce_f5(&myself->coefficients[j]); } } @@ -5019,10 +5334,10 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_84( +libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_06( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) { - libcrux_ml_kem_polynomial_add_standard_error_reduce_84(self, error); + libcrux_ml_kem_polynomial_add_standard_error_reduce_06(self, error); } /** 
@@ -5037,38 +5352,25 @@ with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_As_plus_e_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *t_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 (*matrix_A)[3U], - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *s_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_as_ntt) { - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)3U, matrix_A, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U]), - libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U]); - i++) { + Eurydice_slice matrix_A, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *s_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch) { + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *row = matrix_A[i0]; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = - libcrux_ml_kem_polynomial_ZERO_d6_84(); + libcrux_ml_kem_polynomial_ZERO_d6_06(); t_as_ntt[i0] = uu____0; - for (size_t i1 = (size_t)0U; - i1 < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)3U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6), - libcrux_ml_kem_polynomial_PolynomialRingElement_f6); - i1++) { + for (size_t i1 = (size_t)0U; i1 < (size_t)3U; i1++) { size_t j = i1; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *matrix_element = - &row[j]; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - libcrux_ml_kem_polynomial_ntt_multiply_d6_84(matrix_element, - &s_as_ntt[j]); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *uu____1 = + libcrux_ml_kem_matrix_entry_ab(matrix_A, i0, j); + libcrux_ml_kem_polynomial_ntt_multiply_d6_06(uu____1, &s_as_ntt[j], + scratch); libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab(&t_as_ntt[i0], - &product); + scratch); } - 
libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_84( + libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_06( &t_as_ntt[i0], &error_as_ntt[i0]); } } @@ -5120,23 +5422,29 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector, libcrux_ml_kem_hash_functions_avx2_Simd256Hash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_22( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_5d( Eurydice_slice key_generation_seed, libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_63 *private_key, - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 *public_key) { - uint8_t hashed[64U]; - libcrux_ml_kem_variant_cpa_keygen_seed_39_be(key_generation_seed, hashed); + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0 *public_key, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch) { + uint8_t hashed[64U] = {0U}; + libcrux_ml_kem_variant_cpa_keygen_seed_39_3f( + key_generation_seed, + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t)); Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), (size_t)32U, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice seed_for_A = uu____0.fst; Eurydice_slice seed_for_secret_and_error = uu____0.snd; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6(*uu____1)[3U] = - public_key->A; + Eurydice_slice uu____1 = Eurydice_array_to_slice( + (size_t)9U, public_key->A, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6); uint8_t ret[34U]; libcrux_ml_kem_utils_into_padded_array_b6(seed_for_A, ret); libcrux_ml_kem_matrix_sample_matrix_A_6c(uu____1, ret, true); 
@@ -5144,21 +5452,30 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_22( libcrux_ml_kem_utils_into_padded_array_c8(seed_for_secret_and_error, prf_input); uint8_t domain_separator = - libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_b4( - private_key->secret_as_ntt, prf_input, 0U); + libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_cb( + Eurydice_array_to_slice( + (size_t)3U, private_key->secret_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6), + prf_input, 0U, scratch->coefficients); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 error_as_ntt[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { /* original Rust expression is not an lvalue in C */ void *lvalue = (void *)0U; error_as_ntt[i] = - libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_call_mut_73_22(&lvalue, + libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_call_mut_ae_5d(&lvalue, i); } - libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_b4(error_as_ntt, prf_input, - domain_separator); + libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_cb( + Eurydice_array_to_slice( + (size_t)3U, error_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6), + prf_input, domain_separator, scratch->coefficients); libcrux_ml_kem_matrix_compute_As_plus_e_ab( - public_key->t_as_ntt, public_key->A, private_key->secret_as_ntt, - error_as_ntt); + public_key->t_as_ntt, + Eurydice_array_to_slice( + (size_t)9U, public_key->A, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6), + private_key->secret_as_ntt, error_as_ntt, scratch); uint8_t uu____2[32U]; Result_fb dst; Eurydice_slice_to_array2(&dst, seed_for_A, Eurydice_slice, uint8_t[32U], 
@@ -5175,22 +5492,19 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_84( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, uint8_t ret[384U]) { - uint8_t serialized[384U] = {0U}; +libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_06( + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, __m256i *scratch, + Eurydice_slice serialized) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - __m256i coefficient = libcrux_ml_kem_serialize_to_unsigned_field_modulus_84( - re->coefficients[i0]); - uint8_t bytes[24U]; - libcrux_ml_kem_vector_avx2_serialize_12_f5(coefficient, bytes); - Eurydice_slice_copy( - Eurydice_array_to_subslice3(serialized, (size_t)24U * i0, - (size_t)24U * i0 + (size_t)24U, uint8_t *), - Eurydice_array_to_slice((size_t)24U, bytes, uint8_t), uint8_t); + libcrux_ml_kem_serialize_to_unsigned_field_modulus_06(&re->coefficients[i0], + scratch); + libcrux_ml_kem_vector_avx2_serialize_12_f5( + scratch, + Eurydice_slice_subslice3(serialized, (size_t)24U * i0, + (size_t)24U * i0 + (size_t)24U, uint8_t *)); } - memcpy(ret, serialized, (size_t)384U * sizeof(uint8_t)); } /** @@ -5204,8 +5518,8 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_serialize_vector_ab( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *key, - Eurydice_slice out) { + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *key, Eurydice_slice out, + __m256i *scratch) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( 
@@ -5215,14 +5529,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_serialize_vector_ab( i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = key[i0]; - Eurydice_slice uu____0 = Eurydice_slice_subslice3( - out, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t *); - uint8_t ret[384U]; - libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_84(&re, ret); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)384U, ret, uint8_t), uint8_t); + libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_06( + &re, scratch, + Eurydice_slice_subslice3( + out, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + uint8_t *)); } } 
@@ -5239,41 +5551,22 @@ with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_serialize_public_key_mut_ed( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *t_as_ntt, - Eurydice_slice seed_for_a, uint8_t *serialized) { + Eurydice_slice seed_for_a, Eurydice_slice serialized, __m256i *scratch) { libcrux_ml_kem_ind_cpa_serialize_vector_ab( t_as_ntt, - Eurydice_array_to_subslice3( + Eurydice_slice_subslice3( serialized, (size_t)0U, libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), - uint8_t *)); + uint8_t *), + scratch); Eurydice_slice_copy( - Eurydice_array_to_subslice_from( - (size_t)1184U, serialized, + Eurydice_slice_subslice_from( + serialized, libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), uint8_t, size_t, uint8_t[]), seed_for_a, uint8_t); } -/** - Concatenate `t` and `ρ` into the public key. -*/ -/** -A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key -with types libcrux_ml_kem_vector_avx2_SIMD256Vector -with const generics -- K= 3 -- PUBLIC_KEY_SIZE= 1184 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_serialize_public_key_ed( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *t_as_ntt, - Eurydice_slice seed_for_a, uint8_t ret[1184U]) { - uint8_t public_key_serialized[1184U] = {0U}; - libcrux_ml_kem_ind_cpa_serialize_public_key_mut_ed(t_as_ntt, seed_for_a, - public_key_serialized); - memcpy(ret, public_key_serialized, (size_t)1184U * sizeof(uint8_t)); -} - /** Serialize the secret key from the unpacked key pair generation. */ 
@@ -5282,37 +5575,22 @@ A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_unpacked_secret_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 - PRIVATE_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline libcrux_ml_kem_utils_extraction_helper_Keypair768 -libcrux_ml_kem_ind_cpa_serialize_unpacked_secret_key_ed( - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 *public_key, - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_63 *private_key) { - uint8_t public_key_serialized[1184U]; - libcrux_ml_kem_ind_cpa_serialize_public_key_ed( +static inline void libcrux_ml_kem_ind_cpa_serialize_unpacked_secret_key_8c( + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0 *public_key, + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_63 *private_key, + Eurydice_slice serialized_private_key, Eurydice_slice serialized_public_key, + __m256i *scratch) { + libcrux_ml_kem_ind_cpa_serialize_public_key_mut_ed( public_key->t_as_ntt, Eurydice_array_to_slice((size_t)32U, public_key->seed_for_A, uint8_t), - public_key_serialized); - uint8_t secret_key_serialized[1152U] = {0U}; - libcrux_ml_kem_ind_cpa_serialize_vector_ab( - private_key->secret_as_ntt, - Eurydice_array_to_slice((size_t)1152U, secret_key_serialized, uint8_t)); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_secret_key_serialized[1152U]; - memcpy(copy_of_secret_key_serialized, secret_key_serialized, - (size_t)1152U * sizeof(uint8_t)); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_public_key_serialized[1184U]; - memcpy(copy_of_public_key_serialized, public_key_serialized, - (size_t)1184U * sizeof(uint8_t)); - libcrux_ml_kem_utils_extraction_helper_Keypair768 lit; - memcpy(lit.fst, copy_of_secret_key_serialized, - (size_t)1152U * sizeof(uint8_t)); - memcpy(lit.snd, copy_of_public_key_serialized, - (size_t)1184U * sizeof(uint8_t)); - return 
lit; + serialized_public_key, scratch); + libcrux_ml_kem_ind_cpa_serialize_vector_ab(private_key->secret_as_ntt, + serialized_private_key, scratch); } /** @@ -5321,22 +5599,28 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector, libcrux_ml_kem_hash_functions_avx2_Simd256Hash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - PRIVATE_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_utils_extraction_helper_Keypair768 -libcrux_ml_kem_ind_cpa_generate_keypair_5d(Eurydice_slice key_generation_seed) { +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_generate_keypair_d6( + Eurydice_slice key_generation_seed, + Eurydice_slice serialized_ind_cpa_private_key, + Eurydice_slice serialized_public_key, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *scratch) { libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_63 private_key = libcrux_ml_kem_ind_cpa_unpacked_default_70_ab(); - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 public_key = - libcrux_ml_kem_ind_cpa_unpacked_default_8b_ab(); - libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_22( - key_generation_seed, &private_key, &public_key); - return libcrux_ml_kem_ind_cpa_serialize_unpacked_secret_key_ed(&public_key, - &private_key); + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0 public_key = + libcrux_ml_kem_ind_cpa_unpacked_default_50_ed(); + libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_5d( + key_generation_seed, &private_key, &public_key, scratch); + libcrux_ml_kem_ind_cpa_serialize_unpacked_secret_key_8c( + &public_key, &private_key, serialized_ind_cpa_private_key, + serialized_public_key, scratch->coefficients); } /** 
@@ -5373,42 +5657,23 @@ libcrux_ml_kem_ind_cca_serialize_kem_secret_key_mut_ae( uint8_t *), public_key, uint8_t); pointer = pointer + Eurydice_slice_len(public_key, uint8_t); - Eurydice_slice uu____6 = Eurydice_array_to_subslice3( - serialized, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, - uint8_t *); - uint8_t ret[32U]; - libcrux_ml_kem_hash_functions_avx2_H_41_e0(public_key, ret); - Eurydice_slice_copy( - uu____6, Eurydice_array_to_slice((size_t)32U, ret, uint8_t), uint8_t); + libcrux_ml_kem_hash_functions_avx2_H_26( + public_key, + Eurydice_array_to_subslice3( + serialized, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, + uint8_t *)); pointer = pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE; - uint8_t *uu____7 = serialized; + uint8_t *uu____6 = serialized; + size_t uu____7 = pointer; size_t uu____8 = pointer; - size_t uu____9 = pointer; Eurydice_slice_copy( Eurydice_array_to_subslice3( - uu____7, uu____8, - uu____9 + Eurydice_slice_len(implicit_rejection_value, uint8_t), + uu____6, uu____7, + uu____8 + Eurydice_slice_len(implicit_rejection_value, uint8_t), uint8_t *), implicit_rejection_value, uint8_t); } -/** -A monomorphic instance of libcrux_ml_kem.ind_cca.serialize_kem_secret_key -with types libcrux_ml_kem_hash_functions_avx2_Simd256Hash -with const generics -- K= 3 -- SERIALIZED_KEY_LEN= 2400 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_serialize_kem_secret_key_ae( - Eurydice_slice private_key, Eurydice_slice public_key, - Eurydice_slice implicit_rejection_value, uint8_t ret[2400U]) { - uint8_t out[2400U] = {0U}; - libcrux_ml_kem_ind_cca_serialize_kem_secret_key_mut_ae( - private_key, public_key, implicit_rejection_value, out); - memcpy(ret, out, (size_t)2400U * sizeof(uint8_t)); -} - /** Packed API 
@@ -5423,15 +5688,17 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector, libcrux_ml_kem_hash_functions_avx2_Simd256Hash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_mlkem768_MlKem768KeyPair -libcrux_ml_kem_ind_cca_generate_keypair_bb(uint8_t *randomness) { +libcrux_ml_kem_ind_cca_generate_keypair_13(uint8_t *randomness) { Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice3( randomness, (size_t)0U, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t *); 
@@ -5439,14 +5706,16 @@ libcrux_ml_kem_ind_cca_generate_keypair_bb(uint8_t *randomness) { (size_t)64U, randomness, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, size_t, uint8_t[]); - libcrux_ml_kem_utils_extraction_helper_Keypair768 uu____0 = - libcrux_ml_kem_ind_cpa_generate_keypair_5d(ind_cpa_keypair_randomness); - uint8_t ind_cpa_private_key[1152U]; - memcpy(ind_cpa_private_key, uu____0.fst, (size_t)1152U * sizeof(uint8_t)); - uint8_t public_key[1184U]; - memcpy(public_key, uu____0.snd, (size_t)1184U * sizeof(uint8_t)); - uint8_t secret_key_serialized[2400U]; - libcrux_ml_kem_ind_cca_serialize_kem_secret_key_ae( + uint8_t ind_cpa_private_key[1152U] = {0U}; + uint8_t public_key[1184U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 scratch = + libcrux_ml_kem_polynomial_ZERO_d6_06(); + libcrux_ml_kem_ind_cpa_generate_keypair_d6( + ind_cpa_keypair_randomness, + Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t), + Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t), &scratch); + uint8_t secret_key_serialized[2400U] = {0U}; + libcrux_ml_kem_ind_cca_serialize_kem_secret_key_mut_ae( Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t), Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t), implicit_rejection_value, secret_key_serialized); 
@@ -5456,12 +5725,12 @@ libcrux_ml_kem_ind_cca_generate_keypair_bb(uint8_t *randomness) { (size_t)2400U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey_d9 private_key = libcrux_ml_kem_types_from_77_28(copy_of_secret_key_serialized); - libcrux_ml_kem_types_MlKemPrivateKey_d9 uu____2 = private_key; + libcrux_ml_kem_types_MlKemPrivateKey_d9 uu____1 = private_key; /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_public_key[1184U]; memcpy(copy_of_public_key, public_key, (size_t)1184U * sizeof(uint8_t)); return libcrux_ml_kem_types_from_17_74( - uu____2, libcrux_ml_kem_types_from_fd_d0(copy_of_public_key)); + uu____1, libcrux_ml_kem_types_from_fd_d0(copy_of_public_key)); } /** 
@@ -5472,34 +5741,38 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.generate_keypair_avx2 with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair -libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_avx2_ce( +libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_avx2_06( uint8_t *randomness) { - return libcrux_ml_kem_ind_cca_generate_keypair_bb(randomness); + return libcrux_ml_kem_ind_cca_generate_keypair_13(randomness); } /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.generate_keypair with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair -libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_ce( +libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_06( uint8_t *randomness) { - return libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_avx2_ce( + return libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_avx2_06( randomness); } @@ -5509,7 +5782,7 @@ libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_ce( KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair libcrux_ml_kem_mlkem768_avx2_generate_key_pair(uint8_t randomness[64U]) { - return libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_ce( + return libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_06( randomness); } 
@@ -5528,12 +5801,12 @@ with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_validate_private_key_only_ae( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key) { - uint8_t t[32U]; - libcrux_ml_kem_hash_functions_avx2_H_41_e0( + uint8_t t[32U] = {0U}; + libcrux_ml_kem_hash_functions_avx2_H_26( Eurydice_array_to_subslice3(private_key->value, (size_t)384U * (size_t)3U, (size_t)768U * (size_t)3U + (size_t)32U, uint8_t *), - t); + Eurydice_array_to_slice((size_t)32U, t, uint8_t)); Eurydice_slice expected = Eurydice_array_to_subslice3( private_key->value, (size_t)768U * (size_t)3U + (size_t)32U, (size_t)768U * (size_t)3U + (size_t)64U, uint8_t *); 
@@ -5642,52 +5915,21 @@ static inline bool libcrux_ml_kem_mlkem768_avx2_validate_private_key_only( This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, TraitClause@1]> for -libcrux_ml_kem::serialize::deserialize_ring_elements_reduced_out::closure[TraitClause@0, TraitClause@1]} +libcrux_ml_kem::ind_cca::validate_public_key::closure[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of -libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out.call_mut_0b with -types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics +A monomorphic instance of libcrux_ml_kem.ind_cca.validate_public_key.call_mut_00 +with types libcrux_ml_kem_vector_avx2_SIMD256Vector +with const generics - K= 3 +- PUBLIC_KEY_SIZE= 1184 */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_call_mut_0b_ab( - void **_, size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_84(); -} - -/** - This function deserializes ring elements and reduces the result by the field - modulus. - - This function MUST NOT be used on secret inputs. 
-*/ -/** -A monomorphic instance of -libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out with types -libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics -- K= 3 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_ab( - Eurydice_slice public_key, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialized_pk[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - deserialized_pk[i] = - libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_call_mut_0b_ab( - &lvalue, i); - } - libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_ab( - public_key, deserialized_pk); - memcpy( - ret, deserialized_pk, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); +libcrux_ml_kem_ind_cca_validate_public_key_call_mut_00_ed(void **_, + size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_06(); } /** 
@@ -5708,21 +5950,31 @@ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_validate_public_key_ed( uint8_t *public_key) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialized_pk[3U]; - libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_ab( - Eurydice_array_to_subslice_to( - (size_t)1184U, public_key, - libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), - uint8_t, size_t, uint8_t[]), - deserialized_pk); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *uu____0 = deserialized_pk; - uint8_t public_key_serialized[1184U]; - libcrux_ml_kem_ind_cpa_serialize_public_key_ed( - uu____0, - Eurydice_array_to_subslice_from( - (size_t)1184U, public_key, - libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), - uint8_t, size_t, uint8_t[]), - public_key_serialized); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + deserialized_pk[i] = + libcrux_ml_kem_ind_cca_validate_public_key_call_mut_00_ed(&lvalue, i); + } + Eurydice_slice uu____0 = Eurydice_array_to_subslice_to( + (size_t)1184U, public_key, + libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), + uint8_t, size_t, uint8_t[]); + libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_ab( + uu____0, Eurydice_array_to_slice( + (size_t)3U, deserialized_pk, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); + uint8_t public_key_serialized[1184U] = {0U}; + __m256i scratch = libcrux_ml_kem_vector_avx2_ZERO_f5(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *uu____1 = deserialized_pk; + Eurydice_slice uu____2 = Eurydice_array_to_subslice_from( + (size_t)1184U, public_key, + libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), + uint8_t, size_t, uint8_t[]); + libcrux_ml_kem_ind_cpa_serialize_public_key_mut_ed( + uu____1, uu____2, + Eurydice_array_to_slice((size_t)1184U, public_key_serialized, uint8_t), + &scratch); 
return Eurydice_array_eq((size_t)1184U, public_key, public_key_serialized, uint8_t); } 
@@ -5785,22 +6037,68 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.MlKemPublicKeyUnpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - $3size_t +- $9size_t */ -typedef struct libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63_s { - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 ind_cpa_public_key; +typedef struct libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0_s { + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0 ind_cpa_public_key; uint8_t public_key_hash[32U]; -} libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63; +} libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0; typedef struct libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked_s { libcrux_ml_kem_ind_cca_unpacked_MlKemPrivateKeyUnpacked_63 private_key; - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 public_key; + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 public_key; } libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked; +/** +This function found in impl {core::ops::function::FnMut<(usize), +libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@2]> for +libcrux_ml_kem::ind_cca::unpacked::decapsulate::closure[TraitClause@0, +TraitClause@1, TraitClause@2, TraitClause@3]} +*/ +/** +A monomorphic instance of +libcrux_ml_kem.ind_cca.unpacked.decapsulate.call_mut_03 with types +libcrux_ml_kem_vector_avx2_SIMD256Vector, +libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics +- K= 3 +- K_SQUARED= 9 +- SECRET_KEY_SIZE= 2400 +- CPA_SECRET_KEY_SIZE= 1152 +- PUBLIC_KEY_SIZE= 1184 +- CIPHERTEXT_SIZE= 1088 +- T_AS_NTT_ENCODED_SIZE= 1152 +- C1_SIZE= 960 +- C2_SIZE= 128 +- VECTOR_U_COMPRESSION_FACTOR= 10 +- VECTOR_V_COMPRESSION_FACTOR= 4 +- C1_BLOCK_SIZE= 320 +- ETA1= 2 +- ETA1_RANDOMNESS_SIZE= 128 +- ETA2= 2 +- ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 +- IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 +*/ 
+KRML_ATTRIBUTE_TARGET("avx2") +static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 +libcrux_ml_kem_ind_cca_unpacked_decapsulate_call_mut_03_37(void **_, + size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_06(); +} + /** A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.decapsulate with types libcrux_ml_kem_vector_avx2_SIMD256Vector, libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 @@ -5815,15 +6113,20 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_decapsulate_12( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_decapsulate_37( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - uint8_t decrypted[32U]; + uint8_t decrypted[32U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 scratch = + libcrux_ml_kem_polynomial_ZERO_d6_06(); libcrux_ml_kem_ind_cpa_decrypt_unpacked_2f( - &key_pair->private_key.ind_cpa_private_key, ciphertext->value, decrypted); + &key_pair->private_key.ind_cpa_private_key, ciphertext->value, + Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), &scratch); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array_24( Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0); 
@@ -5835,9 +6138,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_decapsulate_12( Eurydice_array_to_slice((size_t)32U, key_pair->public_key.public_key_hash, uint8_t), uint8_t); - uint8_t hashed[64U]; - libcrux_ml_kem_hash_functions_avx2_G_41_e0( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed); + uint8_t hashed[64U] = {0U}; + libcrux_ml_kem_hash_functions_avx2_G_26( + Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t)); Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, 
@@ -5854,25 +6158,40 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_decapsulate_12( uint8_t, size_t, uint8_t[]); Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_d3_80(ciphertext), uint8_t); - uint8_t implicit_rejection_shared_secret[32U]; - libcrux_ml_kem_hash_functions_avx2_PRF_41_41( + uint8_t implicit_rejection_shared_secret[32U] = {0U}; + libcrux_ml_kem_hash_functions_avx2_PRF_26_9e( Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t), - implicit_rejection_shared_secret); - uint8_t expected_ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_unpacked_74( + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, + uint8_t)); + uint8_t expected_ciphertext[1088U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 r_as_ntt[3U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + r_as_ntt[i] = + libcrux_ml_kem_ind_cca_unpacked_decapsulate_call_mut_03_37(&lvalue, i); + } + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 error_2 = + libcrux_ml_kem_polynomial_ZERO_d6_06(); + libcrux_ml_kem_ind_cpa_encrypt_unpacked_67( &key_pair->public_key.ind_cpa_public_key, decrypted, pseudorandomness, - expected_ciphertext); + Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t), + Eurydice_array_to_slice( + (size_t)3U, r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6), + &error_2, &scratch); uint8_t selector = libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( libcrux_ml_kem_types_as_ref_d3_80(ciphertext), Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t)); - uint8_t ret0[32U]; + uint8_t shared_secret_array[32U] = {0U}; libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( shared_secret, Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t), - selector, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + selector, + 
Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t)); + memcpy(ret, shared_secret_array, (size_t)32U * sizeof(uint8_t)); } /** @@ -5880,6 +6199,7 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.unpacked.decapsulate_avx2 with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 @@ -5894,14 +6214,16 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ KRML_ATTRIBUTE_TARGET("avx2") static inline void -libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_decapsulate_avx2_35( +libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_decapsulate_avx2_54( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_unpacked_decapsulate_12(key_pair, ciphertext, ret); + libcrux_ml_kem_ind_cca_unpacked_decapsulate_37(key_pair, ciphertext, ret); } /** @@ -5912,6 +6234,7 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.unpacked.decapsulate with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 
@@ -5926,14 +6249,16 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ KRML_ATTRIBUTE_TARGET("avx2") static inline void -libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_decapsulate_35( +libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_decapsulate_54( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_decapsulate_avx2_35( + libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_decapsulate_avx2_54( key_pair, ciphertext, ret); } @@ -5948,7 +6273,7 @@ KRML_ATTRIBUTE_TARGET("avx2") static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_decapsulate( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_decapsulate_35( + libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_decapsulate_54( private_key, ciphertext, ret); } @@ -5959,7 +6284,7 @@ with const generics - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_kem_ind_cca_unpacked_encaps_prepare_be( +static inline void libcrux_ml_kem_ind_cca_unpacked_encaps_prepare_3f( Eurydice_slice randomness, Eurydice_slice pk_hash, uint8_t ret[64U]) { uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array_24(randomness, to_hash); 
@@ -5968,10 +6293,51 @@ static inline void libcrux_ml_kem_ind_cca_unpacked_encaps_prepare_be( LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, size_t, uint8_t[]), pk_hash, uint8_t); - uint8_t ret0[64U]; - libcrux_ml_kem_hash_functions_avx2_G_41_e0( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), ret0); - memcpy(ret, ret0, (size_t)64U * sizeof(uint8_t)); + uint8_t output[64U] = {0U}; + libcrux_ml_kem_hash_functions_avx2_G_26( + Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), + Eurydice_array_to_slice((size_t)64U, output, uint8_t)); + memcpy(ret, output, (size_t)64U * sizeof(uint8_t)); +} + +/** +This function found in impl {core::ops::function::FnMut<(usize), +libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@2]> for +libcrux_ml_kem::ind_cca::unpacked::encapsulate::closure[TraitClause@0, TraitClause@1, TraitClause@2, +TraitClause@3]} +*/ +/** +A monomorphic instance of +libcrux_ml_kem.ind_cca.unpacked.encapsulate.call_mut_f7 with types +libcrux_ml_kem_vector_avx2_SIMD256Vector, +libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics +- K= 3 +- K_SQUARED= 9 +- CIPHERTEXT_SIZE= 1088 +- PUBLIC_KEY_SIZE= 1184 +- T_AS_NTT_ENCODED_SIZE= 1152 +- C1_SIZE= 960 +- C2_SIZE= 128 +- VECTOR_U_COMPRESSION_FACTOR= 10 +- VECTOR_V_COMPRESSION_FACTOR= 4 +- VECTOR_U_BLOCK_LEN= 320 +- ETA1= 2 +- ETA1_RANDOMNESS_SIZE= 128 +- ETA2= 2 +- ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 +libcrux_ml_kem_ind_cca_unpacked_encapsulate_call_mut_f7_12(void **_, + size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_06(); } /** 
@@ -5979,6 +6345,7 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.encapsulate with types libcrux_ml_kem_vector_avx2_SIMD256Vector, libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - PUBLIC_KEY_SIZE= 1184 - T_AS_NTT_ENCODED_SIZE= 1152 @@ -5991,13 +6358,15 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_unpacked_encapsulate_70( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 *public_key, +static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_unpacked_encapsulate_12( + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 *public_key, uint8_t *randomness) { uint8_t hashed[64U]; - libcrux_ml_kem_ind_cca_unpacked_encaps_prepare_be( + libcrux_ml_kem_ind_cca_unpacked_encaps_prepare_3f( Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), Eurydice_array_to_slice((size_t)32U, public_key->public_key_hash, uint8_t), 
@@ -6008,10 +6377,25 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_unpacked_encapsulate_70( Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____0.fst; Eurydice_slice pseudorandomness = uu____0.snd; - uint8_t ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_unpacked_74(&public_key->ind_cpa_public_key, - randomness, pseudorandomness, - ciphertext); + uint8_t ciphertext[1088U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 r_as_ntt[3U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + r_as_ntt[i] = + libcrux_ml_kem_ind_cca_unpacked_encapsulate_call_mut_f7_12(&lvalue, i); + } + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 error_2 = + libcrux_ml_kem_polynomial_ZERO_d6_06(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 scratch = + libcrux_ml_kem_polynomial_ZERO_d6_06(); + libcrux_ml_kem_ind_cpa_encrypt_unpacked_67( + &public_key->ind_cpa_public_key, randomness, pseudorandomness, + Eurydice_array_to_slice((size_t)1088U, ciphertext, uint8_t), + Eurydice_array_to_slice( + (size_t)3U, r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6), + &error_2, &scratch); uint8_t shared_secret_array[32U] = {0U}; Eurydice_slice_copy( Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t), @@ -6036,6 +6420,7 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.unpacked.encapsulate_avx2 with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - PUBLIC_KEY_SIZE= 1184 - T_AS_NTT_ENCODED_SIZE= 1152 
@@ -6048,13 +6433,15 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ KRML_ATTRIBUTE_TARGET("avx2") static inline tuple_c2 -libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_encapsulate_avx2_cd( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 *public_key, +libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_encapsulate_avx2_35( + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 *public_key, uint8_t *randomness) { - return libcrux_ml_kem_ind_cca_unpacked_encapsulate_70(public_key, randomness); + return libcrux_ml_kem_ind_cca_unpacked_encapsulate_12(public_key, randomness); } /** @@ -6065,6 +6452,7 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.unpacked.encapsulate with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - PUBLIC_KEY_SIZE= 1184 - T_AS_NTT_ENCODED_SIZE= 1152 @@ -6077,13 +6465,15 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ KRML_ATTRIBUTE_TARGET("avx2") static inline tuple_c2 -libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_encapsulate_cd( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 *public_key, +libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_encapsulate_35( + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 *public_key, uint8_t *randomness) { - return libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_encapsulate_avx2_cd( + return libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_encapsulate_avx2_35( public_key, randomness); } 
@@ -6097,9 +6487,9 @@ libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_encapsulate_cd( */ KRML_ATTRIBUTE_TARGET("avx2") static inline tuple_c2 libcrux_ml_kem_mlkem768_avx2_unpacked_encapsulate( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 *public_key, + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 *public_key, uint8_t randomness[32U]) { - return libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_encapsulate_cd( + return libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_encapsulate_35( public_key, randomness); } 
@@ -6107,45 +6497,21 @@ static inline tuple_c2 libcrux_ml_kem_mlkem768_avx2_unpacked_encapsulate( This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, TraitClause@1]> for -libcrux_ml_kem::ind_cca::unpacked::transpose_a::closure::closure[TraitClause@0, TraitClause@1]} +libcrux_ml_kem::ind_cca::unpacked::transpose_a::closure[TraitClause@0, TraitClause@1]} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.transpose_a.closure.call_mut_b4 with types +libcrux_ml_kem.ind_cca.unpacked.transpose_a.call_mut_5a with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_ind_cca_unpacked_transpose_a_closure_call_mut_b4_ab( - void **_, size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_84(); -} - -/** -This function found in impl {core::ops::function::FnMut<(usize), -@Array[TraitClause@0, -TraitClause@1], K>> for -libcrux_ml_kem::ind_cca::unpacked::transpose_a::closure[TraitClause@0, TraitClause@1]} -*/ -/** -A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.transpose_a.call_mut_7b with types -libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics -- K= 3 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_kem_ind_cca_unpacked_transpose_a_call_mut_7b_ab( - void **_, size_t tupled_args, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - ret[i] = libcrux_ml_kem_ind_cca_unpacked_transpose_a_closure_call_mut_b4_ab( - &lvalue, i); - } +libcrux_ml_kem_ind_cca_unpacked_transpose_a_call_mut_5a_ed(void **_, + size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_06(); } /** 
@@ -6161,7 +6527,7 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_clone_c1_84( +libcrux_ml_kem_polynomial_clone_c1_06( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 lit; __m256i ret[16U]; 
@@ -6176,34 +6542,32 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.transpose_a with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_kem_ind_cca_unpacked_transpose_a_ab( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ind_cpa_a[3U][3U], - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U][3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 A[3U][3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_transpose_a_ed( + Eurydice_slice ind_cpa_a, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[9U]) { + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 A[9U]; + for (size_t i = (size_t)0U; i < (size_t)9U; i++) { /* original Rust expression is not an lvalue in C */ void *lvalue = (void *)0U; - libcrux_ml_kem_ind_cca_unpacked_transpose_a_call_mut_7b_ab(&lvalue, i, - A[i]); + A[i] = + libcrux_ml_kem_ind_cca_unpacked_transpose_a_call_mut_5a_ed(&lvalue, i); } - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 _a_i[3U][3U]; - memcpy(_a_i, A, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U])); - for (size_t i1 = (size_t)0U; i1 < (size_t)3U; i1++) { - size_t j = i1; + for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { + size_t i1 = i0; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = - libcrux_ml_kem_polynomial_clone_c1_84(&ind_cpa_a[j][i0]); - A[i0][j] = uu____0; + libcrux_ml_kem_polynomial_clone_c1_06( + libcrux_ml_kem_matrix_entry_ab(ind_cpa_a, j, i1)); + A[i1 * (size_t)3U + j] = uu____0; } } - memcpy(ret, A, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U])); + memcpy( + ret, A, + (size_t)9U * 
sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); } /** @@ -6215,14 +6579,16 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector, libcrux_ml_kem_hash_functions_avx2_Simd256Hash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_generate_keypair_bb( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_generate_keypair_13( uint8_t randomness[64U], libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *out) { Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice3( 
@@ -6232,39 +6598,41 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_generate_keypair_bb( (size_t)64U, randomness, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, size_t, uint8_t[]); - libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_22( + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 scratch0 = + libcrux_ml_kem_polynomial_ZERO_d6_06(); + libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_5d( ind_cpa_keypair_randomness, &out->private_key.ind_cpa_private_key, - &out->public_key.ind_cpa_public_key); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0[3U][3U]; - memcpy(uu____0, out->public_key.ind_cpa_public_key.A, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U])); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 A[3U][3U]; - libcrux_ml_kem_ind_cca_unpacked_transpose_a_ab(uu____0, A); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____1[3U][3U]; - memcpy(uu____1, A, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U])); - memcpy(out->public_key.ind_cpa_public_key.A, uu____1, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U])); - uint8_t pk_serialized[1184U]; - libcrux_ml_kem_ind_cpa_serialize_public_key_ed( + &out->public_key.ind_cpa_public_key, &scratch0); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 A[9U]; + libcrux_ml_kem_ind_cca_unpacked_transpose_a_ed( + Eurydice_array_to_slice( + (size_t)9U, out->public_key.ind_cpa_public_key.A, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6), + A); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0[9U]; + memcpy( + uu____0, A, + (size_t)9U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); + memcpy( + out->public_key.ind_cpa_public_key.A, uu____0, + (size_t)9U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); + uint8_t pk_serialized[1184U] = {0U}; + __m256i scratch = libcrux_ml_kem_vector_avx2_ZERO_f5(); + 
libcrux_ml_kem_ind_cpa_serialize_public_key_mut_ed( out->public_key.ind_cpa_public_key.t_as_ntt, Eurydice_array_to_slice( (size_t)32U, out->public_key.ind_cpa_public_key.seed_for_A, uint8_t), - pk_serialized); - uint8_t uu____2[32U]; - libcrux_ml_kem_hash_functions_avx2_H_41_e0( - Eurydice_array_to_slice((size_t)1184U, pk_serialized, uint8_t), uu____2); - memcpy(out->public_key.public_key_hash, uu____2, - (size_t)32U * sizeof(uint8_t)); - uint8_t uu____3[32U]; + Eurydice_array_to_slice((size_t)1184U, pk_serialized, uint8_t), &scratch); + libcrux_ml_kem_hash_functions_avx2_H_26( + Eurydice_array_to_slice((size_t)1184U, pk_serialized, uint8_t), + Eurydice_array_to_slice((size_t)32U, out->public_key.public_key_hash, + uint8_t)); + uint8_t uu____1[32U]; Result_fb dst; Eurydice_slice_to_array2(&dst, implicit_rejection_value, Eurydice_slice, uint8_t[32U], TryFromSliceError); - unwrap_26_b3(dst, uu____3); - memcpy(out->private_key.implicit_rejection_value, uu____3, + unwrap_26_b3(dst, uu____1); + memcpy(out->private_key.implicit_rejection_value, uu____1, (size_t)32U * sizeof(uint8_t)); } 
@@ -6273,21 +6641,23 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.unpacked.generate_keypair_avx2 with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ KRML_ATTRIBUTE_TARGET("avx2") static inline void -libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_generate_keypair_avx2_ce( +libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_generate_keypair_avx2_06( uint8_t randomness[64U], libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *out) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[64U]; memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); - libcrux_ml_kem_ind_cca_unpacked_generate_keypair_bb(copy_of_randomness, out); + libcrux_ml_kem_ind_cca_unpacked_generate_keypair_13(copy_of_randomness, out); } /** @@ -6298,21 +6668,23 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.unpacked.generate_keypair with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ KRML_ATTRIBUTE_TARGET("avx2") static inline void -libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_generate_keypair_ce( +libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_generate_keypair_06( uint8_t randomness[64U], libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *out) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[64U]; memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); - libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_generate_keypair_avx2_ce( + libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_generate_keypair_avx2_06( copy_of_randomness, out); } 
@@ -6326,47 +6698,49 @@ static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_generate_key_pair_mut( /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[64U]; memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); - libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_generate_keypair_ce( + libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_generate_keypair_06( copy_of_randomness, key_pair); } /** This function found in impl {core::default::Default for -libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@1]} +libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_30 +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_3f with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 -libcrux_ml_kem_ind_cca_unpacked_default_30_ab(void) { - return (libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63{ - libcrux_ml_kem_ind_cpa_unpacked_default_8b_ab(), {0U}}); +static KRML_MUSTINLINE libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 +libcrux_ml_kem_ind_cca_unpacked_default_3f_ed(void) { + return (libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0{ + libcrux_ml_kem_ind_cpa_unpacked_default_50_ed(), {0U}}); } /** This function found in impl {core::default::Default for -libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} +libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_7b +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_b1 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 */ 
KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked - libcrux_ml_kem_ind_cca_unpacked_default_7b_ab(void) { + libcrux_ml_kem_ind_cca_unpacked_default_b1_ed(void) { libcrux_ml_kem_ind_cca_unpacked_MlKemPrivateKeyUnpacked_63 uu____0 = { libcrux_ml_kem_ind_cpa_unpacked_default_70_ab(), {0U}}; return (libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked{ - uu____0, libcrux_ml_kem_ind_cca_unpacked_default_30_ab()}); + uu____0, libcrux_ml_kem_ind_cca_unpacked_default_3f_ed()}); } /** @@ -6377,7 +6751,7 @@ static inline libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked libcrux_ml_kem_mlkem768_avx2_unpacked_generate_key_pair( uint8_t randomness[64U]) { libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked key_pair = - libcrux_ml_kem_ind_cca_unpacked_default_7b_ab(); + libcrux_ml_kem_ind_cca_unpacked_default_b1_ed(); uint8_t uu____0[64U]; memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); libcrux_ml_kem_mlkem768_avx2_unpacked_generate_key_pair_mut(uu____0, 
@@ -6391,126 +6765,107 @@ libcrux_ml_kem_mlkem768_avx2_unpacked_generate_key_pair( KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked libcrux_ml_kem_mlkem768_avx2_unpacked_init_key_pair(void) { - return libcrux_ml_kem_ind_cca_unpacked_default_7b_ab(); + return libcrux_ml_kem_ind_cca_unpacked_default_b1_ed(); } /** Create a new, empty unpacked public key. */ KRML_ATTRIBUTE_TARGET("avx2") -static inline libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 +static inline libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 libcrux_ml_kem_mlkem768_avx2_unpacked_init_public_key(void) { - return libcrux_ml_kem_ind_cca_unpacked_default_30_ab(); -} - -/** -This function found in impl {core::ops::function::FnMut<(@Array), -libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@2]> for libcrux_ml_kem::sampling::sample_from_xof::closure[TraitClause@0, TraitClause@1, TraitClause@2, TraitClause@3]} -*/ -/** -A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof.call_mut_e7 -with types libcrux_ml_kem_vector_avx2_SIMD256Vector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics -- K= 3 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_sampling_sample_from_xof_call_mut_e7_b3( - void **_, int16_t tupled_args[272U]) { - int16_t s[272U]; - memcpy(s, tupled_args, (size_t)272U * sizeof(int16_t)); - return libcrux_ml_kem_polynomial_from_i16_array_d6_84( - Eurydice_array_to_subslice3(s, (size_t)0U, (size_t)256U, int16_t *)); + return libcrux_ml_kem_ind_cca_unpacked_default_3f_ed(); } /** A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof with types libcrux_ml_kem_vector_avx2_SIMD256Vector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 */ 
KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_xof_b3( - uint8_t (*seeds)[34U], - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { - size_t sampled_coefficients[3U] = {0U}; - int16_t out[3U][272U] = {{0U}}; - libcrux_ml_kem_hash_functions_portable_PortableHash_88 xof_state = - libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_4a_e0( +static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_xof_51( + Eurydice_slice seeds, Eurydice_slice sampled_coefficients, + Eurydice_slice out) { + libcrux_ml_kem_hash_functions_portable_PortableHash xof_state = + libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_6e( seeds); - uint8_t randomness0[3U][504U]; - libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_4a_e0( - &xof_state, randomness0); + uint8_t randomness[3U][504U] = {{0U}}; + uint8_t randomness_blocksize[3U][168U] = {{0U}}; + libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_6e( + &xof_state, + Eurydice_array_to_slice((size_t)3U, randomness, uint8_t[504U])); bool done = libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed( - randomness0, sampled_coefficients, out); + Eurydice_array_to_slice((size_t)3U, randomness, uint8_t[504U]), + sampled_coefficients, out); while (true) { if (done) { break; } else { - uint8_t randomness[3U][168U]; - libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_4a_e0( - &xof_state, randomness); + libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_6e( + &xof_state, Eurydice_array_to_slice((size_t)3U, randomness_blocksize, + uint8_t[168U])); done = libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed0( - randomness, sampled_coefficients, out); + Eurydice_array_to_slice((size_t)3U, randomness_blocksize, + uint8_t[168U]), + sampled_coefficients, out); } } - /* Passing arrays by value in Rust generates a copy in C */ - int16_t copy_of_out[3U][272U]; - 
memcpy(copy_of_out, out, (size_t)3U * sizeof(int16_t[272U])); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret0[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - ret0[i] = libcrux_ml_kem_sampling_sample_from_xof_call_mut_e7_b3( - &lvalue, copy_of_out[i]); - } - memcpy( - ret, ret0, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); } /** A monomorphic instance of libcrux_ml_kem.matrix.sample_matrix_A with types libcrux_ml_kem_vector_avx2_SIMD256Vector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_matrix_sample_matrix_A_b3( - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 (*A_transpose)[3U], - uint8_t *seed, bool transpose) { +static KRML_MUSTINLINE void libcrux_ml_kem_matrix_sample_matrix_A_51( + Eurydice_slice A_transpose, uint8_t *seed, bool transpose) { for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { size_t i1 = i0; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); uint8_t seeds[3U][34U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - core_array__core__clone__Clone_for__Array_T__N___clone( - (size_t)34U, seed, seeds[i], uint8_t, void *); + memcpy(seeds[i], copy_of_seed, (size_t)34U * sizeof(uint8_t)); } for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t j = i; seeds[j][32U] = (uint8_t)i1; seeds[j][33U] = (uint8_t)j; } - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 sampled[3U]; - libcrux_ml_kem_sampling_sample_from_xof_b3(seeds, sampled); + size_t sampled_coefficients[3U] = {0U}; + int16_t out[3U][272U] = {{0U}}; + libcrux_ml_kem_sampling_sample_from_xof_51( + Eurydice_array_to_slice((size_t)3U, seeds, 
uint8_t[34U]), + Eurydice_array_to_slice((size_t)3U, sampled_coefficients, size_t), + Eurydice_array_to_slice((size_t)3U, out, int16_t[272U])); for (size_t i = (size_t)0U; i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)3U, sampled, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6), - libcrux_ml_kem_polynomial_PolynomialRingElement_f6); + Eurydice_array_to_slice((size_t)3U, out, int16_t[272U]), + int16_t[272U]); i++) { size_t j = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 sample = sampled[j]; + int16_t sample[272U]; + memcpy(sample, out[j], (size_t)272U * sizeof(int16_t)); if (transpose) { - A_transpose[j][i1] = sample; + Eurydice_slice uu____1 = Eurydice_array_to_subslice_to( + (size_t)272U, sample, (size_t)256U, int16_t, size_t, int16_t[]); + libcrux_ml_kem_polynomial_from_i16_array_d6_06( + uu____1, &Eurydice_slice_index( + A_transpose, j * (size_t)3U + i1, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *)); } else { - A_transpose[i1][j] = sample; + Eurydice_slice uu____2 = Eurydice_array_to_subslice_to( + (size_t)272U, sample, (size_t)256U, int16_t, size_t, int16_t[]); + libcrux_ml_kem_polynomial_from_i16_array_d6_06( + uu____2, &Eurydice_slice_index( + A_transpose, i1 * (size_t)3U + j, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *)); } } } 
@@ -6519,28 +6874,31 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_sample_matrix_A_b3( /** A monomorphic instance of libcrux_ml_kem.ind_cpa.build_unpacked_public_key_mut with types libcrux_ml_kem_vector_avx2_SIMD256Vector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 +- K_SQUARED= 9 - T_AS_NTT_ENCODED_SIZE= 1152 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_bf( +libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_fd( Eurydice_slice public_key, - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0 *unpacked_public_key) { Eurydice_slice uu____0 = Eurydice_slice_subslice_to( public_key, (size_t)1152U, uint8_t, size_t, uint8_t[]); libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_ab( - uu____0, unpacked_public_key->t_as_ntt); + uu____0, Eurydice_array_to_slice( + (size_t)3U, unpacked_public_key->t_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); Eurydice_slice seed = Eurydice_slice_subslice_from( public_key, (size_t)1152U, uint8_t, size_t, uint8_t[]); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6(*uu____1)[3U] = - unpacked_public_key->A; + Eurydice_slice uu____1 = Eurydice_array_to_slice( + (size_t)9U, unpacked_public_key->A, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6); uint8_t ret[34U]; libcrux_ml_kem_utils_into_padded_array_b6(seed, ret); - libcrux_ml_kem_matrix_sample_matrix_A_b3(uu____1, ret, false); + libcrux_ml_kem_matrix_sample_matrix_A_51(uu____1, ret, false); } /** @@ -6551,6 +6909,7 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.keys_from_private_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 
@@ -6558,7 +6917,7 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_unpacked_keys_from_private_key_2f( +libcrux_ml_kem_ind_cca_unpacked_keys_from_private_key_e2( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair) { Eurydice_slice_uint8_t_x4 uu____0 = @@ -6570,8 +6929,10 @@ libcrux_ml_kem_ind_cca_unpacked_keys_from_private_key_2f( Eurydice_slice implicit_rejection_value = uu____0.f3; libcrux_ml_kem_ind_cpa_deserialize_vector_ab( ind_cpa_secret_key, - key_pair->private_key.ind_cpa_private_key.secret_as_ntt); - libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_bf( + Eurydice_array_to_slice( + (size_t)3U, key_pair->private_key.ind_cpa_private_key.secret_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); + libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_fd( ind_cpa_public_key, &key_pair->public_key.ind_cpa_public_key); Eurydice_slice_copy( Eurydice_array_to_slice((size_t)32U, key_pair->public_key.public_key_hash, @@ -6598,6 +6959,7 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.unpacked.keypair_from_private_key with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 @@ -6605,10 +6967,10 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_keypair_from_private_key_fd( +libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_keypair_from_private_key_ce( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair) { - libcrux_ml_kem_ind_cca_unpacked_keys_from_private_key_2f(private_key, + libcrux_ml_kem_ind_cca_unpacked_keys_from_private_key_e2(private_key, key_pair); } 
@@ -6620,38 +6982,40 @@ static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_key_pair_from_private_mut( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair) { - libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_keypair_from_private_key_fd( + libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_keypair_from_private_key_ce( private_key, key_pair); } /** This function found in impl -{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} +{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.serialized_private_key_mut_11 with types +libcrux_ml_kem.ind_cca.unpacked.serialized_private_key_mut_b1 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_11_8c( +libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_b1_2f( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *self, libcrux_ml_kem_types_MlKemPrivateKey_d9 *serialized) { - libcrux_ml_kem_utils_extraction_helper_Keypair768 uu____0 = - libcrux_ml_kem_ind_cpa_serialize_unpacked_secret_key_ed( - &self->public_key.ind_cpa_public_key, - &self->private_key.ind_cpa_private_key); - uint8_t ind_cpa_private_key[1152U]; - memcpy(ind_cpa_private_key, uu____0.fst, (size_t)1152U * sizeof(uint8_t)); - uint8_t ind_cpa_public_key[1184U]; - memcpy(ind_cpa_public_key, uu____0.snd, (size_t)1184U * sizeof(uint8_t)); - libcrux_ml_kem_ind_cca_serialize_kem_secret_key_mut_d6( + uint8_t ind_cpa_private_key[1152U] = {0U}; + uint8_t ind_cpa_public_key[1184U] = {0U}; + __m256i scratch = libcrux_ml_kem_vector_avx2_ZERO_f5(); + libcrux_ml_kem_ind_cpa_serialize_unpacked_secret_key_8c( + 
&self->public_key.ind_cpa_public_key, + &self->private_key.ind_cpa_private_key, + Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t), + Eurydice_array_to_slice((size_t)1184U, ind_cpa_public_key, uint8_t), + &scratch); + libcrux_ml_kem_ind_cca_serialize_kem_secret_key_mut_1f( Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t), Eurydice_array_to_slice((size_t)1184U, ind_cpa_public_key, uint8_t), Eurydice_array_to_slice( @@ -6661,25 +7025,26 @@ libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_11_8c( /** This function found in impl -{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} +{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.serialized_private_key_11 with types +libcrux_ml_kem.ind_cca.unpacked.serialized_private_key_b1 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_types_MlKemPrivateKey_d9 -libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_11_8c( +libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_b1_2f( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *self) { libcrux_ml_kem_types_MlKemPrivateKey_d9 sk = libcrux_ml_kem_types_default_d3_28(); - libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_11_8c(self, &sk); + libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_b1_2f(self, &sk); return sk; } 
@@ -6690,7 +7055,7 @@ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_types_MlKemPrivateKey_d9 libcrux_ml_kem_mlkem768_avx2_unpacked_key_pair_serialized_private_key( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair) { - return libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_11_8c(key_pair); + return libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_b1_2f(key_pair); } /** 
@@ -6701,52 +7066,58 @@ static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_key_pair_serialized_private_key_mut( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair, libcrux_ml_kem_types_MlKemPrivateKey_d9 *serialized) { - libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_11_8c(key_pair, + libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_b1_2f(key_pair, serialized); } /** This function found in impl -{libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@1]} +{libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.serialized_dd +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.serialized_6a with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 - PUBLIC_KEY_SIZE= 1184 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_types_MlKemPublicKey_30 -libcrux_ml_kem_ind_cca_unpacked_serialized_dd_ed( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 *self) { - uint8_t ret[1184U]; - libcrux_ml_kem_ind_cpa_serialize_public_key_ed( +libcrux_ml_kem_ind_cca_unpacked_serialized_6a_ed( + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 *self) { + uint8_t public_key[1184U] = {0U}; + __m256i scratch = libcrux_ml_kem_vector_avx2_ZERO_f5(); + libcrux_ml_kem_ind_cpa_serialize_public_key_mut_ed( self->ind_cpa_public_key.t_as_ntt, Eurydice_array_to_slice((size_t)32U, self->ind_cpa_public_key.seed_for_A, uint8_t), - ret); - return libcrux_ml_kem_types_from_fd_d0(ret); + Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t), &scratch); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_public_key[1184U]; + memcpy(copy_of_public_key, public_key, (size_t)1184U * sizeof(uint8_t)); + return libcrux_ml_kem_types_from_fd_d0(copy_of_public_key); } /** This function found in impl 
-{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} +{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_11 with types +libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_b1 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 - PUBLIC_KEY_SIZE= 1184 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_types_MlKemPublicKey_30 -libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_11_ed( +libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_b1_ed( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *self) { - return libcrux_ml_kem_ind_cca_unpacked_serialized_dd_ed(&self->public_key); + return libcrux_ml_kem_ind_cca_unpacked_serialized_6a_ed(&self->public_key); } /** 
@@ -6756,51 +7127,55 @@ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_types_MlKemPublicKey_30 libcrux_ml_kem_mlkem768_avx2_unpacked_key_pair_serialized_public_key( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair) { - return libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_11_ed(key_pair); + return libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_b1_ed(key_pair); } /** This function found in impl -{libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@1]} +{libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.serialized_mut_dd +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.serialized_mut_6a with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 - PUBLIC_KEY_SIZE= 1184 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_unpacked_serialized_mut_dd_ed( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 *self, +libcrux_ml_kem_ind_cca_unpacked_serialized_mut_6a_ed( + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 *self, libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) { + __m256i scratch = libcrux_ml_kem_vector_avx2_ZERO_f5(); libcrux_ml_kem_ind_cpa_serialize_public_key_mut_ed( self->ind_cpa_public_key.t_as_ntt, Eurydice_array_to_slice((size_t)32U, self->ind_cpa_public_key.seed_for_A, uint8_t), - serialized->value); + Eurydice_array_to_slice((size_t)1184U, serialized->value, uint8_t), + &scratch); } /** This function found in impl -{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} +{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_mut_11 with types +libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_mut_b1 with types 
libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 - PUBLIC_KEY_SIZE= 1184 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_11_ed( +libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_b1_ed( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *self, libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) { - libcrux_ml_kem_ind_cca_unpacked_serialized_mut_dd_ed(&self->public_key, + libcrux_ml_kem_ind_cca_unpacked_serialized_mut_6a_ed(&self->public_key, serialized); } 
@@ -6812,25 +7187,26 @@ static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_key_pair_serialized_public_key_mut( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair, libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) { - libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_11_ed(key_pair, + libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_b1_ed(key_pair, serialized); } /** This function found in impl {core::clone::Clone for -libcrux_ml_kem::ind_cpa::unpacked::IndCpaPublicKeyUnpacked[TraitClause@0, TraitClause@2]} +libcrux_ml_kem::ind_cpa::unpacked::IndCpaPublicKeyUnpacked[TraitClause@0, TraitClause@2]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cpa.unpacked.clone_91 +A monomorphic instance of libcrux_ml_kem.ind_cpa.unpacked.clone_1c with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 -libcrux_ml_kem_ind_cpa_unpacked_clone_91_ab( - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 *self) { +static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0 +libcrux_ml_kem_ind_cpa_unpacked_clone_1c_ed( + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0 *self) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0[3U]; core_array__core__clone__Clone_for__Array_T__N___clone( (size_t)3U, self->t_as_ntt, uu____0, 
@@ -6838,39 +7214,40 @@ libcrux_ml_kem_ind_cpa_unpacked_clone_91_ab( uint8_t uu____1[32U]; core_array__core__clone__Clone_for__Array_T__N___clone( (size_t)32U, self->seed_for_A, uu____1, uint8_t, void *); - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 lit; + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_c0 lit; memcpy( lit.t_as_ntt, uu____0, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); memcpy(lit.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t)); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U][3U]; + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[9U]; core_array__core__clone__Clone_for__Array_T__N___clone( - (size_t)3U, self->A, ret, - libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U], void *); - memcpy(lit.A, ret, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U])); + (size_t)9U, self->A, ret, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6, void *); + memcpy( + lit.A, ret, + (size_t)9U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); return lit; } /** This function found in impl {core::clone::Clone for -libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@2]} +libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@2]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.clone_d7 +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.clone_86 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 -libcrux_ml_kem_ind_cca_unpacked_clone_d7_ab( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 *self) { - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 lit; +static inline libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 +libcrux_ml_kem_ind_cca_unpacked_clone_86_ed( + 
libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 *self) { + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 lit; lit.ind_cpa_public_key = - libcrux_ml_kem_ind_cpa_unpacked_clone_91_ab(&self->ind_cpa_public_key); + libcrux_ml_kem_ind_cpa_unpacked_clone_1c_ed(&self->ind_cpa_public_key); uint8_t ret[32U]; core_array__core__clone__Clone_for__Array_T__N___clone( (size_t)32U, self->public_key_hash, ret, uint8_t, void *); @@ -6880,18 +7257,19 @@ libcrux_ml_kem_ind_cca_unpacked_clone_d7_ab( /** This function found in impl -{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} +{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.public_key_11 +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.public_key_b1 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 * -libcrux_ml_kem_ind_cca_unpacked_public_key_11_ab( +static KRML_MUSTINLINE libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 * +libcrux_ml_kem_ind_cca_unpacked_public_key_b1_ed( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *self) { return &self->public_key; } 
@@ -6902,10 +7280,10 @@ libcrux_ml_kem_ind_cca_unpacked_public_key_11_ab( KRML_ATTRIBUTE_TARGET("avx2") static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_public_key( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair, - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 *pk) { - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 uu____0 = - libcrux_ml_kem_ind_cca_unpacked_clone_d7_ab( - libcrux_ml_kem_ind_cca_unpacked_public_key_11_ab(key_pair)); + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 *pk) { + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 uu____0 = + libcrux_ml_kem_ind_cca_unpacked_clone_86_ed( + libcrux_ml_kem_ind_cca_unpacked_public_key_b1_ed(key_pair)); pk[0U] = uu____0; } @@ -6914,9 +7292,9 @@ static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_public_key( */ KRML_ATTRIBUTE_TARGET("avx2") static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_serialized_public_key( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 *public_key, + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 *public_key, libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) { - libcrux_ml_kem_ind_cca_unpacked_serialized_mut_dd_ed(public_key, serialized); + libcrux_ml_kem_ind_cca_unpacked_serialized_mut_6a_ed(public_key, serialized); } /** 
@@ -6927,20 +7305,23 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.unpack_public_key with types libcrux_ml_kem_hash_functions_avx2_Simd256Hash, libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 +- K_SQUARED= 9 - T_AS_NTT_ENCODED_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_fb( +libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_6d( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 *unpacked_public_key) { Eurydice_slice uu____0 = Eurydice_array_to_subslice_to((size_t)1184U, public_key->value, (size_t)1152U, uint8_t, size_t, uint8_t[]); libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_ab( - uu____0, unpacked_public_key->ind_cpa_public_key.t_as_ntt); + uu____0, Eurydice_array_to_slice( + (size_t)3U, unpacked_public_key->ind_cpa_public_key.t_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); uint8_t uu____1[32U]; libcrux_ml_kem_utils_into_padded_array_9e( Eurydice_array_to_subslice_from((size_t)1184U, public_key->value, @@ -6949,8 +7330,9 @@ libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_fb( uu____1); memcpy(unpacked_public_key->ind_cpa_public_key.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t)); - libcrux_ml_kem_polynomial_PolynomialRingElement_f6(*uu____2)[3U] = - unpacked_public_key->ind_cpa_public_key.A; + Eurydice_slice uu____2 = Eurydice_array_to_slice( + (size_t)9U, unpacked_public_key->ind_cpa_public_key.A, + libcrux_ml_kem_polynomial_PolynomialRingElement_f6); uint8_t ret[34U]; libcrux_ml_kem_utils_into_padded_array_b6( Eurydice_array_to_subslice_from((size_t)1184U, public_key->value, 
@@ -6958,14 +7340,12 @@ libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_fb( uint8_t[]), ret); libcrux_ml_kem_matrix_sample_matrix_A_6c(uu____2, ret, false); - uint8_t uu____3[32U]; - libcrux_ml_kem_hash_functions_avx2_H_41_e0( + libcrux_ml_kem_hash_functions_avx2_H_26( Eurydice_array_to_slice((size_t)1184U, libcrux_ml_kem_types_as_slice_e6_d0(public_key), uint8_t), - uu____3); - memcpy(unpacked_public_key->public_key_hash, uu____3, - (size_t)32U * sizeof(uint8_t)); + Eurydice_array_to_slice((size_t)32U, unpacked_public_key->public_key_hash, + uint8_t)); } /** @@ -6976,16 +7356,17 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.unpacked.unpack_public_key_avx2 with const generics - K= 3 +- K_SQUARED= 9 - T_AS_NTT_ENCODED_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 */ KRML_ATTRIBUTE_TARGET("avx2") static inline void -libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_unpack_public_key_avx2_31( +libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_unpack_public_key_avx2_a5( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 *unpacked_public_key) { - libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_fb(public_key, + libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_6d(public_key, unpacked_public_key); } 
@@ -6997,16 +7378,17 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.unpacked.unpack_public_key with const generics - K= 3 +- K_SQUARED= 9 - T_AS_NTT_ENCODED_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 */ KRML_ATTRIBUTE_TARGET("avx2") static inline void -libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_unpack_public_key_31( +libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_unpack_public_key_a5( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 *unpacked_public_key) { - libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_unpack_public_key_avx2_31( + libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_unpack_public_key_avx2_a5( public_key, unpacked_public_key); } @@ -7016,13 +7398,13 @@ libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_unpack_public_key_31( KRML_ATTRIBUTE_TARGET("avx2") static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_unpacked_public_key( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 *unpacked_public_key) { - libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_unpack_public_key_31( + libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_unpack_public_key_a5( public_key, unpacked_public_key); } -typedef libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 +typedef libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_c0 libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768PublicKeyUnpacked; #define libcrux_mlkem768_avx2_H_DEFINED diff --git a/libcrux-ml-kem/extracts/cpp_header_only/generated/libcrux_mlkem768_portable.h b/libcrux-ml-kem/extracts/cpp_header_only/generated/libcrux_mlkem768_portable.h index 1d7d0e02d..61728e023 100644 --- a/libcrux-ml-kem/extracts/cpp_header_only/generated/libcrux_mlkem768_portable.h 
+++ b/libcrux-ml-kem/extracts/cpp_header_only/generated/libcrux_mlkem768_portable.h @@ -7,8 +7,8 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ #ifndef libcrux_mlkem768_portable_H 
@@ -20,19 +20,153 @@ #include "libcrux_sha3_portable.h" static inline void libcrux_ml_kem_hash_functions_portable_G( - Eurydice_slice input, uint8_t ret[64U]) { - uint8_t digest[64U] = {0U}; - libcrux_sha3_portable_sha512( - Eurydice_array_to_slice((size_t)64U, digest, uint8_t), input); - memcpy(ret, digest, (size_t)64U * sizeof(uint8_t)); + Eurydice_slice input, Eurydice_slice output) { + libcrux_sha3_portable_sha512(output, input); } static inline void libcrux_ml_kem_hash_functions_portable_H( - Eurydice_slice input, uint8_t ret[32U]) { - uint8_t digest[32U] = {0U}; - libcrux_sha3_portable_sha256( - Eurydice_array_to_slice((size_t)32U, digest, uint8_t), input); - memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); + Eurydice_slice input, Eurydice_slice output) { + libcrux_sha3_portable_sha256(output, input); +} + +static inline void libcrux_ml_kem_hash_functions_portable_PRFxN( + Eurydice_slice input, Eurydice_slice outputs, size_t out_len) { + for (size_t i = (size_t)0U; i < Eurydice_slice_len(input, uint8_t[33U]); + i++) { + size_t i0 = i; + libcrux_sha3_portable_shake256( + Eurydice_slice_subslice3(outputs, i0 * out_len, + (i0 + (size_t)1U) * out_len, uint8_t *), + Eurydice_array_to_slice( + (size_t)33U, + Eurydice_slice_index(input, i0, uint8_t[33U], uint8_t(*)[33U]), + uint8_t)); + } +} + +typedef struct libcrux_ml_kem_hash_functions_portable_PortableHash_s { + libcrux_sha3_generic_keccak_KeccakState_17 shake128_state[4U]; +} libcrux_ml_kem_hash_functions_portable_PortableHash; + +static inline libcrux_ml_kem_hash_functions_portable_PortableHash +libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final( + Eurydice_slice input) { + libcrux_sha3_generic_keccak_KeccakState_17 shake128_state[4U]; + for (size_t i = (size_t)0U; i < (size_t)4U; i++) { + shake128_state[i] = libcrux_sha3_portable_incremental_shake128_init(); + } + for (size_t i = (size_t)0U; i < Eurydice_slice_len(input, uint8_t[34U]); + i++) { + size_t i0 = i; + 
libcrux_sha3_portable_incremental_shake128_absorb_final( + &shake128_state[i0], + Eurydice_array_to_slice( + (size_t)34U, + Eurydice_slice_index(input, i0, uint8_t[34U], uint8_t(*)[34U]), + uint8_t)); + } + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_sha3_generic_keccak_KeccakState_17 copy_of_shake128_state[4U]; + memcpy(copy_of_shake128_state, shake128_state, + (size_t)4U * sizeof(libcrux_sha3_generic_keccak_KeccakState_17)); + libcrux_ml_kem_hash_functions_portable_PortableHash lit; + memcpy(lit.shake128_state, copy_of_shake128_state, + (size_t)4U * sizeof(libcrux_sha3_generic_keccak_KeccakState_17)); + return lit; +} + +static inline void +libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks( + libcrux_ml_kem_hash_functions_portable_PortableHash *st, + Eurydice_slice outputs) { + for (size_t i = (size_t)0U; i < Eurydice_slice_len(outputs, uint8_t[504U]); + i++) { + size_t i0 = i; + libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks( + &st->shake128_state[i0], + Eurydice_array_to_slice( + (size_t)504U, + Eurydice_slice_index(outputs, i0, uint8_t[504U], uint8_t(*)[504U]), + uint8_t)); + } +} + +static inline void +libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block( + libcrux_ml_kem_hash_functions_portable_PortableHash *st, + Eurydice_slice outputs) { + for (size_t i = (size_t)0U; i < Eurydice_slice_len(outputs, uint8_t[168U]); + i++) { + size_t i0 = i; + libcrux_sha3_portable_incremental_shake128_squeeze_next_block( + &st->shake128_state[i0], + Eurydice_array_to_slice( + (size_t)168U, + Eurydice_slice_index(outputs, i0, uint8_t[168U], uint8_t(*)[168U]), + uint8_t)); + } +} + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} +*/ +static inline void libcrux_ml_kem_hash_functions_portable_G_6e( + Eurydice_slice input, Eurydice_slice output) { + libcrux_ml_kem_hash_functions_portable_G(input, output); +} 
+ +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} +*/ +static inline void libcrux_ml_kem_hash_functions_portable_H_6e( + Eurydice_slice input, Eurydice_slice output) { + libcrux_ml_kem_hash_functions_portable_H(input, output); +} + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} +*/ +static inline void libcrux_ml_kem_hash_functions_portable_PRFxN_6e( + Eurydice_slice input, Eurydice_slice outputs, size_t out_len) { + libcrux_ml_kem_hash_functions_portable_PRFxN(input, outputs, out_len); +} + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} +*/ +static KRML_MUSTINLINE libcrux_ml_kem_hash_functions_portable_PortableHash +libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_6e( + Eurydice_slice input) { + return libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final( + input); +} + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} +*/ +static KRML_MUSTINLINE void +libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_6e( + libcrux_ml_kem_hash_functions_portable_PortableHash *self, + Eurydice_slice output) { + libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks( + self, output); +} + +/** +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} +*/ +static KRML_MUSTINLINE void +libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_6e( + libcrux_ml_kem_hash_functions_portable_PortableHash *self, + Eurydice_slice output) { + libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block(self, + output); } static const int16_t libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[128U] = 
@@ -90,15 +224,11 @@ typedef struct libcrux_ml_kem_vector_portable_vector_type_PortableVector_s { } libcrux_ml_kem_vector_portable_vector_type_PortableVector; static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_vector_type_from_i16_array( - Eurydice_slice array) { +libcrux_ml_kem_vector_portable_vector_type_zero(void) { libcrux_ml_kem_vector_portable_vector_type_PortableVector lit; int16_t ret[16U]; - Result_0a dst; - Eurydice_slice_to_array2( - &dst, Eurydice_slice_subslice3(array, (size_t)0U, (size_t)16U, int16_t *), - Eurydice_slice, int16_t[16U], TryFromSliceError); - unwrap_26_00(dst, ret); + int16_t buf[16U] = {0U}; + libcrux_secrets_int_public_integers_classify_27_46(buf, ret); memcpy(lit.elements, ret, (size_t)16U * sizeof(int16_t)); return lit; } 
@@ -108,9 +238,29 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_from_i16_array_b8(Eurydice_slice array) { - return libcrux_ml_kem_vector_portable_vector_type_from_i16_array( - libcrux_secrets_int_classify_public_classify_ref_9b_39(array)); +libcrux_ml_kem_vector_portable_ZERO_b8(void) { + return libcrux_ml_kem_vector_portable_vector_type_zero(); +} + +static KRML_MUSTINLINE void +libcrux_ml_kem_vector_portable_vector_type_from_i16_array( + Eurydice_slice array, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + Eurydice_slice_copy( + Eurydice_array_to_slice((size_t)16U, out->elements, int16_t), + Eurydice_slice_subslice3(array, (size_t)0U, (size_t)16U, int16_t *), + int16_t); +} + +/** +This function found in impl {libcrux_ml_kem::vector::traits::Operations for +libcrux_ml_kem::vector::portable::vector_type::PortableVector} +*/ +static inline void libcrux_ml_kem_vector_portable_from_i16_array_b8( + Eurydice_slice array, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_vector_type_from_i16_array( + libcrux_secrets_int_classify_public_classify_ref_9b_39(array), out); } typedef struct int16_t_x8_s { 
@@ -124,122 +274,131 @@ typedef struct int16_t_x8_s { int16_t f7; } int16_t_x8; -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_vector_type_zero(void) { - libcrux_ml_kem_vector_portable_vector_type_PortableVector lit; - int16_t ret[16U]; - int16_t buf[16U] = {0U}; - libcrux_secrets_int_public_integers_classify_27_46(buf, ret); - memcpy(lit.elements, ret, (size_t)16U * sizeof(int16_t)); - return lit; +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_arithmetic_add( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) { + for (size_t i = (size_t)0U; + i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { + size_t i0 = i; + size_t uu____0 = i0; + lhs->elements[uu____0] = lhs->elements[uu____0] + rhs->elements[i0]; + } } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ZERO_b8(void) { - return libcrux_ml_kem_vector_portable_vector_type_zero(); +static inline void libcrux_ml_kem_vector_portable_add_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) { + libcrux_ml_kem_vector_portable_arithmetic_add(lhs, rhs); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_arithmetic_add( - libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs, +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_arithmetic_sub( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs, libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; size_t 
uu____0 = i0; - lhs.elements[uu____0] = lhs.elements[uu____0] + rhs->elements[i0]; + lhs->elements[uu____0] = lhs->elements[uu____0] - rhs->elements[i0]; } - return lhs; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_add_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs, +static inline void libcrux_ml_kem_vector_portable_sub_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs, libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) { - return libcrux_ml_kem_vector_portable_arithmetic_add(lhs, rhs); + libcrux_ml_kem_vector_portable_arithmetic_sub(lhs, rhs); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_arithmetic_sub( - libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs, - libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) { +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_arithmetic_negate( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - size_t uu____0 = i0; - lhs.elements[uu____0] = lhs.elements[uu____0] - rhs->elements[i0]; + vec->elements[i0] = -vec->elements[i0]; } - return lhs; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_sub_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs, - libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) { - return libcrux_ml_kem_vector_portable_arithmetic_sub(lhs, rhs); +static inline void 
libcrux_ml_kem_vector_portable_negate_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec) { + libcrux_ml_kem_vector_portable_arithmetic_negate(vec); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t c) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; size_t uu____0 = i0; - vec.elements[uu____0] = vec.elements[uu____0] * c; + vec->elements[uu____0] = vec->elements[uu____0] * c; } - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_multiply_by_constant_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c) { - return libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant(vec, c); +static inline void libcrux_ml_kem_vector_portable_multiply_by_constant_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t c) { + libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant(vec, c); +} + +static KRML_MUSTINLINE void +libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t c) { + for (size_t i = (size_t)0U; + i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { + size_t i0 = i; + size_t uu____0 = i0; + vec->elements[uu____0] = vec->elements[uu____0] & c; + } +} + +/** +This function found in impl {libcrux_ml_kem::vector::traits::Operations for +libcrux_ml_kem::vector::portable::vector_type::PortableVector} +*/ +static inline void 
libcrux_ml_kem_vector_portable_bitwise_and_with_constant_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t c) { + libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant(vec, c); } /** Note: This function is not secret independent Only use with public values. */ -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_arithmetic_cond_subtract_3329( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; if (libcrux_secrets_int_public_integers_declassify_d8_39( - vec.elements[i0]) >= (int16_t)3329) { + vec->elements[i0]) >= (int16_t)3329) { size_t uu____0 = i0; - vec.elements[uu____0] = vec.elements[uu____0] - (int16_t)3329; + vec->elements[uu____0] = vec->elements[uu____0] - (int16_t)3329; } } - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_cond_subtract_3329_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { - return libcrux_ml_kem_vector_portable_arithmetic_cond_subtract_3329(v); +static inline void libcrux_ml_kem_vector_portable_cond_subtract_3329_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec) { + libcrux_ml_kem_vector_portable_arithmetic_cond_subtract_3329(vec); } #define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_MULTIPLIER \ 
@@ -276,28 +435,26 @@ libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( return value - quotient * LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS; } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int16_t vi = libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( - vec.elements[i0]); - vec.elements[i0] = vi; + vec->elements[i0]); + vec->elements[i0] = vi; } - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_barrett_reduce_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vector) { - return libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce(vector); +static inline void libcrux_ml_kem_vector_portable_barrett_reduce_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec) { + libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce(vec); } #define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT (16U) 
@@ -360,41 +517,37 @@ libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( product); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_by_constant( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t c) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - vec.elements[i0] = + vec->elements[i0] = libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( - vec.elements[i0], c); + vec->elements[i0], c); } - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +static inline void libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vector, - int16_t constant) { - return libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_by_constant( - vector, libcrux_secrets_int_public_integers_classify_27_39(constant)); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t r) { + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_by_constant( + vec, libcrux_secrets_int_public_integers_classify_27_39(r)); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, int16_t c) { - for (size_t i = (size_t)0U; - i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { - size_t i0 = i; - size_t uu____0 = i0; - vec.elements[uu____0] = vec.elements[uu____0] & c; - } - return vec; +/** +This function found in impl 
{core::clone::Clone for +libcrux_ml_kem::vector::portable::vector_type::PortableVector} +*/ +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_vector_type_clone_9c( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *self) { + return self[0U]; } /** @@ -402,26 +555,27 @@ A monomorphic instance of libcrux_ml_kem.vector.portable.arithmetic.shift_right with const generics - SHIFT_BY= 15 */ -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_arithmetic_shift_right_ef( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - vec.elements[i0] = vec.elements[i0] >> (uint32_t)(int32_t)15; + size_t uu____0 = i0; + vec->elements[uu____0] = vec->elements[uu____0] >> (uint32_t)(int32_t)15; } - return vec; } static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_arithmetic_to_unsigned_representative( libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { libcrux_ml_kem_vector_portable_vector_type_PortableVector t = - libcrux_ml_kem_vector_portable_arithmetic_shift_right_ef(a); - libcrux_ml_kem_vector_portable_vector_type_PortableVector fm = - libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant( - t, LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); - return libcrux_ml_kem_vector_portable_arithmetic_add(a, &fm); + libcrux_ml_kem_vector_portable_vector_type_clone_9c(&a); + libcrux_ml_kem_vector_portable_arithmetic_shift_right_ef(&t); + libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant( + &t, LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); + libcrux_ml_kem_vector_portable_arithmetic_add(&a, &t); + return a; } /** 
@@ -471,27 +625,24 @@ libcrux_ml_kem_vector_portable_compress_compress_message_coefficient( return libcrux_secrets_int_as_u8_f5(r1); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_compress_compress_1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_compress_compress_1( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - a.elements[i0] = libcrux_secrets_int_as_i16_59( + a->elements[i0] = libcrux_secrets_int_as_i16_59( libcrux_ml_kem_vector_portable_compress_compress_message_coefficient( - libcrux_secrets_int_as_u16_f5(a.elements[i0]))); + libcrux_secrets_int_as_u16_f5(a->elements[i0]))); } - return a; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_compress_1_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return libcrux_ml_kem_vector_portable_compress_compress_1(a); +static inline void libcrux_ml_kem_vector_portable_compress_1_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { + libcrux_ml_kem_vector_portable_compress_compress_1(a); } static KRML_MUSTINLINE uint32_t 
@@ -513,29 +664,6 @@ libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient( coefficient_bits, libcrux_secrets_int_as_u32_a3(compressed))); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_compress_decompress_1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - libcrux_ml_kem_vector_portable_vector_type_PortableVector z = - libcrux_ml_kem_vector_portable_vector_type_zero(); - libcrux_ml_kem_vector_portable_vector_type_PortableVector s = - libcrux_ml_kem_vector_portable_arithmetic_sub(z, &a); - libcrux_ml_kem_vector_portable_vector_type_PortableVector res = - libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant( - s, (int16_t)1665); - return res; -} - -/** -This function found in impl {libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::portable::vector_type::PortableVector} -*/ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_decompress_1_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return libcrux_ml_kem_vector_portable_compress_decompress_1(a); -} - static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_ntt_step( libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t zeta, size_t i, size_t j) { 
@@ -549,106 +677,98 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_ntt_step( vec->elements[i] = a_plus_t; } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_ntt_layer_1_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_ntt_layer_1_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)0U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta0, (size_t)0U, (size_t)2U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)1U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta0, (size_t)1U, (size_t)3U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)4U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta1, (size_t)4U, (size_t)6U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)5U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta1, (size_t)5U, (size_t)7U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta2, (size_t)8U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta2, (size_t)8U, (size_t)10U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta2, (size_t)9U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta2, (size_t)9U, (size_t)11U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta3, (size_t)12U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta3, (size_t)12U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta3, (size_t)13U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta3, (size_t)13U, (size_t)15U); - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline 
libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_layer_1_step_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0, +static inline void libcrux_ml_kem_vector_portable_ntt_layer_1_step_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { - return libcrux_ml_kem_vector_portable_ntt_ntt_layer_1_step(a, zeta0, zeta1, - zeta2, zeta3); + libcrux_ml_kem_vector_portable_ntt_ntt_layer_1_step(a, zeta0, zeta1, zeta2, + zeta3); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_ntt_layer_2_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_ntt_layer_2_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t zeta0, int16_t zeta1) { - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)0U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta0, (size_t)0U, (size_t)4U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)1U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta0, (size_t)1U, (size_t)5U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)2U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta0, (size_t)2U, (size_t)6U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta0, (size_t)3U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta0, (size_t)3U, (size_t)7U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)8U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta1, (size_t)8U, (size_t)12U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)9U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta1, (size_t)9U, (size_t)13U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)10U, + 
libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta1, (size_t)10U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta1, (size_t)11U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta1, (size_t)11U, (size_t)15U); - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_layer_2_step_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0, +static inline void libcrux_ml_kem_vector_portable_ntt_layer_2_step_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, int16_t zeta0, int16_t zeta1) { - return libcrux_ml_kem_vector_portable_ntt_ntt_layer_2_step(a, zeta0, zeta1); + libcrux_ml_kem_vector_portable_ntt_ntt_layer_2_step(a, zeta0, zeta1); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_ntt_layer_3_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_ntt_layer_3_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t zeta) { - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)0U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta, (size_t)0U, (size_t)8U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)1U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta, (size_t)1U, (size_t)9U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)2U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta, (size_t)2U, (size_t)10U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)3U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta, (size_t)3U, (size_t)11U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)4U, + 
libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta, (size_t)4U, (size_t)12U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)5U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta, (size_t)5U, (size_t)13U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)6U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta, (size_t)6U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_ntt_step(&vec, zeta, (size_t)7U, + libcrux_ml_kem_vector_portable_ntt_ntt_step(vec, zeta, (size_t)7U, (size_t)15U); - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_layer_3_step_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta) { - return libcrux_ml_kem_vector_portable_ntt_ntt_layer_3_step(a, zeta); +static inline void libcrux_ml_kem_vector_portable_ntt_layer_3_step_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + int16_t zeta) { + libcrux_ml_kem_vector_portable_ntt_ntt_layer_3_step(a, zeta); } static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_inv_ntt_step( 
@@ -665,107 +785,101 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_inv_ntt_step( vec->elements[j] = o1; } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_1_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)0U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta0, (size_t)0U, (size_t)2U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)1U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta0, (size_t)1U, (size_t)3U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)4U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta1, (size_t)4U, (size_t)6U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)5U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta1, (size_t)5U, (size_t)7U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta2, (size_t)8U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta2, (size_t)8U, (size_t)10U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta2, (size_t)9U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta2, (size_t)9U, (size_t)11U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta3, (size_t)12U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta3, (size_t)12U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta3, (size_t)13U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta3, (size_t)13U, (size_t)15U); - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline 
libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0, +static inline void libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { - return libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_1_step( - a, zeta0, zeta1, zeta2, zeta3); + libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_1_step(a, zeta0, zeta1, + zeta2, zeta3); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_2_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t zeta0, int16_t zeta1) { - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)0U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta0, (size_t)0U, (size_t)4U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)1U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta0, (size_t)1U, (size_t)5U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)2U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta0, (size_t)2U, (size_t)6U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta0, (size_t)3U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta0, (size_t)3U, (size_t)7U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)8U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta1, (size_t)8U, (size_t)12U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)9U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta1, (size_t)9U, (size_t)13U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)10U, + 
libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta1, (size_t)10U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta1, (size_t)11U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta1, (size_t)11U, (size_t)15U); - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0, +static inline void libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, int16_t zeta0, int16_t zeta1) { - return libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_2_step(a, zeta0, - zeta1); + libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_2_step(a, zeta0, zeta1); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_3_step( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vec, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec, int16_t zeta) { - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)0U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta, (size_t)0U, (size_t)8U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)1U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta, (size_t)1U, (size_t)9U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)2U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta, (size_t)2U, (size_t)10U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)3U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta, (size_t)3U, (size_t)11U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)4U, + 
libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta, (size_t)4U, (size_t)12U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)5U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta, (size_t)5U, (size_t)13U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)6U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta, (size_t)6U, (size_t)14U); - libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&vec, zeta, (size_t)7U, + libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(vec, zeta, (size_t)7U, (size_t)15U); - return vec; } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta) { - return libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_3_step(a, zeta); +static inline void libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_b8( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + int16_t zeta) { + libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_3_step(a, zeta); } /** 
@@ -824,89 +938,84 @@ libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( out->elements[(size_t)2U * i + (size_t)1U] = o1; } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_ntt_multiply( +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_ntt_multiply( libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs, libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { int16_t nzeta0 = -zeta0; int16_t nzeta1 = -zeta1; int16_t nzeta2 = -zeta2; int16_t nzeta3 = -zeta3; - libcrux_ml_kem_vector_portable_vector_type_PortableVector out = - libcrux_ml_kem_vector_portable_vector_type_zero(); libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( lhs, rhs, libcrux_secrets_int_public_integers_classify_27_39(zeta0), - (size_t)0U, &out); + (size_t)0U, out); libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( lhs, rhs, libcrux_secrets_int_public_integers_classify_27_39(nzeta0), - (size_t)1U, &out); + (size_t)1U, out); libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( lhs, rhs, libcrux_secrets_int_public_integers_classify_27_39(zeta1), - (size_t)2U, &out); + (size_t)2U, out); libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( lhs, rhs, libcrux_secrets_int_public_integers_classify_27_39(nzeta1), - (size_t)3U, &out); + (size_t)3U, out); libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( lhs, rhs, libcrux_secrets_int_public_integers_classify_27_39(zeta2), - (size_t)4U, &out); + (size_t)4U, out); libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( lhs, rhs, libcrux_secrets_int_public_integers_classify_27_39(nzeta2), - (size_t)5U, &out); + (size_t)5U, out); libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( lhs, rhs, libcrux_secrets_int_public_integers_classify_27_39(zeta3), - (size_t)6U, &out); + (size_t)6U, 
out); libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( lhs, rhs, libcrux_secrets_int_public_integers_classify_27_39(nzeta3), - (size_t)7U, &out); - return out; + (size_t)7U, out); } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_ntt_multiply_b8( +static inline void libcrux_ml_kem_vector_portable_ntt_multiply_b8( libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs, libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { - return libcrux_ml_kem_vector_portable_ntt_ntt_multiply(lhs, rhs, zeta0, zeta1, - zeta2, zeta3); + libcrux_ml_kem_vector_portable_ntt_ntt_multiply(lhs, rhs, out, zeta0, zeta1, + zeta2, zeta3); } static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v, - uint8_t ret[2U]) { - uint8_t result0 = - (((((((uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[0U]) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[1U]) << 1U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[2U]) << 2U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[3U]) << 3U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[4U]) << 4U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[5U]) << 5U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[6U]) << 6U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[7U]) << 7U; - uint8_t result1 = - (((((((uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[8U]) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[9U]) << 1U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[10U]) << 2U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[11U]) << 3U) | - 
(uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[12U]) << 4U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[13U]) << 5U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[14U]) << 6U) | - (uint32_t)libcrux_secrets_int_as_u8_f5(v.elements[15U]) << 7U; - ret[0U] = result0; - ret[1U] = result1; + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, + Eurydice_slice out) { + Eurydice_slice_index(out, (size_t)0U, uint8_t, uint8_t *) = + libcrux_secrets_int_public_integers_declassify_d8_90( + (((((((uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[0U]) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[1U]) << 1U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[2U]) << 2U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[3U]) << 3U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[4U]) << 4U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[5U]) << 5U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[6U]) << 6U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[7U]) << 7U); + Eurydice_slice_index(out, (size_t)1U, uint8_t, uint8_t *) = + libcrux_secrets_int_public_integers_declassify_d8_90( + (((((((uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[8U]) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[9U]) << 1U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[10U]) << 2U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[11U]) << 3U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[12U]) << 4U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[13U]) << 5U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[14U]) << 6U) | + (uint32_t)libcrux_secrets_int_as_u8_f5(v->elements[15U]) << 7U); } static inline void libcrux_ml_kem_vector_portable_serialize_1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[2U]) { - uint8_t ret0[2U]; - libcrux_ml_kem_vector_portable_serialize_serialize_1(a, ret0); - libcrux_secrets_int_public_integers_declassify_d8_d4(ret0, 
ret); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_serialize_serialize_1(a, out); } /** 
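Review bot: `libcrux_ml_kem_vector_portable_ntt_ntt_multiply` now writes into a caller-supplied `out` instead of a zero-initialised local, so the C signature no longer rules out `out` aliasing `lhs` or `rhs`; the Rust source's `&mut` borrow guarantees that for extracted callers, but a hand-written caller of this header would get silently corrupted products if `ntt_multiply_binomials` (whose body is outside the hunk) writes `out` before it has finished reading the matching `lhs`/`rhs` pair. I would state the contract above the function: `// out must not alias lhs or rhs (guaranteed by the Rust borrow checker, not by this signature).` Dropping the zero-initialisation itself is fine as far as this hunk shows, since the eight calls with indices 0–7 write `out->elements[2*i]` and `[2*i+1]`, covering all 16 elements. Similarly, `serialize_serialize_1` now writes into an `Eurydice_slice out` of runtime length, so whether a too-short `out` is caught depends on `Eurydice_slice_index`, which is not visible here; a `// Precondition: out.len >= 2` comment would make that explicit.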
@@ -914,78 +1023,78 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ static inline void libcrux_ml_kem_vector_portable_serialize_1_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[2U]) { - libcrux_ml_kem_vector_portable_serialize_1(a, ret); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_serialize_1(a, out); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_serialize_deserialize_1(Eurydice_slice v) { - int16_t result0 = libcrux_secrets_int_as_i16_59( +static KRML_MUSTINLINE void +libcrux_ml_kem_vector_portable_serialize_deserialize_1( + Eurydice_slice v, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + out->elements[0U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)0U, uint8_t, uint8_t *) & 1U); - int16_t result1 = libcrux_secrets_int_as_i16_59( + out->elements[1U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)0U, uint8_t, uint8_t *) >> 1U & 1U); - int16_t result2 = libcrux_secrets_int_as_i16_59( + out->elements[2U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)0U, uint8_t, uint8_t *) >> 2U & 1U); - int16_t result3 = libcrux_secrets_int_as_i16_59( + out->elements[3U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)0U, uint8_t, uint8_t *) >> 3U & 1U); - int16_t result4 = libcrux_secrets_int_as_i16_59( + out->elements[4U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)0U, uint8_t, uint8_t *) >> 4U & 1U); - int16_t result5 = libcrux_secrets_int_as_i16_59( + out->elements[5U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)0U, uint8_t, uint8_t *) >> 5U & 1U); - int16_t result6 = libcrux_secrets_int_as_i16_59( + 
out->elements[6U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)0U, uint8_t, uint8_t *) >> 6U & 1U); - int16_t result7 = libcrux_secrets_int_as_i16_59( + out->elements[7U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)0U, uint8_t, uint8_t *) >> 7U & 1U); - int16_t result8 = libcrux_secrets_int_as_i16_59( + out->elements[8U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)1U, uint8_t, uint8_t *) & 1U); - int16_t result9 = libcrux_secrets_int_as_i16_59( + out->elements[9U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)1U, uint8_t, uint8_t *) >> 1U & 1U); - int16_t result10 = libcrux_secrets_int_as_i16_59( + out->elements[10U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)1U, uint8_t, uint8_t *) >> 2U & 1U); - int16_t result11 = libcrux_secrets_int_as_i16_59( + out->elements[11U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)1U, uint8_t, uint8_t *) >> 3U & 1U); - int16_t result12 = libcrux_secrets_int_as_i16_59( + out->elements[12U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)1U, uint8_t, uint8_t *) >> 4U & 1U); - int16_t result13 = libcrux_secrets_int_as_i16_59( + out->elements[13U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)1U, uint8_t, uint8_t *) >> 5U & 1U); - int16_t result14 = libcrux_secrets_int_as_i16_59( + out->elements[14U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)1U, uint8_t, uint8_t *) >> 6U & 1U); - int16_t result15 = libcrux_secrets_int_as_i16_59( + out->elements[15U] = libcrux_secrets_int_as_i16_59( (uint32_t)Eurydice_slice_index(v, (size_t)1U, uint8_t, uint8_t *) >> 7U & 1U); - return (libcrux_ml_kem_vector_portable_vector_type_PortableVector{ - {result0, result1, result2, result3, result4, result5, result6, result7, - result8, result9, result10, result11, result12, result13, result14, - 
result15}}); } -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_1(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_serialize_deserialize_1( - libcrux_secrets_int_classify_public_classify_ref_9b_90(a)); +static inline void libcrux_ml_kem_vector_portable_deserialize_1( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_serialize_deserialize_1( + libcrux_secrets_int_classify_public_classify_ref_9b_90(a), out); } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_1_b8(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_deserialize_1(a); +static inline void libcrux_ml_kem_vector_portable_deserialize_1_b8( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_deserialize_1(a, out); } typedef struct uint8_t_x4_s { 
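Review bot: `libcrux_ml_kem_vector_portable_serialize_deserialize_1` reads `v` only at indices 0 and 1, but it indexes the slice sixteen times and nothing in the hunk records the minimum length it expects; whether `Eurydice_slice_index` bounds-checks is not visible here. A one-line precondition above the function would help a reader of the header: `// Precondition: v.len >= 2; only bytes 0 and 1 are read, all 16 output elements are written.` The change to an out-parameter is otherwise sound as far as the hunk shows, since every `out->elements[0..15]` is assigned, so no stale state survives in `out`. If the repeated indexing matters, the fix belongs in the Rust source (load the two bytes into locals once), not in this extracted file.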
@@ -1017,37 +1126,43 @@ libcrux_ml_kem_vector_portable_serialize_serialize_4_int(Eurydice_slice v) { << 4U | (uint32_t)libcrux_secrets_int_as_u8_f5(Eurydice_slice_index( v, (size_t)6U, int16_t, int16_t *)); - return (uint8_t_x4{result0, result1, result2, result3}); + return (uint8_t_x4{ + libcrux_secrets_int_public_integers_declassify_d8_90(result0), + libcrux_secrets_int_public_integers_declassify_d8_90(result1), + libcrux_secrets_int_public_integers_declassify_d8_90(result2), + libcrux_secrets_int_public_integers_declassify_d8_90(result3)}); } static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_4( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v, - uint8_t ret[8U]) { - uint8_t_x4 result0_3 = - libcrux_ml_kem_vector_portable_serialize_serialize_4_int( - Eurydice_array_to_subslice3(v.elements, (size_t)0U, (size_t)8U, - int16_t *)); - uint8_t_x4 result4_7 = - libcrux_ml_kem_vector_portable_serialize_serialize_4_int( - Eurydice_array_to_subslice3(v.elements, (size_t)8U, (size_t)16U, - int16_t *)); - ret[0U] = result0_3.fst; - ret[1U] = result0_3.snd; - ret[2U] = result0_3.thd; - ret[3U] = result0_3.f3; - ret[4U] = result4_7.fst; - ret[5U] = result4_7.snd; - ret[6U] = result4_7.thd; - ret[7U] = result4_7.f3; + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, + Eurydice_slice out) { + uint8_t_x4 uu____0 = libcrux_ml_kem_vector_portable_serialize_serialize_4_int( + Eurydice_array_to_subslice3(v->elements, (size_t)0U, (size_t)8U, + int16_t *)); + uint8_t uu____1 = uu____0.snd; + uint8_t uu____2 = uu____0.thd; + uint8_t uu____3 = uu____0.f3; + Eurydice_slice_index(out, (size_t)0U, uint8_t, uint8_t *) = uu____0.fst; + Eurydice_slice_index(out, (size_t)1U, uint8_t, uint8_t *) = uu____1; + Eurydice_slice_index(out, (size_t)2U, uint8_t, uint8_t *) = uu____2; + Eurydice_slice_index(out, (size_t)3U, uint8_t, uint8_t *) = uu____3; + uint8_t_x4 uu____4 = libcrux_ml_kem_vector_portable_serialize_serialize_4_int( + 
Eurydice_array_to_subslice3(v->elements, (size_t)8U, (size_t)16U, + int16_t *)); + uint8_t uu____5 = uu____4.snd; + uint8_t uu____6 = uu____4.thd; + uint8_t uu____7 = uu____4.f3; + Eurydice_slice_index(out, (size_t)4U, uint8_t, uint8_t *) = uu____4.fst; + Eurydice_slice_index(out, (size_t)5U, uint8_t, uint8_t *) = uu____5; + Eurydice_slice_index(out, (size_t)6U, uint8_t, uint8_t *) = uu____6; + Eurydice_slice_index(out, (size_t)7U, uint8_t, uint8_t *) = uu____7; } static inline void libcrux_ml_kem_vector_portable_serialize_4( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[8U]) { - uint8_t ret0[8U]; - libcrux_ml_kem_vector_portable_serialize_serialize_4(a, ret0); - libcrux_secrets_int_public_integers_declassify_d8_76(ret0, ret); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_serialize_serialize_4(a, out); } /** @@ -1055,9 +1170,9 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ static inline void libcrux_ml_kem_vector_portable_serialize_4_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[8U]) { - libcrux_ml_kem_vector_portable_serialize_4(a, ret); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_serialize_4(a, out); } static KRML_MUSTINLINE int16_t_x8 
@@ -1094,31 +1209,63 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_4_int( return (int16_t_x8{v0, v1, v2, v3, v4, v5, v6, v7}); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_serialize_deserialize_4(Eurydice_slice bytes) { - int16_t_x8 v0_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_4_int( - Eurydice_slice_subslice3(bytes, (size_t)0U, (size_t)4U, uint8_t *)); - int16_t_x8 v8_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_4_int( - Eurydice_slice_subslice3(bytes, (size_t)4U, (size_t)8U, uint8_t *)); - return (libcrux_ml_kem_vector_portable_vector_type_PortableVector{ - {v0_7.fst, v0_7.snd, v0_7.thd, v0_7.f3, v0_7.f4, v0_7.f5, v0_7.f6, - v0_7.f7, v8_15.fst, v8_15.snd, v8_15.thd, v8_15.f3, v8_15.f4, v8_15.f5, - v8_15.f6, v8_15.f7}}); -} - -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_4(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_serialize_deserialize_4( - libcrux_secrets_int_classify_public_classify_ref_9b_90(a)); +static KRML_MUSTINLINE void +libcrux_ml_kem_vector_portable_serialize_deserialize_4( + Eurydice_slice bytes, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + int16_t_x8 uu____0 = + libcrux_ml_kem_vector_portable_serialize_deserialize_4_int( + Eurydice_slice_subslice3(bytes, (size_t)0U, (size_t)4U, uint8_t *)); + int16_t uu____1 = uu____0.snd; + int16_t uu____2 = uu____0.thd; + int16_t uu____3 = uu____0.f3; + int16_t uu____4 = uu____0.f4; + int16_t uu____5 = uu____0.f5; + int16_t uu____6 = uu____0.f6; + int16_t uu____7 = uu____0.f7; + out->elements[0U] = uu____0.fst; + out->elements[1U] = uu____1; + out->elements[2U] = uu____2; + out->elements[3U] = uu____3; + out->elements[4U] = uu____4; + out->elements[5U] = uu____5; + out->elements[6U] = uu____6; + out->elements[7U] = uu____7; + int16_t_x8 uu____8 = + 
libcrux_ml_kem_vector_portable_serialize_deserialize_4_int( + Eurydice_slice_subslice3(bytes, (size_t)4U, (size_t)8U, uint8_t *)); + int16_t uu____9 = uu____8.snd; + int16_t uu____10 = uu____8.thd; + int16_t uu____11 = uu____8.f3; + int16_t uu____12 = uu____8.f4; + int16_t uu____13 = uu____8.f5; + int16_t uu____14 = uu____8.f6; + int16_t uu____15 = uu____8.f7; + out->elements[8U] = uu____8.fst; + out->elements[9U] = uu____9; + out->elements[10U] = uu____10; + out->elements[11U] = uu____11; + out->elements[12U] = uu____12; + out->elements[13U] = uu____13; + out->elements[14U] = uu____14; + out->elements[15U] = uu____15; +} + +static inline void libcrux_ml_kem_vector_portable_deserialize_4( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_serialize_deserialize_4( + libcrux_secrets_int_classify_public_classify_ref_9b_90(a), out); } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_4_b8(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_deserialize_4(a); +static inline void libcrux_ml_kem_vector_portable_deserialize_4_b8( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_deserialize_4(a, out); } typedef struct uint8_t_x5_s { 
@@ -1157,53 +1304,75 @@ libcrux_ml_kem_vector_portable_serialize_serialize_10_int(Eurydice_slice v) { uint8_t r4 = libcrux_secrets_int_as_u8_f5( Eurydice_slice_index(v, (size_t)3U, int16_t, int16_t *) >> 2U & (int16_t)255); - return (uint8_t_x5{r0, r1, r2, r3, r4}); + return (uint8_t_x5{libcrux_secrets_int_public_integers_declassify_d8_90(r0), + libcrux_secrets_int_public_integers_declassify_d8_90(r1), + libcrux_secrets_int_public_integers_declassify_d8_90(r2), + libcrux_secrets_int_public_integers_declassify_d8_90(r3), + libcrux_secrets_int_public_integers_declassify_d8_90(r4)}); } static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_10( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v, - uint8_t ret[20U]) { - uint8_t_x5 r0_4 = libcrux_ml_kem_vector_portable_serialize_serialize_10_int( - Eurydice_array_to_subslice3(v.elements, (size_t)0U, (size_t)4U, - int16_t *)); - uint8_t_x5 r5_9 = libcrux_ml_kem_vector_portable_serialize_serialize_10_int( - Eurydice_array_to_subslice3(v.elements, (size_t)4U, (size_t)8U, - int16_t *)); - uint8_t_x5 r10_14 = libcrux_ml_kem_vector_portable_serialize_serialize_10_int( - Eurydice_array_to_subslice3(v.elements, (size_t)8U, (size_t)12U, - int16_t *)); - uint8_t_x5 r15_19 = libcrux_ml_kem_vector_portable_serialize_serialize_10_int( - Eurydice_array_to_subslice3(v.elements, (size_t)12U, (size_t)16U, - int16_t *)); - ret[0U] = r0_4.fst; - ret[1U] = r0_4.snd; - ret[2U] = r0_4.thd; - ret[3U] = r0_4.f3; - ret[4U] = r0_4.f4; - ret[5U] = r5_9.fst; - ret[6U] = r5_9.snd; - ret[7U] = r5_9.thd; - ret[8U] = r5_9.f3; - ret[9U] = r5_9.f4; - ret[10U] = r10_14.fst; - ret[11U] = r10_14.snd; - ret[12U] = r10_14.thd; - ret[13U] = r10_14.f3; - ret[14U] = r10_14.f4; - ret[15U] = r15_19.fst; - ret[16U] = r15_19.snd; - ret[17U] = r15_19.thd; - ret[18U] = r15_19.f3; - ret[19U] = r15_19.f4; + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, + Eurydice_slice out) { + uint8_t_x5 uu____0 = + 
libcrux_ml_kem_vector_portable_serialize_serialize_10_int( + Eurydice_array_to_subslice3(v->elements, (size_t)0U, (size_t)4U, + int16_t *)); + uint8_t uu____1 = uu____0.snd; + uint8_t uu____2 = uu____0.thd; + uint8_t uu____3 = uu____0.f3; + uint8_t uu____4 = uu____0.f4; + Eurydice_slice_index(out, (size_t)0U, uint8_t, uint8_t *) = uu____0.fst; + Eurydice_slice_index(out, (size_t)1U, uint8_t, uint8_t *) = uu____1; + Eurydice_slice_index(out, (size_t)2U, uint8_t, uint8_t *) = uu____2; + Eurydice_slice_index(out, (size_t)3U, uint8_t, uint8_t *) = uu____3; + Eurydice_slice_index(out, (size_t)4U, uint8_t, uint8_t *) = uu____4; + uint8_t_x5 uu____5 = + libcrux_ml_kem_vector_portable_serialize_serialize_10_int( + Eurydice_array_to_subslice3(v->elements, (size_t)4U, (size_t)8U, + int16_t *)); + uint8_t uu____6 = uu____5.snd; + uint8_t uu____7 = uu____5.thd; + uint8_t uu____8 = uu____5.f3; + uint8_t uu____9 = uu____5.f4; + Eurydice_slice_index(out, (size_t)5U, uint8_t, uint8_t *) = uu____5.fst; + Eurydice_slice_index(out, (size_t)6U, uint8_t, uint8_t *) = uu____6; + Eurydice_slice_index(out, (size_t)7U, uint8_t, uint8_t *) = uu____7; + Eurydice_slice_index(out, (size_t)8U, uint8_t, uint8_t *) = uu____8; + Eurydice_slice_index(out, (size_t)9U, uint8_t, uint8_t *) = uu____9; + uint8_t_x5 uu____10 = + libcrux_ml_kem_vector_portable_serialize_serialize_10_int( + Eurydice_array_to_subslice3(v->elements, (size_t)8U, (size_t)12U, + int16_t *)); + uint8_t uu____11 = uu____10.snd; + uint8_t uu____12 = uu____10.thd; + uint8_t uu____13 = uu____10.f3; + uint8_t uu____14 = uu____10.f4; + Eurydice_slice_index(out, (size_t)10U, uint8_t, uint8_t *) = uu____10.fst; + Eurydice_slice_index(out, (size_t)11U, uint8_t, uint8_t *) = uu____11; + Eurydice_slice_index(out, (size_t)12U, uint8_t, uint8_t *) = uu____12; + Eurydice_slice_index(out, (size_t)13U, uint8_t, uint8_t *) = uu____13; + Eurydice_slice_index(out, (size_t)14U, uint8_t, uint8_t *) = uu____14; + uint8_t_x5 uu____15 = + 
libcrux_ml_kem_vector_portable_serialize_serialize_10_int( + Eurydice_array_to_subslice3(v->elements, (size_t)12U, (size_t)16U, + int16_t *)); + uint8_t uu____16 = uu____15.snd; + uint8_t uu____17 = uu____15.thd; + uint8_t uu____18 = uu____15.f3; + uint8_t uu____19 = uu____15.f4; + Eurydice_slice_index(out, (size_t)15U, uint8_t, uint8_t *) = uu____15.fst; + Eurydice_slice_index(out, (size_t)16U, uint8_t, uint8_t *) = uu____16; + Eurydice_slice_index(out, (size_t)17U, uint8_t, uint8_t *) = uu____17; + Eurydice_slice_index(out, (size_t)18U, uint8_t, uint8_t *) = uu____18; + Eurydice_slice_index(out, (size_t)19U, uint8_t, uint8_t *) = uu____19; } static inline void libcrux_ml_kem_vector_portable_serialize_10( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[20U]) { - uint8_t ret0[20U]; - libcrux_ml_kem_vector_portable_serialize_serialize_10(a, ret0); - libcrux_secrets_int_public_integers_declassify_d8_57(ret0, ret); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_serialize_serialize_10(a, out); } /** @@ -1211,9 +1380,9 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ static inline void libcrux_ml_kem_vector_portable_serialize_10_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[20U]) { - libcrux_ml_kem_vector_portable_serialize_10(a, ret); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_serialize_10(a, out); } static KRML_MUSTINLINE int16_t_x8 
@@ -1284,32 +1453,63 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_10_int( return (int16_t_x8{r0, r1, r2, r3, r4, r5, r6, r7}); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_serialize_deserialize_10(Eurydice_slice bytes) { - int16_t_x8 v0_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_10_int( - Eurydice_slice_subslice3(bytes, (size_t)0U, (size_t)10U, uint8_t *)); - int16_t_x8 v8_15 = +static KRML_MUSTINLINE void +libcrux_ml_kem_vector_portable_serialize_deserialize_10( + Eurydice_slice bytes, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + int16_t_x8 uu____0 = + libcrux_ml_kem_vector_portable_serialize_deserialize_10_int( + Eurydice_slice_subslice3(bytes, (size_t)0U, (size_t)10U, uint8_t *)); + int16_t uu____1 = uu____0.snd; + int16_t uu____2 = uu____0.thd; + int16_t uu____3 = uu____0.f3; + int16_t uu____4 = uu____0.f4; + int16_t uu____5 = uu____0.f5; + int16_t uu____6 = uu____0.f6; + int16_t uu____7 = uu____0.f7; + out->elements[0U] = uu____0.fst; + out->elements[1U] = uu____1; + out->elements[2U] = uu____2; + out->elements[3U] = uu____3; + out->elements[4U] = uu____4; + out->elements[5U] = uu____5; + out->elements[6U] = uu____6; + out->elements[7U] = uu____7; + int16_t_x8 uu____8 = libcrux_ml_kem_vector_portable_serialize_deserialize_10_int( Eurydice_slice_subslice3(bytes, (size_t)10U, (size_t)20U, uint8_t *)); - return (libcrux_ml_kem_vector_portable_vector_type_PortableVector{ - {v0_7.fst, v0_7.snd, v0_7.thd, v0_7.f3, v0_7.f4, v0_7.f5, v0_7.f6, - v0_7.f7, v8_15.fst, v8_15.snd, v8_15.thd, v8_15.f3, v8_15.f4, v8_15.f5, - v8_15.f6, v8_15.f7}}); -} - -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_10(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_serialize_deserialize_10( - libcrux_secrets_int_classify_public_classify_ref_9b_90(a)); + int16_t uu____9 = uu____8.snd; + int16_t 
uu____10 = uu____8.thd; + int16_t uu____11 = uu____8.f3; + int16_t uu____12 = uu____8.f4; + int16_t uu____13 = uu____8.f5; + int16_t uu____14 = uu____8.f6; + int16_t uu____15 = uu____8.f7; + out->elements[8U] = uu____8.fst; + out->elements[9U] = uu____9; + out->elements[10U] = uu____10; + out->elements[11U] = uu____11; + out->elements[12U] = uu____12; + out->elements[13U] = uu____13; + out->elements[14U] = uu____14; + out->elements[15U] = uu____15; +} + +static inline void libcrux_ml_kem_vector_portable_deserialize_10( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_serialize_deserialize_10( + libcrux_secrets_int_classify_public_classify_ref_9b_90(a), out); } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_10_b8(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_deserialize_10(a); +static inline void libcrux_ml_kem_vector_portable_deserialize_10_b8( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_deserialize_10(a, out); } typedef struct uint8_t_x3_s { 
@@ -1329,69 +1529,93 @@ libcrux_ml_kem_vector_portable_serialize_serialize_12_int(Eurydice_slice v) { uint8_t r2 = libcrux_secrets_int_as_u8_f5( Eurydice_slice_index(v, (size_t)1U, int16_t, int16_t *) >> 4U & (int16_t)255); - return (uint8_t_x3{r0, r1, r2}); + return (uint8_t_x3{libcrux_secrets_int_public_integers_declassify_d8_90(r0), + libcrux_secrets_int_public_integers_declassify_d8_90(r1), + libcrux_secrets_int_public_integers_declassify_d8_90(r2)}); } static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_12( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v, - uint8_t ret[24U]) { - uint8_t_x3 r0_2 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice3(v.elements, (size_t)0U, (size_t)2U, - int16_t *)); - uint8_t_x3 r3_5 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice3(v.elements, (size_t)2U, (size_t)4U, - int16_t *)); - uint8_t_x3 r6_8 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice3(v.elements, (size_t)4U, (size_t)6U, - int16_t *)); - uint8_t_x3 r9_11 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice3(v.elements, (size_t)6U, (size_t)8U, - int16_t *)); - uint8_t_x3 r12_14 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice3(v.elements, (size_t)8U, (size_t)10U, - int16_t *)); - uint8_t_x3 r15_17 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice3(v.elements, (size_t)10U, (size_t)12U, - int16_t *)); - uint8_t_x3 r18_20 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice3(v.elements, (size_t)12U, (size_t)14U, - int16_t *)); - uint8_t_x3 r21_23 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice3(v.elements, (size_t)14U, (size_t)16U, - int16_t *)); - ret[0U] = r0_2.fst; - ret[1U] = r0_2.snd; - ret[2U] = r0_2.thd; - 
ret[3U] = r3_5.fst; - ret[4U] = r3_5.snd; - ret[5U] = r3_5.thd; - ret[6U] = r6_8.fst; - ret[7U] = r6_8.snd; - ret[8U] = r6_8.thd; - ret[9U] = r9_11.fst; - ret[10U] = r9_11.snd; - ret[11U] = r9_11.thd; - ret[12U] = r12_14.fst; - ret[13U] = r12_14.snd; - ret[14U] = r12_14.thd; - ret[15U] = r15_17.fst; - ret[16U] = r15_17.snd; - ret[17U] = r15_17.thd; - ret[18U] = r18_20.fst; - ret[19U] = r18_20.snd; - ret[20U] = r18_20.thd; - ret[21U] = r21_23.fst; - ret[22U] = r21_23.snd; - ret[23U] = r21_23.thd; + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, + Eurydice_slice out) { + uint8_t_x3 uu____0 = + libcrux_ml_kem_vector_portable_serialize_serialize_12_int( + Eurydice_array_to_subslice3(v->elements, (size_t)0U, (size_t)2U, + int16_t *)); + uint8_t uu____1 = uu____0.snd; + uint8_t uu____2 = uu____0.thd; + Eurydice_slice_index(out, (size_t)0U, uint8_t, uint8_t *) = uu____0.fst; + Eurydice_slice_index(out, (size_t)1U, uint8_t, uint8_t *) = uu____1; + Eurydice_slice_index(out, (size_t)2U, uint8_t, uint8_t *) = uu____2; + uint8_t_x3 uu____3 = + libcrux_ml_kem_vector_portable_serialize_serialize_12_int( + Eurydice_array_to_subslice3(v->elements, (size_t)2U, (size_t)4U, + int16_t *)); + uint8_t uu____4 = uu____3.snd; + uint8_t uu____5 = uu____3.thd; + Eurydice_slice_index(out, (size_t)3U, uint8_t, uint8_t *) = uu____3.fst; + Eurydice_slice_index(out, (size_t)4U, uint8_t, uint8_t *) = uu____4; + Eurydice_slice_index(out, (size_t)5U, uint8_t, uint8_t *) = uu____5; + uint8_t_x3 uu____6 = + libcrux_ml_kem_vector_portable_serialize_serialize_12_int( + Eurydice_array_to_subslice3(v->elements, (size_t)4U, (size_t)6U, + int16_t *)); + uint8_t uu____7 = uu____6.snd; + uint8_t uu____8 = uu____6.thd; + Eurydice_slice_index(out, (size_t)6U, uint8_t, uint8_t *) = uu____6.fst; + Eurydice_slice_index(out, (size_t)7U, uint8_t, uint8_t *) = uu____7; + Eurydice_slice_index(out, (size_t)8U, uint8_t, uint8_t *) = uu____8; + uint8_t_x3 uu____9 = + 
libcrux_ml_kem_vector_portable_serialize_serialize_12_int( + Eurydice_array_to_subslice3(v->elements, (size_t)6U, (size_t)8U, + int16_t *)); + uint8_t uu____10 = uu____9.snd; + uint8_t uu____11 = uu____9.thd; + Eurydice_slice_index(out, (size_t)9U, uint8_t, uint8_t *) = uu____9.fst; + Eurydice_slice_index(out, (size_t)10U, uint8_t, uint8_t *) = uu____10; + Eurydice_slice_index(out, (size_t)11U, uint8_t, uint8_t *) = uu____11; + uint8_t_x3 uu____12 = + libcrux_ml_kem_vector_portable_serialize_serialize_12_int( + Eurydice_array_to_subslice3(v->elements, (size_t)8U, (size_t)10U, + int16_t *)); + uint8_t uu____13 = uu____12.snd; + uint8_t uu____14 = uu____12.thd; + Eurydice_slice_index(out, (size_t)12U, uint8_t, uint8_t *) = uu____12.fst; + Eurydice_slice_index(out, (size_t)13U, uint8_t, uint8_t *) = uu____13; + Eurydice_slice_index(out, (size_t)14U, uint8_t, uint8_t *) = uu____14; + uint8_t_x3 uu____15 = + libcrux_ml_kem_vector_portable_serialize_serialize_12_int( + Eurydice_array_to_subslice3(v->elements, (size_t)10U, (size_t)12U, + int16_t *)); + uint8_t uu____16 = uu____15.snd; + uint8_t uu____17 = uu____15.thd; + Eurydice_slice_index(out, (size_t)15U, uint8_t, uint8_t *) = uu____15.fst; + Eurydice_slice_index(out, (size_t)16U, uint8_t, uint8_t *) = uu____16; + Eurydice_slice_index(out, (size_t)17U, uint8_t, uint8_t *) = uu____17; + uint8_t_x3 uu____18 = + libcrux_ml_kem_vector_portable_serialize_serialize_12_int( + Eurydice_array_to_subslice3(v->elements, (size_t)12U, (size_t)14U, + int16_t *)); + uint8_t uu____19 = uu____18.snd; + uint8_t uu____20 = uu____18.thd; + Eurydice_slice_index(out, (size_t)18U, uint8_t, uint8_t *) = uu____18.fst; + Eurydice_slice_index(out, (size_t)19U, uint8_t, uint8_t *) = uu____19; + Eurydice_slice_index(out, (size_t)20U, uint8_t, uint8_t *) = uu____20; + uint8_t_x3 uu____21 = + libcrux_ml_kem_vector_portable_serialize_serialize_12_int( + Eurydice_array_to_subslice3(v->elements, (size_t)14U, (size_t)16U, + int16_t *)); + uint8_t 
uu____22 = uu____21.snd; + uint8_t uu____23 = uu____21.thd; + Eurydice_slice_index(out, (size_t)21U, uint8_t, uint8_t *) = uu____21.fst; + Eurydice_slice_index(out, (size_t)22U, uint8_t, uint8_t *) = uu____22; + Eurydice_slice_index(out, (size_t)23U, uint8_t, uint8_t *) = uu____23; } static inline void libcrux_ml_kem_vector_portable_serialize_12( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[24U]) { - uint8_t ret0[24U]; - libcrux_ml_kem_vector_portable_serialize_serialize_12(a, ret0); - libcrux_secrets_int_public_integers_declassify_d8_d2(ret0, ret); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_serialize_serialize_12(a, out); } /** @@ -1399,9 +1623,9 @@ This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ static inline void libcrux_ml_kem_vector_portable_serialize_12_b8( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - uint8_t ret[24U]) { - libcrux_ml_kem_vector_portable_serialize_12(a, ret); + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + Eurydice_slice out) { + libcrux_ml_kem_vector_portable_serialize_12(a, out); } typedef struct int16_t_x2_s { 
@@ -1423,46 +1647,75 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( return (int16_t_x2{r0, r1}); } -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_serialize_deserialize_12(Eurydice_slice bytes) { - int16_t_x2 v0_1 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice3(bytes, (size_t)0U, (size_t)3U, uint8_t *)); - int16_t_x2 v2_3 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice3(bytes, (size_t)3U, (size_t)6U, uint8_t *)); - int16_t_x2 v4_5 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice3(bytes, (size_t)6U, (size_t)9U, uint8_t *)); - int16_t_x2 v6_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice3(bytes, (size_t)9U, (size_t)12U, uint8_t *)); - int16_t_x2 v8_9 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice3(bytes, (size_t)12U, (size_t)15U, uint8_t *)); - int16_t_x2 v10_11 = +static KRML_MUSTINLINE void +libcrux_ml_kem_vector_portable_serialize_deserialize_12( + Eurydice_slice bytes, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + int16_t_x2 uu____0 = + libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( + Eurydice_slice_subslice3(bytes, (size_t)0U, (size_t)3U, uint8_t *)); + int16_t uu____1 = uu____0.snd; + out->elements[0U] = uu____0.fst; + out->elements[1U] = uu____1; + int16_t_x2 uu____2 = + libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( + Eurydice_slice_subslice3(bytes, (size_t)3U, (size_t)6U, uint8_t *)); + int16_t uu____3 = uu____2.snd; + out->elements[2U] = uu____2.fst; + out->elements[3U] = uu____3; + int16_t_x2 uu____4 = + libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( + Eurydice_slice_subslice3(bytes, (size_t)6U, (size_t)9U, uint8_t *)); + int16_t uu____5 = uu____4.snd; + out->elements[4U] = uu____4.fst; + out->elements[5U] 
= uu____5; + int16_t_x2 uu____6 = + libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( + Eurydice_slice_subslice3(bytes, (size_t)9U, (size_t)12U, uint8_t *)); + int16_t uu____7 = uu____6.snd; + out->elements[6U] = uu____6.fst; + out->elements[7U] = uu____7; + int16_t_x2 uu____8 = + libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( + Eurydice_slice_subslice3(bytes, (size_t)12U, (size_t)15U, uint8_t *)); + int16_t uu____9 = uu____8.snd; + out->elements[8U] = uu____8.fst; + out->elements[9U] = uu____9; + int16_t_x2 uu____10 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( Eurydice_slice_subslice3(bytes, (size_t)15U, (size_t)18U, uint8_t *)); - int16_t_x2 v12_13 = + int16_t uu____11 = uu____10.snd; + out->elements[10U] = uu____10.fst; + out->elements[11U] = uu____11; + int16_t_x2 uu____12 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( Eurydice_slice_subslice3(bytes, (size_t)18U, (size_t)21U, uint8_t *)); - int16_t_x2 v14_15 = + int16_t uu____13 = uu____12.snd; + out->elements[12U] = uu____12.fst; + out->elements[13U] = uu____13; + int16_t_x2 uu____14 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( Eurydice_slice_subslice3(bytes, (size_t)21U, (size_t)24U, uint8_t *)); - return (libcrux_ml_kem_vector_portable_vector_type_PortableVector{ - {v0_1.fst, v0_1.snd, v2_3.fst, v2_3.snd, v4_5.fst, v4_5.snd, v6_7.fst, - v6_7.snd, v8_9.fst, v8_9.snd, v10_11.fst, v10_11.snd, v12_13.fst, - v12_13.snd, v14_15.fst, v14_15.snd}}); + int16_t uu____15 = uu____14.snd; + out->elements[14U] = uu____14.fst; + out->elements[15U] = uu____15; } -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_12(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_serialize_deserialize_12( - libcrux_secrets_int_classify_public_classify_ref_9b_90(a)); +static inline void libcrux_ml_kem_vector_portable_deserialize_12( + Eurydice_slice a, + 
libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_serialize_deserialize_12( + libcrux_secrets_int_classify_public_classify_ref_9b_90(a), out); } /** This function found in impl {libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::portable::vector_type::PortableVector} */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_deserialize_12_b8(Eurydice_slice a) { - return libcrux_ml_kem_vector_portable_deserialize_12(a); +static inline void libcrux_ml_kem_vector_portable_deserialize_12_b8( + Eurydice_slice a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_deserialize_12(a, out); } static KRML_MUSTINLINE size_t @@ -1472,8 +1725,8 @@ libcrux_ml_kem_vector_portable_sampling_rej_sample(Eurydice_slice a, for (size_t i = (size_t)0U; i < Eurydice_slice_len(a, uint8_t) / (size_t)3U; i++) { size_t i0 = i; - int16_t b1 = (int16_t)Eurydice_slice_index(a, i0 * (size_t)3U + (size_t)0U, - uint8_t, uint8_t *); + int16_t b1 = + (int16_t)Eurydice_slice_index(a, i0 * (size_t)3U, uint8_t, uint8_t *); int16_t b2 = (int16_t)Eurydice_slice_index(a, i0 * (size_t)3U + (size_t)1U, uint8_t, uint8_t *); int16_t b3 = (int16_t)Eurydice_slice_index(a, i0 * (size_t)3U + (size_t)2U, 
@@ -1558,10 +1811,19 @@ typedef libcrux_ml_kem_types_MlKemPrivateKey_d9 typedef libcrux_ml_kem_types_MlKemPublicKey_30 libcrux_ml_kem_mlkem768_MlKem768PublicKey; +#define LIBCRUX_ML_KEM_MLKEM768_PRF_OUTPUT_SIZE1 \ + (LIBCRUX_ML_KEM_MLKEM768_ETA1_RANDOMNESS_SIZE * LIBCRUX_ML_KEM_MLKEM768_RANK) + +#define LIBCRUX_ML_KEM_MLKEM768_PRF_OUTPUT_SIZE2 \ + (LIBCRUX_ML_KEM_MLKEM768_ETA2_RANDOMNESS_SIZE * LIBCRUX_ML_KEM_MLKEM768_RANK) + #define LIBCRUX_ML_KEM_MLKEM768_RANKED_BYTES_PER_RING_ELEMENT \ (LIBCRUX_ML_KEM_MLKEM768_RANK * \ LIBCRUX_ML_KEM_CONSTANTS_BITS_PER_RING_ELEMENT / (size_t)8U) +#define LIBCRUX_ML_KEM_MLKEM768_RANK_SQUARED \ + (LIBCRUX_ML_KEM_MLKEM768_RANK * LIBCRUX_ML_KEM_MLKEM768_RANK) + #define LIBCRUX_ML_KEM_MLKEM768_SECRET_KEY_SIZE \ (LIBCRUX_ML_KEM_MLKEM768_CPA_PKE_SECRET_KEY_SIZE + \ LIBCRUX_ML_KEM_MLKEM768_CPA_PKE_PUBLIC_KEY_SIZE + \ @@ -1577,16 +1839,6 @@ typedef struct libcrux_ml_kem_polynomial_PolynomialRingElement_1d_s { libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficients[16U]; } libcrux_ml_kem_polynomial_PolynomialRingElement_1d; -/** -A monomorphic instance of -libcrux_ml_kem.ind_cpa.unpacked.IndCpaPrivateKeyUnpacked with types -libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics -- $3size_t -*/ -typedef struct libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0_s { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d secret_as_ntt[3U]; -} libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0; - /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, @@ -1599,7 +1851,7 @@ with const generics */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_polynomial_ZERO_d6_ea(void) { +libcrux_ml_kem_polynomial_ZERO_d6_df(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d lit; libcrux_ml_kem_vector_portable_vector_type_PortableVector repeat_expression[16U]; 
@@ -1612,6 +1864,16 @@ libcrux_ml_kem_polynomial_ZERO_d6_ea(void) { return lit; } +/** +A monomorphic instance of +libcrux_ml_kem.ind_cpa.unpacked.IndCpaPrivateKeyUnpacked with types +libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics +- $3size_t +*/ +typedef struct libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0_s { + libcrux_ml_kem_polynomial_PolynomialRingElement_1d secret_as_ntt[3U]; +} libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0; + /** This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, @@ -1631,7 +1893,7 @@ with const generics */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d libcrux_ml_kem_ind_cpa_decrypt_call_mut_0b_42(void **_, size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_ea(); + return libcrux_ml_kem_polynomial_ZERO_d6_df(); } /** 
@@ -1640,22 +1902,19 @@ libcrux_ml_kem.serialize.deserialize_to_uncompressed_ring_element with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_ea( - Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = - libcrux_ml_kem_polynomial_ZERO_d6_ea(); +static KRML_MUSTINLINE void +libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_df( + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice3(serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t *); - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_deserialize_12_b8(bytes); - re.coefficients[i0] = uu____0; + libcrux_ml_kem_vector_portable_deserialize_12_b8(bytes, + &re->coefficients[i0]); } - return re; } /** 
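Review bot: With the `libcrux_ml_kem_polynomial_ZERO_d6_df()` initialisation dropped, `deserialize_to_uncompressed_ring_element_df` now writes `re->coefficients[i0]` only for `i0 < Eurydice_slice_len(serialized) / 24`; any remaining coefficients keep whatever the caller's `*re` held, where the old by-value version returned a fully zeroed element. The visible caller (`deserialize_vector_1b`, next hunk) passes a `BYTES_PER_RING_ELEMENT`-sized subslice, which presumably covers all 16 coefficients, but full initialisation is now a caller obligation rather than a property of this function. `deserialize_then_decompress_10_df` in the `@@ -1752` hunk makes the same change. Either state `serialized.len() == BYTES_PER_RING_ELEMENT` as a `hax_lib::requires` on the Rust source (if it is not already there) or document on the Rust function that `re` must be initialised by the caller when the slice is shorter.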
@@ -1668,41 +1927,42 @@ with const generics - K= 3 */ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_deserialize_vector_1b( - Eurydice_slice secret_key, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *secret_as_ntt) { + Eurydice_slice secret_key, Eurydice_slice secret_as_ntt) { for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = - libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_ea( - Eurydice_slice_subslice3( - secret_key, - i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - (i0 + (size_t)1U) * - LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t *)); - secret_as_ntt[i0] = uu____0; + libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_df( + Eurydice_slice_subslice3( + secret_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + uint8_t *), + &Eurydice_slice_index( + secret_as_ntt, i0, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *)); } } /** This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]> for -libcrux_ml_kem::ind_cpa::deserialize_then_decompress_u::closure[TraitClause@0, TraitClause@1]} +TraitClause@1]> for libcrux_ml_kem::ind_cpa::decrypt_unpacked::closure[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of -libcrux_ml_kem.ind_cpa.deserialize_then_decompress_u.call_mut_35 with types -libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics +A monomorphic instance of libcrux_ml_kem.ind_cpa.decrypt_unpacked.call_mut_68 +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector +with const generics - K= 3 - CIPHERTEXT_SIZE= 1088 +- VECTOR_U_ENCODED_SIZE= 960 - U_COMPRESSION_FACTOR= 10 +- V_COMPRESSION_FACTOR= 4 */ static inline 
libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_call_mut_35_6c( - void **_, size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_ea(); +libcrux_ml_kem_ind_cpa_decrypt_unpacked_call_mut_68_42(void **_, + size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_df(); } /** @@ -1711,22 +1971,21 @@ libcrux_ml_kem.vector.portable.compress.decompress_ciphertext_coefficient with const generics - COEFFICIENT_BITS= 10 */ -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_ef( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int32_t decompressed = - libcrux_secrets_int_as_i32_f5(a.elements[i0]) * + libcrux_secrets_int_as_i32_f5(a->elements[i0]) * libcrux_secrets_int_as_i32_f5( libcrux_secrets_int_public_integers_classify_27_39( LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS)); decompressed = (decompressed << 1U) + ((int32_t)1 << (uint32_t)(int32_t)10); decompressed = decompressed >> (uint32_t)((int32_t)10 + (int32_t)1); - a.elements[i0] = libcrux_secrets_int_as_i16_36(decompressed); + a->elements[i0] = libcrux_secrets_int_as_i16_36(decompressed); } - return a; } /** 
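Review bot: In `deserialize_vector_1b` the loop bound stays the constant `(size_t)3U` while `secret_as_ntt` is now a `Eurydice_slice` with a runtime length, and `&Eurydice_slice_index(secret_as_ntt, i0, …)` is taken without relating the two, so a slice shorter than K elements would be written past its end. With the old pointer parameter the contract was equally implicit, so this is not a regression, but the slice now carries a length that could be checked. If the Rust source does not already carry `#[hax_lib::requires(secret_as_ntt.len() == K)]` on `deserialize_vector`, adding it would make the bound part of the verified contract instead of an assumption of the generated code. The enclosing function is fully inside the hunk.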
@@ -1739,10 +1998,10 @@ libcrux_ml_kem.vector.portable.decompress_ciphertext_coefficient_b8 with const generics - COEFFICIENT_BITS= 10 */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +static inline void libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_b8_ef( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_ef( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { + libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_ef( a); } @@ -1752,25 +2011,21 @@ libcrux_ml_kem.serialize.deserialize_then_decompress_10 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_serialize_deserialize_then_decompress_10_ea( - Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = - libcrux_ml_kem_polynomial_ZERO_d6_ea(); +static KRML_MUSTINLINE void +libcrux_ml_kem_serialize_deserialize_then_decompress_10_df( + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)20U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice3(serialized, i0 * (size_t)20U, i0 * (size_t)20U + (size_t)20U, uint8_t *); - libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - libcrux_ml_kem_vector_portable_deserialize_10_b8(bytes); - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_b8_ef( - coefficient); - re.coefficients[i0] = uu____0; + libcrux_ml_kem_vector_portable_deserialize_10_b8(bytes, + &re->coefficients[i0]); + libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_b8_ef( + &re->coefficients[i0]); } - return re; } /** 
@@ -1779,16 +2034,25 @@ libcrux_ml_kem.serialize.deserialize_then_decompress_ring_element_u with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - COMPRESSION_FACTOR= 10 */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d +static KRML_MUSTINLINE void libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_u_0a( - Eurydice_slice serialized) { - return libcrux_ml_kem_serialize_deserialize_then_decompress_10_ea(serialized); + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *output) { + libcrux_ml_kem_serialize_deserialize_then_decompress_10_df(serialized, + output); } -typedef struct libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2_s { - libcrux_ml_kem_vector_portable_vector_type_PortableVector fst; - libcrux_ml_kem_vector_portable_vector_type_PortableVector snd; -} libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2; +/** +A monomorphic instance of libcrux_ml_kem.vector.traits.montgomery_multiply_fe +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector +with const generics + +*/ +static KRML_MUSTINLINE void +libcrux_ml_kem_vector_traits_montgomery_multiply_fe_df( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, int16_t fer) { + libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8(v, fer); +} /** A monomorphic instance of libcrux_ml_kem.ntt.ntt_layer_int_vec_step 
@@ -1796,18 +2060,16 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE - libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2 - libcrux_ml_kem_ntt_ntt_layer_int_vec_step_ea( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - libcrux_ml_kem_vector_portable_vector_type_PortableVector b, - int16_t zeta_r) { - libcrux_ml_kem_vector_portable_vector_type_PortableVector t = - libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8(b, - zeta_r); - b = libcrux_ml_kem_vector_portable_sub_b8(a, &t); - a = libcrux_ml_kem_vector_portable_add_b8(a, &t); - return (libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2{a, b}); +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_layer_int_vec_step_df( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *coefficients, + size_t a, size_t b, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch, + int16_t zeta_r) { + scratch[0U] = coefficients[b]; + libcrux_ml_kem_vector_traits_montgomery_multiply_fe_df(scratch, zeta_r); + coefficients[b] = coefficients[a]; + libcrux_ml_kem_vector_portable_add_b8(&coefficients[a], scratch); + libcrux_ml_kem_vector_portable_sub_b8(&coefficients[b], scratch); } /** 
@@ -1816,26 +2078,23 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_4_plus_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_4_plus_df( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, - size_t layer, size_t _initial_coefficient_bound) { + size_t layer, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch, + size_t _initial_coefficient_bound) { size_t step = (size_t)1U << (uint32_t)layer; + size_t step_vec = step / (size_t)16U; for (size_t i0 = (size_t)0U; i0 < (size_t)128U >> (uint32_t)layer; i0++) { size_t round = i0; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - size_t offset = round * step * (size_t)2U; - size_t offset_vec = offset / (size_t)16U; - size_t step_vec = step / (size_t)16U; - for (size_t i = offset_vec; i < offset_vec + step_vec; i++) { + size_t a_offset = round * (size_t)2U * step_vec; + size_t b_offset = a_offset + step_vec; + for (size_t i = (size_t)0U; i < step_vec; i++) { size_t j = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2 uu____0 = - libcrux_ml_kem_ntt_ntt_layer_int_vec_step_ea( - re->coefficients[j], re->coefficients[j + step_vec], - libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); - libcrux_ml_kem_vector_portable_vector_type_PortableVector x = uu____0.fst; - libcrux_ml_kem_vector_portable_vector_type_PortableVector y = uu____0.snd; - re->coefficients[j] = x; - re->coefficients[j + step_vec] = y; + libcrux_ml_kem_ntt_ntt_layer_int_vec_step_df( + re->coefficients, a_offset + j, b_offset + j, scratch, + libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); } } } 
@@ -1846,17 +2105,14 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_3_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_3_df( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, size_t _initial_coefficient_bound) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_ntt_layer_3_step_b8( - re->coefficients[round], - libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); - re->coefficients[round] = uu____0; + libcrux_ml_kem_vector_portable_ntt_layer_3_step_b8( + &re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); } } @@ -1866,16 +2122,15 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_2_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_2_df( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, size_t _initial_coefficient_bound) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - re->coefficients[round] = - libcrux_ml_kem_vector_portable_ntt_layer_2_step_b8( - re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), - libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)1U)); + libcrux_ml_kem_vector_portable_ntt_layer_2_step_b8( + &re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), + libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)1U)); zeta_i[0U] = zeta_i[0U] + (size_t)1U; } } 
@@ -1886,18 +2141,17 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_1_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_1_df( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, size_t _initial_coefficient_bound) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - re->coefficients[round] = - libcrux_ml_kem_vector_portable_ntt_layer_1_step_b8( - re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), - libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)1U), - libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)2U), - libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)3U)); + libcrux_ml_kem_vector_portable_ntt_layer_1_step_b8( + &re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), + libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)1U), + libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)2U), + libcrux_ml_kem_polynomial_zeta(zeta_i[0U] + (size_t)3U)); zeta_i[0U] = zeta_i[0U] + (size_t)3U; } } @@ -1908,15 +2162,12 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_barrett_reduce_b8( - myself->coefficients[i0]); - myself->coefficients[i0] = uu____0; + libcrux_ml_kem_vector_portable_barrett_reduce_b8(&myself->coefficients[i0]); } } 
@@ -1931,9 +2182,9 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self) { - libcrux_ml_kem_polynomial_poly_barrett_reduce_ea(self); + libcrux_ml_kem_polynomial_poly_barrett_reduce_df(self); } /** 
@@ -1943,20 +2194,21 @@ with const generics - VECTOR_U_COMPRESSION_FACTOR= 10 */ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_vector_u_0a( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { size_t zeta_i = (size_t)0U; - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)7U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)7U, scratch, (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)6U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)6U, scratch, (size_t)2U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)5U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)5U, scratch, (size_t)3U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)4U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)4U, scratch, (size_t)4U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_3_ea(&zeta_i, re, (size_t)5U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_2_ea(&zeta_i, re, (size_t)6U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_1_ea(&zeta_i, re, (size_t)7U * (size_t)3328U); - libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_ea(re); + libcrux_ml_kem_ntt_ntt_at_layer_3_df(&zeta_i, re, (size_t)5U * (size_t)3328U); + libcrux_ml_kem_ntt_ntt_at_layer_2_df(&zeta_i, re, (size_t)6U * (size_t)3328U); + libcrux_ml_kem_ntt_ntt_at_layer_1_df(&zeta_i, re, (size_t)7U * (size_t)3328U); + libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_df(re); } /** 
@@ -1973,16 +2225,8 @@ with const generics */ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_6c( - uint8_t *ciphertext, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d u_as_ntt[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - u_as_ntt[i] = - libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_call_mut_35_6c( - &lvalue, i); - } + uint8_t *ciphertext, Eurydice_slice u_as_ntt, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice((size_t)1088U, ciphertext, uint8_t), @@ -2000,14 +2244,17 @@ libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_6c( LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U, uint8_t *); - u_as_ntt[i0] = - libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_u_0a( - u_bytes); - libcrux_ml_kem_ntt_ntt_vector_u_0a(&u_as_ntt[i0]); + libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_u_0a( + u_bytes, + &Eurydice_slice_index( + u_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *)); + libcrux_ml_kem_ntt_ntt_vector_u_0a( + &Eurydice_slice_index( + u_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *), + scratch); } - memcpy( - ret, u_as_ntt, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); } /** 
@@ -2016,22 +2263,21 @@ libcrux_ml_kem.vector.portable.compress.decompress_ciphertext_coefficient with const generics - COEFFICIENT_BITS= 4 */ -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_d1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int32_t decompressed = - libcrux_secrets_int_as_i32_f5(a.elements[i0]) * + libcrux_secrets_int_as_i32_f5(a->elements[i0]) * libcrux_secrets_int_as_i32_f5( libcrux_secrets_int_public_integers_classify_27_39( LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS)); decompressed = (decompressed << 1U) + ((int32_t)1 << (uint32_t)(int32_t)4); decompressed = decompressed >> (uint32_t)((int32_t)4 + (int32_t)1); - a.elements[i0] = libcrux_secrets_int_as_i16_36(decompressed); + a->elements[i0] = libcrux_secrets_int_as_i16_36(decompressed); } - return a; } /** @@ -2044,10 +2290,10 @@ libcrux_ml_kem.vector.portable.decompress_ciphertext_coefficient_b8 with const generics - COEFFICIENT_BITS= 4 */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +static inline void libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_b8_d1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_d1( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { + libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_d1( a); } 
@@ -2057,24 +2303,20 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_serialize_deserialize_then_decompress_4_ea( - Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = - libcrux_ml_kem_polynomial_ZERO_d6_ea(); +static KRML_MUSTINLINE void +libcrux_ml_kem_serialize_deserialize_then_decompress_4_df( + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)8U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice3( serialized, i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t *); - libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - libcrux_ml_kem_vector_portable_deserialize_4_b8(bytes); - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_b8_d1( - coefficient); - re.coefficients[i0] = uu____0; + libcrux_ml_kem_vector_portable_deserialize_4_b8(bytes, + &re->coefficients[i0]); + libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_b8_d1( + &re->coefficients[i0]); } - return re; } /** 
@@ -2084,30 +2326,11 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 - COMPRESSION_FACTOR= 4 */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d +static KRML_MUSTINLINE void libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_89( - Eurydice_slice serialized) { - return libcrux_ml_kem_serialize_deserialize_then_decompress_4_ea(serialized); -} - -/** -A monomorphic instance of libcrux_ml_kem.polynomial.ZERO -with types libcrux_ml_kem_vector_portable_vector_type_PortableVector -with const generics - -*/ -static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_polynomial_ZERO_ea(void) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d lit; - libcrux_ml_kem_vector_portable_vector_type_PortableVector - repeat_expression[16U]; - for (size_t i = (size_t)0U; i < (size_t)16U; i++) { - repeat_expression[i] = libcrux_ml_kem_vector_portable_ZERO_b8(); - } - memcpy(lit.coefficients, repeat_expression, - (size_t)16U * - sizeof(libcrux_ml_kem_vector_portable_vector_type_PortableVector)); - return lit; + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *output) { + libcrux_ml_kem_serialize_deserialize_then_decompress_4_df(serialized, output); } /** 
@@ -2143,28 +2366,24 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_polynomial_ntt_multiply_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_ntt_multiply_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d out = - libcrux_ml_kem_polynomial_ZERO_ea(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *out) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_ntt_multiply_b8( - &myself->coefficients[i0], &rhs->coefficients[i0], - libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0), - libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 + - (size_t)1U), - libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 + - (size_t)2U), - libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 + - (size_t)3U)); - out.coefficients[i0] = uu____0; + libcrux_ml_kem_vector_portable_ntt_multiply_b8( + &myself->coefficients[i0], &rhs->coefficients[i0], + &out->coefficients[i0], + libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0), + libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 + + (size_t)1U), + libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 + + (size_t)2U), + libcrux_ml_kem_polynomial_zeta((size_t)64U + (size_t)4U * i0 + + (size_t)3U)); } - return out; } /** 
@@ -2178,11 +2397,11 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_polynomial_ntt_multiply_d6_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_ntt_multiply_d6_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs) { - return libcrux_ml_kem_polynomial_ntt_multiply_ea(self, rhs); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *rhs, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *out) { + libcrux_ml_kem_polynomial_ntt_multiply_df(self, rhs, out); } /** @@ -2206,10 +2425,8 @@ static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_to_ring_element_1b( libcrux_ml_kem_vector_portable_vector_type_PortableVector); i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_add_b8(myself->coefficients[i0], - &rhs->coefficients[i0]); - myself->coefficients[i0] = uu____0; + libcrux_ml_kem_vector_portable_add_b8(&myself->coefficients[i0], + &rhs->coefficients[i0]); } } 
@@ -2236,17 +2453,16 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_df( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] - (size_t)1U; - re->coefficients[round] = - libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_b8( - re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), - libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)1U), - libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)2U), - libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)3U)); + libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_b8( + &re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), + libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)1U), + libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)2U), + libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)3U)); zeta_i[0U] = zeta_i[0U] - (size_t)3U; } } 
@@ -2257,15 +2473,14 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_df( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] - (size_t)1U; - re->coefficients[round] = - libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_b8( - re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), - libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)1U)); + libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_b8( + &re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U]), + libcrux_ml_kem_polynomial_zeta(zeta_i[0U] - (size_t)1U)); zeta_i[0U] = zeta_i[0U] - (size_t)1U; } } @@ -2276,16 +2491,13 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_df( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] - (size_t)1U; - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_b8( - re->coefficients[round], - libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); - re->coefficients[round] = uu____0; + libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_b8( + &re->coefficients[round], libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); } } 
@@ -2295,19 +2507,21 @@ libcrux_ml_kem.invert_ntt.inv_ntt_layer_int_vec_step_reduce with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE - libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2 - libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_ea( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a, - libcrux_ml_kem_vector_portable_vector_type_PortableVector b, - int16_t zeta_r) { - libcrux_ml_kem_vector_portable_vector_type_PortableVector a_minus_b = - libcrux_ml_kem_vector_portable_sub_b8(b, &a); - a = libcrux_ml_kem_vector_portable_barrett_reduce_b8( - libcrux_ml_kem_vector_portable_add_b8(a, &b)); - b = libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( - a_minus_b, zeta_r); - return (libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2{a, b}); +static KRML_MUSTINLINE void +libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_df( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *coefficients, + size_t a, size_t b, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch, + int16_t zeta_r) { + scratch->coefficients[0U] = coefficients[a]; + scratch->coefficients[1U] = coefficients[b]; + libcrux_ml_kem_vector_portable_add_b8(&coefficients[a], + &scratch->coefficients[1U]); + libcrux_ml_kem_vector_portable_sub_b8(&coefficients[b], + scratch->coefficients); + libcrux_ml_kem_vector_portable_barrett_reduce_b8(&coefficients[a]); + libcrux_ml_kem_vector_traits_montgomery_multiply_fe_df(&coefficients[b], + zeta_r); } /** 
@@ -2317,28 +2531,22 @@ with const generics */ static KRML_MUSTINLINE void -libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_ea( +libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_df( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, - size_t layer) { + size_t layer, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { size_t step = (size_t)1U << (uint32_t)layer; + size_t step_vec = + step / LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; for (size_t i0 = (size_t)0U; i0 < (size_t)128U >> (uint32_t)layer; i0++) { size_t round = i0; zeta_i[0U] = zeta_i[0U] - (size_t)1U; - size_t offset = round * step * (size_t)2U; - size_t offset_vec = - offset / LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; - size_t step_vec = - step / LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; - for (size_t i = offset_vec; i < offset_vec + step_vec; i++) { + size_t a_offset = round * (size_t)2U * step_vec; + size_t b_offset = a_offset + step_vec; + for (size_t i = (size_t)0U; i < step_vec; i++) { size_t j = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2 uu____0 = - libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_ea( - re->coefficients[j], re->coefficients[j + step_vec], - libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); - libcrux_ml_kem_vector_portable_vector_type_PortableVector x = uu____0.fst; - libcrux_ml_kem_vector_portable_vector_type_PortableVector y = uu____0.snd; - re->coefficients[j] = x; - re->coefficients[j + step_vec] = y; + libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_df( + re->coefficients, a_offset + j, b_offset + j, scratch, + libcrux_ml_kem_polynomial_zeta(zeta_i[0U])); } } } 
@@ -2350,21 +2558,22 @@ with const generics - K= 3 */ static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_1b( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { size_t zeta_i = LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)2U; - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_ea(&zeta_i, re); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_ea(&zeta_i, re); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_ea(&zeta_i, re); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_ea(&zeta_i, re, - (size_t)4U); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_ea(&zeta_i, re, - (size_t)5U); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_ea(&zeta_i, re, - (size_t)6U); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_ea(&zeta_i, re, - (size_t)7U); - libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_ea(re); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_df(&zeta_i, re); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_df(&zeta_i, re); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_df(&zeta_i, re); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_df(&zeta_i, re, + (size_t)4U, scratch); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_df(&zeta_i, re, + (size_t)5U, scratch); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_df(&zeta_i, re, + (size_t)6U, scratch); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_df(&zeta_i, re, + (size_t)7U, scratch); + libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_df(re); } /** 
@@ -2373,25 +2582,19 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_polynomial_subtract_reduce_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_subtract_reduce_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d b) { + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *b) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector - coefficient_normal_form = - libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( - b.coefficients[i0], (int16_t)1441); - libcrux_ml_kem_vector_portable_vector_type_PortableVector diff = - libcrux_ml_kem_vector_portable_sub_b8(myself->coefficients[i0], - &coefficient_normal_form); - libcrux_ml_kem_vector_portable_vector_type_PortableVector red = - libcrux_ml_kem_vector_portable_barrett_reduce_b8(diff); - b.coefficients[i0] = red; + libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( + &b->coefficients[i0], (int16_t)1441); + libcrux_ml_kem_vector_portable_sub_b8(&b->coefficients[i0], + &myself->coefficients[i0]); + libcrux_ml_kem_vector_portable_negate_b8(&b->coefficients[i0]); + libcrux_ml_kem_vector_portable_barrett_reduce_b8(&b->coefficients[i0]); } - return b; } /** 
@@ -2405,17 +2608,13 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_polynomial_subtract_reduce_d6_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_subtract_reduce_d6_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d b) { - return libcrux_ml_kem_polynomial_subtract_reduce_ea(self, b); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *b) { + libcrux_ml_kem_polynomial_subtract_reduce_df(self, b); } /** - The following functions compute various expressions involving - vectors and matrices. The computation of these expressions has been - abstracted away into these functions in order to save on loop iterations. Compute v − InverseNTT(sᵀ ◦ NTT(u)) */ /** 
@@ -2424,22 +2623,20 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_matrix_compute_message_1b( +static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_message_1b( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *v, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *secret_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *u_as_ntt) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = - libcrux_ml_kem_polynomial_ZERO_d6_ea(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *u_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *result, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - libcrux_ml_kem_polynomial_ntt_multiply_d6_ea(&secret_as_ntt[i0], - &u_as_ntt[i0]); - libcrux_ml_kem_polynomial_add_to_ring_element_d6_1b(&result, &product); + libcrux_ml_kem_polynomial_ntt_multiply_d6_df(&secret_as_ntt[i0], + &u_as_ntt[i0], scratch); + libcrux_ml_kem_polynomial_add_to_ring_element_d6_1b(result, scratch); } - libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_1b(&result); - return libcrux_ml_kem_polynomial_subtract_reduce_d6_ea(v, result); + libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_1b(result, scratch); + libcrux_ml_kem_polynomial_subtract_reduce_d6_df(v, result); } /** 
@@ -2448,10 +2645,13 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_serialize_to_unsigned_field_modulus_ea( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return libcrux_ml_kem_vector_portable_to_unsigned_representative_b8(a); +static KRML_MUSTINLINE void +libcrux_ml_kem_serialize_to_unsigned_field_modulus_df( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable_to_unsigned_representative_b8(a[0U]); + out[0U] = uu____0; } /** 
@@ -2461,26 +2661,20 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE void -libcrux_ml_kem_serialize_compress_then_serialize_message_ea( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re, uint8_t ret[32U]) { - uint8_t serialized[32U] = {0U}; +libcrux_ml_kem_serialize_compress_then_serialize_message_df( + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, + Eurydice_slice serialized, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - libcrux_ml_kem_serialize_to_unsigned_field_modulus_ea( - re.coefficients[i0]); - libcrux_ml_kem_vector_portable_vector_type_PortableVector - coefficient_compressed = - libcrux_ml_kem_vector_portable_compress_1_b8(coefficient); - uint8_t bytes[2U]; - libcrux_ml_kem_vector_portable_serialize_1_b8(coefficient_compressed, - bytes); - Eurydice_slice_copy( - Eurydice_array_to_subslice3(serialized, (size_t)2U * i0, - (size_t)2U * i0 + (size_t)2U, uint8_t *), - Eurydice_array_to_slice((size_t)2U, bytes, uint8_t), uint8_t); + libcrux_ml_kem_serialize_to_unsigned_field_modulus_df(&re->coefficients[i0], + scratch); + libcrux_ml_kem_vector_portable_compress_1_b8(scratch); + libcrux_ml_kem_vector_portable_serialize_1_b8( + scratch, + Eurydice_slice_subslice3(serialized, (size_t)2U * i0, + (size_t)2U * i0 + (size_t)2U, uint8_t *)); } - memcpy(ret, serialized, (size_t)32U * sizeof(uint8_t)); } /** 
@@ -2519,20 +2713,33 @@ with const generics */ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_decrypt_unpacked_42( libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0 *secret_key, - uint8_t *ciphertext, uint8_t ret[32U]) { + uint8_t *ciphertext, Eurydice_slice decrypted, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d u_as_ntt[3U]; - libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_6c(ciphertext, u_as_ntt); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + u_as_ntt[i] = + libcrux_ml_kem_ind_cpa_decrypt_unpacked_call_mut_68_42(&lvalue, i); + } + libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_6c( + ciphertext, + Eurydice_array_to_slice( + (size_t)3U, u_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + scratch->coefficients); libcrux_ml_kem_polynomial_PolynomialRingElement_1d v = - libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_89( - Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, - (size_t)960U, uint8_t, size_t, - uint8_t[])); + libcrux_ml_kem_polynomial_ZERO_d6_df(); + libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_89( + Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, (size_t)960U, + uint8_t, size_t, uint8_t[]), + &v); libcrux_ml_kem_polynomial_PolynomialRingElement_1d message = - libcrux_ml_kem_matrix_compute_message_1b(&v, secret_key->secret_as_ntt, - u_as_ntt); - uint8_t ret0[32U]; - libcrux_ml_kem_serialize_compress_then_serialize_message_ea(message, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + libcrux_ml_kem_polynomial_ZERO_d6_df(); + libcrux_ml_kem_matrix_compute_message_1b(&v, secret_key->secret_as_ntt, + u_as_ntt, &message, scratch); + libcrux_ml_kem_serialize_compress_then_serialize_message_df( + &message, decrypted, scratch->coefficients); } /** 
@@ -2546,66 +2753,91 @@ with const generics - V_COMPRESSION_FACTOR= 4 */ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_decrypt_42( - Eurydice_slice secret_key, uint8_t *ciphertext, uint8_t ret[32U]) { + Eurydice_slice secret_key, uint8_t *ciphertext, Eurydice_slice decrypted, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0 secret_key_unpacked; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret0[3U]; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { /* original Rust expression is not an lvalue in C */ void *lvalue = (void *)0U; - ret0[i] = libcrux_ml_kem_ind_cpa_decrypt_call_mut_0b_42(&lvalue, i); + ret[i] = libcrux_ml_kem_ind_cpa_decrypt_call_mut_0b_42(&lvalue, i); } memcpy( - secret_key_unpacked.secret_as_ntt, ret0, + secret_key_unpacked.secret_as_ntt, ret, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); libcrux_ml_kem_ind_cpa_deserialize_vector_1b( - secret_key, secret_key_unpacked.secret_as_ntt); - uint8_t ret1[32U]; + secret_key, Eurydice_array_to_slice( + (size_t)3U, secret_key_unpacked.secret_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); libcrux_ml_kem_ind_cpa_decrypt_unpacked_42(&secret_key_unpacked, ciphertext, - ret1); - memcpy(ret, ret1, (size_t)32U * sizeof(uint8_t)); + decrypted, scratch); } /** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} -*/ -/** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.G_4a +A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRF with const generics -- K= 3 +- LEN= 32 */ -static inline void libcrux_ml_kem_hash_functions_portable_G_4a_e0( - Eurydice_slice input, uint8_t ret[64U]) { - libcrux_ml_kem_hash_functions_portable_G(input, ret); +static inline void libcrux_ml_kem_hash_functions_portable_PRF_9e( + Eurydice_slice 
input, Eurydice_slice out) { + libcrux_sha3_portable_shake256(out, input); } /** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRF +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} +*/ +/** +A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRF_6e with const generics - LEN= 32 */ -static inline void libcrux_ml_kem_hash_functions_portable_PRF_9e( - Eurydice_slice input, uint8_t ret[32U]) { - uint8_t digest[32U] = {0U}; - libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)32U, digest, uint8_t), input); - memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); +static inline void libcrux_ml_kem_hash_functions_portable_PRF_6e_9e( + Eurydice_slice input, Eurydice_slice out) { + libcrux_ml_kem_hash_functions_portable_PRF_9e(input, out); } /** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} +This function found in impl {core::ops::function::FnMut<(usize), +libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@3]> for libcrux_ml_kem::ind_cca::decapsulate::closure[TraitClause@0, +TraitClause@1, TraitClause@2, TraitClause@3, TraitClause@4, TraitClause@5]} */ /** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRF_4a -with const generics +A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate.call_mut_5f +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, +libcrux_ml_kem_hash_functions_portable_PortableHash, +libcrux_ml_kem_variant_MlKem with const generics - K= 3 -- LEN= 32 +- K_SQUARED= 9 +- SECRET_KEY_SIZE= 2400 +- CPA_SECRET_KEY_SIZE= 1152 +- PUBLIC_KEY_SIZE= 1184 +- CIPHERTEXT_SIZE= 1088 +- T_AS_NTT_ENCODED_SIZE= 1152 +- C1_SIZE= 960 +- C2_SIZE= 128 +- VECTOR_U_COMPRESSION_FACTOR= 10 +- VECTOR_V_COMPRESSION_FACTOR= 4 +- C1_BLOCK_SIZE= 320 +- ETA1= 2 +- ETA1_RANDOMNESS_SIZE= 128 +- ETA2= 2 +- 
ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 +- IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -static inline void libcrux_ml_kem_hash_functions_portable_PRF_4a_41( - Eurydice_slice input, uint8_t ret[32U]) { - libcrux_ml_kem_hash_functions_portable_PRF_9e(input, ret); +static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d +libcrux_ml_kem_ind_cca_decapsulate_call_mut_5f_d7(void **_, + size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_df(); } /** 
@@ -2613,49 +2845,45 @@ A monomorphic instance of libcrux_ml_kem.ind_cpa.unpacked.IndCpaPublicKeyUnpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - $3size_t +- $9size_t */ -typedef struct libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0_s { +typedef struct libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_be_s { libcrux_ml_kem_polynomial_PolynomialRingElement_1d t_as_ntt[3U]; uint8_t seed_for_A[32U]; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d A[3U][3U]; -} libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d A[9U]; +} libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_be; /** This function found in impl {core::default::Default for -libcrux_ml_kem::ind_cpa::unpacked::IndCpaPublicKeyUnpacked[TraitClause@0, TraitClause@1]} +libcrux_ml_kem::ind_cpa::unpacked::IndCpaPublicKeyUnpacked[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cpa.unpacked.default_8b +A monomorphic instance of libcrux_ml_kem.ind_cpa.unpacked.default_50 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 */ -static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 -libcrux_ml_kem_ind_cpa_unpacked_default_8b_1b(void) { +static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_be +libcrux_ml_kem_ind_cpa_unpacked_default_50_89(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - uu____0[i] = libcrux_ml_kem_polynomial_ZERO_d6_ea(); + uu____0[i] = libcrux_ml_kem_polynomial_ZERO_d6_df(); } uint8_t uu____1[32U] = {0U}; - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 lit; + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_be lit; memcpy( lit.t_as_ntt, uu____0, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); memcpy(lit.seed_for_A, 
uu____1, (size_t)32U * sizeof(uint8_t)); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d repeat_expression0[3U][3U]; - for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d repeat_expression[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - repeat_expression[i] = libcrux_ml_kem_polynomial_ZERO_d6_ea(); - } - memcpy(repeat_expression0[i0], repeat_expression, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d repeat_expression[9U]; + for (size_t i = (size_t)0U; i < (size_t)9U; i++) { + repeat_expression[i] = libcrux_ml_kem_polynomial_ZERO_d6_df(); } - memcpy(lit.A, repeat_expression0, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U])); + memcpy( + lit.A, repeat_expression, + (size_t)9U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); return lit; } 
@@ -2671,28 +2899,27 @@ libcrux_ml_kem.serialize.deserialize_to_reduced_ring_element with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_ea( - Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = - libcrux_ml_kem_polynomial_ZERO_d6_ea(); +static KRML_MUSTINLINE void +libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_df( + Eurydice_slice serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice3(serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t *); - libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - libcrux_ml_kem_vector_portable_deserialize_12_b8(bytes); - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_cond_subtract_3329_b8(coefficient); - re.coefficients[i0] = uu____0; + libcrux_ml_kem_vector_portable_deserialize_12_b8(bytes, + &re->coefficients[i0]); + libcrux_ml_kem_vector_portable_cond_subtract_3329_b8(&re->coefficients[i0]); } - return re; } /** - See [deserialize_ring_elements_reduced_out]. + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. */ /** A monomorphic instance of 
@@ -2702,8 +2929,7 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE void libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_1b( - Eurydice_slice public_key, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *deserialized_pk) { + Eurydice_slice public_key, Eurydice_slice deserialized_pk) { for (size_t i = (size_t)0U; i < Eurydice_slice_len(public_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; 
@@ -2714,100 +2940,13 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_1b( i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, uint8_t *); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = - libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_ea( - ring_element); - deserialized_pk[i0] = uu____0; - } -} - -/** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PortableHash -with const generics -- $3size_t -*/ -typedef struct libcrux_ml_kem_hash_functions_portable_PortableHash_88_s { - libcrux_sha3_generic_keccak_KeccakState_17 shake128_state[3U]; -} libcrux_ml_kem_hash_functions_portable_PortableHash_88; - -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_final with const -generics -- K= 3 -*/ -static inline libcrux_ml_kem_hash_functions_portable_PortableHash_88 -libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_e0( - uint8_t (*input)[34U]) { - libcrux_ml_kem_hash_functions_portable_PortableHash_88 shake128_state; - libcrux_sha3_generic_keccak_KeccakState_17 repeat_expression[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - repeat_expression[i] = libcrux_sha3_portable_incremental_shake128_init(); - } - memcpy(shake128_state.shake128_state, repeat_expression, - (size_t)3U * sizeof(libcrux_sha3_generic_keccak_KeccakState_17)); - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - size_t i0 = i; - libcrux_sha3_portable_incremental_shake128_absorb_final( - &shake128_state.shake128_state[i0], - Eurydice_array_to_slice((size_t)34U, input[i0], uint8_t)); - } - return shake128_state; -} - -/** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} -*/ -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_final_4a with const -generics -- K= 3 -*/ -static inline 
libcrux_ml_kem_hash_functions_portable_PortableHash_88 -libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_4a_e0( - uint8_t (*input)[34U]) { - return libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_e0( - input); -} - -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_first_three_blocks with -const generics -- K= 3 -*/ -static inline void -libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_e0( - libcrux_ml_kem_hash_functions_portable_PortableHash_88 *st, - uint8_t ret[3U][504U]) { - uint8_t out[3U][504U] = {{0U}}; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - size_t i0 = i; - libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks( - &st->shake128_state[i0], - Eurydice_array_to_slice((size_t)504U, out[i0], uint8_t)); + libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_df( + ring_element, + &Eurydice_slice_index( + deserialized_pk, i0, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *)); } - memcpy(ret, out, (size_t)3U * sizeof(uint8_t[504U])); -} - -/** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} -*/ -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_first_three_blocks_4a -with const generics -- K= 3 -*/ -static inline void -libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_4a_e0( - libcrux_ml_kem_hash_functions_portable_PortableHash_88 *self, - uint8_t ret[3U][504U]) { - libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_e0( - self, ret); } /** 
@@ -2860,32 +2999,41 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE bool libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_89( - uint8_t (*randomness)[504U], size_t *sampled_coefficients, - int16_t (*out)[272U]) { + Eurydice_slice randomness, Eurydice_slice sampled_coefficients, + Eurydice_slice out) { for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { size_t i1 = i0; for (size_t i = (size_t)0U; i < (size_t)504U / (size_t)24U; i++) { size_t r = i; - if (sampled_coefficients[i1] < + if (Eurydice_slice_index(sampled_coefficients, i1, size_t, size_t *) < LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + uint8_t *randomness_i = Eurydice_slice_index( + randomness, i1, uint8_t[504U], uint8_t(*)[504U]); + int16_t *out_i = + Eurydice_slice_index(out, i1, int16_t[272U], int16_t(*)[272U]); + size_t sampled_coefficients_i = + Eurydice_slice_index(sampled_coefficients, i1, size_t, size_t *); size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_b8( - Eurydice_array_to_subslice3(randomness[i1], r * (size_t)24U, + Eurydice_array_to_subslice3(randomness_i, r * (size_t)24U, r * (size_t)24U + (size_t)24U, uint8_t *), - Eurydice_array_to_subslice3(out[i1], sampled_coefficients[i1], - sampled_coefficients[i1] + (size_t)16U, + Eurydice_array_to_subslice3(out_i, sampled_coefficients_i, + sampled_coefficients_i + (size_t)16U, int16_t *)); size_t uu____0 = i1; - sampled_coefficients[uu____0] = sampled_coefficients[uu____0] + sampled; + Eurydice_slice_index(sampled_coefficients, uu____0, size_t, size_t *) = + Eurydice_slice_index(sampled_coefficients, uu____0, size_t, + size_t *) + + sampled; } } } bool done = true; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - if (sampled_coefficients[i0] >= + if (Eurydice_slice_index(sampled_coefficients, i0, size_t, size_t *) >= LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - sampled_coefficients[i0] = + 
Eurydice_slice_index(sampled_coefficients, i0, size_t, size_t *) = LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; } else { done = false; @@ -2894,44 +3042,6 @@ libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_89( return done; } -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_next_block with const -generics -- K= 3 -*/ -static inline void -libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_e0( - libcrux_ml_kem_hash_functions_portable_PortableHash_88 *st, - uint8_t ret[3U][168U]) { - uint8_t out[3U][168U] = {{0U}}; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - size_t i0 = i; - libcrux_sha3_portable_incremental_shake128_squeeze_next_block( - &st->shake128_state[i0], - Eurydice_array_to_slice((size_t)168U, out[i0], uint8_t)); - } - memcpy(ret, out, (size_t)3U * sizeof(uint8_t[168U])); -} - -/** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} -*/ -/** -A monomorphic instance of -libcrux_ml_kem.hash_functions.portable.shake128_squeeze_next_block_4a with const -generics -- K= 3 -*/ -static inline void -libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_4a_e0( - libcrux_ml_kem_hash_functions_portable_PortableHash_88 *self, - uint8_t ret[3U][168U]) { - libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_e0(self, - ret); -} - /** If `bytes` contains a set of uniformly random bytes, this function uniformly samples a ring element `â` that is treated as being the NTT 
@@ -2982,32 +3092,41 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE bool libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_890( - uint8_t (*randomness)[168U], size_t *sampled_coefficients, - int16_t (*out)[272U]) { + Eurydice_slice randomness, Eurydice_slice sampled_coefficients, + Eurydice_slice out) { for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { size_t i1 = i0; for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)24U; i++) { size_t r = i; - if (sampled_coefficients[i1] < + if (Eurydice_slice_index(sampled_coefficients, i1, size_t, size_t *) < LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + uint8_t *randomness_i = Eurydice_slice_index( + randomness, i1, uint8_t[168U], uint8_t(*)[168U]); + int16_t *out_i = + Eurydice_slice_index(out, i1, int16_t[272U], int16_t(*)[272U]); + size_t sampled_coefficients_i = + Eurydice_slice_index(sampled_coefficients, i1, size_t, size_t *); size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_b8( - Eurydice_array_to_subslice3(randomness[i1], r * (size_t)24U, + Eurydice_array_to_subslice3(randomness_i, r * (size_t)24U, r * (size_t)24U + (size_t)24U, uint8_t *), - Eurydice_array_to_subslice3(out[i1], sampled_coefficients[i1], - sampled_coefficients[i1] + (size_t)16U, + Eurydice_array_to_subslice3(out_i, sampled_coefficients_i, + sampled_coefficients_i + (size_t)16U, int16_t *)); size_t uu____0 = i1; - sampled_coefficients[uu____0] = sampled_coefficients[uu____0] + sampled; + Eurydice_slice_index(sampled_coefficients, uu____0, size_t, size_t *) = + Eurydice_slice_index(sampled_coefficients, uu____0, size_t, + size_t *) + + sampled; } } } bool done = true; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - if (sampled_coefficients[i0] >= + if (Eurydice_slice_index(sampled_coefficients, i0, size_t, size_t *) >= LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - sampled_coefficients[i0] = + 
Eurydice_slice_index(sampled_coefficients, i0, size_t, size_t *) = LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; } else { done = false; 
@@ -3016,27 +3135,58 @@ libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_890( return done; } +/** +A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics +- K= 3 +*/ +static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_xof_57( + Eurydice_slice seeds, Eurydice_slice sampled_coefficients, + Eurydice_slice out) { + libcrux_ml_kem_hash_functions_portable_PortableHash xof_state = + libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_6e( + seeds); + uint8_t randomness[3U][504U] = {{0U}}; + uint8_t randomness_blocksize[3U][168U] = {{0U}}; + libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_6e( + &xof_state, + Eurydice_array_to_slice((size_t)3U, randomness, uint8_t[504U])); + bool done = libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_89( + Eurydice_array_to_slice((size_t)3U, randomness, uint8_t[504U]), + sampled_coefficients, out); + while (true) { + if (done) { + break; + } else { + libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_6e( + &xof_state, Eurydice_array_to_slice((size_t)3U, randomness_blocksize, + uint8_t[168U])); + done = libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_890( + Eurydice_array_to_slice((size_t)3U, randomness_blocksize, + uint8_t[168U]), + sampled_coefficients, out); + } + } +} + /** A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_polynomial_from_i16_array_ea(Eurydice_slice a) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = - libcrux_ml_kem_polynomial_ZERO_ea(); +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_from_i16_array_df( + Eurydice_slice a, + 
libcrux_ml_kem_polynomial_PolynomialRingElement_1d *result) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_from_i16_array_b8( - Eurydice_slice_subslice3(a, i0 * (size_t)16U, - (i0 + (size_t)1U) * (size_t)16U, - int16_t *)); - result.coefficients[i0] = uu____0; + libcrux_ml_kem_vector_portable_from_i16_array_b8( + Eurydice_slice_subslice3(a, i0 * (size_t)16U, + (i0 + (size_t)1U) * (size_t)16U, int16_t *), + &result->coefficients[i0]); } - return result; } /** 
@@ -3050,116 +3200,63 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_polynomial_from_i16_array_d6_ea(Eurydice_slice a) { - return libcrux_ml_kem_polynomial_from_i16_array_ea(a); -} - -/** -This function found in impl {core::ops::function::FnMut<(@Array), -libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@2]> for libcrux_ml_kem::sampling::sample_from_xof::closure[TraitClause@0, TraitClause@1, TraitClause@2, TraitClause@3]} -*/ -/** -A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof.call_mut_e7 -with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics -- K= 3 -*/ -static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_sampling_sample_from_xof_call_mut_e7_2b( - void **_, int16_t tupled_args[272U]) { - int16_t s[272U]; - memcpy(s, tupled_args, (size_t)272U * sizeof(int16_t)); - return libcrux_ml_kem_polynomial_from_i16_array_d6_ea( - Eurydice_array_to_subslice3(s, (size_t)0U, (size_t)256U, int16_t *)); -} - -/** -A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof -with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics -- K= 3 -*/ -static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_xof_2b( - uint8_t (*seeds)[34U], - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) { - size_t sampled_coefficients[3U] = {0U}; - int16_t out[3U][272U] = {{0U}}; - libcrux_ml_kem_hash_functions_portable_PortableHash_88 xof_state = - libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_4a_e0( - seeds); - uint8_t randomness0[3U][504U]; - libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_4a_e0( - &xof_state, 
randomness0); - bool done = libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_89( - randomness0, sampled_coefficients, out); - while (true) { - if (done) { - break; - } else { - uint8_t randomness[3U][168U]; - libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_4a_e0( - &xof_state, randomness); - done = libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_890( - randomness, sampled_coefficients, out); - } - } - /* Passing arrays by value in Rust generates a copy in C */ - int16_t copy_of_out[3U][272U]; - memcpy(copy_of_out, out, (size_t)3U * sizeof(int16_t[272U])); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret0[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - ret0[i] = libcrux_ml_kem_sampling_sample_from_xof_call_mut_e7_2b( - &lvalue, copy_of_out[i]); - } - memcpy( - ret, ret0, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_from_i16_array_d6_df( + Eurydice_slice a, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *out) { + libcrux_ml_kem_polynomial_from_i16_array_df(a, out); } /** A monomorphic instance of libcrux_ml_kem.matrix.sample_matrix_A with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 */ -static KRML_MUSTINLINE void libcrux_ml_kem_matrix_sample_matrix_A_2b( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d (*A_transpose)[3U], - uint8_t *seed, bool transpose) { +static KRML_MUSTINLINE void libcrux_ml_kem_matrix_sample_matrix_A_57( + Eurydice_slice A_transpose, uint8_t *seed, bool transpose) { for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { size_t i1 = i0; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t 
copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); uint8_t seeds[3U][34U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - core_array__core__clone__Clone_for__Array_T__N___clone( - (size_t)34U, seed, seeds[i], uint8_t, void *); + memcpy(seeds[i], copy_of_seed, (size_t)34U * sizeof(uint8_t)); } for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t j = i; seeds[j][32U] = (uint8_t)i1; seeds[j][33U] = (uint8_t)j; } - libcrux_ml_kem_polynomial_PolynomialRingElement_1d sampled[3U]; - libcrux_ml_kem_sampling_sample_from_xof_2b(seeds, sampled); + size_t sampled_coefficients[3U] = {0U}; + int16_t out[3U][272U] = {{0U}}; + libcrux_ml_kem_sampling_sample_from_xof_57( + Eurydice_array_to_slice((size_t)3U, seeds, uint8_t[34U]), + Eurydice_array_to_slice((size_t)3U, sampled_coefficients, size_t), + Eurydice_array_to_slice((size_t)3U, out, int16_t[272U])); for (size_t i = (size_t)0U; i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)3U, sampled, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d), - libcrux_ml_kem_polynomial_PolynomialRingElement_1d); + Eurydice_array_to_slice((size_t)3U, out, int16_t[272U]), + int16_t[272U]); i++) { size_t j = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d sample = sampled[j]; + int16_t sample[272U]; + memcpy(sample, out[j], (size_t)272U * sizeof(int16_t)); if (transpose) { - A_transpose[j][i1] = sample; + Eurydice_slice uu____1 = Eurydice_array_to_subslice_to( + (size_t)272U, sample, (size_t)256U, int16_t, size_t, int16_t[]); + libcrux_ml_kem_polynomial_from_i16_array_d6_df( + uu____1, &Eurydice_slice_index( + A_transpose, j * (size_t)3U + i1, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *)); } else { - A_transpose[i1][j] = sample; + Eurydice_slice uu____2 = Eurydice_array_to_subslice_to( + (size_t)272U, sample, (size_t)256U, int16_t, size_t, int16_t[]); + libcrux_ml_kem_polynomial_from_i16_array_d6_df( + uu____2, 
&Eurydice_slice_index( + A_transpose, i1 * (size_t)3U + j, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *)); } } } 
@@ -3168,119 +3265,30 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_sample_matrix_A_2b( /** A monomorphic instance of libcrux_ml_kem.ind_cpa.build_unpacked_public_key_mut with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 +- K_SQUARED= 9 - T_AS_NTT_ENCODED_SIZE= 1152 */ static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_3f( +libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_e2( Eurydice_slice public_key, - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_be *unpacked_public_key) { Eurydice_slice uu____0 = Eurydice_slice_subslice_to( public_key, (size_t)1152U, uint8_t, size_t, uint8_t[]); libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_1b( - uu____0, unpacked_public_key->t_as_ntt); + uu____0, Eurydice_array_to_slice( + (size_t)3U, unpacked_public_key->t_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); Eurydice_slice seed = Eurydice_slice_subslice_from( public_key, (size_t)1152U, uint8_t, size_t, uint8_t[]); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d(*uu____1)[3U] = - unpacked_public_key->A; + Eurydice_slice uu____1 = Eurydice_array_to_slice( + (size_t)9U, unpacked_public_key->A, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d); uint8_t ret[34U]; libcrux_ml_kem_utils_into_padded_array_b6(seed, ret); - libcrux_ml_kem_matrix_sample_matrix_A_2b(uu____1, ret, false); -} - -/** -A monomorphic instance of libcrux_ml_kem.ind_cpa.build_unpacked_public_key -with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics -- K= 3 -- T_AS_NTT_ENCODED_SIZE= 1152 -*/ -static KRML_MUSTINLINE - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 - 
libcrux_ml_kem_ind_cpa_build_unpacked_public_key_3f( - Eurydice_slice public_key) { - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 - unpacked_public_key = libcrux_ml_kem_ind_cpa_unpacked_default_8b_1b(); - libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_3f(public_key, - &unpacked_public_key); - return unpacked_public_key; -} - -/** -A monomorphic instance of K. -with types libcrux_ml_kem_polynomial_PolynomialRingElement -libcrux_ml_kem_vector_portable_vector_type_PortableVector[3size_t], -libcrux_ml_kem_polynomial_PolynomialRingElement -libcrux_ml_kem_vector_portable_vector_type_PortableVector - -*/ -typedef struct tuple_ed_s { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d fst[3U]; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d snd; -} tuple_ed; - -/** -This function found in impl {core::ops::function::FnMut<(usize), -libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@2]> for libcrux_ml_kem::ind_cpa::encrypt_c1::closure[TraitClause@0, TraitClause@1, TraitClause@2, -TraitClause@3]} -*/ -/** -A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1.call_mut_f1 -with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics -- K= 3 -- C1_LEN= 960 -- U_COMPRESSION_FACTOR= 10 -- BLOCK_LEN= 320 -- ETA1= 2 -- ETA1_RANDOMNESS_SIZE= 128 -- ETA2= 2 -- ETA2_RANDOMNESS_SIZE= 128 -*/ -static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_f1_85(void **_, size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_ea(); -} - -/** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRFxN -with const generics -- K= 3 -- LEN= 128 -*/ -static inline void libcrux_ml_kem_hash_functions_portable_PRFxN_41( - uint8_t (*input)[33U], uint8_t ret[3U][128U]) { - uint8_t out[3U][128U] = {{0U}}; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - size_t i0 = i; - 
libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)128U, out[i0], uint8_t), - Eurydice_array_to_slice((size_t)33U, input[i0], uint8_t)); - } - memcpy(ret, out, (size_t)3U * sizeof(uint8_t[128U])); -} - -/** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} -*/ -/** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRFxN_4a -with const generics -- K= 3 -- LEN= 128 -*/ -static inline void libcrux_ml_kem_hash_functions_portable_PRFxN_4a_41( - uint8_t (*input)[33U], uint8_t ret[3U][128U]) { - libcrux_ml_kem_hash_functions_portable_PRFxN_41(input, ret); + libcrux_ml_kem_matrix_sample_matrix_A_57(uu____1, ret, false); } /** @@ -3338,10 +3346,9 @@ libcrux_ml_kem.sampling.sample_from_binomial_distribution_2 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_ea( - Eurydice_slice randomness) { - int16_t sampled_i16s[256U] = {0U}; +static KRML_MUSTINLINE void +libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_df( + Eurydice_slice randomness, Eurydice_slice sampled_i16s) { for (size_t i0 = (size_t)0U; i0 < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i0++) { size_t chunk_number = i0; @@ -3371,11 +3378,10 @@ libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_ea( int16_t outcome_2 = (int16_t)(coin_toss_outcomes >> (uint32_t)(outcome_set0 + 2U) & 3U); size_t offset = (size_t)(outcome_set0 >> 2U); - sampled_i16s[(size_t)8U * chunk_number + offset] = outcome_1 - outcome_2; + Eurydice_slice_index(sampled_i16s, (size_t)8U * chunk_number + offset, + int16_t, int16_t *) = outcome_1 - outcome_2; } } - return libcrux_ml_kem_polynomial_from_i16_array_d6_ea( - Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t)); } /** 
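Review bot: The flattened `A` that `build_unpacked_public_key_mut_e2` hands to `sample_matrix_A_57` as a 9-element slice has no documented layout, yet the `A_transpose[i1 * 3 + j]` store in the preceding hunk and `matrix_entry_1b` later in this patch both assume row-major `i * K + j`. A comment at the `uu____1` slice would save the next reader the cross-reference: `/* A is the K x K matrix flattened row-major, A[i * K + j]; filled here untransposed (transpose == false) */`. The new `- K_SQUARED= 9` line in the header comment should also note that it must equal the length of `unpacked_public_key->A`, since nothing in the C signature ties the two together.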
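Review bot: `sample_from_binomial_distribution_2_df` now writes into a caller-supplied `sampled_i16s` slice instead of the zeroed local `int16_t sampled_i16s[256U]` it used to return, so the required slice length and the fact that it is no longer zeroed are undocumented preconditions; each 4-byte chunk of `randomness` yields eight coefficients via the `8U * chunk_number + offset` index. Suggest on the signature: `/* Writes coefficients [0, 8 * (randomness.len / 4)) of sampled_i16s; the slice must be at least that long and is not cleared here */`. The function's body continues in the following hunk, past the end of this one.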
@@ -3384,11 +3390,11 @@ libcrux_ml_kem.sampling.sample_from_binomial_distribution with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - ETA= 2 */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d +static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_binomial_distribution_a0( - Eurydice_slice randomness) { - return libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_ea( - randomness); + Eurydice_slice randomness, int16_t *output) { + libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_df( + randomness, Eurydice_array_to_slice((size_t)256U, output, int16_t)); } /** 
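Review bot: `sample_from_binomial_distribution_a0` now takes a bare `int16_t *output` and the only statement of its length is the `Eurydice_array_to_slice((size_t)256U, output, int16_t)` wrapper inside the body, so a caller cannot see the requirement from the signature. A one-line precondition would make it explicit: `/* output must point to at least 256 int16_t; written in place, not zeroed here */`. Every caller visible in this patch (`sample_vector_cbd_then_ntt_40`, `sample_ring_element_cbd_40`, `encrypt_c1_fc`) passes a 256-entry buffer, so this reads as a documentation gap rather than a live bug.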
@@ -3397,19 +3403,18 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_7_ea( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_7_df( + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { size_t step = LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT / (size_t)2U; for (size_t i = (size_t)0U; i < step; i++) { size_t j = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector t = - libcrux_ml_kem_vector_portable_multiply_by_constant_b8( - re->coefficients[j + step], (int16_t)-1600); - re->coefficients[j + step] = - libcrux_ml_kem_vector_portable_sub_b8(re->coefficients[j], &t); - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____1 = - libcrux_ml_kem_vector_portable_add_b8(re->coefficients[j], &t); - re->coefficients[j] = uu____1; + scratch[0U] = re->coefficients[j + step]; + libcrux_ml_kem_vector_portable_multiply_by_constant_b8(scratch, + (int16_t)-1600); + re->coefficients[j + step] = re->coefficients[j]; + libcrux_ml_kem_vector_portable_add_b8(&re->coefficients[j], scratch); + libcrux_ml_kem_vector_portable_sub_b8(&re->coefficients[j + step], scratch); } } 
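Review bot: The new `scratch` parameter of `ntt_at_layer_7_df` is undocumented: it must point to at least one `PortableVector`, it is overwritten on every loop iteration, and nothing in the signature or header comment says so. Suggest above the loop: `/* scratch[0] holds t = coefficients[j + step] * -1600; caller provides one vector, contents clobbered */`. The reordered in-place sequence (copy c[j] into c[j+step], add t to c[j], subtract t from c[j+step]) reproduces the removed `sub`/`add` pair, so this is documentation only.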
@@ -3420,23 +3425,25 @@ with const generics */ static KRML_MUSTINLINE void -libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_ea( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { - libcrux_ml_kem_ntt_ntt_at_layer_7_ea(re); +libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_df( + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { + libcrux_ml_kem_ntt_ntt_at_layer_7_df(re, scratch); size_t zeta_i = (size_t)1U; - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)6U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)6U, scratch, (size_t)11207U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_ea(&zeta_i, re, (size_t)5U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_df(&zeta_i, re, (size_t)5U, scratch, (size_t)11207U + (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_ea( - &zeta_i, re, (size_t)4U, (size_t)11207U + (size_t)2U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_3_ea( + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_df( + &zeta_i, re, (size_t)4U, scratch, + (size_t)11207U + (size_t)2U * (size_t)3328U); + libcrux_ml_kem_ntt_ntt_at_layer_3_df( &zeta_i, re, (size_t)11207U + (size_t)3U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_2_ea( + libcrux_ml_kem_ntt_ntt_at_layer_2_df( &zeta_i, re, (size_t)11207U + (size_t)4U * (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_1_ea( + libcrux_ml_kem_ntt_ntt_at_layer_1_df( &zeta_i, re, (size_t)11207U + (size_t)5U * (size_t)3328U); - libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_ea(re); + libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_df(re); } /** 
@@ -3446,31 +3453,48 @@ libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_ea( /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_vector_cbd_then_ntt with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 - ETA= 2 - ETA_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE= 384 */ static KRML_MUSTINLINE uint8_t -libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_3b( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re_as_ntt, - uint8_t *prf_input, uint8_t domain_separator) { +libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_40( + Eurydice_slice re_as_ntt, uint8_t *prf_input, uint8_t domain_separator, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[3U][33U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - core_array__core__clone__Clone_for__Array_T__N___clone( - (size_t)33U, prf_input, prf_inputs[i], uint8_t, void *); + memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t)); } domain_separator = libcrux_ml_kem_utils_prf_input_inc_e0(prf_inputs, domain_separator); - uint8_t prf_outputs[3U][128U]; - libcrux_ml_kem_hash_functions_portable_PRFxN_4a_41(prf_inputs, prf_outputs); + uint8_t prf_outputs[384U] = {0U}; + libcrux_ml_kem_hash_functions_portable_PRFxN_6e( + Eurydice_array_to_slice((size_t)3U, prf_inputs, uint8_t[33U]), + Eurydice_array_to_slice((size_t)384U, prf_outputs, uint8_t), + (size_t)128U); for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - re_as_ntt[i0] = - libcrux_ml_kem_sampling_sample_from_binomial_distribution_a0( - Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t)); - 
libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_ea(&re_as_ntt[i0]); + Eurydice_slice randomness = Eurydice_array_to_subslice3( + prf_outputs, i0 * (size_t)128U, (i0 + (size_t)1U) * (size_t)128U, + uint8_t *); + int16_t sample_buffer[256U] = {0U}; + libcrux_ml_kem_sampling_sample_from_binomial_distribution_a0(randomness, + sample_buffer); + libcrux_ml_kem_polynomial_from_i16_array_d6_df( + Eurydice_array_to_slice((size_t)256U, sample_buffer, int16_t), + &Eurydice_slice_index( + re_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *)); + libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_df( + &Eurydice_slice_index( + re_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *), + scratch); } return domain_separator; } @@ -3478,17 +3502,17 @@ libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_3b( /** This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@2]> for libcrux_ml_kem::ind_cpa::encrypt_c1::closure#1[TraitClause@0, TraitClause@1, TraitClause@2, -TraitClause@3]} +TraitClause@2]> for libcrux_ml_kem::ind_cpa::encrypt_c1::closure[TraitClause@0, TraitClause@1, TraitClause@2, TraitClause@3]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1.call_mut_dd +A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1.call_mut_77 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 +- K_SQUARED= 9 - C1_LEN= 960 - U_COMPRESSION_FACTOR= 10 - BLOCK_LEN= 320 
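Review bot: In `sample_vector_cbd_then_ntt_40` the new `copy_of_prf_input` is filled once from `prf_input` and then copied three more times into `prf_inputs[i]`, although `prf_input` is not written between the two; `memcpy(prf_inputs[i], prf_input, (size_t)33U * sizeof(uint8_t));` would do the same with one fewer 33-byte buffer of PRF input on the stack. Since the comment says the copy mirrors Rust's by-value array passing, the fix belongs in the extraction rather than a hand edit of generated C. The literal `(size_t)128U` in the `PRFxN_6e` call and in the `Eurydice_array_to_subslice3` offsets must agree with `PRF_OUTPUT_SIZE = 384 = 3 * 128`; a comment `/* prf_outputs holds K consecutive ETA_RANDOMNESS_SIZE-byte PRF outputs */` would make that coupling visible. The `scratch` vector is also clobbered here, as it is passed through to the NTT.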
@@ -3496,10 +3520,12 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_dd_85(void **_, size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_ea(); +libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_77_fc(void **_, size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_df(); } /** 
@@ -3508,31 +3534,44 @@ libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_dd_85(void **_, size_t tupled_args) { /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_ring_element_cbd with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 - ETA2_RANDOMNESS_SIZE= 128 - ETA2= 2 +- PRF_OUTPUT_SIZE= 384 */ static KRML_MUSTINLINE uint8_t -libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_3b( - uint8_t *prf_input, uint8_t domain_separator, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_1) { +libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_40(uint8_t *prf_input, + uint8_t domain_separator, + Eurydice_slice error_1, + int16_t *sample_buffer) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[3U][33U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - core_array__core__clone__Clone_for__Array_T__N___clone( - (size_t)33U, prf_input, prf_inputs[i], uint8_t, void *); + memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t)); } domain_separator = libcrux_ml_kem_utils_prf_input_inc_e0(prf_inputs, domain_separator); - uint8_t prf_outputs[3U][128U]; - libcrux_ml_kem_hash_functions_portable_PRFxN_4a_41(prf_inputs, prf_outputs); + uint8_t prf_outputs[384U] = {0U}; + Eurydice_slice uu____1 = core_array___Array_T__N___as_slice( + (size_t)3U, prf_inputs, uint8_t[33U], Eurydice_slice); + libcrux_ml_kem_hash_functions_portable_PRFxN_6e( + uu____1, Eurydice_array_to_slice((size_t)384U, prf_outputs, uint8_t), + (size_t)128U); for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = - libcrux_ml_kem_sampling_sample_from_binomial_distribution_a0( - 
Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t)); - error_1[i0] = uu____0; + Eurydice_slice randomness = Eurydice_array_to_subslice3( + prf_outputs, i0 * (size_t)128U, (i0 + (size_t)1U) * (size_t)128U, + uint8_t *); + libcrux_ml_kem_sampling_sample_from_binomial_distribution_a0(randomness, + sample_buffer); + libcrux_ml_kem_polynomial_from_i16_array_d6_df( + Eurydice_array_to_slice((size_t)256U, sample_buffer, int16_t), + &Eurydice_slice_index( + error_1, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *)); } return domain_separator; } 
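Review bot: `sample_ring_element_cbd_40` builds the `prf_inputs` slice with `core_array___Array_T__N___as_slice` while its sibling `sample_vector_cbd_then_ntt_40` in this same patch uses `Eurydice_array_to_slice` for the identical `uint8_t[3][33]` array; one spelling, presumably `Eurydice_array_to_slice((size_t)3U, prf_inputs, uint8_t[33U])`, would keep the two readable side by side. The new `int16_t *sample_buffer` parameter also carries an unstated 256-entry requirement, visible only in the `Eurydice_array_to_slice((size_t)256U, sample_buffer, int16_t)` call; suggest `/* sample_buffer: caller-provided scratch of 256 int16_t, reused across the K samples */` on the signature.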
@@ -3543,44 +3582,65 @@ with const generics - LEN= 128 */ static inline void libcrux_ml_kem_hash_functions_portable_PRF_a6( - Eurydice_slice input, uint8_t ret[128U]) { - uint8_t digest[128U] = {0U}; - libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)128U, digest, uint8_t), input); - memcpy(ret, digest, (size_t)128U * sizeof(uint8_t)); + Eurydice_slice input, Eurydice_slice out) { + libcrux_sha3_portable_shake256(out, input); } /** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} +This function found in impl {libcrux_ml_kem::hash_functions::Hash for +libcrux_ml_kem::hash_functions::portable::PortableHash} */ /** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRF_4a +A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRF_6e with const generics -- K= 3 - LEN= 128 */ -static inline void libcrux_ml_kem_hash_functions_portable_PRF_4a_410( - Eurydice_slice input, uint8_t ret[128U]) { - libcrux_ml_kem_hash_functions_portable_PRF_a6(input, ret); +static inline void libcrux_ml_kem_hash_functions_portable_PRF_6e_a6( + Eurydice_slice input, Eurydice_slice out) { + libcrux_ml_kem_hash_functions_portable_PRF_a6(input, out); } /** This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, -TraitClause@1]> for libcrux_ml_kem::matrix::compute_vector_u::closure[TraitClause@0, TraitClause@1]} +TraitClause@2]> for libcrux_ml_kem::ind_cpa::encrypt_c1::closure#1[TraitClause@0, TraitClause@1, TraitClause@2, TraitClause@3]} */ /** -A monomorphic instance of libcrux_ml_kem.matrix.compute_vector_u.call_mut_a8 +A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1.call_mut_88 +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics +- K= 3 +- K_SQUARED= 9 +- C1_LEN= 960 +- U_COMPRESSION_FACTOR= 10 +- 
BLOCK_LEN= 320 +- ETA1= 2 +- ETA1_RANDOMNESS_SIZE= 128 +- ETA2= 2 +- ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 +*/ +static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d +libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_88_fc(void **_, size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_df(); +} + +/** +A monomorphic instance of libcrux_ml_kem.matrix.entry with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 */ -static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_matrix_compute_vector_u_call_mut_a8_1b(void **_, - size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_ea(); +static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d * +libcrux_ml_kem_matrix_entry_1b(Eurydice_slice matrix, size_t i, size_t j) { + return &Eurydice_slice_index( + matrix, i * (size_t)3U + j, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *); } /** 
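Review bot: `PRF_a6` lost its fixed `uint8_t ret[128U]` output; `libcrux_sha3_portable_shake256(out, input)` now produces as many bytes as `out` has, so the `LEN= 128` in the header comment is no longer enforced by the signature and a caller passing a differently sized `out` silently gets that many bytes instead of LEN. Suggest on the function: `/* out.len must equal LEN (128); SHAKE256 fills exactly out.len bytes */`. The new `matrix_entry_1b` likewise documents nothing about its `i * (size_t)3U + j` indexing; `/* matrix is K*K row-major; requires i < K and j < K, enforced only by Eurydice_slice_index */` would state the layout it assumes.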
@@ -3589,22 +3649,17 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t j = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector - coefficient_normal_form = - libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( - myself->coefficients[j], (int16_t)1441); - libcrux_ml_kem_vector_portable_vector_type_PortableVector sum = - libcrux_ml_kem_vector_portable_add_b8(coefficient_normal_form, - &error->coefficients[j]); - libcrux_ml_kem_vector_portable_vector_type_PortableVector red = - libcrux_ml_kem_vector_portable_barrett_reduce_b8(sum); - myself->coefficients[j] = red; + libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( + &myself->coefficients[j], (int16_t)1441); + libcrux_ml_kem_vector_portable_add_b8(&myself->coefficients[j], + &error->coefficients[j]); + libcrux_ml_kem_vector_portable_barrett_reduce_b8(&myself->coefficients[j]); } } @@ -3619,10 +3674,10 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_d6_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_d6_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) { - libcrux_ml_kem_polynomial_add_error_reduce_ea(self, error); + libcrux_ml_kem_polynomial_add_error_reduce_df(self, error); } /** 
@@ -3635,46 +3690,40 @@ with const generics - K= 3 */ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_vector_u_1b( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d (*a_as_ntt)[3U], - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *r_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_1, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - result[i] = - libcrux_ml_kem_matrix_compute_vector_u_call_mut_a8_1b(&lvalue, i); - } - for (size_t i0 = (size_t)0U; - i0 < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)3U, a_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U]), - libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U]); - i0++) { + Eurydice_slice a_as_ntt, Eurydice_slice r_as_ntt, Eurydice_slice error_1, + Eurydice_slice result, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { + for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { size_t i1 = i0; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *row = a_as_ntt[i1]; - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)3U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d), - libcrux_ml_kem_polynomial_PolynomialRingElement_1d); - i++) { + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t j = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *a_element = &row[j]; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - libcrux_ml_kem_polynomial_ntt_multiply_d6_ea(a_element, &r_as_ntt[j]); - libcrux_ml_kem_polynomial_add_to_ring_element_d6_1b(&result[i1], - &product); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____0 = + libcrux_ml_kem_matrix_entry_1b(a_as_ntt, i1, j); + libcrux_ml_kem_polynomial_ntt_multiply_d6_df( + uu____0, + 
&Eurydice_slice_index( + r_as_ntt, j, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *), + scratch); + libcrux_ml_kem_polynomial_add_to_ring_element_d6_1b( + &Eurydice_slice_index( + result, i1, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *), + scratch); } - libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_1b(&result[i1]); - libcrux_ml_kem_polynomial_add_error_reduce_d6_ea(&result[i1], &error_1[i1]); + libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_1b( + &Eurydice_slice_index( + result, i1, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *), + scratch); + libcrux_ml_kem_polynomial_add_error_reduce_d6_df( + &Eurydice_slice_index( + result, i1, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *), + &Eurydice_slice_index( + error_1, i1, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *)); } - memcpy( - ret, result, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); } /** 
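Review bot: `compute_vector_u_1b` now accumulates into the caller's `result` slice through `add_to_ring_element_d6_1b` without clearing it first, whereas the removed code initialised `result[i]` with the ZERO closure, so correctness depends on the caller having zeroed it (`encrypt_c1_fc` does, via `call_mut_88_fc`). That precondition belongs at the signature: `/* Precondition: result[0..K) are zero; products are accumulated in place. a_as_ntt is K*K row-major; scratch is clobbered. */`. The loop bounds also changed from the slices' lengths to the literal `(size_t)3U`, so a shorter slice is now caught only by whatever check `Eurydice_slice_index` performs rather than by the loop itself.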
@@ -3682,19 +3731,17 @@ A monomorphic instance of libcrux_ml_kem.vector.portable.compress.compress with const generics - COEFFICIENT_BITS= 10 */ -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_compress_compress_ef( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_compress_compress_ef( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int16_t uu____0 = libcrux_secrets_int_as_i16_f5( libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient( (uint8_t)(int32_t)10, - libcrux_secrets_int_as_u16_f5(a.elements[i0]))); - a.elements[i0] = uu____0; + libcrux_secrets_int_as_u16_f5(a->elements[i0]))); + a->elements[i0] = uu____0; } - return a; } /** @@ -3706,10 +3753,9 @@ A monomorphic instance of libcrux_ml_kem.vector.portable.compress_b8 with const generics - COEFFICIENT_BITS= 10 */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_compress_b8_ef( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return libcrux_ml_kem_vector_portable_compress_compress_ef(a); +static inline void libcrux_ml_kem_vector_portable_compress_b8_ef( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { + libcrux_ml_kem_vector_portable_compress_compress_ef(a); } /** 
@@ -3720,23 +3766,20 @@ with const generics */ static KRML_MUSTINLINE void libcrux_ml_kem_serialize_compress_then_serialize_10_ff( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, uint8_t ret[320U]) { - uint8_t serialized[320U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, + Eurydice_slice serialized, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - libcrux_ml_kem_vector_portable_compress_b8_ef( - libcrux_ml_kem_serialize_to_unsigned_field_modulus_ea( - re->coefficients[i0])); - uint8_t bytes[20U]; - libcrux_ml_kem_vector_portable_serialize_10_b8(coefficient, bytes); - Eurydice_slice_copy( - Eurydice_array_to_subslice3(serialized, (size_t)20U * i0, - (size_t)20U * i0 + (size_t)20U, uint8_t *), - Eurydice_array_to_slice((size_t)20U, bytes, uint8_t), uint8_t); + libcrux_ml_kem_serialize_to_unsigned_field_modulus_df(&re->coefficients[i0], + scratch); + libcrux_ml_kem_vector_portable_compress_b8_ef(scratch); + libcrux_ml_kem_vector_portable_serialize_10_b8( + scratch, + Eurydice_slice_subslice3(serialized, (size_t)20U * i0, + (size_t)20U * i0 + (size_t)20U, uint8_t *)); } - memcpy(ret, serialized, (size_t)320U * sizeof(uint8_t)); } /** 
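Review bot: `compress_then_serialize_10_ff` writes through `Eurydice_slice_subslice3(serialized, 20*i0, 20*i0 + 20)` for sixteen values of `i0`, so `serialized` must be at least 320 bytes, but nothing in the new signature or comment says so now that the local `uint8_t serialized[320U]` is gone. Suggest `/* serialized: exactly 320 bytes (16 vectors x 20 bytes); every byte is overwritten, so the caller need not zero it */`. `scratch` is clobbered on every iteration and should be mentioned in the same comment.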
@@ -3748,10 +3791,11 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE void libcrux_ml_kem_serialize_compress_then_serialize_ring_element_u_fe( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, uint8_t ret[320U]) { - uint8_t uu____0[320U]; - libcrux_ml_kem_serialize_compress_then_serialize_10_ff(re, uu____0); - memcpy(ret, uu____0, (size_t)320U * sizeof(uint8_t)); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, + Eurydice_slice serialized, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { + libcrux_ml_kem_serialize_compress_then_serialize_10_ff(re, serialized, + scratch); } /** @@ -3768,7 +3812,8 @@ with const generics */ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_compress_then_serialize_u_43( libcrux_ml_kem_polynomial_PolynomialRingElement_1d input[3U], - Eurydice_slice out) { + Eurydice_slice out, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( 
@@ -3778,23 +3823,21 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_compress_then_serialize_u_43( i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = input[i0]; - Eurydice_slice uu____0 = Eurydice_slice_subslice3( - out, i0 * ((size_t)960U / (size_t)3U), - (i0 + (size_t)1U) * ((size_t)960U / (size_t)3U), uint8_t *); - uint8_t ret[320U]; - libcrux_ml_kem_serialize_compress_then_serialize_ring_element_u_fe(&re, - ret); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)320U, ret, uint8_t), uint8_t); + libcrux_ml_kem_serialize_compress_then_serialize_ring_element_u_fe( + &re, + Eurydice_slice_subslice3( + out, i0 * ((size_t)960U / (size_t)3U), + (i0 + (size_t)1U) * ((size_t)960U / (size_t)3U), uint8_t *), + scratch); } } /** A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_c1 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 +- K_SQUARED= 9 - C1_LEN= 960 - U_COMPRESSION_FACTOR= 10 - BLOCK_LEN= 320 
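Review bot: `compress_then_serialize_u_43` still copies each element out of `input` by value (`re = input[i0]`, a context line) and then passes `&re` to `compress_then_serialize_ring_element_u_fe`, which takes a pointer; passing `&input[i0]` directly would avoid copying a whole `PolynomialRingElement_1d` per iteration, provided the callee does not modify `*re` (the copy was discarded before as well, which suggests it does not). If the copy is what the Rust `for re in input` extraction produces, the extraction is where to fix it, as this file is generated.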
@@ -3802,55 +3845,80 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ -static KRML_MUSTINLINE tuple_ed libcrux_ml_kem_ind_cpa_encrypt_c1_85( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_c1_fc( Eurydice_slice randomness, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d (*matrix)[3U], - Eurydice_slice ciphertext) { + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *matrix, + Eurydice_slice ciphertext, Eurydice_slice r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_2, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { uint8_t prf_input[33U]; libcrux_ml_kem_utils_into_padded_array_c8(randomness, prf_input); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d r_as_ntt[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - r_as_ntt[i] = libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_f1_85(&lvalue, i); - } uint8_t domain_separator0 = - libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_3b(r_as_ntt, prf_input, - 0U); + libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_40( + r_as_ntt, prf_input, 0U, scratch->coefficients); libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_1[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { /* original Rust expression is not an lvalue in C */ void *lvalue = (void *)0U; - error_1[i] = libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_dd_85(&lvalue, i); + error_1[i] = libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_77_fc(&lvalue, i); } - uint8_t domain_separator = libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_3b( - prf_input, domain_separator0, error_1); + int16_t sampling_buffer[256U] = {0U}; + uint8_t domain_separator = libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_40( + prf_input, domain_separator0, + Eurydice_array_to_slice( + (size_t)3U, error_1, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + 
sampling_buffer); prf_input[32U] = domain_separator; - uint8_t prf_output[128U]; - libcrux_ml_kem_hash_functions_portable_PRF_4a_410( - Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t), prf_output); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_2 = - libcrux_ml_kem_sampling_sample_from_binomial_distribution_a0( - Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t)); + uint8_t prf_output[128U] = {0U}; + libcrux_ml_kem_hash_functions_portable_PRF_6e_a6( + Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t), + Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t)); + libcrux_ml_kem_sampling_sample_from_binomial_distribution_a0( + Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t), + sampling_buffer); + libcrux_ml_kem_polynomial_from_i16_array_d6_df( + Eurydice_array_to_slice((size_t)256U, sampling_buffer, int16_t), error_2); libcrux_ml_kem_polynomial_PolynomialRingElement_1d u[3U]; - libcrux_ml_kem_matrix_compute_vector_u_1b(matrix, r_as_ntt, error_1, u); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0[3U]; - memcpy( - uu____0, u, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); - libcrux_ml_kem_ind_cpa_compress_then_serialize_u_43(uu____0, ciphertext); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + u[i] = libcrux_ml_kem_ind_cpa_encrypt_c1_call_mut_88_fc(&lvalue, i); + } + libcrux_ml_kem_matrix_compute_vector_u_1b( + Eurydice_array_to_slice( + (size_t)9U, matrix, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + r_as_ntt, + Eurydice_array_to_slice( + (size_t)3U, error_1, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + Eurydice_array_to_slice( + (size_t)3U, u, libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + scratch); /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_kem_polynomial_PolynomialRingElement_1d copy_of_r_as_ntt[3U]; - memcpy( - 
copy_of_r_as_ntt, r_as_ntt, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); - tuple_ed lit; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d copy_of_u[3U]; memcpy( - lit.fst, copy_of_r_as_ntt, + copy_of_u, u, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); - lit.snd = error_2; - return lit; + libcrux_ml_kem_ind_cpa_compress_then_serialize_u_43(copy_of_u, ciphertext, + scratch->coefficients); +} + +/** +A monomorphic instance of libcrux_ml_kem.vector.traits.decompress_1 +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector +with const generics + +*/ +static KRML_MUSTINLINE void libcrux_ml_kem_vector_traits_decompress_1_df( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vec) { + libcrux_ml_kem_vector_portable_negate_b8(vec); + libcrux_ml_kem_vector_portable_bitwise_and_with_constant_b8(vec, + (int16_t)1665); } /** 
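Review bot: `encrypt_c1_fc` gained three caller-provided buffers whose roles are not documented: `r_as_ntt` and `error_2` are outputs, and `scratch` is used both as a `PolynomialRingElement_1d` for `compute_vector_u_1b` and, via `scratch->coefficients`, as the per-vector scratch for `sample_vector_cbd_then_ntt_40` and `compress_then_serialize_u_43`. A doc block above the function should say so, e.g. `/* Outputs: r_as_ntt[0..K), error_2; ciphertext receives c1. scratch is clobbered and must not alias any of them. */`. The `copy_of_u` memcpy before `compress_then_serialize_u_43` copies three ring elements that are discarded immediately afterwards; as with the other by-value copies this is an extraction artefact worth fixing at the source. The `decompress_1_df` helper in the same hunk (negate, then `& 1665`) is branch-free, which is the right shape for a secret-dependent select.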
@@ -3859,24 +3927,18 @@ libcrux_ml_kem.serialize.deserialize_then_decompress_message with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_serialize_deserialize_then_decompress_message_ea( - uint8_t *serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = - libcrux_ml_kem_polynomial_ZERO_d6_ea(); +static KRML_MUSTINLINE void +libcrux_ml_kem_serialize_deserialize_then_decompress_message_df( + uint8_t *serialized, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector - coefficient_compressed = - libcrux_ml_kem_vector_portable_deserialize_1_b8( - Eurydice_array_to_subslice3(serialized, (size_t)2U * i0, - (size_t)2U * i0 + (size_t)2U, - uint8_t *)); - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_vector_portable_decompress_1_b8(coefficient_compressed); - re.coefficients[i0] = uu____0; + libcrux_ml_kem_vector_portable_deserialize_1_b8( + Eurydice_array_to_subslice3(serialized, (size_t)2U * i0, + (size_t)2U * i0 + (size_t)2U, uint8_t *), + &re->coefficients[i0]); + libcrux_ml_kem_vector_traits_decompress_1_df(&re->coefficients[i0]); } - return re; } /** 
@@ -3885,28 +3947,22 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_polynomial_add_message_error_reduce_ea( +static KRML_MUSTINLINE void +libcrux_ml_kem_polynomial_add_message_error_reduce_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result) { + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *result, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector - coefficient_normal_form = - libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( - result.coefficients[i0], (int16_t)1441); - libcrux_ml_kem_vector_portable_vector_type_PortableVector sum1 = - libcrux_ml_kem_vector_portable_add_b8(myself->coefficients[i0], - &message->coefficients[i0]); - libcrux_ml_kem_vector_portable_vector_type_PortableVector sum2 = - libcrux_ml_kem_vector_portable_add_b8(coefficient_normal_form, &sum1); - libcrux_ml_kem_vector_portable_vector_type_PortableVector red = - libcrux_ml_kem_vector_portable_barrett_reduce_b8(sum2); - result.coefficients[i0] = red; + libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( + &result->coefficients[i0], (int16_t)1441); + scratch[0U] = myself->coefficients[i0]; + libcrux_ml_kem_vector_portable_add_b8(scratch, &message->coefficients[i0]); + libcrux_ml_kem_vector_portable_add_b8(&result->coefficients[i0], scratch); + libcrux_ml_kem_vector_portable_barrett_reduce_b8(&result->coefficients[i0]); } - return result; } /** 
@@ -3920,13 +3976,14 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_polynomial_add_message_error_reduce_d6_ea( +static KRML_MUSTINLINE void +libcrux_ml_kem_polynomial_add_message_error_reduce_d6_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result) { - return libcrux_ml_kem_polynomial_add_message_error_reduce_ea(self, message, - result); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *result, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { + libcrux_ml_kem_polynomial_add_message_error_reduce_df(self, message, result, + scratch); } /** 
@@ -3938,24 +3995,26 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 */ -static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_matrix_compute_ring_element_v_1b( +static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_ring_element_v_1b( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *t_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *r_as_ntt, + Eurydice_slice r_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_2, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d result = - libcrux_ml_kem_polynomial_ZERO_d6_ea(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *message, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *result, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - libcrux_ml_kem_polynomial_ntt_multiply_d6_ea(&t_as_ntt[i0], - &r_as_ntt[i0]); - libcrux_ml_kem_polynomial_add_to_ring_element_d6_1b(&result, &product); + libcrux_ml_kem_polynomial_ntt_multiply_d6_df( + &t_as_ntt[i0], + &Eurydice_slice_index( + r_as_ntt, i0, libcrux_ml_kem_polynomial_PolynomialRingElement_1d, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *), + scratch); + libcrux_ml_kem_polynomial_add_to_ring_element_d6_1b(result, scratch); } - libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_1b(&result); - return libcrux_ml_kem_polynomial_add_message_error_reduce_d6_ea( - error_2, message, result); + libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_1b(result, scratch); + libcrux_ml_kem_polynomial_add_message_error_reduce_d6_df( + error_2, message, result, scratch->coefficients); } /** 
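Review bot: `result` is now an accumulator that `libcrux_ml_kem_polynomial_add_to_ring_element_d6_1b(result, scratch)` adds into on every iteration, so `libcrux_ml_kem_matrix_compute_ring_element_v_1b` only computes v correctly when the caller hands it a zeroed element; the old body guaranteed that itself with `ZERO_d6_ea()`, and the contract now lives only in the caller (`encrypt_c2_6c` in the next hunk initialises `v` with `ZERO_d6_df()`). The header comment does not state this precondition, and since this file is generated the place to record it is the Rust source this instance comes from, e.g. `/// \`result\` must be zero on entry: it is used as an accumulator.` Note that the caller's other `ZERO_d6_df()`, on `message_as_ring_element`, is not load-bearing because `deserialize_then_decompress_message_df` overwrites all 16 coefficients, so a future cleanup could easily drop the wrong one. Separately, `r_as_ntt` is now read through `Eurydice_slice_index` while `t_as_ntt` is still indexed as a raw pointer (`t_as_ntt[i0]`); whether the slice form carries a runtime bound check is not visible here, but the asymmetry is worth a confirming glance at the unpacked-key layout.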
@@ -3963,19 +4022,17 @@ A monomorphic instance of libcrux_ml_kem.vector.portable.compress.compress with const generics - COEFFICIENT_BITS= 4 */ -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_compress_compress_d1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { +static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_compress_compress_d1( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int16_t uu____0 = libcrux_secrets_int_as_i16_f5( libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient( (uint8_t)(int32_t)4, - libcrux_secrets_int_as_u16_f5(a.elements[i0]))); - a.elements[i0] = uu____0; + libcrux_secrets_int_as_u16_f5(a->elements[i0]))); + a->elements[i0] = uu____0; } - return a; } /** @@ -3987,10 +4044,9 @@ A monomorphic instance of libcrux_ml_kem.vector.portable.compress_b8 with const generics - COEFFICIENT_BITS= 4 */ -static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_vector_portable_compress_b8_d1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { - return libcrux_ml_kem_vector_portable_compress_compress_d1(a); +static inline void libcrux_ml_kem_vector_portable_compress_b8_d1( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *a) { + libcrux_ml_kem_vector_portable_compress_compress_d1(a); } /** 
@@ -4000,22 +4056,20 @@ with const generics */ static KRML_MUSTINLINE void -libcrux_ml_kem_serialize_compress_then_serialize_4_ea( +libcrux_ml_kem_serialize_compress_then_serialize_4_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d re, - Eurydice_slice serialized) { + Eurydice_slice serialized, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - libcrux_ml_kem_vector_portable_compress_b8_d1( - libcrux_ml_kem_serialize_to_unsigned_field_modulus_ea( - re.coefficients[i0])); - uint8_t bytes[8U]; - libcrux_ml_kem_vector_portable_serialize_4_b8(coefficient, bytes); - Eurydice_slice_copy( + libcrux_ml_kem_serialize_to_unsigned_field_modulus_df(&re.coefficients[i0], + scratch); + libcrux_ml_kem_vector_portable_compress_b8_d1(scratch); + libcrux_ml_kem_vector_portable_serialize_4_b8( + scratch, Eurydice_slice_subslice3(serialized, (size_t)8U * i0, - (size_t)8U * i0 + (size_t)8U, uint8_t *), - Eurydice_array_to_slice((size_t)8U, bytes, uint8_t), uint8_t); + (size_t)8U * i0 + (size_t)8U, uint8_t *)); } } @@ -4029,8 +4083,9 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE void libcrux_ml_kem_serialize_compress_then_serialize_ring_element_v_6c( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d re, Eurydice_slice out) { - libcrux_ml_kem_serialize_compress_then_serialize_4_ea(re, out); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d re, Eurydice_slice out, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { + libcrux_ml_kem_serialize_compress_then_serialize_4_df(re, out, scratch); } /** 
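Review bot: `re` is still taken by value in `libcrux_ml_kem_serialize_compress_then_serialize_4_df` and in the `compress_then_serialize_ring_element_v_6c` wrapper below it, so each call copies a whole `PolynomialRingElement` onto the stack, even though this commit converts the neighbouring parameters (`scratch` here, `a` in the compress hunks above) to pointers. The body only reads `&re.coefficients[i0]`, so the same `*re` convention would do; as this is generated C the change belongs in the Rust signature (borrow `re` instead of moving it). The copy is of the `v` polynomial derived from the message and noise in `encrypt_c2_6c`, so it also leaves a second uncleared image of that value in the frame after return.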
@@ -4043,16 +4098,20 @@ with const generics */ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_c2_6c( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *t_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *r_as_ntt, + Eurydice_slice r_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_2, - uint8_t *message, Eurydice_slice ciphertext) { + uint8_t *message, Eurydice_slice ciphertext, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d message_as_ring_element = - libcrux_ml_kem_serialize_deserialize_then_decompress_message_ea(message); + libcrux_ml_kem_polynomial_ZERO_d6_df(); + libcrux_ml_kem_serialize_deserialize_then_decompress_message_df( + message, &message_as_ring_element); libcrux_ml_kem_polynomial_PolynomialRingElement_1d v = - libcrux_ml_kem_matrix_compute_ring_element_v_1b( - t_as_ntt, r_as_ntt, error_2, &message_as_ring_element); + libcrux_ml_kem_polynomial_ZERO_d6_df(); + libcrux_ml_kem_matrix_compute_ring_element_v_1b( + t_as_ntt, r_as_ntt, error_2, &message_as_ring_element, &v, scratch); libcrux_ml_kem_serialize_compress_then_serialize_ring_element_v_6c( - v, ciphertext); + v, ciphertext, scratch->coefficients); } /** @@ -4099,9 +4158,9 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_c2_6c( /** A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - T_AS_NTT_ENCODED_SIZE= 1152 - C1_LEN= 960 
@@ -4113,38 +4172,32 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_unpacked_2a( - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 *public_key, - uint8_t *message, Eurydice_slice randomness, uint8_t ret[1088U]) { - uint8_t ciphertext[1088U] = {0U}; - tuple_ed uu____0 = libcrux_ml_kem_ind_cpa_encrypt_c1_85( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_unpacked_28( + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_be *public_key, + uint8_t *message, Eurydice_slice randomness, Eurydice_slice ciphertext, + Eurydice_slice r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_2, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { + libcrux_ml_kem_ind_cpa_encrypt_c1_fc( randomness, public_key->A, - Eurydice_array_to_subslice3(ciphertext, (size_t)0U, (size_t)960U, - uint8_t *)); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d r_as_ntt[3U]; - memcpy( - r_as_ntt, uu____0.fst, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_2 = uu____0.snd; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____1 = - public_key->t_as_ntt; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____2 = r_as_ntt; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____3 = &error_2; - uint8_t *uu____4 = message; + Eurydice_slice_subslice3(ciphertext, (size_t)0U, (size_t)960U, uint8_t *), + r_as_ntt, error_2, scratch); libcrux_ml_kem_ind_cpa_encrypt_c2_6c( - uu____1, uu____2, uu____3, uu____4, - Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, (size_t)960U, - uint8_t, size_t, uint8_t[])); - memcpy(ret, ciphertext, (size_t)1088U * sizeof(uint8_t)); + public_key->t_as_ntt, r_as_ntt, error_2, message, + Eurydice_slice_subslice_from(ciphertext, (size_t)960U, uint8_t, size_t, + uint8_t[]), 
+ scratch); } /** A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - T_AS_NTT_ENCODED_SIZE= 1152 - C1_LEN= 960 @@ -4156,17 +4209,21 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_2a( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_28( Eurydice_slice public_key, uint8_t *message, Eurydice_slice randomness, - uint8_t ret[1088U]) { - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 - unpacked_public_key = - libcrux_ml_kem_ind_cpa_build_unpacked_public_key_3f(public_key); - uint8_t ret0[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_unpacked_2a(&unpacked_public_key, message, - randomness, ret0); - memcpy(ret, ret0, (size_t)1088U * sizeof(uint8_t)); + Eurydice_slice ciphertext, Eurydice_slice r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_2, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_be + unpacked_public_key = libcrux_ml_kem_ind_cpa_unpacked_default_50_89(); + libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_e2(public_key, + &unpacked_public_key); + libcrux_ml_kem_ind_cpa_encrypt_unpacked_28(&unpacked_public_key, message, + randomness, ciphertext, r_as_ntt, + error_2, scratch); } /** 
@@ -4175,17 +4232,14 @@ libcrux_ml_kem::variant::MlKem} */ /** A monomorphic instance of libcrux_ml_kem.variant.kdf_39 -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 - CIPHERTEXT_SIZE= 1088 */ -static KRML_MUSTINLINE void libcrux_ml_kem_variant_kdf_39_d6( - Eurydice_slice shared_secret, uint8_t *_, uint8_t ret[32U]) { - uint8_t out[32U] = {0U}; - Eurydice_slice_copy(Eurydice_array_to_slice((size_t)32U, out, uint8_t), - shared_secret, uint8_t); - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); +static KRML_MUSTINLINE void libcrux_ml_kem_variant_kdf_39_1f( + Eurydice_slice shared_secret, uint8_t *_, Eurydice_slice out) { + Eurydice_slice_copy(out, shared_secret, uint8_t); } /** @@ -4194,9 +4248,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_variant_kdf_39_d6( /** A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 @@ -4211,9 +4266,11 @@ libcrux_ml_kem_variant_MlKem with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_62( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_d7( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { Eurydice_slice_uint8_t_x4 uu____0 = 
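Review bot: `libcrux_ml_kem_variant_kdf_39_1f` now writes through an arbitrary `out` slice with `Eurydice_slice_copy(out, shared_secret, uint8_t)`, so the 32-byte length guarantee that the old `uint8_t ret[32U]` signature carried is now a caller obligation, and what `Eurydice_slice_copy` does when `out` and `shared_secret` differ in length is not visible in this hunk. The same shift to a caller-sized `out` slice appears in `libcrux_ml_kem_variant_entropy_preprocess_39_f0` (hunk `@@ -4328`) and `libcrux_ml_kem_variant_cpa_keygen_seed_39_f0` (hunk `@@ -4485`), where `G_6e` now writes into `out` instead of a fixed 64-byte array. If the Rust side's types are what pin these lengths, nothing is needed in the generated C, but the callers in this diff pass literal `(size_t)32U` slices, so a mismatch would not be caught at compile time; a one-line precondition on the Rust functions, e.g. `/// \`out\` must be exactly SHARED_SECRET_SIZE bytes.`, would make the contract visible.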
@@ -4223,9 +4280,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_62( Eurydice_slice ind_cpa_public_key = uu____0.snd; Eurydice_slice ind_cpa_public_key_hash = uu____0.thd; Eurydice_slice implicit_rejection_value = uu____0.f3; - uint8_t decrypted[32U]; - libcrux_ml_kem_ind_cpa_decrypt_42(ind_cpa_secret_key, ciphertext->value, - decrypted); + uint8_t decrypted[32U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d scratch = + libcrux_ml_kem_polynomial_ZERO_d6_df(); + libcrux_ml_kem_ind_cpa_decrypt_42( + ind_cpa_secret_key, ciphertext->value, + Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), &scratch); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array_24( Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0); @@ -4234,9 +4294,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_62( (size_t)64U, to_hash0, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, size_t, uint8_t[]), ind_cpa_public_key_hash, uint8_t); - uint8_t hashed[64U]; - libcrux_ml_kem_hash_functions_portable_G_4a_e0( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed); + uint8_t hashed[64U] = {0U}; + libcrux_ml_kem_hash_functions_portable_G_6e( + Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t)); Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, 
@@ -4250,32 +4311,47 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_62( uint8_t, size_t, uint8_t[]); Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_d3_80(ciphertext), uint8_t); - uint8_t implicit_rejection_shared_secret0[32U]; - libcrux_ml_kem_hash_functions_portable_PRF_4a_41( + uint8_t implicit_rejection_shared_secret[32U] = {0U}; + libcrux_ml_kem_hash_functions_portable_PRF_6e_9e( Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t), - implicit_rejection_shared_secret0); - uint8_t expected_ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_2a(ind_cpa_public_key, decrypted, - pseudorandomness, expected_ciphertext); - uint8_t implicit_rejection_shared_secret[32U]; - libcrux_ml_kem_variant_kdf_39_d6( - Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, + uint8_t)); + uint8_t expected_ciphertext[1088U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d r_as_ntt[3U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + r_as_ntt[i] = libcrux_ml_kem_ind_cca_decapsulate_call_mut_5f_d7(&lvalue, i); + } + libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_2 = + libcrux_ml_kem_polynomial_ZERO_d6_df(); + libcrux_ml_kem_ind_cpa_encrypt_28( + ind_cpa_public_key, decrypted, pseudorandomness, + Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t), + Eurydice_array_to_slice( + (size_t)3U, r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + &error_2, &scratch); + uint8_t implicit_rejection_shared_secret_kdf[32U] = {0U}; + libcrux_ml_kem_variant_kdf_39_1f( + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t), - libcrux_ml_kem_types_as_slice_a9_80(ciphertext), - implicit_rejection_shared_secret); - uint8_t shared_secret[32U]; - libcrux_ml_kem_variant_kdf_39_d6( - shared_secret0, 
libcrux_ml_kem_types_as_slice_a9_80(ciphertext), - shared_secret); - uint8_t ret0[32U]; + ciphertext->value, + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret_kdf, + uint8_t)); + uint8_t shared_secret_kdf[32U] = {0U}; + libcrux_ml_kem_variant_kdf_39_1f( + shared_secret0, ciphertext->value, + Eurydice_array_to_slice((size_t)32U, shared_secret_kdf, uint8_t)); + uint8_t shared_secret[32U] = {0U}; libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( libcrux_ml_kem_types_as_ref_d3_80(ciphertext), Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t), - Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t), - Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, + Eurydice_array_to_slice((size_t)32U, shared_secret_kdf, uint8_t), + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret_kdf, uint8_t), - ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t)); + memcpy(ret, shared_secret, (size_t)32U * sizeof(uint8_t)); } /** @@ -4285,6 +4361,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_decapsulate_62( A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.decapsulate with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 
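Review bot: `libcrux_ml_kem_ind_cca_decapsulate_d7` returns with several stack buffers still holding secret material — `decrypted`, `hashed`, `implicit_rejection_shared_secret`, `implicit_rejection_shared_secret_kdf`, `shared_secret_kdf` and `shared_secret`, plus `r_as_ntt`, `error_2` and the `scratch` element that presumably carries secret-key-derived intermediates out of `decrypt_42` — and none of them is cleared before `memcpy(ret, shared_secret, ...)`. The number of 32-byte secret copies is the same as in the old body, so this is not a regression, but if the Rust source relies on drop-time zeroization that does not carry over into this generated C; a clear the compiler cannot elide (an `explicit_bzero`-style call or an extractor-level hook) at the end of the function is worth confirming. The same applies to `libcrux_ml_kem_ind_cca_encapsulate_d9` in hunk `@@ -4372` (`processed_randomness`, `to_hash`, `hashed`, `shared_secret_array`, `copy_of_shared_secret_array`, `r_as_ntt`, `error_2`, `scratch`). The constant-time structure itself is preserved: both `kdf_39_1f` outputs are computed unconditionally before `compare_ciphertexts_select_shared_secret_in_constant_time`. The enclosing function starts in the `@@ -4211` hunk above.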
@@ -4299,13 +4376,15 @@ libcrux_ml_kem.ind_cca.instantiations.portable.decapsulate with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ static inline void -libcrux_ml_kem_ind_cca_instantiations_portable_decapsulate_35( +libcrux_ml_kem_ind_cca_instantiations_portable_decapsulate_54( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_decapsulate_62(private_key, ciphertext, ret); + libcrux_ml_kem_ind_cca_decapsulate_d7(private_key, ciphertext, ret); } /** @@ -4318,7 +4397,7 @@ libcrux_ml_kem_ind_cca_instantiations_portable_decapsulate_35( static inline void libcrux_ml_kem_mlkem768_portable_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_instantiations_portable_decapsulate_35( + libcrux_ml_kem_ind_cca_instantiations_portable_decapsulate_54( private_key, ciphertext, ret); } 
@@ -4328,38 +4407,60 @@ libcrux_ml_kem::variant::MlKem} */ /** A monomorphic instance of libcrux_ml_kem.variant.entropy_preprocess_39 -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 */ -static KRML_MUSTINLINE void libcrux_ml_kem_variant_entropy_preprocess_39_9c( - Eurydice_slice randomness, uint8_t ret[32U]) { - uint8_t out[32U] = {0U}; - Eurydice_slice_copy(Eurydice_array_to_slice((size_t)32U, out, uint8_t), - randomness, uint8_t); - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); +static KRML_MUSTINLINE void libcrux_ml_kem_variant_entropy_preprocess_39_f0( + Eurydice_slice randomness, Eurydice_slice out) { + Eurydice_slice_copy(out, randomness, uint8_t); } /** -This function found in impl {libcrux_ml_kem::hash_functions::Hash for -libcrux_ml_kem::hash_functions::portable::PortableHash} +This function found in impl {core::ops::function::FnMut<(usize), +libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@3]> for libcrux_ml_kem::ind_cca::encapsulate::closure[TraitClause@0, +TraitClause@1, TraitClause@2, TraitClause@3, TraitClause@4, TraitClause@5]} */ /** -A monomorphic instance of libcrux_ml_kem.hash_functions.portable.H_4a -with const generics +A monomorphic instance of libcrux_ml_kem.ind_cca.encapsulate.call_mut_c0 +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, +libcrux_ml_kem_hash_functions_portable_PortableHash, +libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 +- CIPHERTEXT_SIZE= 1088 +- PUBLIC_KEY_SIZE= 1184 +- T_AS_NTT_ENCODED_SIZE= 1152 +- C1_SIZE= 960 +- C2_SIZE= 128 +- VECTOR_U_COMPRESSION_FACTOR= 10 +- VECTOR_V_COMPRESSION_FACTOR= 4 +- C1_BLOCK_SIZE= 320 +- ETA1= 2 +- ETA1_RANDOMNESS_SIZE= 128 +- ETA2= 2 +- ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ -static inline void libcrux_ml_kem_hash_functions_portable_H_4a_e0( - 
Eurydice_slice input, uint8_t ret[32U]) { - libcrux_ml_kem_hash_functions_portable_H(input, ret); +static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d +libcrux_ml_kem_ind_cca_encapsulate_call_mut_c0_d9(void **_, + size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_df(); } /** A monomorphic instance of libcrux_ml_kem.ind_cca.encapsulate with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - PUBLIC_KEY_SIZE= 1184 - T_AS_NTT_ENCODED_SIZE= 1152 
@@ -4372,49 +4473,69 @@ libcrux_ml_kem_variant_MlKem with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ -static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_ca( +static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_d9( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, uint8_t *randomness) { - uint8_t randomness0[32U]; - libcrux_ml_kem_variant_entropy_preprocess_39_9c( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), randomness0); + uint8_t processed_randomness[32U] = {0U}; + libcrux_ml_kem_variant_entropy_preprocess_39_f0( + Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), + Eurydice_array_to_slice((size_t)32U, processed_randomness, uint8_t)); uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array_24( - Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t), to_hash); - Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( - (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, uint8_t[]); - uint8_t ret0[32U]; - libcrux_ml_kem_hash_functions_portable_H_4a_e0( - Eurydice_array_to_slice((size_t)1184U, - libcrux_ml_kem_types_as_slice_e6_d0(public_key), - uint8_t), - ret0); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)32U, ret0, uint8_t), uint8_t); - uint8_t hashed[64U]; - libcrux_ml_kem_hash_functions_portable_G_4a_e0( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), hashed); + Eurydice_array_to_slice((size_t)32U, processed_randomness, uint8_t), + to_hash); + Eurydice_slice uu____0 = Eurydice_array_to_slice( + (size_t)1184U, libcrux_ml_kem_types_as_slice_e6_d0(public_key), uint8_t); + libcrux_ml_kem_hash_functions_portable_H_6e( + uu____0, Eurydice_array_to_subslice_from( + (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, + uint8_t, size_t, uint8_t[])); + uint8_t hashed[64U] = {0U}; + libcrux_ml_kem_hash_functions_portable_G_6e( + 
Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t)); Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; - uint8_t ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_2a( + libcrux_ml_kem_mlkem768_MlKem768Ciphertext ciphertext = + libcrux_ml_kem_types_default_73_80(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d r_as_ntt[3U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + r_as_ntt[i] = libcrux_ml_kem_ind_cca_encapsulate_call_mut_c0_d9(&lvalue, i); + } + libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_2 = + libcrux_ml_kem_polynomial_ZERO_d6_df(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d scratch = + libcrux_ml_kem_polynomial_ZERO_d6_df(); + libcrux_ml_kem_ind_cpa_encrypt_28( Eurydice_array_to_slice((size_t)1184U, libcrux_ml_kem_types_as_slice_e6_d0(public_key), uint8_t), - randomness0, pseudorandomness, ciphertext); + processed_randomness, pseudorandomness, + Eurydice_array_to_slice((size_t)1088U, ciphertext.value, uint8_t), + Eurydice_array_to_slice( + (size_t)3U, r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + &error_2, &scratch); + uint8_t shared_secret_array[32U] = {0U}; + libcrux_ml_kem_variant_kdf_39_1f( + shared_secret, ciphertext.value, + Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t)); + libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____2 = ciphertext; /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_ciphertext[1088U]; - memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t)); + uint8_t copy_of_shared_secret_array[32U]; + memcpy(copy_of_shared_secret_array, 
shared_secret_array, + (size_t)32U * sizeof(uint8_t)); tuple_c2 lit; - lit.fst = libcrux_ml_kem_types_from_e0_80(copy_of_ciphertext); - uint8_t ret[32U]; - libcrux_ml_kem_variant_kdf_39_d6(shared_secret, ciphertext, ret); - memcpy(lit.snd, ret, (size_t)32U * sizeof(uint8_t)); + lit.fst = uu____2; + memcpy(lit.snd, copy_of_shared_secret_array, (size_t)32U * sizeof(uint8_t)); return lit; } @@ -4422,6 +4543,7 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_ca( A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.encapsulate with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - PUBLIC_KEY_SIZE= 1184 - T_AS_NTT_ENCODED_SIZE= 1152 @@ -4434,11 +4556,13 @@ libcrux_ml_kem.ind_cca.instantiations.portable.encapsulate with const generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ static inline tuple_c2 -libcrux_ml_kem_ind_cca_instantiations_portable_encapsulate_cd( +libcrux_ml_kem_ind_cca_instantiations_portable_encapsulate_35( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, uint8_t *randomness) { - return libcrux_ml_kem_ind_cca_encapsulate_ca(public_key, randomness); + return libcrux_ml_kem_ind_cca_encapsulate_d9(public_key, randomness); } /** @@ -4451,7 +4575,7 @@ libcrux_ml_kem_ind_cca_instantiations_portable_encapsulate_cd( static inline tuple_c2 libcrux_ml_kem_mlkem768_portable_encapsulate( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, uint8_t randomness[32U]) { - return libcrux_ml_kem_ind_cca_instantiations_portable_encapsulate_cd( + return libcrux_ml_kem_ind_cca_instantiations_portable_encapsulate_35( public_key, randomness); } 
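Review bot: `libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____2 = ciphertext;` followed by `lit.fst = uu____2;` copies the full ciphertext struct twice where `lit.fst = ciphertext;` would do, and `copy_of_shared_secret_array` is one more image of the shared secret that exists only to be `memcpy`'d into `lit.snd`. Both look like extractor artefacts of Rust move semantics rather than something to hand-patch in a generated file, but they cost a stack frame and leave extra copies of the secret behind, so they are worth an issue against the extraction pipeline. The `r_as_ntt` initialisation loop calling `libcrux_ml_kem_ind_cca_encapsulate_call_mut_c0_d9(&lvalue, i)` is likewise a closure that only returns `ZERO_d6_df()`; a comment in the Rust source noting that the array is zero-initialised for `encrypt_28` to fill would help readers of this C.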
@@ -4471,7 +4595,7 @@ libcrux_ml_kem_ind_cpa_unpacked_default_70_1b(void) { libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0 lit; libcrux_ml_kem_polynomial_PolynomialRingElement_1d repeat_expression[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - repeat_expression[i] = libcrux_ml_kem_polynomial_ZERO_d6_ea(); + repeat_expression[i] = libcrux_ml_kem_polynomial_ZERO_d6_df(); } memcpy( lit.secret_as_ntt, repeat_expression, @@ -4485,12 +4609,12 @@ libcrux_ml_kem::variant::MlKem} */ /** A monomorphic instance of libcrux_ml_kem.variant.cpa_keygen_seed_39 -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 */ -static KRML_MUSTINLINE void libcrux_ml_kem_variant_cpa_keygen_seed_39_9c( - Eurydice_slice key_generation_seed, uint8_t ret[64U]) { +static KRML_MUSTINLINE void libcrux_ml_kem_variant_cpa_keygen_seed_39_f0( + Eurydice_slice key_generation_seed, Eurydice_slice out) { uint8_t seed[33U] = {0U}; Eurydice_slice_copy( Eurydice_array_to_subslice3( @@ -4499,10 +4623,8 @@ static KRML_MUSTINLINE void libcrux_ml_kem_variant_cpa_keygen_seed_39_9c( key_generation_seed, uint8_t); seed[LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE] = (uint8_t)(size_t)3U; - uint8_t ret0[64U]; - libcrux_ml_kem_hash_functions_portable_G_4a_e0( - Eurydice_array_to_slice((size_t)33U, seed, uint8_t), ret0); - memcpy(ret, ret0, (size_t)64U * sizeof(uint8_t)); + libcrux_ml_kem_hash_functions_portable_G_6e( + Eurydice_array_to_slice((size_t)33U, seed, uint8_t), out); } /** 
@@ -4510,23 +4632,26 @@ This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, TraitClause@3]> for libcrux_ml_kem::ind_cpa::generate_keypair_unpacked::closure[TraitClause@0, TraitClause@1, -TraitClause@2, TraitClause@3, TraitClause@4, TraitClause@5]} +Scheme, K, K_SQUARED, ETA1, ETA1_RANDOMNESS_SIZE, +PRF_OUTPUT_SIZE1>[TraitClause@0, TraitClause@1, TraitClause@2, TraitClause@3, +TraitClause@4, TraitClause@5]} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cpa.generate_keypair_unpacked.call_mut_73 with types +libcrux_ml_kem.ind_cpa.generate_keypair_unpacked.call_mut_ae with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_call_mut_73_1c( +libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_call_mut_ae_b8( void **_, size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_ea(); + return libcrux_ml_kem_polynomial_ZERO_d6_df(); } /** 
@@ -4535,10 +4660,9 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -libcrux_ml_kem_polynomial_to_standard_domain_ea( - libcrux_ml_kem_vector_portable_vector_type_PortableVector vector) { - return libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_to_standard_domain_df( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *vector) { + libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_b8( vector, LIBCRUX_ML_KEM_VECTOR_TRAITS_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS); } @@ -4550,22 +4674,16 @@ with const generics */ static KRML_MUSTINLINE void -libcrux_ml_kem_polynomial_add_standard_error_reduce_ea( +libcrux_ml_kem_polynomial_add_standard_error_reduce_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *myself, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t j = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector - coefficient_normal_form = - libcrux_ml_kem_polynomial_to_standard_domain_ea( - myself->coefficients[j]); - libcrux_ml_kem_vector_portable_vector_type_PortableVector sum = - libcrux_ml_kem_vector_portable_add_b8(coefficient_normal_form, - &error->coefficients[j]); - libcrux_ml_kem_vector_portable_vector_type_PortableVector red = - libcrux_ml_kem_vector_portable_barrett_reduce_b8(sum); - myself->coefficients[j] = red; + libcrux_ml_kem_polynomial_to_standard_domain_df(&myself->coefficients[j]); + libcrux_ml_kem_vector_portable_add_b8(&myself->coefficients[j], + &error->coefficients[j]); + libcrux_ml_kem_vector_portable_barrett_reduce_b8(&myself->coefficients[j]); } } 
@@ -4581,10 +4699,10 @@ with const generics */ static KRML_MUSTINLINE void -libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_ea( +libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error) { - libcrux_ml_kem_polynomial_add_standard_error_reduce_ea(self, error); + libcrux_ml_kem_polynomial_add_standard_error_reduce_df(self, error); } /** 
@@ -4598,38 +4716,25 @@ with const generics */ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_As_plus_e_1b( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *t_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d (*matrix_A)[3U], + Eurydice_slice matrix_A, libcrux_ml_kem_polynomial_PolynomialRingElement_1d *s_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_as_ntt) { - for (size_t i = (size_t)0U; - i < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)3U, matrix_A, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U]), - libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U]); - i++) { + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *error_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *row = matrix_A[i0]; libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = - libcrux_ml_kem_polynomial_ZERO_d6_ea(); + libcrux_ml_kem_polynomial_ZERO_d6_df(); t_as_ntt[i0] = uu____0; - for (size_t i1 = (size_t)0U; - i1 < Eurydice_slice_len( - Eurydice_array_to_slice( - (size_t)3U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d), - libcrux_ml_kem_polynomial_PolynomialRingElement_1d); - i1++) { + for (size_t i1 = (size_t)0U; i1 < (size_t)3U; i1++) { size_t j = i1; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *matrix_element = - &row[j]; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d product = - libcrux_ml_kem_polynomial_ntt_multiply_d6_ea(matrix_element, - &s_as_ntt[j]); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____1 = + libcrux_ml_kem_matrix_entry_1b(matrix_A, i0, j); + libcrux_ml_kem_polynomial_ntt_multiply_d6_df(uu____1, &s_as_ntt[j], + scratch); libcrux_ml_kem_polynomial_add_to_ring_element_d6_1b(&t_as_ntt[i0], - &product); + scratch); } - libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_ea( + 
libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_df( &t_as_ntt[i0], &error_as_ntt[i0]); } } 
@@ -4678,47 +4783,62 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_As_plus_e_1b( /** A monomorphic instance of libcrux_ml_kem.ind_cpa.generate_keypair_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_1c( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_b8( Eurydice_slice key_generation_seed, libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0 *private_key, - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 *public_key) { - uint8_t hashed[64U]; - libcrux_ml_kem_variant_cpa_keygen_seed_39_9c(key_generation_seed, hashed); + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_be *public_key, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { + uint8_t hashed[64U] = {0U}; + libcrux_ml_kem_variant_cpa_keygen_seed_39_f0( + key_generation_seed, + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t)); Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), (size_t)32U, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice seed_for_A = uu____0.fst; Eurydice_slice seed_for_secret_and_error = uu____0.snd; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d(*uu____1)[3U] = - public_key->A; + Eurydice_slice uu____1 = Eurydice_array_to_slice( + (size_t)9U, public_key->A, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d); uint8_t ret[34U]; libcrux_ml_kem_utils_into_padded_array_b6(seed_for_A, ret); - libcrux_ml_kem_matrix_sample_matrix_A_2b(uu____1, ret, true); + libcrux_ml_kem_matrix_sample_matrix_A_57(uu____1, ret, true); uint8_t prf_input[33U]; 
libcrux_ml_kem_utils_into_padded_array_c8(seed_for_secret_and_error, prf_input); uint8_t domain_separator = - libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_3b( - private_key->secret_as_ntt, prf_input, 0U); + libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_40( + Eurydice_array_to_slice( + (size_t)3U, private_key->secret_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + prf_input, 0U, scratch->coefficients); libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_as_ntt[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { /* original Rust expression is not an lvalue in C */ void *lvalue = (void *)0U; error_as_ntt[i] = - libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_call_mut_73_1c(&lvalue, + libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_call_mut_ae_b8(&lvalue, i); } - libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_3b(error_as_ntt, prf_input, - domain_separator); + libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_40( + Eurydice_array_to_slice( + (size_t)3U, error_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + prf_input, domain_separator, scratch->coefficients); libcrux_ml_kem_matrix_compute_As_plus_e_1b( - public_key->t_as_ntt, public_key->A, private_key->secret_as_ntt, - error_as_ntt); + public_key->t_as_ntt, + Eurydice_array_to_slice( + (size_t)9U, public_key->A, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + private_key->secret_as_ntt, error_as_ntt, scratch); uint8_t uu____2[32U]; Result_fb dst; Eurydice_slice_to_array2(&dst, seed_for_A, Eurydice_slice, uint8_t[32U], 
@@ -4734,23 +4854,20 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE void -libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_ea( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, uint8_t ret[384U]) { - uint8_t serialized[384U] = {0U}; +libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_df( + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch, + Eurydice_slice serialized) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - libcrux_ml_kem_serialize_to_unsigned_field_modulus_ea( - re->coefficients[i0]); - uint8_t bytes[24U]; - libcrux_ml_kem_vector_portable_serialize_12_b8(coefficient, bytes); - Eurydice_slice_copy( - Eurydice_array_to_subslice3(serialized, (size_t)24U * i0, - (size_t)24U * i0 + (size_t)24U, uint8_t *), - Eurydice_array_to_slice((size_t)24U, bytes, uint8_t), uint8_t); + libcrux_ml_kem_serialize_to_unsigned_field_modulus_df(&re->coefficients[i0], + scratch); + libcrux_ml_kem_vector_portable_serialize_12_b8( + scratch, + Eurydice_slice_subslice3(serialized, (size_t)24U * i0, + (size_t)24U * i0 + (size_t)24U, uint8_t *)); } - memcpy(ret, serialized, (size_t)384U * sizeof(uint8_t)); } /** @@ -4763,8 +4880,8 @@ with const generics - K= 3 */ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_serialize_vector_1b( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *key, - Eurydice_slice out) { + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *key, Eurydice_slice out, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice( 
@@ -4774,14 +4891,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_serialize_vector_1b( i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_1d re = key[i0]; - Eurydice_slice uu____0 = Eurydice_slice_subslice3( - out, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t *); - uint8_t ret[384U]; - libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_ea(&re, ret); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)384U, ret, uint8_t), uint8_t); + libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_df( + &re, scratch, + Eurydice_slice_subslice3( + out, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, + uint8_t *)); } } 
@@ -4797,40 +4912,23 @@ with const generics */ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_serialize_public_key_mut_89( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *t_as_ntt, - Eurydice_slice seed_for_a, uint8_t *serialized) { + Eurydice_slice seed_for_a, Eurydice_slice serialized, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { libcrux_ml_kem_ind_cpa_serialize_vector_1b( t_as_ntt, - Eurydice_array_to_subslice3( + Eurydice_slice_subslice3( serialized, (size_t)0U, libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), - uint8_t *)); + uint8_t *), + scratch); Eurydice_slice_copy( - Eurydice_array_to_subslice_from( - (size_t)1184U, serialized, + Eurydice_slice_subslice_from( + serialized, libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), uint8_t, size_t, uint8_t[]), seed_for_a, uint8_t); } -/** - Concatenate `t` and `ρ` into the public key. -*/ -/** -A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key -with types libcrux_ml_kem_vector_portable_vector_type_PortableVector -with const generics -- K= 3 -- PUBLIC_KEY_SIZE= 1184 -*/ -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_serialize_public_key_89( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *t_as_ntt, - Eurydice_slice seed_for_a, uint8_t ret[1184U]) { - uint8_t public_key_serialized[1184U] = {0U}; - libcrux_ml_kem_ind_cpa_serialize_public_key_mut_89(t_as_ntt, seed_for_a, - public_key_serialized); - memcpy(ret, public_key_serialized, (size_t)1184U * sizeof(uint8_t)); -} - /** Serialize the secret key from the unpacked key pair generation. */ 
@@ -4839,59 +4937,50 @@ A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_unpacked_secret_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 - PRIVATE_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 */ -static inline libcrux_ml_kem_utils_extraction_helper_Keypair768 -libcrux_ml_kem_ind_cpa_serialize_unpacked_secret_key_6c( - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 *public_key, - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0 *private_key) { - uint8_t public_key_serialized[1184U]; - libcrux_ml_kem_ind_cpa_serialize_public_key_89( +static inline void libcrux_ml_kem_ind_cpa_serialize_unpacked_secret_key_43( + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_be *public_key, + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0 *private_key, + Eurydice_slice serialized_private_key, Eurydice_slice serialized_public_key, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *scratch) { + libcrux_ml_kem_ind_cpa_serialize_public_key_mut_89( public_key->t_as_ntt, Eurydice_array_to_slice((size_t)32U, public_key->seed_for_A, uint8_t), - public_key_serialized); - uint8_t secret_key_serialized[1152U] = {0U}; - libcrux_ml_kem_ind_cpa_serialize_vector_1b( - private_key->secret_as_ntt, - Eurydice_array_to_slice((size_t)1152U, secret_key_serialized, uint8_t)); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_secret_key_serialized[1152U]; - memcpy(copy_of_secret_key_serialized, secret_key_serialized, - (size_t)1152U * sizeof(uint8_t)); - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_public_key_serialized[1184U]; - memcpy(copy_of_public_key_serialized, public_key_serialized, - (size_t)1184U * sizeof(uint8_t)); - libcrux_ml_kem_utils_extraction_helper_Keypair768 lit; - memcpy(lit.fst, copy_of_secret_key_serialized, - (size_t)1152U * sizeof(uint8_t)); - memcpy(lit.snd, copy_of_public_key_serialized, - 
(size_t)1184U * sizeof(uint8_t)); - return lit; + serialized_public_key, scratch); + libcrux_ml_kem_ind_cpa_serialize_vector_1b(private_key->secret_as_ntt, + serialized_private_key, scratch); } /** A monomorphic instance of libcrux_ml_kem.ind_cpa.generate_keypair with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - PRIVATE_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ -static KRML_MUSTINLINE libcrux_ml_kem_utils_extraction_helper_Keypair768 -libcrux_ml_kem_ind_cpa_generate_keypair_ea(Eurydice_slice key_generation_seed) { +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_generate_keypair_90( + Eurydice_slice key_generation_seed, + Eurydice_slice serialized_ind_cpa_private_key, + Eurydice_slice serialized_public_key, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *scratch) { libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0 private_key = libcrux_ml_kem_ind_cpa_unpacked_default_70_1b(); - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 public_key = - libcrux_ml_kem_ind_cpa_unpacked_default_8b_1b(); - libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_1c( - key_generation_seed, &private_key, &public_key); - return libcrux_ml_kem_ind_cpa_serialize_unpacked_secret_key_6c(&public_key, - &private_key); + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_be public_key = + libcrux_ml_kem_ind_cpa_unpacked_default_50_89(); + libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_b8( + key_generation_seed, &private_key, &public_key, scratch); + libcrux_ml_kem_ind_cpa_serialize_unpacked_secret_key_43( + &public_key, &private_key, serialized_ind_cpa_private_key, + serialized_public_key, scratch->coefficients); } /** 
@@ -4899,13 +4988,13 @@ libcrux_ml_kem_ind_cpa_generate_keypair_ea(Eurydice_slice key_generation_seed) { */ /** A monomorphic instance of libcrux_ml_kem.ind_cca.serialize_kem_secret_key_mut -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 - SERIALIZED_KEY_LEN= 2400 */ static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_serialize_kem_secret_key_mut_d6( +libcrux_ml_kem_ind_cca_serialize_kem_secret_key_mut_1f( Eurydice_slice private_key, Eurydice_slice public_key, Eurydice_slice implicit_rejection_value, uint8_t *serialized) { size_t pointer = (size_t)0U; 
@@ -4927,41 +5016,23 @@ libcrux_ml_kem_ind_cca_serialize_kem_secret_key_mut_d6( uint8_t *), public_key, uint8_t); pointer = pointer + Eurydice_slice_len(public_key, uint8_t); - Eurydice_slice uu____6 = Eurydice_array_to_subslice3( - serialized, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, - uint8_t *); - uint8_t ret[32U]; - libcrux_ml_kem_hash_functions_portable_H_4a_e0(public_key, ret); - Eurydice_slice_copy( - uu____6, Eurydice_array_to_slice((size_t)32U, ret, uint8_t), uint8_t); + libcrux_ml_kem_hash_functions_portable_H_6e( + public_key, + Eurydice_array_to_subslice3( + serialized, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, + uint8_t *)); pointer = pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE; - uint8_t *uu____7 = serialized; + uint8_t *uu____6 = serialized; + size_t uu____7 = pointer; size_t uu____8 = pointer; - size_t uu____9 = pointer; Eurydice_slice_copy( Eurydice_array_to_subslice3( - uu____7, uu____8, - uu____9 + Eurydice_slice_len(implicit_rejection_value, uint8_t), + uu____6, uu____7, + uu____8 + Eurydice_slice_len(implicit_rejection_value, uint8_t), uint8_t *), implicit_rejection_value, uint8_t); } -/** -A monomorphic instance of libcrux_ml_kem.ind_cca.serialize_kem_secret_key -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] -with const generics -- K= 3 -- SERIALIZED_KEY_LEN= 2400 -*/ -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_serialize_kem_secret_key_d6( - Eurydice_slice private_key, Eurydice_slice public_key, - Eurydice_slice implicit_rejection_value, uint8_t ret[2400U]) { - uint8_t out[2400U] = {0U}; - libcrux_ml_kem_ind_cca_serialize_kem_secret_key_mut_d6( - private_key, public_key, implicit_rejection_value, out); - memcpy(ret, out, (size_t)2400U * sizeof(uint8_t)); -} - /** Packed API 
@@ -4973,17 +5044,19 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_serialize_kem_secret_key_d6( /** A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ static KRML_MUSTINLINE libcrux_ml_kem_mlkem768_MlKem768KeyPair -libcrux_ml_kem_ind_cca_generate_keypair_15(uint8_t *randomness) { +libcrux_ml_kem_ind_cca_generate_keypair_e6(uint8_t *randomness) { Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice3( randomness, (size_t)0U, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t *); 
@@ -4991,14 +5064,16 @@ libcrux_ml_kem_ind_cca_generate_keypair_15(uint8_t *randomness) { (size_t)64U, randomness, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, size_t, uint8_t[]); - libcrux_ml_kem_utils_extraction_helper_Keypair768 uu____0 = - libcrux_ml_kem_ind_cpa_generate_keypair_ea(ind_cpa_keypair_randomness); - uint8_t ind_cpa_private_key[1152U]; - memcpy(ind_cpa_private_key, uu____0.fst, (size_t)1152U * sizeof(uint8_t)); - uint8_t public_key[1184U]; - memcpy(public_key, uu____0.snd, (size_t)1184U * sizeof(uint8_t)); - uint8_t secret_key_serialized[2400U]; - libcrux_ml_kem_ind_cca_serialize_kem_secret_key_d6( + uint8_t ind_cpa_private_key[1152U] = {0U}; + uint8_t public_key[1184U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d scratch = + libcrux_ml_kem_polynomial_ZERO_d6_df(); + libcrux_ml_kem_ind_cpa_generate_keypair_90( + ind_cpa_keypair_randomness, + Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t), + Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t), &scratch); + uint8_t secret_key_serialized[2400U] = {0U}; + libcrux_ml_kem_ind_cca_serialize_kem_secret_key_mut_1f( Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t), Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t), implicit_rejection_value, secret_key_serialized); 
@@ -5008,12 +5083,12 @@ libcrux_ml_kem_ind_cca_generate_keypair_15(uint8_t *randomness) { (size_t)2400U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey_d9 private_key = libcrux_ml_kem_types_from_77_28(copy_of_secret_key_serialized); - libcrux_ml_kem_types_MlKemPrivateKey_d9 uu____2 = private_key; + libcrux_ml_kem_types_MlKemPrivateKey_d9 uu____1 = private_key; /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_public_key[1184U]; memcpy(copy_of_public_key, public_key, (size_t)1184U * sizeof(uint8_t)); return libcrux_ml_kem_types_from_17_74( - uu____2, libcrux_ml_kem_types_from_fd_d0(copy_of_public_key)); + uu____1, libcrux_ml_kem_types_from_fd_d0(copy_of_public_key)); } /** @@ -5024,16 +5099,18 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.generate_keypair with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair -libcrux_ml_kem_ind_cca_instantiations_portable_generate_keypair_ce( +libcrux_ml_kem_ind_cca_instantiations_portable_generate_keypair_06( uint8_t *randomness) { - return libcrux_ml_kem_ind_cca_generate_keypair_15(randomness); + return libcrux_ml_kem_ind_cca_generate_keypair_e6(randomness); } /** @@ -5041,7 +5118,7 @@ libcrux_ml_kem_ind_cca_instantiations_portable_generate_keypair_ce( */ static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair libcrux_ml_kem_mlkem768_portable_generate_key_pair(uint8_t randomness[64U]) { - return libcrux_ml_kem_ind_cca_instantiations_portable_generate_keypair_ce( + return libcrux_ml_kem_ind_cca_instantiations_portable_generate_keypair_06( randomness); } 
@@ -5052,19 +5129,19 @@ libcrux_ml_kem_mlkem768_portable_generate_key_pair(uint8_t randomness[64U]) { */ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_private_key_only -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 - SECRET_KEY_SIZE= 2400 */ -static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_validate_private_key_only_d6( +static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_validate_private_key_only_1f( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key) { - uint8_t t[32U]; - libcrux_ml_kem_hash_functions_portable_H_4a_e0( + uint8_t t[32U] = {0U}; + libcrux_ml_kem_hash_functions_portable_H_6e( Eurydice_array_to_subslice3(private_key->value, (size_t)384U * (size_t)3U, (size_t)768U * (size_t)3U + (size_t)32U, uint8_t *), - t); + Eurydice_array_to_slice((size_t)32U, t, uint8_t)); Eurydice_slice expected = Eurydice_array_to_subslice3( private_key->value, (size_t)768U * (size_t)3U + (size_t)32U, (size_t)768U * (size_t)3U + (size_t)64U, uint8_t *); @@ -5080,16 +5157,16 @@ static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_validate_private_key_only_d6( */ /** A monomorphic instance of libcrux_ml_kem.ind_cca.validate_private_key -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 - SECRET_KEY_SIZE= 2400 - CIPHERTEXT_SIZE= 1088 */ -static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_validate_private_key_37( +static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_validate_private_key_5d( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *_ciphertext) { - return libcrux_ml_kem_ind_cca_validate_private_key_only_d6(private_key); + return libcrux_ml_kem_ind_cca_validate_private_key_only_1f(private_key); } /** 
@@ -5107,7 +5184,7 @@ static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_instantiations_portable_validate_private_key_31( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext) { - return libcrux_ml_kem_ind_cca_validate_private_key_37(private_key, + return libcrux_ml_kem_ind_cca_validate_private_key_5d(private_key, ciphertext); } @@ -5136,7 +5213,7 @@ const generics static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_instantiations_portable_validate_private_key_only_41( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key) { - return libcrux_ml_kem_ind_cca_validate_private_key_only_d6(private_key); + return libcrux_ml_kem_ind_cca_validate_private_key_only_1f(private_key); } /** 
@@ -5154,51 +5231,20 @@ static inline bool libcrux_ml_kem_mlkem768_portable_validate_private_key_only( This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, TraitClause@1]> for -libcrux_ml_kem::serialize::deserialize_ring_elements_reduced_out::closure[TraitClause@0, TraitClause@1]} +libcrux_ml_kem::ind_cca::validate_public_key::closure[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of -libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out.call_mut_0b with -types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const -generics +A monomorphic instance of libcrux_ml_kem.ind_cca.validate_public_key.call_mut_00 +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector +with const generics - K= 3 +- PUBLIC_KEY_SIZE= 1184 */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_call_mut_0b_1b( - void **_, size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_ea(); -} - -/** - This function deserializes ring elements and reduces the result by the field - modulus. - - This function MUST NOT be used on secret inputs. 
-*/ -/** -A monomorphic instance of -libcrux_ml_kem.serialize.deserialize_ring_elements_reduced_out with types -libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics -- K= 3 -*/ -static KRML_MUSTINLINE void -libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_1b( - Eurydice_slice public_key, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialized_pk[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - deserialized_pk[i] = - libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_call_mut_0b_1b( - &lvalue, i); - } - libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_1b( - public_key, deserialized_pk); - memcpy( - ret, deserialized_pk, - (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); +libcrux_ml_kem_ind_cca_validate_public_key_call_mut_00_89(void **_, + size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_df(); } /** 
@@ -5218,21 +5264,32 @@ with const generics static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_validate_public_key_89( uint8_t *public_key) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d deserialized_pk[3U]; - libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_1b( - Eurydice_array_to_subslice_to( - (size_t)1184U, public_key, - libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), - uint8_t, size_t, uint8_t[]), - deserialized_pk); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____0 = deserialized_pk; - uint8_t public_key_serialized[1184U]; - libcrux_ml_kem_ind_cpa_serialize_public_key_89( - uu____0, - Eurydice_array_to_subslice_from( - (size_t)1184U, public_key, - libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), - uint8_t, size_t, uint8_t[]), - public_key_serialized); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + deserialized_pk[i] = + libcrux_ml_kem_ind_cca_validate_public_key_call_mut_00_89(&lvalue, i); + } + Eurydice_slice uu____0 = Eurydice_array_to_subslice_to( + (size_t)1184U, public_key, + libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), + uint8_t, size_t, uint8_t[]); + libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_1b( + uu____0, Eurydice_array_to_slice( + (size_t)3U, deserialized_pk, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); + uint8_t public_key_serialized[1184U] = {0U}; + libcrux_ml_kem_vector_portable_vector_type_PortableVector scratch = + libcrux_ml_kem_vector_portable_ZERO_b8(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d *uu____1 = deserialized_pk; + Eurydice_slice uu____2 = Eurydice_array_to_subslice_from( + (size_t)1184U, public_key, + libcrux_ml_kem_constants_ranked_bytes_per_ring_element((size_t)3U), + uint8_t, size_t, uint8_t[]); + libcrux_ml_kem_ind_cpa_serialize_public_key_mut_89( + uu____1, uu____2, + Eurydice_array_to_slice((size_t)1184U, 
public_key_serialized, uint8_t), + &scratch); return Eurydice_array_eq((size_t)1184U, public_key, public_key_serialized, uint8_t); } @@ -5269,13 +5326,14 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.MlKemPublicKeyUnpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - $3size_t +- $9size_t */ -typedef struct libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0_s { - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 ind_cpa_public_key; +typedef struct libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be_s { + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_be ind_cpa_public_key; uint8_t public_key_hash[32U]; -} libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0; +} libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be; -typedef libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 +typedef libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768PublicKeyUnpacked; /** 
@@ -5293,15 +5351,58 @@ typedef struct libcrux_ml_kem_ind_cca_unpacked_MlKemPrivateKeyUnpacked_a0_s { typedef struct libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked_s { libcrux_ml_kem_ind_cca_unpacked_MlKemPrivateKeyUnpacked_a0 private_key; - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 public_key; + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be public_key; } libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked; +/** +This function found in impl {core::ops::function::FnMut<(usize), +libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@2]> for +libcrux_ml_kem::ind_cca::unpacked::decapsulate::closure[TraitClause@0, +TraitClause@1, TraitClause@2, TraitClause@3]} +*/ +/** +A monomorphic instance of +libcrux_ml_kem.ind_cca.unpacked.decapsulate.call_mut_03 with types +libcrux_ml_kem_vector_portable_vector_type_PortableVector, +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics +- K= 3 +- K_SQUARED= 9 +- SECRET_KEY_SIZE= 2400 +- CPA_SECRET_KEY_SIZE= 1152 +- PUBLIC_KEY_SIZE= 1184 +- CIPHERTEXT_SIZE= 1088 +- T_AS_NTT_ENCODED_SIZE= 1152 +- C1_SIZE= 960 +- C2_SIZE= 128 +- VECTOR_U_COMPRESSION_FACTOR= 10 +- VECTOR_V_COMPRESSION_FACTOR= 4 +- C1_BLOCK_SIZE= 320 +- ETA1= 2 +- ETA1_RANDOMNESS_SIZE= 128 +- ETA2= 2 +- ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 +- IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 +*/ +static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d +libcrux_ml_kem_ind_cca_unpacked_decapsulate_call_mut_03_e7(void **_, + size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_df(); +} + /** A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.decapsulate with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 +- K_SQUARED= 9 - 
SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 @@ -5316,14 +5417,19 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_decapsulate_51( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_decapsulate_e7( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *key_pair, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - uint8_t decrypted[32U]; + uint8_t decrypted[32U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d scratch = + libcrux_ml_kem_polynomial_ZERO_d6_df(); libcrux_ml_kem_ind_cpa_decrypt_unpacked_42( - &key_pair->private_key.ind_cpa_private_key, ciphertext->value, decrypted); + &key_pair->private_key.ind_cpa_private_key, ciphertext->value, + Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), &scratch); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array_24( Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0); @@ -5335,9 +5441,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_decapsulate_51( Eurydice_array_to_slice((size_t)32U, key_pair->public_key.public_key_hash, uint8_t), uint8_t); - uint8_t hashed[64U]; - libcrux_ml_kem_hash_functions_portable_G_4a_e0( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed); + uint8_t hashed[64U] = {0U}; + libcrux_ml_kem_hash_functions_portable_G_6e( + Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t)); Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, 
@@ -5354,25 +5461,40 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_decapsulate_51( uint8_t, size_t, uint8_t[]); Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_d3_80(ciphertext), uint8_t); - uint8_t implicit_rejection_shared_secret[32U]; - libcrux_ml_kem_hash_functions_portable_PRF_4a_41( + uint8_t implicit_rejection_shared_secret[32U] = {0U}; + libcrux_ml_kem_hash_functions_portable_PRF_6e_9e( Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t), - implicit_rejection_shared_secret); - uint8_t expected_ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_unpacked_2a( + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, + uint8_t)); + uint8_t expected_ciphertext[1088U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d r_as_ntt[3U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + r_as_ntt[i] = + libcrux_ml_kem_ind_cca_unpacked_decapsulate_call_mut_03_e7(&lvalue, i); + } + libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_2 = + libcrux_ml_kem_polynomial_ZERO_d6_df(); + libcrux_ml_kem_ind_cpa_encrypt_unpacked_28( &key_pair->public_key.ind_cpa_public_key, decrypted, pseudorandomness, - expected_ciphertext); + Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t), + Eurydice_array_to_slice( + (size_t)3U, r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + &error_2, &scratch); uint8_t selector = libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( libcrux_ml_kem_types_as_ref_d3_80(ciphertext), Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t)); - uint8_t ret0[32U]; + uint8_t shared_secret_array[32U] = {0U}; libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( shared_secret, Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t), - selector, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + 
selector, + Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t)); + memcpy(ret, shared_secret_array, (size_t)32U * sizeof(uint8_t)); } /** @@ -5383,6 +5505,7 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.unpacked.decapsulate with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 @@ -5397,13 +5520,15 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_decapsulate_35( +libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_decapsulate_54( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *key_pair, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_unpacked_decapsulate_51(key_pair, ciphertext, ret); + libcrux_ml_kem_ind_cca_unpacked_decapsulate_e7(key_pair, ciphertext, ret); } /** 
@@ -5417,17 +5542,17 @@ static inline void libcrux_ml_kem_mlkem768_portable_unpacked_decapsulate( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_decapsulate_35( + libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_decapsulate_54( private_key, ciphertext, ret); } /** A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.encaps_prepare -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] +with types libcrux_ml_kem_hash_functions_portable_PortableHash with const generics - K= 3 */ -static inline void libcrux_ml_kem_ind_cca_unpacked_encaps_prepare_9c( +static inline void libcrux_ml_kem_ind_cca_unpacked_encaps_prepare_f0( Eurydice_slice randomness, Eurydice_slice pk_hash, uint8_t ret[64U]) { uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array_24(randomness, to_hash); 
@@ -5436,18 +5561,58 @@ static inline void libcrux_ml_kem_ind_cca_unpacked_encaps_prepare_9c( LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, size_t, uint8_t[]), pk_hash, uint8_t); - uint8_t ret0[64U]; - libcrux_ml_kem_hash_functions_portable_G_4a_e0( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), ret0); - memcpy(ret, ret0, (size_t)64U * sizeof(uint8_t)); + uint8_t output[64U] = {0U}; + libcrux_ml_kem_hash_functions_portable_G_6e( + Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), + Eurydice_array_to_slice((size_t)64U, output, uint8_t)); + memcpy(ret, output, (size_t)64U * sizeof(uint8_t)); +} + +/** +This function found in impl {core::ops::function::FnMut<(usize), +libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@2]> for +libcrux_ml_kem::ind_cca::unpacked::encapsulate::closure[TraitClause@0, TraitClause@1, TraitClause@2, +TraitClause@3]} +*/ +/** +A monomorphic instance of +libcrux_ml_kem.ind_cca.unpacked.encapsulate.call_mut_f7 with types +libcrux_ml_kem_vector_portable_vector_type_PortableVector, +libcrux_ml_kem_hash_functions_portable_PortableHash with const generics +- K= 3 +- K_SQUARED= 9 +- CIPHERTEXT_SIZE= 1088 +- PUBLIC_KEY_SIZE= 1184 +- T_AS_NTT_ENCODED_SIZE= 1152 +- C1_SIZE= 960 +- C2_SIZE= 128 +- VECTOR_U_COMPRESSION_FACTOR= 10 +- VECTOR_V_COMPRESSION_FACTOR= 4 +- VECTOR_U_BLOCK_LEN= 320 +- ETA1= 2 +- ETA1_RANDOMNESS_SIZE= 128 +- ETA2= 2 +- ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 +*/ +static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d +libcrux_ml_kem_ind_cca_unpacked_encapsulate_call_mut_f7_e2(void **_, + size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_df(); } /** A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.encapsulate with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const -generics +libcrux_ml_kem_hash_functions_portable_PortableHash 
with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - PUBLIC_KEY_SIZE= 1184 - T_AS_NTT_ENCODED_SIZE= 1152 @@ -5460,12 +5625,14 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ -static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_unpacked_encapsulate_0c( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *public_key, +static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_unpacked_encapsulate_e2( + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be *public_key, uint8_t *randomness) { uint8_t hashed[64U]; - libcrux_ml_kem_ind_cca_unpacked_encaps_prepare_9c( + libcrux_ml_kem_ind_cca_unpacked_encaps_prepare_f0( Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), Eurydice_array_to_slice((size_t)32U, public_key->public_key_hash, uint8_t), 
@@ -5476,10 +5643,25 @@ static KRML_MUSTINLINE tuple_c2 libcrux_ml_kem_ind_cca_unpacked_encapsulate_0c( Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____0.fst; Eurydice_slice pseudorandomness = uu____0.snd; - uint8_t ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_unpacked_2a(&public_key->ind_cpa_public_key, - randomness, pseudorandomness, - ciphertext); + uint8_t ciphertext[1088U] = {0U}; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d r_as_ntt[3U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + /* original Rust expression is not an lvalue in C */ + void *lvalue = (void *)0U; + r_as_ntt[i] = + libcrux_ml_kem_ind_cca_unpacked_encapsulate_call_mut_f7_e2(&lvalue, i); + } + libcrux_ml_kem_polynomial_PolynomialRingElement_1d error_2 = + libcrux_ml_kem_polynomial_ZERO_d6_df(); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d scratch = + libcrux_ml_kem_polynomial_ZERO_d6_df(); + libcrux_ml_kem_ind_cpa_encrypt_unpacked_28( + &public_key->ind_cpa_public_key, randomness, pseudorandomness, + Eurydice_array_to_slice((size_t)1088U, ciphertext, uint8_t), + Eurydice_array_to_slice( + (size_t)3U, r_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + &error_2, &scratch); uint8_t shared_secret_array[32U] = {0U}; Eurydice_slice_copy( Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t), @@ -5507,6 +5689,7 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.unpacked.encapsulate with const generics - K= 3 +- K_SQUARED= 9 - CIPHERTEXT_SIZE= 1088 - PUBLIC_KEY_SIZE= 1184 - T_AS_NTT_ENCODED_SIZE= 1152 
@@ -5519,12 +5702,14 @@ generics - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 +- PRF_OUTPUT_SIZE2= 384 */ static KRML_MUSTINLINE tuple_c2 -libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_encapsulate_cd( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *public_key, +libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_encapsulate_35( + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be *public_key, uint8_t *randomness) { - return libcrux_ml_kem_ind_cca_unpacked_encapsulate_0c(public_key, randomness); + return libcrux_ml_kem_ind_cca_unpacked_encapsulate_e2(public_key, randomness); } /** @@ -5536,9 +5721,9 @@ libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_encapsulate_cd( [`SHARED_SECRET_SIZE`] bytes of `randomness`. */ static inline tuple_c2 libcrux_ml_kem_mlkem768_portable_unpacked_encapsulate( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *public_key, + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be *public_key, uint8_t randomness[32U]) { - return libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_encapsulate_cd( + return libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_encapsulate_35( public_key, randomness); } 
@@ -5546,43 +5731,20 @@ static inline tuple_c2 libcrux_ml_kem_mlkem768_portable_unpacked_encapsulate( This function found in impl {core::ops::function::FnMut<(usize), libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0, TraitClause@1]> for -libcrux_ml_kem::ind_cca::unpacked::transpose_a::closure::closure[TraitClause@0, TraitClause@1]} +libcrux_ml_kem::ind_cca::unpacked::transpose_a::closure[TraitClause@0, TraitClause@1]} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.transpose_a.closure.call_mut_b4 with types +libcrux_ml_kem.ind_cca.unpacked.transpose_a.call_mut_5a with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_ind_cca_unpacked_transpose_a_closure_call_mut_b4_1b( - void **_, size_t tupled_args) { - return libcrux_ml_kem_polynomial_ZERO_d6_ea(); -} - -/** -This function found in impl {core::ops::function::FnMut<(usize), -@Array[TraitClause@0, -TraitClause@1], K>> for -libcrux_ml_kem::ind_cca::unpacked::transpose_a::closure[TraitClause@0, TraitClause@1]} -*/ -/** -A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.transpose_a.call_mut_7b with types -libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics -- K= 3 -*/ -static inline void libcrux_ml_kem_ind_cca_unpacked_transpose_a_call_mut_7b_1b( - void **_, size_t tupled_args, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) { - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - /* original Rust expression is not an lvalue in C */ - void *lvalue = (void *)0U; - ret[i] = libcrux_ml_kem_ind_cca_unpacked_transpose_a_closure_call_mut_b4_1b( - &lvalue, i); - } +libcrux_ml_kem_ind_cca_unpacked_transpose_a_call_mut_5a_89(void **_, + size_t tupled_args) { + return libcrux_ml_kem_polynomial_ZERO_d6_df(); } /** 
@@ -5597,7 +5759,7 @@ with const generics */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_polynomial_clone_c1_ea( +libcrux_ml_kem_polynomial_clone_c1_df( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *self) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d lit; libcrux_ml_kem_vector_portable_vector_type_PortableVector ret[16U]; 
@@ -5615,33 +5777,31 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.transpose_a with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 */ -static inline void libcrux_ml_kem_ind_cca_unpacked_transpose_a_1b( - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ind_cpa_a[3U][3U], - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U][3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement_1d A[3U][3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_transpose_a_89( + Eurydice_slice ind_cpa_a, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[9U]) { + libcrux_ml_kem_polynomial_PolynomialRingElement_1d A[9U]; + for (size_t i = (size_t)0U; i < (size_t)9U; i++) { /* original Rust expression is not an lvalue in C */ void *lvalue = (void *)0U; - libcrux_ml_kem_ind_cca_unpacked_transpose_a_call_mut_7b_1b(&lvalue, i, - A[i]); + A[i] = + libcrux_ml_kem_ind_cca_unpacked_transpose_a_call_mut_5a_89(&lvalue, i); } - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d _a_i[3U][3U]; - memcpy(_a_i, A, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U])); - for (size_t i1 = (size_t)0U; i1 < (size_t)3U; i1++) { - size_t j = i1; + for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { + size_t i1 = i0; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = - libcrux_ml_kem_polynomial_clone_c1_ea(&ind_cpa_a[j][i0]); - A[i0][j] = uu____0; + libcrux_ml_kem_polynomial_clone_c1_df( + libcrux_ml_kem_matrix_entry_1b(ind_cpa_a, j, i1)); + A[i1 * (size_t)3U + j] = uu____0; } } - memcpy(ret, A, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U])); + memcpy( + ret, A, + (size_t)9U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); } /** 
@@ -5650,16 +5810,18 @@ static inline void libcrux_ml_kem_ind_cca_unpacked_transpose_a_1b( /** A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.generate_keypair with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]], +libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_variant_MlKem with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_generate_keypair_15( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_generate_keypair_e6( uint8_t randomness[64U], libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *out) { Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice3( 
@@ -5669,39 +5831,42 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_generate_keypair_15( (size_t)64U, randomness, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, size_t, uint8_t[]); - libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_1c( + libcrux_ml_kem_polynomial_PolynomialRingElement_1d scratch0 = + libcrux_ml_kem_polynomial_ZERO_d6_df(); + libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_b8( ind_cpa_keypair_randomness, &out->private_key.ind_cpa_private_key, - &out->public_key.ind_cpa_public_key); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0[3U][3U]; - memcpy(uu____0, out->public_key.ind_cpa_public_key.A, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U])); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d A[3U][3U]; - libcrux_ml_kem_ind_cca_unpacked_transpose_a_1b(uu____0, A); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____1[3U][3U]; - memcpy(uu____1, A, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U])); - memcpy(out->public_key.ind_cpa_public_key.A, uu____1, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U])); - uint8_t pk_serialized[1184U]; - libcrux_ml_kem_ind_cpa_serialize_public_key_89( + &out->public_key.ind_cpa_public_key, &scratch0); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d A[9U]; + libcrux_ml_kem_ind_cca_unpacked_transpose_a_89( + Eurydice_array_to_slice( + (size_t)9U, out->public_key.ind_cpa_public_key.A, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d), + A); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0[9U]; + memcpy( + uu____0, A, + (size_t)9U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); + memcpy( + out->public_key.ind_cpa_public_key.A, uu____0, + (size_t)9U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); + uint8_t pk_serialized[1184U] = {0U}; + libcrux_ml_kem_vector_portable_vector_type_PortableVector scratch = + 
libcrux_ml_kem_vector_portable_ZERO_b8(); + libcrux_ml_kem_ind_cpa_serialize_public_key_mut_89( out->public_key.ind_cpa_public_key.t_as_ntt, Eurydice_array_to_slice( (size_t)32U, out->public_key.ind_cpa_public_key.seed_for_A, uint8_t), - pk_serialized); - uint8_t uu____2[32U]; - libcrux_ml_kem_hash_functions_portable_H_4a_e0( - Eurydice_array_to_slice((size_t)1184U, pk_serialized, uint8_t), uu____2); - memcpy(out->public_key.public_key_hash, uu____2, - (size_t)32U * sizeof(uint8_t)); - uint8_t uu____3[32U]; + Eurydice_array_to_slice((size_t)1184U, pk_serialized, uint8_t), &scratch); + libcrux_ml_kem_hash_functions_portable_H_6e( + Eurydice_array_to_slice((size_t)1184U, pk_serialized, uint8_t), + Eurydice_array_to_slice((size_t)32U, out->public_key.public_key_hash, + uint8_t)); + uint8_t uu____1[32U]; Result_fb dst; Eurydice_slice_to_array2(&dst, implicit_rejection_value, Eurydice_slice, uint8_t[32U], TryFromSliceError); - unwrap_26_b3(dst, uu____3); - memcpy(out->private_key.implicit_rejection_value, uu____3, + unwrap_26_b3(dst, uu____1); + memcpy(out->private_key.implicit_rejection_value, uu____1, (size_t)32U * sizeof(uint8_t)); } 
@@ -5713,20 +5878,22 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.unpacked.generate_keypair with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 +- PRF_OUTPUT_SIZE1= 384 */ static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_generate_keypair_ce( +libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_generate_keypair_06( uint8_t randomness[64U], libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *out) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[64U]; memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); - libcrux_ml_kem_ind_cca_unpacked_generate_keypair_15(copy_of_randomness, out); + libcrux_ml_kem_ind_cca_unpacked_generate_keypair_e6(copy_of_randomness, out); } /** 
@@ -5740,45 +5907,47 @@ libcrux_ml_kem_mlkem768_portable_unpacked_generate_key_pair_mut( /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[64U]; memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); - libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_generate_keypair_ce( + libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_generate_keypair_06( copy_of_randomness, key_pair); } /** This function found in impl {core::default::Default for -libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@1]} +libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_30 +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_3f with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 */ -static KRML_MUSTINLINE libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 -libcrux_ml_kem_ind_cca_unpacked_default_30_1b(void) { - return (libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0{ - libcrux_ml_kem_ind_cpa_unpacked_default_8b_1b(), {0U}}); +static KRML_MUSTINLINE libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be +libcrux_ml_kem_ind_cca_unpacked_default_3f_89(void) { + return (libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be{ + libcrux_ml_kem_ind_cpa_unpacked_default_50_89(), {0U}}); } /** This function found in impl {core::default::Default for -libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} +libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_7b +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_b1 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 */ static KRML_MUSTINLINE 
libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked - libcrux_ml_kem_ind_cca_unpacked_default_7b_1b(void) { + libcrux_ml_kem_ind_cca_unpacked_default_b1_89(void) { libcrux_ml_kem_ind_cca_unpacked_MlKemPrivateKeyUnpacked_a0 uu____0 = { libcrux_ml_kem_ind_cpa_unpacked_default_70_1b(), {0U}}; return (libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked{ - uu____0, libcrux_ml_kem_ind_cca_unpacked_default_30_1b()}); + uu____0, libcrux_ml_kem_ind_cca_unpacked_default_3f_89()}); } /** @@ -5788,7 +5957,7 @@ static inline libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked libcrux_ml_kem_mlkem768_portable_unpacked_generate_key_pair( uint8_t randomness[64U]) { libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked key_pair = - libcrux_ml_kem_ind_cca_unpacked_default_7b_1b(); + libcrux_ml_kem_ind_cca_unpacked_default_b1_89(); uint8_t uu____0[64U]; memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); libcrux_ml_kem_mlkem768_portable_unpacked_generate_key_pair_mut(uu____0, @@ -5801,15 +5970,15 @@ libcrux_ml_kem_mlkem768_portable_unpacked_generate_key_pair( */ static inline libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked libcrux_ml_kem_mlkem768_portable_unpacked_init_key_pair(void) { - return libcrux_ml_kem_ind_cca_unpacked_default_7b_1b(); + return libcrux_ml_kem_ind_cca_unpacked_default_b1_89(); } /** Create a new, empty unpacked public key. */ -static inline libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 +static inline libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be libcrux_ml_kem_mlkem768_portable_unpacked_init_public_key(void) { - return libcrux_ml_kem_ind_cca_unpacked_default_30_1b(); + return libcrux_ml_kem_ind_cca_unpacked_default_3f_89(); } /** 
@@ -5820,13 +5989,14 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.keys_from_private_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 - T_AS_NTT_ENCODED_SIZE= 1152 */ static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_unpacked_keys_from_private_key_42( +libcrux_ml_kem_ind_cca_unpacked_keys_from_private_key_df( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *key_pair) { @@ -5839,8 +6009,10 @@ libcrux_ml_kem_ind_cca_unpacked_keys_from_private_key_42( Eurydice_slice implicit_rejection_value = uu____0.f3; libcrux_ml_kem_ind_cpa_deserialize_vector_1b( ind_cpa_secret_key, - key_pair->private_key.ind_cpa_private_key.secret_as_ntt); - libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_3f( + Eurydice_array_to_slice( + (size_t)3U, key_pair->private_key.ind_cpa_private_key.secret_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); + libcrux_ml_kem_ind_cpa_build_unpacked_public_key_mut_e2( ind_cpa_public_key, &key_pair->public_key.ind_cpa_public_key); Eurydice_slice_copy( Eurydice_array_to_slice((size_t)32U, key_pair->public_key.public_key_hash, 
@@ -5867,17 +6039,18 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.unpacked.keypair_from_private_key with const generics - K= 3 +- K_SQUARED= 9 - SECRET_KEY_SIZE= 2400 - CPA_SECRET_KEY_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 - T_AS_NTT_ENCODED_SIZE= 1152 */ static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_keypair_from_private_key_fd( +libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_keypair_from_private_key_ce( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *key_pair) { - libcrux_ml_kem_ind_cca_unpacked_keys_from_private_key_42(private_key, + libcrux_ml_kem_ind_cca_unpacked_keys_from_private_key_df(private_key, key_pair); } 
@@ -5889,37 +6062,40 @@ libcrux_ml_kem_mlkem768_portable_unpacked_key_pair_from_private_mut( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *key_pair) { - libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_keypair_from_private_key_fd( + libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_keypair_from_private_key_ce( private_key, key_pair); } /** This function found in impl -{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} +{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.serialized_private_key_mut_11 with types +libcrux_ml_kem.ind_cca.unpacked.serialized_private_key_mut_b1 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 */ static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_11_43( +libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_b1_42( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *self, libcrux_ml_kem_types_MlKemPrivateKey_d9 *serialized) { - libcrux_ml_kem_utils_extraction_helper_Keypair768 uu____0 = - libcrux_ml_kem_ind_cpa_serialize_unpacked_secret_key_6c( - &self->public_key.ind_cpa_public_key, - &self->private_key.ind_cpa_private_key); - uint8_t ind_cpa_private_key[1152U]; - memcpy(ind_cpa_private_key, uu____0.fst, (size_t)1152U * sizeof(uint8_t)); - uint8_t ind_cpa_public_key[1184U]; - memcpy(ind_cpa_public_key, uu____0.snd, (size_t)1184U * sizeof(uint8_t)); - libcrux_ml_kem_ind_cca_serialize_kem_secret_key_mut_d6( + uint8_t ind_cpa_private_key[1152U] = {0U}; + uint8_t ind_cpa_public_key[1184U] = {0U}; + libcrux_ml_kem_vector_portable_vector_type_PortableVector scratch = + libcrux_ml_kem_vector_portable_ZERO_b8(); + 
libcrux_ml_kem_ind_cpa_serialize_unpacked_secret_key_43( + &self->public_key.ind_cpa_public_key, + &self->private_key.ind_cpa_private_key, + Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t), + Eurydice_array_to_slice((size_t)1184U, ind_cpa_public_key, uint8_t), + &scratch); + libcrux_ml_kem_ind_cca_serialize_kem_secret_key_mut_1f( Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t), Eurydice_array_to_slice((size_t)1184U, ind_cpa_public_key, uint8_t), Eurydice_array_to_slice( @@ -5929,24 +6105,25 @@ libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_11_43( /** This function found in impl -{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} +{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.serialized_private_key_11 with types +libcrux_ml_kem.ind_cca.unpacked.serialized_private_key_b1 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 */ static KRML_MUSTINLINE libcrux_ml_kem_types_MlKemPrivateKey_d9 -libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_11_43( +libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_b1_42( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *self) { libcrux_ml_kem_types_MlKemPrivateKey_d9 sk = libcrux_ml_kem_types_default_d3_28(); - libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_11_43(self, &sk); + libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_b1_42(self, &sk); return sk; } 
@@ -5957,7 +6134,7 @@ static inline libcrux_ml_kem_types_MlKemPrivateKey_d9 libcrux_ml_kem_mlkem768_portable_unpacked_key_pair_serialized_private_key( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *key_pair) { - return libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_11_43(key_pair); + return libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_b1_42(key_pair); } /** 
@@ -5967,50 +6144,57 @@ static inline void libcrux_ml_kem_mlkem768_portable_unpacked_key_pair_serialized_private_key_mut( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *key_pair, libcrux_ml_kem_types_MlKemPrivateKey_d9 *serialized) { - libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_11_43(key_pair, + libcrux_ml_kem_ind_cca_unpacked_serialized_private_key_mut_b1_42(key_pair, serialized); } /** This function found in impl -{libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@1]} +{libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.serialized_dd +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.serialized_6a with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 - PUBLIC_KEY_SIZE= 1184 */ static KRML_MUSTINLINE libcrux_ml_kem_types_MlKemPublicKey_30 -libcrux_ml_kem_ind_cca_unpacked_serialized_dd_89( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *self) { - uint8_t ret[1184U]; - libcrux_ml_kem_ind_cpa_serialize_public_key_89( +libcrux_ml_kem_ind_cca_unpacked_serialized_6a_6c( + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be *self) { + uint8_t public_key[1184U] = {0U}; + libcrux_ml_kem_vector_portable_vector_type_PortableVector scratch = + libcrux_ml_kem_vector_portable_ZERO_b8(); + libcrux_ml_kem_ind_cpa_serialize_public_key_mut_89( self->ind_cpa_public_key.t_as_ntt, Eurydice_array_to_slice((size_t)32U, self->ind_cpa_public_key.seed_for_A, uint8_t), - ret); - return libcrux_ml_kem_types_from_fd_d0(ret); + Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t), &scratch); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_public_key[1184U]; + memcpy(copy_of_public_key, public_key, (size_t)1184U * sizeof(uint8_t)); + return libcrux_ml_kem_types_from_fd_d0(copy_of_public_key); } /** 
This function found in impl -{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} +{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_11 with types +libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_b1 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 - PUBLIC_KEY_SIZE= 1184 */ static KRML_MUSTINLINE libcrux_ml_kem_types_MlKemPublicKey_30 -libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_11_89( +libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_b1_6c( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *self) { - return libcrux_ml_kem_ind_cca_unpacked_serialized_dd_89(&self->public_key); + return libcrux_ml_kem_ind_cca_unpacked_serialized_6a_6c(&self->public_key); } /** 
@@ -6020,49 +6204,54 @@ static inline libcrux_ml_kem_types_MlKemPublicKey_30 libcrux_ml_kem_mlkem768_portable_unpacked_key_pair_serialized_public_key( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *key_pair) { - return libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_11_89(key_pair); + return libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_b1_6c(key_pair); } /** This function found in impl -{libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@1]} +{libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.serialized_mut_dd +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.serialized_mut_6a with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 - PUBLIC_KEY_SIZE= 1184 */ static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_unpacked_serialized_mut_dd_89( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *self, +libcrux_ml_kem_ind_cca_unpacked_serialized_mut_6a_6c( + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be *self, libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector scratch = + libcrux_ml_kem_vector_portable_ZERO_b8(); libcrux_ml_kem_ind_cpa_serialize_public_key_mut_89( self->ind_cpa_public_key.t_as_ntt, Eurydice_array_to_slice((size_t)32U, self->ind_cpa_public_key.seed_for_A, uint8_t), - serialized->value); + Eurydice_array_to_slice((size_t)1184U, serialized->value, uint8_t), + &scratch); } /** This function found in impl -{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} +{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_mut_11 with types 
+libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_mut_b1 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 - PUBLIC_KEY_SIZE= 1184 */ static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_11_89( +libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_b1_6c( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *self, libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) { - libcrux_ml_kem_ind_cca_unpacked_serialized_mut_dd_89(&self->public_key, + libcrux_ml_kem_ind_cca_unpacked_serialized_mut_6a_6c(&self->public_key, serialized); } 
@@ -6073,24 +6262,25 @@ static inline void libcrux_ml_kem_mlkem768_portable_unpacked_key_pair_serialized_public_key_mut( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *key_pair, libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) { - libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_11_89(key_pair, + libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_b1_6c(key_pair, serialized); } /** This function found in impl {core::clone::Clone for -libcrux_ml_kem::ind_cpa::unpacked::IndCpaPublicKeyUnpacked[TraitClause@0, TraitClause@2]} +libcrux_ml_kem::ind_cpa::unpacked::IndCpaPublicKeyUnpacked[TraitClause@0, TraitClause@2]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cpa.unpacked.clone_91 +A monomorphic instance of libcrux_ml_kem.ind_cpa.unpacked.clone_1c with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 */ -static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 -libcrux_ml_kem_ind_cpa_unpacked_clone_91_1b( - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 *self) { +static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_be +libcrux_ml_kem_ind_cpa_unpacked_clone_1c_89( + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_be *self) { libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0[3U]; core_array__core__clone__Clone_for__Array_T__N___clone( (size_t)3U, self->t_as_ntt, uu____0, 
@@ -6098,38 +6288,39 @@ libcrux_ml_kem_ind_cpa_unpacked_clone_91_1b( uint8_t uu____1[32U]; core_array__core__clone__Clone_for__Array_T__N___clone( (size_t)32U, self->seed_for_A, uu____1, uint8_t, void *); - libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 lit; + libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_be lit; memcpy( lit.t_as_ntt, uu____0, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); memcpy(lit.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t)); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U][3U]; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[9U]; core_array__core__clone__Clone_for__Array_T__N___clone( - (size_t)3U, self->A, ret, - libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U], void *); - memcpy(lit.A, ret, - (size_t)3U * - sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U])); + (size_t)9U, self->A, ret, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d, void *); + memcpy( + lit.A, ret, + (size_t)9U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); return lit; } /** This function found in impl {core::clone::Clone for -libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@2]} +libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@2]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.clone_d7 +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.clone_86 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 */ -static inline libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 -libcrux_ml_kem_ind_cca_unpacked_clone_d7_1b( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *self) { - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 lit; +static inline libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be +libcrux_ml_kem_ind_cca_unpacked_clone_86_89( + 
libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be *self) { + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be lit; lit.ind_cpa_public_key = - libcrux_ml_kem_ind_cpa_unpacked_clone_91_1b(&self->ind_cpa_public_key); + libcrux_ml_kem_ind_cpa_unpacked_clone_1c_89(&self->ind_cpa_public_key); uint8_t ret[32U]; core_array__core__clone__Clone_for__Array_T__N___clone( (size_t)32U, self->public_key_hash, ret, uint8_t, void *); @@ -6139,17 +6330,18 @@ libcrux_ml_kem_ind_cca_unpacked_clone_d7_1b( /** This function found in impl -{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} +{libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.public_key_11 +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.public_key_b1 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 */ -static KRML_MUSTINLINE libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 * -libcrux_ml_kem_ind_cca_unpacked_public_key_11_1b( +static KRML_MUSTINLINE libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be * +libcrux_ml_kem_ind_cca_unpacked_public_key_b1_89( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *self) { return &self->public_key; } 
@@ -6159,10 +6351,10 @@ libcrux_ml_kem_ind_cca_unpacked_public_key_11_1b( */ static inline void libcrux_ml_kem_mlkem768_portable_unpacked_public_key( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *key_pair, - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *pk) { - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 uu____0 = - libcrux_ml_kem_ind_cca_unpacked_clone_d7_1b( - libcrux_ml_kem_ind_cca_unpacked_public_key_11_1b(key_pair)); + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be *pk) { + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be uu____0 = + libcrux_ml_kem_ind_cca_unpacked_clone_86_89( + libcrux_ml_kem_ind_cca_unpacked_public_key_b1_89(key_pair)); pk[0U] = uu____0; } @@ -6171,9 +6363,9 @@ static inline void libcrux_ml_kem_mlkem768_portable_unpacked_public_key( */ static inline void libcrux_ml_kem_mlkem768_portable_unpacked_serialized_public_key( - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *public_key, + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be *public_key, libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) { - libcrux_ml_kem_ind_cca_unpacked_serialized_mut_dd_89(public_key, serialized); + libcrux_ml_kem_ind_cca_unpacked_serialized_mut_6a_6c(public_key, serialized); } /** 
@@ -6181,22 +6373,25 @@ libcrux_ml_kem_mlkem768_portable_unpacked_serialized_public_key( */ /** A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.unpack_public_key -with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]], +with types libcrux_ml_kem_hash_functions_portable_PortableHash, libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 +- K_SQUARED= 9 - T_AS_NTT_ENCODED_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 */ static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_0a( +libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_1e( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be *unpacked_public_key) { Eurydice_slice uu____0 = Eurydice_array_to_subslice_to((size_t)1184U, public_key->value, (size_t)1152U, uint8_t, size_t, uint8_t[]); libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_1b( - uu____0, unpacked_public_key->ind_cpa_public_key.t_as_ntt); + uu____0, Eurydice_array_to_slice( + (size_t)3U, unpacked_public_key->ind_cpa_public_key.t_as_ntt, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); uint8_t uu____1[32U]; libcrux_ml_kem_utils_into_padded_array_9e( Eurydice_array_to_subslice_from((size_t)1184U, public_key->value, 
@@ -6205,23 +6400,22 @@ libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_0a( uu____1); memcpy(unpacked_public_key->ind_cpa_public_key.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t)); - libcrux_ml_kem_polynomial_PolynomialRingElement_1d(*uu____2)[3U] = - unpacked_public_key->ind_cpa_public_key.A; + Eurydice_slice uu____2 = Eurydice_array_to_slice( + (size_t)9U, unpacked_public_key->ind_cpa_public_key.A, + libcrux_ml_kem_polynomial_PolynomialRingElement_1d); uint8_t ret[34U]; libcrux_ml_kem_utils_into_padded_array_b6( Eurydice_array_to_subslice_from((size_t)1184U, public_key->value, (size_t)1152U, uint8_t, size_t, uint8_t[]), ret); - libcrux_ml_kem_matrix_sample_matrix_A_2b(uu____2, ret, false); - uint8_t uu____3[32U]; - libcrux_ml_kem_hash_functions_portable_H_4a_e0( + libcrux_ml_kem_matrix_sample_matrix_A_57(uu____2, ret, false); + libcrux_ml_kem_hash_functions_portable_H_6e( Eurydice_array_to_slice((size_t)1184U, libcrux_ml_kem_types_as_slice_e6_d0(public_key), uint8_t), - uu____3); - memcpy(unpacked_public_key->public_key_hash, uu____3, - (size_t)32U * sizeof(uint8_t)); + Eurydice_array_to_slice((size_t)32U, unpacked_public_key->public_key_hash, + uint8_t)); } /** @@ -6232,15 +6426,16 @@ A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.unpacked.unpack_public_key with const generics - K= 3 +- K_SQUARED= 9 - T_AS_NTT_ENCODED_SIZE= 1152 - PUBLIC_KEY_SIZE= 1184 */ static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_unpack_public_key_31( +libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_unpack_public_key_a5( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be *unpacked_public_key) { - libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_0a(public_key, + libcrux_ml_kem_ind_cca_unpacked_unpack_public_key_1e(public_key, unpacked_public_key); } 
@@ -6250,9 +6445,9 @@ libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_unpack_public_key_31( static inline void libcrux_ml_kem_mlkem768_portable_unpacked_unpacked_public_key( libcrux_ml_kem_types_MlKemPublicKey_30 *public_key, - libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 + libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_be *unpacked_public_key) { - libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_unpack_public_key_31( + libcrux_ml_kem_ind_cca_instantiations_portable_unpacked_unpack_public_key_a5( public_key, unpacked_public_key); } diff --git a/libcrux-ml-kem/extracts/cpp_header_only/generated/libcrux_mlkem_core.h b/libcrux-ml-kem/extracts/cpp_header_only/generated/libcrux_mlkem_core.h index 4830c56c9..c3be94e90 100644 --- a/libcrux-ml-kem/extracts/cpp_header_only/generated/libcrux_mlkem_core.h +++ b/libcrux-ml-kem/extracts/cpp_header_only/generated/libcrux_mlkem_core.h @@ -7,8 +7,8 @@ * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7 * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785 * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b - * F*: 71d8221589d4d438af3706d89cb653cf53e18aab - * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc + * F*: unset + * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b */ #ifndef libcrux_mlkem_core_H @@ -38,8 +38,6 @@ static inline uint32_t core_num__u8__count_ones(uint8_t x0); static inline uint8_t core_num__u8__wrapping_sub(uint8_t x0, uint8_t x1); -#define LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE ((size_t)32U) - #define LIBCRUX_ML_KEM_CONSTANTS_BITS_PER_COEFFICIENT ((size_t)12U) #define LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT ((size_t)256U) @@ -56,6 +54,8 @@ static inline uint8_t core_num__u8__wrapping_sub(uint8_t x0, uint8_t x1); #define LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE ((size_t)32U) +#define LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE ((size_t)32U) + /** K * BITS_PER_RING_ELEMENT / 8 
@@ -311,86 +311,6 @@ static KRML_MUSTINLINE int16_t libcrux_secrets_int_as_i16_f5(int16_t self) { libcrux_secrets_int_public_integers_declassify_d8_39(self)); } -typedef struct libcrux_ml_kem_utils_extraction_helper_Keypair768_s { - uint8_t fst[1152U]; - uint8_t snd[1184U]; -} libcrux_ml_kem_utils_extraction_helper_Keypair768; - -#define Ok 0 -#define Err 1 - -typedef uint8_t Result_b2_tags; - -/** -A monomorphic instance of core.result.Result -with types uint8_t[24size_t], core_array_TryFromSliceError - -*/ -typedef struct Result_b2_s { - Result_b2_tags tag; - union U { - uint8_t case_Ok[24U]; - TryFromSliceError case_Err; - } val; - KRML_UNION_CONSTRUCTOR(Result_b2_s) -} Result_b2; - -/** -This function found in impl {core::result::Result[TraitClause@0, -TraitClause@1]} -*/ -/** -A monomorphic instance of core.result.unwrap_26 -with types uint8_t[24size_t], core_array_TryFromSliceError - -*/ -static inline void unwrap_26_70(Result_b2 self, uint8_t ret[24U]) { - if (self.tag == Ok) { - uint8_t f0[24U]; - memcpy(f0, self.val.case_Ok, (size_t)24U * sizeof(uint8_t)); - memcpy(ret, f0, (size_t)24U * sizeof(uint8_t)); - } else { - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "unwrap not Ok"); - KRML_HOST_EXIT(255U); - } -} - -/** -A monomorphic instance of core.result.Result -with types uint8_t[20size_t], core_array_TryFromSliceError - -*/ -typedef struct Result_e1_s { - Result_b2_tags tag; - union U { - uint8_t case_Ok[20U]; - TryFromSliceError case_Err; - } val; - KRML_UNION_CONSTRUCTOR(Result_e1_s) -} Result_e1; - -/** -This function found in impl {core::result::Result[TraitClause@0, -TraitClause@1]} -*/ -/** -A monomorphic instance of core.result.unwrap_26 -with types uint8_t[20size_t], core_array_TryFromSliceError - -*/ -static inline void unwrap_26_20(Result_e1 self, uint8_t ret[20U]) { - if (self.tag == Ok) { - uint8_t f0[20U]; - memcpy(f0, self.val.case_Ok, (size_t)20U * sizeof(uint8_t)); - memcpy(ret, f0, (size_t)20U * 
sizeof(uint8_t)); - } else { - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "unwrap not Ok"); - KRML_HOST_EXIT(255U); - } -} - /** Pad the `slice` with `0`s at the end. */ @@ -433,6 +353,29 @@ libcrux_ml_kem_types_default_d3_28(void) { return (libcrux_ml_kem_types_MlKemPrivateKey_d9{{0U}}); } +typedef struct libcrux_ml_kem_mlkem768_MlKem768Ciphertext_s { + uint8_t value[1088U]; +} libcrux_ml_kem_mlkem768_MlKem768Ciphertext; + +/** +This function found in impl {core::convert::From<@Array> for +libcrux_ml_kem::types::MlKemCiphertext} +*/ +/** +A monomorphic instance of libcrux_ml_kem.types.from_e0 +with const generics +- SIZE= 1088 +*/ +static inline libcrux_ml_kem_mlkem768_MlKem768Ciphertext +libcrux_ml_kem_types_from_e0_80(uint8_t value[1088U]) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_value[1088U]; + memcpy(copy_of_value, value, (size_t)1088U * sizeof(uint8_t)); + libcrux_ml_kem_mlkem768_MlKem768Ciphertext lit; + memcpy(lit.value, copy_of_value, (size_t)1088U * sizeof(uint8_t)); + return lit; +} + /** A monomorphic instance of libcrux_ml_kem.types.MlKemPublicKey with const generics @@ -501,13 +444,18 @@ libcrux_ml_kem_types_from_77_28(uint8_t value[2400U]) { return lit; } +#define Ok 0 +#define Err 1 + +typedef uint8_t Result_fb_tags; + /** A monomorphic instance of core.result.Result with types uint8_t[32size_t], core_array_TryFromSliceError */ typedef struct Result_fb_s { - Result_b2_tags tag; + Result_fb_tags tag; union U { uint8_t case_Ok[32U]; TryFromSliceError case_Err; @@ -536,10 +484,6 @@ static inline void unwrap_26_b3(Result_fb self, uint8_t ret[32U]) { } } -typedef struct libcrux_ml_kem_mlkem768_MlKem768Ciphertext_s { - uint8_t value[1088U]; -} libcrux_ml_kem_mlkem768_MlKem768Ciphertext; - /** A monomorphic instance of K. with types libcrux_ml_kem_types_MlKemCiphertext[[$1088size_t]], 
@@ -552,22 +496,17 @@ typedef struct tuple_c2_s { } tuple_c2; /** -This function found in impl {core::convert::From<@Array> for +This function found in impl {core::default::Default for libcrux_ml_kem::types::MlKemCiphertext} */ /** -A monomorphic instance of libcrux_ml_kem.types.from_e0 +A monomorphic instance of libcrux_ml_kem.types.default_73 with const generics - SIZE= 1088 */ static inline libcrux_ml_kem_mlkem768_MlKem768Ciphertext -libcrux_ml_kem_types_from_e0_80(uint8_t value[1088U]) { - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_value[1088U]; - memcpy(copy_of_value, value, (size_t)1088U * sizeof(uint8_t)); - libcrux_ml_kem_mlkem768_MlKem768Ciphertext lit; - memcpy(lit.value, copy_of_value, (size_t)1088U * sizeof(uint8_t)); - return lit; +libcrux_ml_kem_types_default_73_80(void) { + return (libcrux_ml_kem_mlkem768_MlKem768Ciphertext{{0U}}); } /** @@ -583,19 +522,6 @@ static inline uint8_t *libcrux_ml_kem_types_as_slice_e6_d0( return self->value; } -/** -This function found in impl {libcrux_ml_kem::types::MlKemCiphertext} -*/ -/** -A monomorphic instance of libcrux_ml_kem.types.as_slice_a9 -with const generics -- SIZE= 1088 -*/ -static inline uint8_t *libcrux_ml_kem_types_as_slice_a9_80( - libcrux_ml_kem_mlkem768_MlKem768Ciphertext *self) { - return self->value; -} - /** A monomorphic instance of libcrux_ml_kem.utils.prf_input_inc with const generics 
@@ -744,75 +670,6 @@ libcrux_ml_kem_types_unpack_private_key_b4(Eurydice_slice private_key) { implicit_rejection_value}); } -/** -This function found in impl {libcrux_secrets::traits::Declassify for T} -*/ -/** -A monomorphic instance of libcrux_secrets.int.public_integers.declassify_d8 -with types uint8_t[24size_t] - -*/ -static KRML_MUSTINLINE void -libcrux_secrets_int_public_integers_declassify_d8_d2(uint8_t self[24U], - uint8_t ret[24U]) { - memcpy(ret, self, (size_t)24U * sizeof(uint8_t)); -} - -/** -This function found in impl {libcrux_secrets::traits::Declassify for T} -*/ -/** -A monomorphic instance of libcrux_secrets.int.public_integers.declassify_d8 -with types uint8_t[20size_t] - -*/ -static KRML_MUSTINLINE void -libcrux_secrets_int_public_integers_declassify_d8_57(uint8_t self[20U], - uint8_t ret[20U]) { - memcpy(ret, self, (size_t)20U * sizeof(uint8_t)); -} - -/** -This function found in impl {libcrux_secrets::traits::Declassify for T} -*/ -/** -A monomorphic instance of libcrux_secrets.int.public_integers.declassify_d8 -with types uint8_t[8size_t] - -*/ -static KRML_MUSTINLINE void -libcrux_secrets_int_public_integers_declassify_d8_76(uint8_t self[8U], - uint8_t ret[8U]) { - memcpy(ret, self, (size_t)8U * sizeof(uint8_t)); -} - -/** -This function found in impl {libcrux_secrets::traits::Declassify for T} -*/ -/** -A monomorphic instance of libcrux_secrets.int.public_integers.declassify_d8 -with types uint8_t[2size_t] - -*/ -static KRML_MUSTINLINE void -libcrux_secrets_int_public_integers_declassify_d8_d4(uint8_t self[2U], - uint8_t ret[2U]) { - memcpy(ret, self, (size_t)2U * sizeof(uint8_t)); -} - -/** -This function found in impl {libcrux_secrets::traits::Classify for T} -*/ -/** -A monomorphic instance of libcrux_secrets.int.public_integers.classify_27 -with types int16_t[16size_t] - -*/ -static KRML_MUSTINLINE void libcrux_secrets_int_public_integers_classify_27_46( - int16_t self[16U], int16_t ret[16U]) { - memcpy(ret, self, (size_t)16U * 
sizeof(int16_t)); -} - /** This function found in impl {libcrux_secrets::traits::ClassifyRef<&'a (@Slice)> for &'a (@Slice)} @@ -842,38 +699,16 @@ libcrux_secrets_int_classify_public_classify_ref_9b_39(Eurydice_slice self) { } /** -A monomorphic instance of core.result.Result -with types int16_t[16size_t], core_array_TryFromSliceError - -*/ -typedef struct Result_0a_s { - Result_b2_tags tag; - union U { - int16_t case_Ok[16U]; - TryFromSliceError case_Err; - } val; - KRML_UNION_CONSTRUCTOR(Result_0a_s) -} Result_0a; - -/** -This function found in impl {core::result::Result[TraitClause@0, -TraitClause@1]} +This function found in impl {libcrux_secrets::traits::Classify for T} */ /** -A monomorphic instance of core.result.unwrap_26 -with types int16_t[16size_t], core_array_TryFromSliceError +A monomorphic instance of libcrux_secrets.int.public_integers.classify_27 +with types int16_t[16size_t] */ -static inline void unwrap_26_00(Result_0a self, int16_t ret[16U]) { - if (self.tag == Ok) { - int16_t f0[16U]; - memcpy(f0, self.val.case_Ok, (size_t)16U * sizeof(int16_t)); - memcpy(ret, f0, (size_t)16U * sizeof(int16_t)); - } else { - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "unwrap not Ok"); - KRML_HOST_EXIT(255U); - } +static KRML_MUSTINLINE void libcrux_secrets_int_public_integers_classify_27_46( + int16_t self[16U], int16_t ret[16U]) { + memcpy(ret, self, (size_t)16U * sizeof(int16_t)); } /** @@ -882,7 +717,7 @@ with types uint8_t[8size_t], core_array_TryFromSliceError */ typedef struct Result_15_s { - Result_b2_tags tag; + Result_fb_tags tag; union U { uint8_t case_Ok[8U]; TryFromSliceError case_Err; diff --git a/libcrux-ml-kem/extracts/cpp_header_only/generated/libcrux_sha3_avx2.h b/libcrux-ml-kem/extracts/cpp_header_only/generated/libcrux_sha3_avx2.h index 5267d7623..1ca372275 100644 --- a/libcrux-ml-kem/extracts/cpp_header_only/generated/libcrux_sha3_avx2.h +++ b/libcrux-ml-kem/extracts/cpp_header_only/generated/libcrux_sha3_avx2.h 
@@ -7,8 +7,8 @@
  * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7
  * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785
  * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b
- * F*: 71d8221589d4d438af3706d89cb653cf53e18aab
- * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc
+ * F*: unset
+ * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b
  */
 #ifndef libcrux_sha3_avx2_H
diff --git a/libcrux-ml-kem/extracts/cpp_header_only/generated/libcrux_sha3_portable.h b/libcrux-ml-kem/extracts/cpp_header_only/generated/libcrux_sha3_portable.h
index ece63ab5e..ed2c94fdf 100644
--- a/libcrux-ml-kem/extracts/cpp_header_only/generated/libcrux_sha3_portable.h
+++ b/libcrux-ml-kem/extracts/cpp_header_only/generated/libcrux_sha3_portable.h
@@ -7,8 +7,8 @@
  * Charon: 667d2fc98984ff7f3df989c2367e6c1fa4a000e7
  * Eurydice: 2381cbc416ef2ad0b561c362c500bc84f36b6785
  * Karamel: 80f5435f2fc505973c469a4afcc8d875cddd0d8b
- * F*: 71d8221589d4d438af3706d89cb653cf53e18aab
- * Libcrux: 68dfed5a4a9e40277f62828471c029afed1ecdcc
+ * F*: unset
+ * Libcrux: bf73a8a7a0f119e66b105a3462265b4a2a3af63b
  */
 #ifndef libcrux_sha3_portable_H
diff --git a/libcrux-ml-kem/hax.py b/libcrux-ml-kem/hax.py
index 3f8e536e5..d1961426a 100755
--- a/libcrux-ml-kem/hax.py
+++ b/libcrux-ml-kem/hax.py
@@ -137,7 +137,7 @@ def __call__(self, parser, args, values, option_string=None) -> None:
         admit_env = {}
         if args.admit:
             admit_env = {"OTHERFLAGS": "--admit_smt_queries true"}
-        shell(["make", "-j4", "-C", "proofs/fstar/extraction/"], env=admit_env)
+        shell(["make", "-j4", "-k", "-C", "proofs/fstar/extraction/"], env=admit_env)
         return None
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Makefile b/libcrux-ml-kem/proofs/fstar/extraction/Makefile
index 4ed266ec9..952dc7dba 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Makefile
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Makefile
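Review bot: With `-k`, make keeps checking the remaining F* modules after one fails, so the run's final non-zero exit status becomes the only signal that any module failed; the hunk does not show whether `shell` turns that exit status into a failure of this command, so it is worth confirming that it does. A short comment on the changed line would record the intent for the next reader, e.g. `# -k: keep checking the other modules after a failure; make still exits non-zero if any module failed`. The enclosing `__call__` starts outside the hunk.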
@@ -2,7 +2,16 @@ SLOW_MODULES += Libcrux_ml_kem.Vector.Portable.Serialize.fst \
 	Libcrux_ml_kem.Vector.Rej_sample_table.fsti
 ADMIT_MODULES = Libcrux_ml_kem.Ind_cpa.fst \
+	Libcrux_ml_kem.Ind_cca.fst \
+	Libcrux_ml_kem.Ind_cca.Unpacked.fst \
+	Libcrux_ml_kem.Ntt.fst \
+	Libcrux_ml_kem.Invert_ntt.fst \
+	Libcrux_ml_kem.Polynomial.fst \
+	Libcrux_ml_kem.Matrix.fst \
 	Libcrux_ml_kem.Sampling.fst \
+	Libcrux_ml_kem.Vector.Portable.fst \
+	Libcrux_ml_kem.Vector.Portable.Arithmetic.fst \
+	Libcrux_ml_kem.Vector.Portable.Ntt.fst \
 	Libcrux_ml_kem.Vector.Neon.Arithmetic.fst \
 	Libcrux_ml_kem.Vector.Neon.Compress.fst \
 	Libcrux_ml_kem.Vector.Neon.fsti \
diff --git a/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Math.fst b/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Math.fst
index 9a4aff266..c86687e0d 100644
--- a/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Math.fst
+++ b/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Math.fst
@@ -275,7 +275,7 @@ let byte_decode_then_decompress (d: dT {d <> 12}) (b:t_Array u8 (sz (32 * d))):
 let serialize_pre (d1: dT) (coefficients: t_Array i16 (sz 16))
-  = forall i. i < 16 ==> bounded (Seq.index coefficients i) d1
+  = forall i. bounded (Seq.index coefficients i) d1
 // TODO: this is an alternative version of byte_encode
 // rename to encoded bytes
diff --git a/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.fst b/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.fst
index 8d4ed7f47..e08dcb59f 100644
--- a/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.fst
+++ b/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.fst
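Review bot: The nine modules added to ADMIT_MODULES include the core of the implementation (Ind_cca, Ntt, Invert_ntt, Polynomial, Matrix and the portable vector modules), and nothing in the hunk records why they are admitted or what has to happen before they come out again; presumably these are proofs that still need updating after the API changes elsewhere in this commit. A comment above the list would keep that state visible to anyone reading the verification setup, e.g. `# Temporarily admitted: proofs pending update to the refactored API; remove each entry as its proofs are restored`. The verification_status.md hunk in this commit marks only ind_cpa, ind_cca and polynomial as newly "needs proofs", so it is worth checking that the rows for matrix and the vector/portable modules (outside that hunk) agree with this list.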
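Review bot: Dropping the explicit `i < 16 ==>` guard in `serialize_pre` leaves the domain of `i` to be inferred from its use in `Seq.index coefficients i`; presumably F* picks up the `i < Seq.length coefficients` refinement from that use, which makes the quantifier correct but implicit. Writing the binder type out keeps the bound readable and independent of inference: `= forall (i:nat{i < 16}). bounded (Seq.index coefficients i) d1`.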
@@ -170,9 +170,9 @@ let sample_poly_cbd2 #r seed domain_sep =
 let sample_vector_cbd1_prf_input (#r:rank) (seed:t_Array u8 (sz 32)) (domain_sep:usize{v domain_sep < 2 * v r}) (i:usize{i <. r}) : t_Array u8 (sz 33) =
   Seq.append seed (Seq.create 1 (mk_int #u8_inttype (v domain_sep + v i)))
-let sample_vector_cbd1_prf_output (#r:rank) (prf_output:t_Array (t_Array u8 (v_ETA1_RANDOMNESS_SIZE r)) r) (i:usize{i <. r}) : polynomial =
-  sample_poly_cbd (v_ETA1 r) prf_output.[i]
-
+let sample_vector_cbd1_prf_output (#r:rank) (prf_output:t_Array u8 (v_ETA1_RANDOMNESS_SIZE r *. r)) (i:usize{i <. r}) : polynomial =
+  sample_poly_cbd (v_ETA1 r) (Seq.slice prf_output (v i * v (v_ETA1_RANDOMNESS_SIZE r)) (v i * v (v_ETA1_RANDOMNESS_SIZE r) + v (v_ETA1_RANDOMNESS_SIZE r)))
+
 let sample_vector_cbd1 (#r:rank) (seed:t_Array u8 (sz 32)) (domain_sep:usize{v domain_sep < 2 * v r}) : vector r =
   let prf_input = createi r (sample_vector_cbd1_prf_input #r seed domain_sep) in
   let prf_output = v_PRFxN r (v_ETA1_RANDOMNESS_SIZE r) prf_input in
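Review bot: The slice arithmetic that selects block `i` of the flat PRF output is written out in full in `sample_vector_cbd1_prf_output` here and again, with ETA2 in place of ETA1, in `sample_vector_cbd2_prf_output` in the next hunk; the two copies must stay in step with the layout `v_PRFxN` produces, and duplicating the expression makes a divergence easy to miss. A single helper would make the layout assumption explicit in one place, something like `let prf_output_block (#r:rank) (len:usize) (prf_output:t_Array u8 (len *. r)) (i:usize{i <. r}) : t_Array u8 len = Seq.slice prf_output (v i * v len) ((v i + 1) * v len)`, with both callers reduced to `sample_poly_cbd (v_ETA1 r) (prf_output_block (v_ETA1_RANDOMNESS_SIZE r) prf_output i)`. Whether the `t_Array u8 len` result type goes through without a length lemma depends on how `t_Array` is defined, which is outside this hunk.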
@@ -181,8 +181,8 @@ let sample_vector_cbd1 (#r:rank) (seed:t_Array u8 (sz 32)) (domain_sep:usize{v d let sample_vector_cbd2_prf_input (#r:rank) (seed:t_Array u8 (sz 32)) (domain_sep:usize{v domain_sep < 2 * v r}) (i:usize{i <. r}) : t_Array u8 (sz 33) = Seq.append seed (Seq.create 1 (mk_int #u8_inttype (v domain_sep + v i))) -let sample_vector_cbd2_prf_output (#r:rank) (prf_output:t_Array (t_Array u8 (v_ETA2_RANDOMNESS_SIZE r)) r) (i:usize{i <. r}) : polynomial = - sample_poly_cbd (v_ETA2 r) prf_output.[i] +let sample_vector_cbd2_prf_output (#r:rank) (prf_output:t_Array u8 (v_ETA2_RANDOMNESS_SIZE r *. r)) (i:usize{i <. r}) : polynomial = + sample_poly_cbd (v_ETA2 r) (Seq.slice prf_output (v i * v (v_ETA2_RANDOMNESS_SIZE r)) (v i * v (v_ETA2_RANDOMNESS_SIZE r) + v (v_ETA2_RANDOMNESS_SIZE r))) let sample_vector_cbd2 (#r:rank) (seed:t_Array u8 (sz 32)) (domain_sep:usize{v domain_sep < 2 * v r}) : vector r = let prf_input = createi r (sample_vector_cbd2_prf_input #r seed domain_sep) in diff --git a/libcrux-ml-kem/proofs/fstar/spec/Spec.Utils.fsti b/libcrux-ml-kem/proofs/fstar/spec/Spec.Utils.fsti index c512e7e1d..0f0b05764 100644 --- a/libcrux-ml-kem/proofs/fstar/spec/Spec.Utils.fsti +++ b/libcrux-ml-kem/proofs/fstar/spec/Spec.Utils.fsti @@ -368,8 +368,9 @@ val v_G (input: t_Slice u8) : t_Array u8 (sz 64) val v_H (input: t_Slice u8) : t_Array u8 (sz 32) val v_PRF (v_LEN: usize{v v_LEN < pow2 32}) (input: t_Slice u8) : t_Array u8 v_LEN -val v_PRFxN (r:usize{v r == 2 \/ v r == 3 \/ v r == 4}) (v_LEN: usize{v v_LEN < pow2 32}) - (input: t_Array (t_Array u8 (sz 33)) r) : t_Array (t_Array u8 v_LEN) r +val v_PRFxN (r:usize{v r == 2 \/ v r == 3 \/ v r == 4}) (v_LEN: usize{4 * v v_LEN < pow2 32}) + (input: t_Array (t_Array u8 (sz 33)) r) : + t_Array u8 (v_LEN *. r) val v_J (input: t_Slice u8) : t_Array u8 (sz 32) diff --git a/libcrux-ml-kem/proofs/verification_status.md b/libcrux-ml-kem/proofs/verification_status.md index 33feecc6e..3e57a6409 100644 
--- a/libcrux-ml-kem/proofs/verification_status.md +++ b/libcrux-ml-kem/proofs/verification_status.md @@ -12,16 +12,17 @@ specifiction of its input-output behavior. We write "yes" when the module is fully proven to satisfy one of these conditions, and "needs proofs" when some functions in the modules still need some proofs in that category. +## `HEAD` of branch `main` (Unreleased) | Category | File | Lax Checking | Runtime Safety | Correctness | | -------- | ----------------- | ------------ | -------------- | ------------ | | _Generic_ | constant_time_ops | yes | yes | yes | | | hash_functions | yes | yes | yes | -| | ind_cpa | yes | yes | yes | -| | ind_cca | yes | yes | yes | +| | ind_cpa | yes | yes | needs proofs | +| | ind_cca | yes | yes | needs proofs | | | instantiations | yes | yes | yes | | | multiplexing | yes | yes | yes | -| | polynomial | yes | yes | yes | +| | polynomial | yes | yes | needs proofs | | | invert_ntt | yes | yes | needs proofs | | | ntt | yes | yes | needs proofs | | | mlkem* | yes | yes | needs proofs | 
@@ -29,6 +30,42 @@ functions in the modules still need some proofs in that category. | | serialize | yes | needs proofs | needs proofs | | | sampling | yes | needs proofs | needs proofs | | | | | | | +| _Portable_ | arithmetic | yes | yes | needs proofs | +| | ntt | yes | yes | needs proofs | +| | serialize | yes | yes | yes | +| | compress | yes | yes | yes | +| | sampling | yes | yes | needs proofs | +| | | | | | +| _Avx2_ | arithmetic | yes | yes | yes | +| | ntt | yes | yes | yes | +| | serialize | yes | yes | yes | +| | compress | yes | yes | needs proofs | +| | sampling | yes | yes | needs proofs | +| | | | | | +| _Neon_ | arithmetic | yes | needs proofs | needs proofs | +| | ntt | yes | needs proofs | needs proofs | +| | compress | yes | needs proofs | needs proofs | +| | serialize | yes | needs proofs | needs proofs | +| | sampling | yes | needs proofs | needs proofs | + +## Release `v0.0.4` + +| Category | File | Lax Checking | Runtime Safety | Correctness | +| -------- | ----------------- | ------------ | -------------- | ------------ | +| _Generic_ | constant_time_ops | yes | yes | yes | +| | hash_functions | yes | yes | yes | +| | ind_cpa | yes | yes | yes | +| | ind_cca | yes | yes | yes | +| | instantiations | yes | yes | yes | +| | multiplexing | yes | yes | yes | +| | polynomial | yes | yes | yes | +| | invert_ntt | yes | yes | needs proofs | +| | ntt | yes | yes | needs proofs | +| | mlkem* | yes | yes | needs proofs | +| | matrix | yes | needs proofs | needs proofs | +| | serialize | yes | needs proofs | needs proofs | +| | sampling | yes | needs proofs | needs proofs | +| | | | | | | _Portable_ | arithmetic | yes | yes | yes | | | ntt | yes | yes | yes | | | serialize | yes | yes | yes | @@ -46,4 +83,3 @@ functions in the modules still need some proofs in that category. | | compress | yes | needs proofs | needs proofs | | | serialize | yes | needs proofs | needs proofs | | | sampling | yes | needs proofs | needs proofs | - 
diff --git a/libcrux-ml-kem/src/constant_time_ops.rs b/libcrux-ml-kem/src/constant_time_ops.rs
index 42486a0d9..46365cea8 100644
--- a/libcrux-ml-kem/src/constant_time_ops.rs
+++ b/libcrux-ml-kem/src/constant_time_ops.rs
@@ -1,5 +1,3 @@
-use crate::constants::SHARED_SECRET_SIZE;
-
 // These are crude attempts to prevent LLVM from optimizing away the code in this
 // module. This is not guaranteed to work but at the time of writing, achieved
 // its goals.
@@ -111,28 +109,30 @@ pub(crate) fn compare_ciphertexts_in_constant_time(lhs: &[u8], rhs: &[u8]) -> u8 #[hax_lib::fstar::options("--ifuel 0 --z3rlimit 50")] #[hax_lib::requires( lhs.len() == rhs.len() && - lhs.len() == SHARED_SECRET_SIZE + out.len() == lhs.len() )] -#[hax_lib::ensures(|result| if selector == 0 {result == lhs} else {result == rhs})] -fn select_ct(lhs: &[u8], rhs: &[u8], selector: u8) -> [u8; SHARED_SECRET_SIZE] { +#[hax_lib::ensures(|()| if selector == 0 {future(out) == lhs} else {future(out) == rhs})] +fn select_ct(lhs: &[u8], rhs: &[u8], selector: u8, out: &mut [u8]) { + #[cfg(hax)] + let out_orig: std::vec::Vec = out.to_vec(); + let mask = is_non_zero(selector).wrapping_sub(1); hax_lib::fstar!( "assert (if $selector = (mk_u8 0) then $mask = ones else $mask = zero); lognot_lemma $mask; assert (if $selector = (mk_u8 0) then ~.$mask = zero else ~.$mask = ones)" ); - let mut out = [0u8; SHARED_SECRET_SIZE]; - for i in 0..SHARED_SECRET_SIZE { + for i in 0..lhs.len() { hax_lib::loop_invariant!(|i: usize| { fstar!( - r#"v $i <= v $SHARED_SECRET_SIZE /\ + r#"v $i <= v (${lhs.len()}) /\ (forall j. j < v $i ==> (if ($selector =. (mk_u8 0)) then Seq.index $out j == Seq.index $lhs j else Seq.index $out j == Seq.index $rhs j)) /\ - (forall j. j >= v $i ==> Seq.index $out j == (mk_u8 0))"# + Seq.length ${out} == Seq.length ${out_orig}"# ) }); - hax_lib::fstar!(r#"assert ((${out}.[ $i ] <: u8) = (mk_u8 0))"#); let outi = (lhs[i] & mask) | (rhs[i] & !mask); + out[i] = outi; hax_lib::fstar!( r#"if ($selector = (mk_u8 0)) then ( logand_lemma (${lhs}.[ $i ] <: u8) $mask; 
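Review bot: `select_ct` now indexes `rhs[i]` and `out[i]` for `i in 0..lhs.len()` on the strength of the hax `requires` alone; outside hax nothing checks that `rhs` and `out` are at least `lhs.len()` long, so a mismatched caller panics part-way through the loop instead of failing at the entry. The other functions this commit touches mirror their requires with a runtime check (`debug_assert!(out.len() == LEN)` in `PRF`), so add `debug_assert!(lhs.len() == rhs.len() && out.len() == lhs.len());` before `mask` is computed. With `out` caller-provided, the old `(forall j. j >= v $i ==> Seq.index $out j == (mk_u8 0))` clause is gone and the function no longer clears anything, which is worth one doc line on the function (`/// Overwrites all of out; out must be exactly lhs.len() bytes.`). The body of `select_ct` continues past the end of this hunk.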
@@ -142,7 +142,6 @@ fn select_ct(lhs: &[u8], rhs: &[u8], selector: u8) -> [u8; SHARED_SECRET_SIZE] { logor_lemma ((${lhs}.[ $i ] <: u8) &. $mask <: u8) ((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8); assert ((((${lhs}.[ $i ] <: u8) &. $mask <: u8) |. ((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8) <: u8) == (${lhs}.[ $i ] <: u8)); logor_lemma (${out}.[ $i ] <: u8) (${lhs}.[ $i ] <: u8); - assert (((${out}.[ $i ] <: u8) |. (((${lhs}.[ $i ] <: u8) &. $mask <: u8) |. ((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8) <: u8) <: u8) == (${lhs}.[ $i ] <: u8)); assert ($outi = (${lhs}.[ $i ] <: u8)) ) else ( @@ -154,11 +153,9 @@ fn select_ct(lhs: &[u8], rhs: &[u8], selector: u8) -> [u8; SHARED_SECRET_SIZE] { assert ((logor zero (${rhs}.[ $i ] <: u8)) == (${rhs}.[ $i ] <: u8)); assert ((((${lhs}.[ $i ] <: u8) &. $mask <: u8) |. ((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8)) == (${rhs}.[ $i ] <: u8)); logor_lemma (${out}.[ $i ] <: u8) (${rhs}.[ $i ] <: u8); - assert (((${out}.[ $i ] <: u8) |. (((${lhs}.[ $i ] <: u8) &. $mask <: u8) |. ((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8) <: u8) <: u8) == (${rhs}.[ $i ] <: u8)); assert ($outi = (${rhs}.[ $i ] <: u8)) )"# ); - out[i] = outi; } hax_lib::fstar!( 
@@ -169,41 +166,43 @@ fn select_ct(lhs: &[u8], rhs: &[u8], selector: u8) -> [u8; SHARED_SECRET_SIZE] { eq_intro $out $rhs )" ); - out } #[inline(never)] // Don't inline this to avoid that the compiler optimizes this out. #[hax_lib::requires( lhs.len() == rhs.len() && - lhs.len() == SHARED_SECRET_SIZE + out.len() == lhs.len() )] -#[hax_lib::ensures(|result| if selector == 0 {result == lhs} else {result == rhs})] +#[hax_lib::ensures(|()| if selector == 0 {future(out) == lhs} else {future(out) == rhs})] pub(crate) fn select_shared_secret_in_constant_time( lhs: &[u8], rhs: &[u8], selector: u8, -) -> [u8; SHARED_SECRET_SIZE] { + out: &mut [u8], +) { #[cfg(eurydice)] - return select_ct(lhs, rhs, selector); + return select_ct(lhs, rhs, selector, out); #[cfg(not(eurydice))] - core::hint::black_box(select_ct(lhs, rhs, selector)) + #[allow(clippy::unit_arg)] + core::hint::black_box(select_ct(lhs, rhs, selector, out)) } #[inline(never)] // Don't inline this to avoid that the compiler optimizes this out. #[hax_lib::requires( lhs_c.len() == rhs_c.len() && lhs_s.len() == rhs_s.len() && - lhs_s.len() == SHARED_SECRET_SIZE + out.len() == lhs_s.len() )] -#[hax_lib::ensures(|result| if lhs_c == rhs_c {result == lhs_s} else {result == rhs_s})] +#[hax_lib::ensures(|()| if lhs_c == rhs_c {future(out) == lhs_s} else {future(out) == rhs_s})] pub(crate) fn compare_ciphertexts_select_shared_secret_in_constant_time( lhs_c: &[u8], rhs_c: &[u8], lhs_s: &[u8], rhs_s: &[u8], -) -> [u8; SHARED_SECRET_SIZE] { + out: &mut [u8], +) { let selector = compare_ciphertexts_in_constant_time(lhs_c, rhs_c); - select_shared_secret_in_constant_time(lhs_s, rhs_s, selector) + select_shared_secret_in_constant_time(lhs_s, rhs_s, selector, out); } diff --git a/libcrux-ml-kem/src/hash_functions.rs b/libcrux-ml-kem/src/hash_functions.rs index 332693f50..150c57d26 100644 --- a/libcrux-ml-kem/src/hash_functions.rs +++ b/libcrux-ml-kem/src/hash_functions.rs 
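Review bot: `core::hint::black_box(select_ct(lhs, rhs, selector, out))` now wraps a `()` value, so the barrier no longer covers the data it used to hide — the selected bytes go out through `out`, and the optimizer is free to reason about `selector` and the derived mask across the call; the added `#[allow(clippy::unit_arg)]` is clippy noticing that the call has become a no-op barrier. If the intent is still to keep LLVM from rewriting the mask arithmetic into a branch on `selector`, put the operand behind the barrier instead, e.g. `core::hint::black_box(selector)` as the argument to `select_ct` on the non-eurydice path, and extend the module's "crude attempts" comment to say which value is being hidden and why. The eurydice path is unaffected since it calls `select_ct` directly.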
@@ -8,8 +8,6 @@
 // them to be properly abstracted in F*. We would like hax to do this automatically.
 // Related Issue: https://github.com/hacspec/hax/issues/616
-use crate::constants::{G_DIGEST_SIZE, H_DIGEST_SIZE};
-
 /// The SHA3 block size.
 pub(crate) const BLOCK_SIZE: usize = 168;
@@ -24,49 +22,59 @@ pub(crate) const THREE_BLOCKS: usize = BLOCK_SIZE * 3; /// - NEON /// - Portable #[hax_lib::attributes] -pub(crate) trait Hash { +pub(crate) trait Hash { /// G aka SHA3 512 #[requires(true)] + #[requires(output.len() == 64)] #[ensures(|result| - fstar!(r#"$result == Spec.Utils.v_G $input"#)) + fstar!(r#"Seq.length ${output}_future == Seq.length ${output} /\ + ${output}_future == Spec.Utils.v_G $input"#)) ] - fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE]; + fn G(input: &[u8], output: &mut [u8]); /// H aka SHA3 256 #[requires(true)] + #[requires(output.len() == 32)] #[ensures(|result| - fstar!(r#"$result == Spec.Utils.v_H $input"#)) + fstar!(r#"Seq.length ${output}_future == Seq.length ${output} /\ + ${output}_future == Spec.Utils.v_H $input"#)) ] - fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE]; + fn H(input: &[u8], output: &mut [u8]); /// PRF aka SHAKE256 - #[requires(fstar!(r#"v $LEN < pow2 32"#))] + #[requires(fstar!(r#"v $LEN < pow2 32 /\ + Seq.length ${out} == v $LEN"#))] #[ensures(|result| // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784 - fstar!(r#"v $LEN < pow2 32 ==> $result == Spec.Utils.v_PRF $LEN $input"#)) + fstar!(r#"Seq.length ${out}_future == Seq.length ${out} /\ + (v $LEN < pow2 32 ==> + ${out}_future == Spec.Utils.v_PRF $LEN $input)"#)) ] - fn PRF(input: &[u8]) -> [u8; LEN]; + fn PRF(input: &[u8], out: &mut [u8]); /// PRFxN aka N SHAKE256 - #[requires(fstar!(r#"v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)"#))] - #[ensures(|result| - // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784 - fstar!(r#"(v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)) ==> - $result == Spec.Utils.v_PRFxN $K $LEN $input"#)) - ] - fn PRFxN(input: &[[u8; 33]; K]) -> [[u8; LEN]; K]; + #[requires(fstar!(r#"let k = Seq.length $input in + ((k == 2 \/ k == 3 \/ k == 4) /\ + (4 * v $out_len < pow2 32) /\ + Seq.length $outputs == k * v $out_len)"#))] + 
#[ensures(|result| fstar!(r#"let k = Seq.length $input in + ((k == 2 \/ k == 3 \/ k == 4) /\ + (4 * v $out_len < pow2 32) /\ + Seq.length ${outputs}_future == Seq.length ${outputs} /\ + ${outputs}_future == Spec.Utils.v_PRFxN (sz k) $out_len $input)"#))] + fn PRFxN(input: &[[u8; 33]], outputs: &mut [u8], out_len: usize); /// Create a SHAKE128 state and absorb the input. #[requires(true)] - fn shake128_init_absorb_final(input: &[[u8; 34]; K]) -> Self; + fn shake128_init_absorb_final(input: &[[u8; 34]]) -> Self; /// Squeeze 3 blocks out of the SHAKE128 state. #[requires(true)] - fn shake128_squeeze_first_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K]; + fn shake128_squeeze_first_three_blocks(&mut self, output: &mut [[u8; THREE_BLOCKS]]); /// Squeeze 1 block out of the SHAKE128 state. #[requires(true)] - fn shake128_squeeze_next_block(&mut self) -> [[u8; BLOCK_SIZE]; K]; + fn shake128_squeeze_next_block(&mut self, output: &mut [[u8; BLOCK_SIZE]]); } /// A portable implementation of [`Hash`] 
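Review bot: The `#[requires(true)]` attributes on `G` and `H` are now dead next to the added `#[requires(output.len() == 64)]` / `#[requires(output.len() == 32)]` and should be dropped. The method docs were not updated for the new out-parameter shape: `/// PRFxN aka N SHAKE256` should state the layout the hax `requires` encodes, e.g. `/// Writes input.len() SHAKE256 outputs of out_len bytes each, back to back, into outputs, which must be exactly input.len() * out_len bytes long.`, and `G`/`H`/`PRF` should say that `output`/`out` must be exactly 64/32/`LEN` bytes. Now that `shake128_init_absorb_final` and the two squeeze methods take the lane count from the slice length instead of a `K` parameter, nothing in the signatures ties the count used at init to the count used when squeezing; a doc line on the trait saying the same count must be passed to all three would make that contract visible.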
@@ -79,150 +87,151 @@ pub(crate) mod portable { /// It's only used for SHAKE128. /// All other functions don't actually use any members. #[cfg_attr(hax, hax_lib::opaque)] - pub(crate) struct PortableHash { - shake128_state: [KeccakState; K], + pub(crate) struct PortableHash { + shake128_state: [KeccakState; 4], } + #[hax_lib::requires(output.len() == 64)] #[hax_lib::ensures(|result| - fstar!(r#"$result == Spec.Utils.v_G $input"#)) + fstar!(r#"Seq.length ${output}_future == Seq.length ${output} /\ + ${output}_future == Spec.Utils.v_G $input"#)) ] #[inline] - fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] { - let mut digest = [0u8; G_DIGEST_SIZE]; - portable::sha512(&mut digest, input); - digest + fn G(input: &[u8], output: &mut [u8]) { + portable::sha512(output, input); } + #[hax_lib::requires(output.len() == 32)] #[hax_lib::ensures(|result| - fstar!(r#"$result == Spec.Utils.v_H $input"#)) + fstar!(r#"Seq.length ${output}_future == Seq.length ${output} /\ + ${output}_future == Spec.Utils.v_H $input"#)) ] #[inline] - fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] { - let mut digest = [0u8; H_DIGEST_SIZE]; - portable::sha256(&mut digest, input); - digest + fn H(input: &[u8], output: &mut [u8]) { + portable::sha256(output, input); } - #[hax_lib::requires(fstar!(r#"v $LEN < pow2 32"#))] + #[hax_lib::requires(fstar!(r#"v $LEN < pow2 32 /\ + Seq.length ${out} == v $LEN"#))] #[hax_lib::ensures(|result| - fstar!(r#"$result == Spec.Utils.v_PRF $LEN $input"#)) + fstar!(r#"Seq.length ${out}_future == Seq.length ${out} /\ + ${out}_future == Spec.Utils.v_PRF $LEN $input"#)) ] #[inline] - fn PRF(input: &[u8]) -> [u8; LEN] { - let mut digest = [0u8; LEN]; - portable::shake256(&mut digest, input); - digest + fn PRF(input: &[u8], out: &mut [u8]) { + debug_assert!(out.len() == LEN); + portable::shake256(out, input); } - #[hax_lib::requires(fstar!(r#"v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)"#))] - #[hax_lib::ensures(|result| - fstar!(r#"$result == Spec.Utils.v_PRFxN $K $LEN 
$input"#)) - ] + #[hax_lib::requires(fstar!(r#"let k = Seq.length $input in + ((k == 2 \/ k == 3 \/ k == 4) /\ + (4 * v $out_len < pow2 32) /\ + Seq.length $outputs == k * v $out_len)"#))] + #[hax_lib::ensures(|result| fstar!(r#"let k = Seq.length $input in + ((k == 2 \/ k == 3 \/ k == 4) /\ + (4 * v $out_len < pow2 32) /\ + Seq.length ${outputs}_future == Seq.length ${outputs} /\ + ${outputs}_future == Spec.Utils.v_PRFxN (sz k) $out_len $input)"#))] #[inline] - fn PRFxN(input: &[[u8; 33]; K]) -> [[u8; LEN]; K] { - debug_assert!(K == 2 || K == 3 || K == 4); - - let mut out = [[0u8; LEN]; K]; - for i in 0..K { - portable::shake256(&mut out[i], &input[i]); + fn PRFxN(input: &[[u8; 33]], outputs: &mut [u8], out_len: usize) { + for i in 0..input.len() { + portable::shake256(&mut outputs[i * out_len..(i + 1) * out_len], &input[i]); } - out } #[inline] - fn shake128_init_absorb_final(input: &[[u8; 34]; K]) -> PortableHash { - debug_assert!(K == 2 || K == 3 || K == 4); + fn shake128_init_absorb_final(input: &[[u8; 34]]) -> PortableHash { + debug_assert!(input.len() == 2 || input.len() == 3 || input.len() == 4); - let mut shake128_state = PortableHash { - shake128_state: [incremental::shake128_init(); K], - }; - for i in 0..K { - incremental::shake128_absorb_final(&mut shake128_state.shake128_state[i], &input[i]); + let mut shake128_state = [incremental::shake128_init(); 4]; + for i in 0..input.len() { + incremental::shake128_absorb_final(&mut shake128_state[i], &input[i]); } - shake128_state + PortableHash { shake128_state } } #[inline] - fn shake128_squeeze_first_three_blocks( - st: &mut PortableHash, - ) -> [[u8; THREE_BLOCKS]; K] { - debug_assert!(K == 2 || K == 3 || K == 4); + fn shake128_squeeze_first_three_blocks( + st: &mut PortableHash, + outputs: &mut [[u8; THREE_BLOCKS]], + ) { + debug_assert!(outputs.len() == 2 || outputs.len() == 3 || outputs.len() == 4); - let mut out = [[0u8; THREE_BLOCKS]; K]; - for i in 0..K { + for i in 0..outputs.len() { 
incremental::shake128_squeeze_first_three_blocks( &mut st.shake128_state[i], - &mut out[i], + &mut outputs[i], ); } - out } #[inline] - fn shake128_squeeze_next_block( - st: &mut PortableHash, - ) -> [[u8; BLOCK_SIZE]; K] { - debug_assert!(K == 2 || K == 3 || K == 4); + fn shake128_squeeze_next_block(st: &mut PortableHash, outputs: &mut [[u8; BLOCK_SIZE]]) { + debug_assert!(outputs.len() == 2 || outputs.len() == 3 || outputs.len() == 4); - let mut out = [[0u8; BLOCK_SIZE]; K]; - for i in 0..K { - incremental::shake128_squeeze_next_block(&mut st.shake128_state[i], &mut out[i]); + for i in 0..outputs.len() { + incremental::shake128_squeeze_next_block(&mut st.shake128_state[i], &mut outputs[i]); } - out } #[hax_lib::attributes] - impl Hash for PortableHash { - #[ensures(|out| - fstar!(r#"$out == Spec.Utils.v_G $input"#)) + impl Hash for PortableHash { + #[requires(output.len() == 64)] + #[ensures(|_| + fstar!(r#"${output}_future == Spec.Utils.v_G $input"#)) ] #[inline] - fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] { - G(input) + fn G(input: &[u8], output: &mut [u8]) { + G(input, output) } - #[ensures(|out| - fstar!(r#"$out == Spec.Utils.v_H $input"#)) + #[requires(output.len() == 32)] + #[ensures(|_| + fstar!(r#"${output}_future == Spec.Utils.v_H $input"#)) ] #[inline] - fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] { - H(input) + fn H(input: &[u8], output: &mut [u8]) { + H(input, output) } #[requires(fstar!(r#"v $LEN < pow2 32"#))] - #[ensures(|out| + #[ensures(|_| // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784 - fstar!(r#"v $LEN < pow2 32 ==> $out == Spec.Utils.v_PRF $LEN $input"#)) + fstar!(r#"v $LEN < pow2 32 ==> ${out}_future == Spec.Utils.v_PRF $LEN $input"#)) ] #[inline] - fn PRF(input: &[u8]) -> [u8; LEN] { - PRF::(input) - } - - #[requires(fstar!(r#"v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)"#))] - #[ensures(|out| - fstar!(r#"(v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)) ==> - $out == 
Spec.Utils.v_PRFxN $K $LEN $input"#)) - ] + fn PRF(input: &[u8], out: &mut [u8]) { + PRF::(input, out) + } + + #[requires(fstar!(r#"let k = Seq.length $input in + ((k == 2 \/ k == 3 \/ k == 4) /\ + (4 * v $out_len < pow2 32) /\ + Seq.length $outputs == k * v $out_len)"#))] + #[ensures(|result| fstar!(r#"let k = Seq.length $input in + ((k == 2 \/ k == 3 \/ k == 4) /\ + (4 * v $out_len < pow2 32) /\ + Seq.length ${outputs}_future == Seq.length ${outputs} /\ + ${outputs}_future == Spec.Utils.v_PRFxN (sz k) $out_len $input)"#))] #[inline] - fn PRFxN(input: &[[u8; 33]; K]) -> [[u8; LEN]; K] { - PRFxN::(input) + fn PRFxN(input: &[[u8; 33]], outputs: &mut [u8], out_len: usize) { + PRFxN(input, outputs, out_len) } - #[inline] - fn shake128_init_absorb_final(input: &[[u8; 34]; K]) -> Self { + #[inline(always)] + fn shake128_init_absorb_final(input: &[[u8; 34]]) -> Self { shake128_init_absorb_final(input) } - #[inline] - fn shake128_squeeze_first_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] { - shake128_squeeze_first_three_blocks(self) + #[inline(always)] + fn shake128_squeeze_first_three_blocks(&mut self, output: &mut [[u8; THREE_BLOCKS]]) { + shake128_squeeze_first_three_blocks(self, output) } - #[inline] - fn shake128_squeeze_next_block(&mut self) -> [[u8; BLOCK_SIZE]; K] { - shake128_squeeze_next_block(self) + #[inline(always)] + fn shake128_squeeze_next_block(&mut self, output: &mut [[u8; BLOCK_SIZE]]) { + shake128_squeeze_next_block(self, output) } } } 
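Review bot: The portable `PRFxN` dropped its `debug_assert!(K == 2 || K == 3 || K == 4)` and carries no runtime check of `outputs.len() == input.len() * out_len`, unlike its hax `requires` and unlike `PRF` in the same hunk, which keeps `debug_assert!(out.len() == LEN)`; a too-short `outputs` panics inside `outputs[i * out_len..(i + 1) * out_len]`, and a too-long one leaves a silent tail of unwritten bytes. Add `debug_assert!(outputs.len() == input.len() * out_len);` at the top of the loop function. Relatedly, `impl Hash for PortableHash` keeps `#[requires(fstar!(r#"v $LEN < pow2 32"#))]` on `PRF` while both the trait method and the free `PRF` it calls also require `Seq.length out == v LEN`; if hax checks the call against the free function's precondition this gap will not verify (the avx2 impl in the hunk at -416 has the same shape) — confirm. `shake128_init_absorb_final` now always builds `[incremental::shake128_init(); 4]` and absorbs into only `input.len()` of them, so a comment that the squeeze calls must use the same lane count would help, since their `debug_assert!` only checks that the count is 2, 3 or 4.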
@@ -245,130 +254,144 @@ pub(crate) mod avx2 { shake128_state: KeccakState, } - #[hax_lib::ensures(|result| - fstar!(r#"$result == Spec.Utils.v_G $input"#)) + #[hax_lib::requires(output.len() == 64)] + #[hax_lib::ensures(|_| + fstar!(r#"Seq.length ${output}_future == Seq.length ${output} /\ + ${output}_future == Spec.Utils.v_G $input"#)) ] #[inline(always)] - fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] { - let mut digest = [0u8; G_DIGEST_SIZE]; - portable::sha512(&mut digest, input); - digest + fn G(input: &[u8], output: &mut [u8]) { + portable::sha512(output, input); } - #[hax_lib::ensures(|result| - fstar!(r#"$result == Spec.Utils.v_H $input"#)) + #[hax_lib::requires(output.len() == 32)] + #[hax_lib::ensures(|_| + fstar!(r#"Seq.length ${output}_future == Seq.length ${output} /\ + ${output}_future == Spec.Utils.v_H $input"#)) ] #[inline(always)] - fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] { - let mut digest = [0u8; H_DIGEST_SIZE]; - portable::sha256(&mut digest, input); - digest + fn H(input: &[u8], output: &mut [u8]) { + portable::sha256(output, input); } #[hax_lib::requires(fstar!(r#"v $LEN < pow2 32"#))] #[hax_lib::ensures(|result| - fstar!(r#"$result == Spec.Utils.v_PRF $LEN $input"#)) + fstar!(r#"Seq.length ${out}_future == Seq.length ${out} /\ + ${out}_future == Spec.Utils.v_PRF $LEN $input"#)) ] #[inline(always)] - fn PRF(input: &[u8]) -> [u8; LEN] { - let mut digest = [0u8; LEN]; - portable::shake256(&mut digest, input); - digest + fn PRF(input: &[u8], out: &mut [u8]) { + debug_assert!(out.len() == LEN); + portable::shake256(out, input); } - #[hax_lib::requires(fstar!(r#"v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)"#))] - #[hax_lib::ensures(|result| - fstar!(r#"$result == Spec.Utils.v_PRFxN $K $LEN $input"#)) - ] + #[hax_lib::requires(fstar!(r#"let k = Seq.length $input in + ((k == 2 \/ k == 3 \/ k == 4) /\ + (4 * v $out_len < pow2 32) /\ + Seq.length $outputs == k * v $out_len)"#))] + #[hax_lib::ensures(|result| fstar!(r#"let k = Seq.length 
$input in + ((k == 2 \/ k == 3 \/ k == 4) /\ + (4 * v $out_len < pow2 32) /\ + Seq.length ${outputs}_future == Seq.length ${outputs} /\ + ${outputs}_future == Spec.Utils.v_PRFxN (sz k) $out_len $input)"#))] #[inline(always)] - fn PRFxN(input: &[[u8; 33]; K]) -> [[u8; LEN]; K] { - debug_assert!(K == 2 || K == 3 || K == 4); - let mut out = [[0u8; LEN]; K]; - let mut out0 = [0u8; LEN]; - let mut out1 = [0u8; LEN]; - let mut out2 = [0u8; LEN]; - let mut out3 = [0u8; LEN]; - - match K as u8 { + fn PRFxN(input: &[[u8; 33]], outputs: &mut [u8], out_len: usize) { + // XXX: The buffer sizes here are the maximum that we will + // need. PRFxN is called to fill N buffers of size + // `ETA1/2_RANDOMNESS_SIZE`. The maximum value for + // `ETA1/2_RANDOMNESS_SIZE` is in ML-KEM 512 with `ETA1 = 3` + // and `ETA1_RANDOMNESS_SIZE = ETA1 * 64`. This means, + // unfortunately, that we overallocate and oversample in the + // other cases. + let mut dummy0 = [0u8; 3 * 64]; + let mut dummy1 = [0u8; 3 * 64]; + + // XXX: If I understood correctly, the x4/2 SHAKEs assume that + // the output buffers are the same length and will write + // `out0.len()` bytes of output into all of them. That's okay + // for us, just want to document the assumption. 
+ match input.len() as u8 { 2 => { + let (out0, out1) = outputs.split_at_mut(out_len); + x4::shake256( - &input[0], &input[1], &input[0], &input[0], &mut out0, &mut out1, &mut out2, - &mut out3, + &input[0], + &input[1], + &input[0], + &input[0], + out0, + out1, + &mut dummy0[..out_len], + &mut dummy1[..out_len], ); - out[0] = out0; - out[1] = out1; } 3 => { + let (out0, rest) = outputs.split_at_mut(out_len); + let (out1, out2) = rest.split_at_mut(out_len); x4::shake256( - &input[0], &input[1], &input[2], &input[0], &mut out0, &mut out1, &mut out2, - &mut out3, + &input[0], + &input[1], + &input[2], + &input[0], + out0, + out1, + out2, + &mut dummy1[..out_len], ); - out[0] = out0; - out[1] = out1; - out[2] = out2; } 4 => { + let (out0, rest) = outputs.split_at_mut(out_len); + let (out1, rest) = rest.split_at_mut(out_len); + let (out2, out3) = rest.split_at_mut(out_len); x4::shake256( - &input[0], &input[1], &input[2], &input[3], &mut out0, &mut out1, &mut out2, - &mut out3, + &input[0], &input[1], &input[2], &input[3], out0, out1, out2, out3, ); - out[0] = out0; - out[1] = out1; - out[2] = out2; - out[3] = out3; } + #[cfg(not(eurydice))] _ => unreachable!("This function must only be called with N = 2, 3, 4"), + #[cfg(eurydice)] + _ => unreachable!(), } - out } #[inline(always)] - fn shake128_init_absorb_final(input: &[[u8; 34]; K]) -> Simd256Hash { - debug_assert!(K == 2 || K == 3 || K == 4); - let mut state = Simd256Hash { - shake128_state: x4::incremental::init(), - }; + fn shake128_init_absorb_final(input: &[[u8; 34]]) -> Simd256Hash { + debug_assert!(input.len() == 2 || input.len() == 3 || input.len() == 4); + let mut state = x4::incremental::init(); - match K as u8 { + match input.len() as u8 { 2 => { x4::incremental::shake128_absorb_final( - &mut state.shake128_state, - &input[0], - &input[1], - &input[0], - &input[0], + &mut state, &input[0], &input[1], &input[0], &input[0], ); } 3 => { x4::incremental::shake128_absorb_final( - &mut state.shake128_state, - 
&input[0], - &input[1], - &input[2], - &input[0], + &mut state, &input[0], &input[1], &input[2], &input[0], ); } 4 => { x4::incremental::shake128_absorb_final( - &mut state.shake128_state, - &input[0], - &input[1], - &input[2], - &input[3], + &mut state, &input[0], &input[1], &input[2], &input[3], ); } + #[cfg(not(eurydice))] _ => unreachable!("This function must only be called with N = 2, 3, 4"), + #[cfg(eurydice)] + _ => unreachable!(), } - state + Simd256Hash { + shake128_state: state, + } } #[inline(always)] - fn shake128_squeeze_first_three_blocks( + fn shake128_squeeze_first_three_blocks( st: &mut Simd256Hash, - ) -> [[u8; THREE_BLOCKS]; K] { - debug_assert!(K == 2 || K == 3 || K == 4); - let mut out = [[0u8; THREE_BLOCKS]; K]; + outputs: &mut [[u8; THREE_BLOCKS]], + ) { + debug_assert!(outputs.len() == 2 || outputs.len() == 3 || outputs.len() == 4); let mut out0 = [0u8; THREE_BLOCKS]; let mut out1 = [0u8; THREE_BLOCKS]; let mut out2 = [0u8; THREE_BLOCKS]; 
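Review bot: The avx2 `PRFxN` lost its `debug_assert!(K == 2 || K == 3 || K == 4)` and now dispatches on `input.len() as u8`, which wraps for lengths of 256 or more before the `_ => unreachable!()` arm can catch them; the sibling functions in this hunk keep `debug_assert!(input.len() == 2 || input.len() == 3 || input.len() == 4)` and this one should too, together with `debug_assert!(outputs.len() == input.len() * out_len);` and `debug_assert!(out_len <= dummy0.len());`, since `&mut dummy0[..out_len]` panics once `out_len` exceeds `3 * 64`. The `3 * 64` sizing is justified only in the comment; naming it (`const MAX_PRF_OUT_LEN: usize = 3 * 64;`) ties the assertion to that reasoning. The `XXX: If I understood correctly` note about the x4 SHAKE writing `out0.len()` bytes into every buffer is an open question sitting in a cryptographic hot path; it should be settled against the libcrux_sha3 x4 API and rewritten as a statement of the contract the code relies on. The hunk runs into `shake128_squeeze_first_three_blocks`, whose body ends outside it.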
@@ -380,31 +403,32 @@ pub(crate) mod avx2 { &mut out2, &mut out3, ); - match K as u8 { + match outputs.len() as u8 { 2 => { - out[0] = out0; - out[1] = out1; + outputs[0] = out0; + outputs[1] = out1; } 3 => { - out[0] = out0; - out[1] = out1; - out[2] = out2; + outputs[0] = out0; + outputs[1] = out1; + outputs[2] = out2; } 4 => { - out[0] = out0; - out[1] = out1; - out[2] = out2; - out[3] = out3; + outputs[0] = out0; + outputs[1] = out1; + outputs[2] = out2; + outputs[3] = out3; } + #[cfg(not(eurydice))] _ => unreachable!("This function must only be called with N = 2, 3, 4"), + #[cfg(eurydice)] + _ => unreachable!(), } - out } #[inline(always)] - fn shake128_squeeze_next_block(st: &mut Simd256Hash) -> [[u8; BLOCK_SIZE]; K] { - debug_assert!(K == 2 || K == 3 || K == 4); - let mut out = [[0u8; BLOCK_SIZE]; K]; + fn shake128_squeeze_next_block(st: &mut Simd256Hash, outputs: &mut [[u8; BLOCK_SIZE]]) { + debug_assert!(outputs.len() == 2 || outputs.len() == 3 || outputs.len() == 4); let mut out0 = [0u8; BLOCK_SIZE]; let mut out1 = [0u8; BLOCK_SIZE]; let mut out2 = [0u8; BLOCK_SIZE]; 
@@ -416,78 +440,89 @@ pub(crate) mod avx2 { &mut out2, &mut out3, ); - match K as u8 { + match outputs.len() as u8 { 2 => { - out[0] = out0; - out[1] = out1; + outputs[0] = out0; + outputs[1] = out1; } 3 => { - out[0] = out0; - out[1] = out1; - out[2] = out2; + outputs[0] = out0; + outputs[1] = out1; + outputs[2] = out2; } 4 => { - out[0] = out0; - out[1] = out1; - out[2] = out2; - out[3] = out3; + outputs[0] = out0; + outputs[1] = out1; + outputs[2] = out2; + outputs[3] = out3; } + #[cfg(not(eurydice))] _ => unreachable!("This function is only called with 2, 3, 4"), + #[cfg(eurydice)] + _ => unreachable!(), } - out } #[hax_lib::attributes] - impl Hash for Simd256Hash { - #[ensures(|out| - fstar!(r#"$out == Spec.Utils.v_G $input"#)) + impl Hash for Simd256Hash { + #[requires(output.len() == 64)] + #[ensures(|_| + fstar!(r#"Seq.length ${output}_future == Seq.length ${output} /\ + ${output}_future == Spec.Utils.v_G $input"#)) ] #[inline(always)] - fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] { - G(input) + fn G(input: &[u8], output: &mut [u8]) { + G(input, output) } - #[ensures(|out| - fstar!(r#"$out == Spec.Utils.v_H $input"#)) + #[requires(output.len() == 32)] + #[ensures(|_| + fstar!(r#"Seq.length ${output}_future == Seq.length ${output} /\ + ${output}_future == Spec.Utils.v_H $input"#)) ] #[inline(always)] - fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] { - H(input) + fn H(input: &[u8], output: &mut [u8]) { + H(input, output) } #[requires(fstar!(r#"v $LEN < pow2 32"#))] - #[hax_lib::ensures(|out| + #[hax_lib::ensures(|_| // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784 - fstar!(r#"v $LEN < pow2 32 ==> $out == Spec.Utils.v_PRF $LEN $input"#)) + fstar!(r#"Seq.length ${out}_future == Seq.length ${out} /\ + (v $LEN < pow2 32 ==> ${out}_future == Spec.Utils.v_PRF $LEN $input)"#)) ] #[inline(always)] - fn PRF(input: &[u8]) -> [u8; LEN] { - PRF::(input) - } - - #[requires(fstar!(r#"v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v 
$K == 4)"#))] - #[ensures(|out| - fstar!(r#"(v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)) ==> - $out == Spec.Utils.v_PRFxN $K $LEN $input"#)) - ] + fn PRF(input: &[u8], out: &mut [u8]) { + PRF::(input, out) + } + + #[requires(fstar!(r#"let k = Seq.length $input in + ((k == 2 \/ k == 3 \/ k == 4) /\ + (4 * v $out_len < pow2 32) /\ + Seq.length $outputs == k * v $out_len)"#))] + #[ensures(|result| fstar!(r#"let k = Seq.length $input in + ((k == 2 \/ k == 3 \/ k == 4) /\ + (4 * v $out_len < pow2 32) /\ + Seq.length ${outputs}_future == Seq.length ${outputs} /\ + ${outputs}_future == Spec.Utils.v_PRFxN (sz k) $out_len $input)"#))] #[inline(always)] - fn PRFxN(input: &[[u8; 33]; K]) -> [[u8; LEN]; K] { - PRFxN::(input) + fn PRFxN(input: &[[u8; 33]], outputs: &mut [u8], out_len: usize) { + PRFxN(input, outputs, out_len) } #[inline(always)] - fn shake128_init_absorb_final(input: &[[u8; 34]; K]) -> Self { + fn shake128_init_absorb_final(input: &[[u8; 34]]) -> Self { shake128_init_absorb_final(input) } #[inline(always)] - fn shake128_squeeze_first_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] { - shake128_squeeze_first_three_blocks(self) + fn shake128_squeeze_first_three_blocks(&mut self, outputs: &mut [[u8; THREE_BLOCKS]]) { + shake128_squeeze_first_three_blocks(self, outputs); } #[inline(always)] - fn shake128_squeeze_next_block(&mut self) -> [[u8; BLOCK_SIZE]; K] { - shake128_squeeze_next_block(self) + fn shake128_squeeze_next_block(&mut self, outputs: &mut [[u8; BLOCK_SIZE]]) { + shake128_squeeze_next_block(self, outputs); } } } 
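Review bot: The `ensures` closures on the unit-returning methods are written three ways in this commit — `|_|` on `G`/`H`/`PRF` here, `|result|` on `PRFxN` and throughout the trait declaration (hunk at -24), and `|()|` in `select_ct` and the neon `PRF` — so the spec text does not read uniformly; pick one (`|_|` is the natural choice now that nothing is returned) and apply it in the trait, the portable impl and the neon impl as well. The two `shake128_squeeze_*` wrappers in this impl end in `…(self, outputs);` with a semicolon while the portable impl's equivalents return the call expression; both are unit, but the file should use one form.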
@@ -507,93 +542,97 @@ pub(crate) mod neon { shake128_state: [KeccakState; 2], } - #[hax_lib::ensures(|result| - fstar!(r#"$result == Spec.Utils.v_G $input"#)) + #[hax_lib::requires(output.len() == 64)] + #[hax_lib::ensures(|_| + fstar!(r#"Seq.length ${output}_future == Seq.length ${output} /\ + ${output}_future == Spec.Utils.v_G $input"#)) ] #[inline(always)] - fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] { - let mut digest = [0u8; G_DIGEST_SIZE]; - libcrux_sha3::neon::sha512(&mut digest, input); - digest + fn G(input: &[u8], output: &mut [u8]) { + libcrux_sha3::neon::sha512(output, input); } - #[hax_lib::ensures(|result| - fstar!(r#"$result == Spec.Utils.v_H $input"#)) + #[hax_lib::requires(output.len() == 32)] + #[hax_lib::ensures(|_| + fstar!(r#"Seq.length ${output}_future == Seq.length ${output} /\ + ${output}_future == Spec.Utils.v_H $input"#)) ] #[inline(always)] - fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] { - let mut digest = [0u8; H_DIGEST_SIZE]; - libcrux_sha3::neon::sha256(&mut digest, input); - digest + fn H(input: &[u8], output: &mut [u8]) { + libcrux_sha3::neon::sha256(output, input); } #[hax_lib::requires(fstar!(r#"v $LEN < pow2 32"#))] - #[hax_lib::ensures(|result| - fstar!(r#"$result == Spec.Utils.v_PRF $LEN $input"#)) + #[hax_lib::ensures(|()| + fstar!(r#"Seq.length ${out}_future == Seq.length ${out} /\ + ${out}_future == Spec.Utils.v_PRF $LEN $input"#)) ] #[inline(always)] - fn PRF(input: &[u8]) -> [u8; LEN] { - let mut digest = [0u8; LEN]; + fn PRF(input: &[u8], out: &mut [u8]) { + debug_assert!(out.len() == LEN); let mut dummy = [0u8; LEN]; - x2::shake256(input, input, &mut digest, &mut dummy); - digest + x2::shake256(input, input, out, &mut dummy); } - #[hax_lib::requires(fstar!(r#"v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)"#))] - #[hax_lib::ensures(|result| - fstar!(r#"$result == Spec.Utils.v_PRFxN $K $LEN $input"#)) - ] + #[hax_lib::requires(fstar!(r#"let k = Seq.length $input in + ((k == 2 \/ k == 3 \/ k == 4) /\ + (4 * v 
$out_len < pow2 32) /\ + Seq.length ${outputs} == k * v $out_len)"#))] + #[hax_lib::ensures(|result| fstar!(r#"let k = Seq.length $input in + ((k == 2 \/ k == 3 \/ k == 4) /\ + (4 * v $out_len < pow2 32) /\ + Seq.length ${outputs}_future == Seq.length ${outputs} /\ + ${outputs}_future == Spec.Utils.v_PRFxN (sz k) $out_len $input)"#))] #[inline(always)] - fn PRFxN(input: &[[u8; 33]; K]) -> [[u8; LEN]; K] { - debug_assert!(K == 2 || K == 3 || K == 4); - let mut out = [[0u8; LEN]; K]; - let mut out0 = [0u8; LEN]; - let mut out1 = [0u8; LEN]; - let mut out2 = [0u8; LEN]; - let mut out3 = [0u8; LEN]; - match K as u8 { + fn PRFxN(input: &[[u8; 33]], outputs: &mut [u8], out_len: usize) { + // XXX: The buffer sizes here are the maximum that we will + // need. PRFxN is called to fill N buffers of size + // `ETA1/2_RANDOMNESS_SIZE`. The maximum value for + // `ETA1/2_RANDOMNESS_SIZE` is in ML-KEM 512 with `ETA1 = 3` + // and `ETA1_RANDOMNESS_SIZE = ETA1 * 64`. This means, + // unfortunately, that we overallocate and oversample in the + // other cases. 
+ let mut dummy = [0u8; 3 * 64]; + + match input.len() as u8 { 2 => { - x2::shake256(&input[0], &input[1], &mut out0, &mut out1); - out[0] = out0; - out[1] = out1; + let (out0, out1) = outputs.split_at_mut(out_len); + x2::shake256(&input[0], &input[1], out0, out1); } 3 => { - x2::shake256(&input[0], &input[1], &mut out0, &mut out1); - x2::shake256(&input[2], &input[2], &mut out2, &mut out3); - out[0] = out0; - out[1] = out1; - out[2] = out2; + let (out0, rest) = outputs.split_at_mut(out_len); + let (out1, out2) = rest.split_at_mut(out_len); + x2::shake256(&input[0], &input[1], out0, out1); + x2::shake256(&input[2], &input[0], out2, &mut dummy[..out2.len()]); } 4 => { - x2::shake256(&input[0], &input[1], &mut out0, &mut out1); - x2::shake256(&input[2], &input[3], &mut out2, &mut out3); - out[0] = out0; - out[1] = out1; - out[2] = out2; - out[3] = out3; + let (out0, rest) = outputs.split_at_mut(out_len); + let (out1, rest) = rest.split_at_mut(out_len); + let (out2, out3) = rest.split_at_mut(out_len); + x2::shake256(&input[0], &input[1], out0, out1); + x2::shake256(&input[2], &input[3], out2, out3); } - _ => unreachable!("Only 2, 3, or 4 are supported for N"), + #[cfg(not(eurydice))] + _ => unreachable!("This function must only be called with N = 2, 3, 4"), + #[cfg(eurydice)] + _ => unreachable!(), } - out } #[inline(always)] - fn shake128_init_absorb_final(input: &[[u8; 34]; K]) -> Simd128Hash { - debug_assert!(K == 2 || K == 3 || K == 4); + fn shake128_init_absorb_final(input: &[[u8; 34]]) -> Simd128Hash { + debug_assert!(input.len() == 2 || input.len() == 3 || input.len() == 4); + let mut state = [x2::incremental::init(), x2::incremental::init()]; - match K as u8 { - 2 => { - x2::incremental::shake128_absorb_final(&mut state[0], &input[0], &input[1]); - } - 3 => { - x2::incremental::shake128_absorb_final(&mut state[0], &input[0], &input[1]); - x2::incremental::shake128_absorb_final(&mut state[1], &input[2], &input[2]); - } - 4 => { - 
x2::incremental::shake128_absorb_final(&mut state[0], &input[0], &input[1]); - x2::incremental::shake128_absorb_final(&mut state[1], &input[2], &input[3]); - } - _ => unreachable!("This function can only called be called with N = 2, 3, 4"), + + if input.len() == 2 { + x2::incremental::shake128_absorb_final(&mut state[0], &input[0], &input[1]); + } else if input.len() == 3 { + x2::incremental::shake128_absorb_final(&mut state[0], &input[0], &input[1]); + x2::incremental::shake128_absorb_final(&mut state[1], &input[2], &input[2]); + } else if input.len() == 4 { + x2::incremental::shake128_absorb_final(&mut state[0], &input[0], &input[1]); + x2::incremental::shake128_absorb_final(&mut state[1], &input[2], &input[3]); } Simd128Hash { 
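Review bot: `PRFxN` never checks at runtime that `outputs.len() == input.len() * out_len`, so an oversized buffer hands the whole remainder to the last `shake256` lane (`out1` for two inputs, `out3` for four, and for three `out2`, whose length then also drives the `dummy[..out2.len()]` slice) while an undersized one panics inside `split_at_mut`; `PRF` just above guards its own length with `debug_assert!(out.len() == LEN)`, and `debug_assert_eq!(outputs.len(), input.len() * out_len);` belongs at the top of `PRFxN` for the same reason. The three-input arm also relies on the fixed 192-byte `dummy` scratch being at least `out_len` long, a bound the comment explains but neither the `#[hax_lib::requires]` (which only states `4 * v $out_len < pow2 32`) nor an assertion records, so `out_len > 192` panics at the slice rather than being rejected as a precondition. Lastly, `shake128_init_absorb_final` replaced its `unreachable!` arm with an `if`/`else if` chain that has no final branch, so in release builds an unsupported `input.len()` now returns a state that absorbed nothing instead of panicking; the two squeeze functions in the next hunk follow the same pattern.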
@@ -602,171 +641,156 @@ pub(crate) mod neon { } #[inline(always)] - fn shake128_squeeze_first_three_blocks( + fn shake128_squeeze_first_three_blocks( st: &mut Simd128Hash, - ) -> [[u8; THREE_BLOCKS]; K] { - debug_assert!(K == 2 || K == 3 || K == 4); - - let mut out = [[0u8; THREE_BLOCKS]; K]; - let mut out0 = [0u8; THREE_BLOCKS]; - let mut out1 = [0u8; THREE_BLOCKS]; - let mut out2 = [0u8; THREE_BLOCKS]; - let mut out3 = [0u8; THREE_BLOCKS]; + outputs: &mut [[u8; THREE_BLOCKS]], + ) { + let len = outputs.len(); + debug_assert!(len == 2 || len == 3 || len == 4); + + let (out0, rem) = outputs.split_at_mut(1); + let (out1, rem) = rem.split_at_mut(1); + + if len == 2 { + x2::incremental::shake128_squeeze_first_three_blocks( + &mut st.shake128_state[0], + &mut out0[0], + &mut out1[0], + ); + } else if len == 3 { + let mut tmp = [0u8; THREE_BLOCKS]; + let (out2, _) = rem.split_at_mut(1); + + x2::incremental::shake128_squeeze_first_three_blocks( + &mut st.shake128_state[0], + &mut out0[0], + &mut out1[0], + ); + x2::incremental::shake128_squeeze_first_three_blocks( + &mut st.shake128_state[1], + &mut out2[0], + &mut tmp, + ); + } else if len == 4 { + let (out2, out3) = rem.split_at_mut(1); - match K as u8 { - 2 => { - x2::incremental::shake128_squeeze_first_three_blocks( - &mut st.shake128_state[0], - &mut out0, - &mut out1, - ); - out[0] = out0; - out[1] = out1; - } - 3 => { - x2::incremental::shake128_squeeze_first_three_blocks( - &mut st.shake128_state[0], - &mut out0, - &mut out1, - ); - x2::incremental::shake128_squeeze_first_three_blocks( - &mut st.shake128_state[1], - &mut out2, - &mut out3, - ); - out[0] = out0; - out[1] = out1; - out[2] = out2; - } - 4 => { - x2::incremental::shake128_squeeze_first_three_blocks( - &mut st.shake128_state[0], - &mut out0, - &mut out1, - ); - x2::incremental::shake128_squeeze_first_three_blocks( - &mut st.shake128_state[1], - &mut out2, - &mut out3, - ); - out[0] = out0; - out[1] = out1; - out[2] = out2; - out[3] = out3; - } - _ => 
unreachable!("This function can only called be called with N = 2, 3, 4"), + x2::incremental::shake128_squeeze_first_three_blocks( + &mut st.shake128_state[0], + &mut out0[0], + &mut out1[0], + ); + x2::incremental::shake128_squeeze_first_three_blocks( + &mut st.shake128_state[1], + &mut out2[0], + &mut out3[0], + ); } - out } #[inline(always)] - fn shake128_squeeze_next_block(st: &mut Simd128Hash) -> [[u8; BLOCK_SIZE]; K] { - debug_assert!(K == 2 || K == 3 || K == 4); - - let mut out = [[0u8; BLOCK_SIZE]; K]; - let mut out0 = [0u8; BLOCK_SIZE]; - let mut out1 = [0u8; BLOCK_SIZE]; - let mut out2 = [0u8; BLOCK_SIZE]; - let mut out3 = [0u8; BLOCK_SIZE]; + fn shake128_squeeze_next_block(st: &mut Simd128Hash, outputs: &mut [[u8; BLOCK_SIZE]]) { + let len = outputs.len(); + debug_assert!(len == 2 || len == 3 || len == 4); + + let (out0, rem) = outputs.split_at_mut(1); + let (out1, rem) = rem.split_at_mut(1); + + if len == 2 { + x2::incremental::shake128_squeeze_next_block( + &mut st.shake128_state[0], + &mut out0[0], + &mut out1[0], + ); + } else if len == 3 { + let mut tmp = [0u8; BLOCK_SIZE]; + let (out2, _) = rem.split_at_mut(1); + + x2::incremental::shake128_squeeze_next_block( + &mut st.shake128_state[0], + &mut out0[0], + &mut out1[0], + ); + x2::incremental::shake128_squeeze_next_block( + &mut st.shake128_state[1], + &mut out2[0], + &mut tmp, + ); + } else if len == 4 { + let (out2, out3) = rem.split_at_mut(1); - match K as u8 { - 2 => { - x2::incremental::shake128_squeeze_next_block( - &mut st.shake128_state[0], - &mut out0, - &mut out1, - ); - out[0] = out0; - out[1] = out1; - } - 3 => { - x2::incremental::shake128_squeeze_next_block( - &mut st.shake128_state[0], - &mut out0, - &mut out1, - ); - x2::incremental::shake128_squeeze_next_block( - &mut st.shake128_state[1], - &mut out2, - &mut out3, - ); - out[0] = out0; - out[1] = out1; - out[2] = out2; - } - 4 => { - x2::incremental::shake128_squeeze_next_block( - &mut st.shake128_state[0], - &mut out0, - &mut 
out1, - ); - x2::incremental::shake128_squeeze_next_block( - &mut st.shake128_state[1], - &mut out2, - &mut out3, - ); - out[0] = out0; - out[1] = out1; - out[2] = out2; - out[3] = out3; - } - _ => unreachable!("This function is only called with N = 2, 3, 4"), + x2::incremental::shake128_squeeze_next_block( + &mut st.shake128_state[0], + &mut out0[0], + &mut out1[0], + ); + x2::incremental::shake128_squeeze_next_block( + &mut st.shake128_state[1], + &mut out2[0], + &mut out3[0], + ); } - out } #[hax_lib::attributes] - impl Hash for Simd128Hash { + impl Hash for Simd128Hash { + #[requires(output.len() == 64)] #[ensures(|out| - fstar!(r#"$out == Spec.Utils.v_G $input"#)) + fstar!(r#"Seq.length ${output}_future == Seq.length ${output} /\ + ${output}_future == Spec.Utils.v_G $input"#)) ] #[inline(always)] - fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] { - G(input) + fn G(input: &[u8], output: &mut [u8]) { + G(input, output) } + #[requires(output.len() == 32)] #[ensures(|out| - fstar!(r#"$out == Spec.Utils.v_H $input"#)) + fstar!(r#"Seq.length ${output}_future == Seq.length ${output} /\ + ${output}_future == Spec.Utils.v_H $input"#)) ] #[inline(always)] - fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] { - H(input) + fn H(input: &[u8], output: &mut [u8]) { + H(input, output) } #[requires(fstar!(r#"v $LEN < pow2 32"#))] #[ensures(|out| // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784 - fstar!(r#"v $LEN < pow2 32 ==> $out == Spec.Utils.v_PRF $LEN $input"#)) + fstar!(r#"Seq.length ${out}_future == Seq.length ${out} /\ + (v $LEN < pow2 32 ==> ${out}_future == Spec.Utils.v_PRF $LEN $input)"#)) ] #[inline(always)] - fn PRF(input: &[u8]) -> [u8; LEN] { - PRF::(input) - } - - #[requires(fstar!(r#"v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 4)"#))] - #[ensures(|out| - // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784 - fstar!(r#"(v $LEN < pow2 32 /\ (v $K == 2 \/ v $K == 3 \/ v $K == 
4)) ==> - $out == Spec.Utils.v_PRFxN $K $LEN $input"#)) - ] + fn PRF(input: &[u8], out: &mut [u8]) { + PRF::(input, out) + } + + #[requires(fstar!(r#"let k = Seq.length $input in + ((k == 2 \/ k == 3 \/ k == 4) /\ + (4 * v $out_len < pow2 32) /\ + Seq.length ${outputs}_future == k * v $out_len)"#))] + #[ensures(|result| fstar!(r#"let k = Seq.length $input in + ((k == 2 \/ k == 3 \/ k == 4) /\ + (4 * v $out_len < pow2 32) /\ + Seq.length ${outputs}_future == Seq.length ${outputs} /\ + ${outputs}_future == Spec.Utils.v_PRFxN (sz k) $out_len $input)"#))] #[inline(always)] - fn PRFxN(input: &[[u8; 33]; K]) -> [[u8; LEN]; K] { - PRFxN::(input) + fn PRFxN(input: &[[u8; 33]], outputs: &mut [u8], out_len: usize) { + PRFxN(input, outputs, out_len) } #[inline(always)] - fn shake128_init_absorb_final(input: &[[u8; 34]; K]) -> Self { + fn shake128_init_absorb_final(input: &[[u8; 34]]) -> Self { shake128_init_absorb_final(input) } #[inline(always)] - fn shake128_squeeze_first_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] { - shake128_squeeze_first_three_blocks(self) + fn shake128_squeeze_first_three_blocks(&mut self, output: &mut [[u8; THREE_BLOCKS]]) { + shake128_squeeze_first_three_blocks(self, output); } #[inline(always)] - fn shake128_squeeze_next_block(&mut self) -> [[u8; BLOCK_SIZE]; K] { - shake128_squeeze_next_block(self) + fn shake128_squeeze_next_block(&mut self, output: &mut [[u8; BLOCK_SIZE]]) { + shake128_squeeze_next_block(self, output); } } } diff --git a/libcrux-ml-kem/src/ind_cca.rs b/libcrux-ml-kem/src/ind_cca.rs index a6efa4354..3aded1f0c 100644 --- a/libcrux-ml-kem/src/ind_cca.rs +++ b/libcrux-ml-kem/src/ind_cca.rs 
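Review bot: The `#[requires]` on the `Simd128Hash` `PRFxN` impl constrains `Seq.length ${outputs}_future` rather than `Seq.length $outputs`; a precondition presumably has no post-state to refer to, and both the avx2 impl and the neon free function spell this clause as `Seq.length $outputs == k * v $out_len`, so this one should read the same. The `#[ensures(|out| ...)]` closures on `G`, `H` and `PRF` in this impl still bind `out` although the methods now return `()` and the postconditions only mention `${output}_future` / `${out}_future`; the avx2 impl writes them as `|_|`, which avoids the stale binder and keeps the two impls textually parallel.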
@@ -1,12 +1,13 @@ use crate::{ constant_time_ops::compare_ciphertexts_select_shared_secret_in_constant_time, constants::{ - ranked_bytes_per_ring_element, CPA_PKE_KEY_GENERATION_SEED_SIZE, H_DIGEST_SIZE, - SHARED_SECRET_SIZE, + ranked_bytes_per_ring_element, CPA_PKE_KEY_GENERATION_SEED_SIZE, G_DIGEST_SIZE, + H_DIGEST_SIZE, SHARED_SECRET_SIZE, }, hash_functions::Hash, - ind_cpa::serialize_public_key, - serialize::deserialize_ring_elements_reduced_out, + ind_cpa::serialize_public_key_mut, + polynomial::PolynomialRingElement, + serialize::deserialize_ring_elements_reduced, types::*, utils::into_padded_array, variant::*, @@ -41,7 +42,6 @@ pub(crate) mod instantiations; pub(crate) mod incremental; /// Serialize the secret key. - #[inline(always)] #[hax_lib::fstar::options("--z3rlimit 150")] #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ @@ -53,11 +53,7 @@ pub(crate) mod incremental; Seq.append $public_key ( Seq.append (Spec.Utils.v_H $public_key) $implicit_rejection_value))"#))] -fn serialize_kem_secret_key_mut< - const K: usize, - const SERIALIZED_KEY_LEN: usize, - Hasher: Hash, ->( +fn serialize_kem_secret_key_mut( private_key: &[u8], public_key: &[u8], implicit_rejection_value: &[u8], @@ -68,7 +64,10 @@ fn serialize_kem_secret_key_mut< pointer += private_key.len(); serialized[pointer..pointer + public_key.len()].copy_from_slice(public_key); pointer += public_key.len(); - serialized[pointer..pointer + H_DIGEST_SIZE].copy_from_slice(&Hasher::H(public_key)); + Hasher::H( + public_key, + &mut serialized[pointer..pointer + H_DIGEST_SIZE], + ); pointer += H_DIGEST_SIZE; serialized[pointer..pointer + implicit_rejection_value.len()] .copy_from_slice(implicit_rejection_value); 
@@ -83,7 +82,7 @@ fn serialize_kem_secret_key_mut< (v #usize_inttype (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K +! Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K +! Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE)) - `Seq.equal` Libcrux_ml_kem.Hash_functions.f_H #$:Hasher #$K $public_key); + `Seq.equal` Spec.Utils.v_H $public_key); assert (Seq.slice serialized (v #usize_inttype (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K +! Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K +! Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE)) @@ -92,37 +91,10 @@ fn serialize_kem_secret_key_mut< Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE +! Spec.MLKEM.v_SHARED_SECRET_SIZE)) == $implicit_rejection_value); - lemma_slice_append_4 serialized $private_key $public_key (Libcrux_ml_kem.Hash_functions.f_H #$:Hasher #$K $public_key) $implicit_rejection_value" + lemma_slice_append_4 serialized $private_key $public_key (Spec.Utils.v_H $public_key) $implicit_rejection_value" ); } -#[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 150")] -#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ - $SERIALIZED_KEY_LEN == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\ - ${private_key.len()} == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\ - ${public_key.len()} == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\ - ${implicit_rejection_value.len()} == Spec.MLKEM.v_SHARED_SECRET_SIZE"#))] -#[hax_lib::ensures(|result| fstar!(r#"$result == Seq.append $private_key ( - Seq.append $public_key ( - Seq.append (Spec.Utils.v_H $public_key) - $implicit_rejection_value))"#))] -fn serialize_kem_secret_key>( - private_key: &[u8], - public_key: &[u8], - implicit_rejection_value: &[u8], -) -> [u8; SERIALIZED_KEY_LEN] { - let mut out = [0u8; SERIALIZED_KEY_LEN]; - - serialize_kem_secret_key_mut::( - private_key, - public_key, - implicit_rejection_value, - &mut out, - ); - out -} - /// Validate an ML-KEM public key. /// /// This implements the Modulus check in 7.2 2. 
@@ -138,12 +110,19 @@ pub(crate) fn validate_public_key< >( public_key: &[u8; PUBLIC_KEY_SIZE], ) -> bool { - let deserialized_pk = deserialize_ring_elements_reduced_out::( + let mut deserialized_pk: [PolynomialRingElement; K] = + core::array::from_fn(|_i| PolynomialRingElement::::ZERO()); + deserialize_ring_elements_reduced::( &public_key[..ranked_bytes_per_ring_element(K)], + &mut deserialized_pk, ); - let public_key_serialized = serialize_public_key::( + let mut public_key_serialized = [0u8; PUBLIC_KEY_SIZE]; + let mut scratch = Vector::ZERO(); + serialize_public_key_mut::( &deserialized_pk, &public_key[ranked_bytes_per_ring_element(K)..], + &mut public_key_serialized, + &mut scratch, ); *public_key == public_key_serialized @@ -163,7 +142,7 @@ pub(crate) fn validate_private_key< const K: usize, const SECRET_KEY_SIZE: usize, const CIPHERTEXT_SIZE: usize, - Hasher: Hash, + Hasher: Hash, >( private_key: &MlKemPrivateKey, _ciphertext: &MlKemCiphertext, @@ -181,14 +160,14 @@ pub(crate) fn validate_private_key< pub(crate) fn validate_private_key_only< const K: usize, const SECRET_KEY_SIZE: usize, - Hasher: Hash, + Hasher: Hash, >( private_key: &MlKemPrivateKey, ) -> bool { // Eurydice can't access values directly on the types. We need to go to the // `value` directly. - - let t = Hasher::H(&private_key.value[384 * K..768 * K + 32]); + let mut t = [0u8; H_DIGEST_SIZE]; + Hasher::H(&private_key.value[384 * K..768 * K + 32], &mut t); let expected = &private_key.value[768 * K + 32..768 * K + 64]; t == expected } @@ -211,13 +190,15 @@ pub(crate) fn validate_private_key_only< #[inline(always)] pub(crate) fn generate_keypair< const K: usize, + const K_SQUARED: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, Vector: Operations, - Hasher: Hash, + Hasher: Hash, Scheme: Variant, >( randomness: &[u8; KEY_GENERATION_SEED_SIZE], 
@@ -225,21 +206,33 @@ pub(crate) fn generate_keypair< let ind_cpa_keypair_randomness = &randomness[0..CPA_PKE_KEY_GENERATION_SEED_SIZE]; let implicit_rejection_value = &randomness[CPA_PKE_KEY_GENERATION_SEED_SIZE..]; - let (ind_cpa_private_key, public_key) = crate::ind_cpa::generate_keypair::< + let mut ind_cpa_private_key = [0u8; CPA_PRIVATE_KEY_SIZE]; + let mut public_key = [0u8; PUBLIC_KEY_SIZE]; + let mut scratch = PolynomialRingElement::::ZERO(); + crate::ind_cpa::generate_keypair::< K, + K_SQUARED, CPA_PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, Vector, Hasher, Scheme, - >(ind_cpa_keypair_randomness); + >( + ind_cpa_keypair_randomness, + &mut ind_cpa_private_key, + &mut public_key, + &mut scratch, + ); - let secret_key_serialized = serialize_kem_secret_key::( + let mut secret_key_serialized = [0u8; PRIVATE_KEY_SIZE]; + serialize_kem_secret_key_mut::( &ind_cpa_private_key, &public_key, implicit_rejection_value, + &mut secret_key_serialized, ); let private_key: MlKemPrivateKey = MlKemPrivateKey::from(secret_key_serialized); @@ -266,6 +259,7 @@ pub(crate) fn generate_keypair< #[inline(always)] pub(crate) fn encapsulate< const K: usize, + const K_SQUARED: usize, const CIPHERTEXT_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const T_AS_NTT_ENCODED_SIZE: usize, 
@@ -278,29 +272,39 @@ pub(crate) fn encapsulate< const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, Vector: Operations, - Hasher: Hash, + Hasher: Hash, Scheme: Variant, >( public_key: &MlKemPublicKey, randomness: &[u8; SHARED_SECRET_SIZE], ) -> (MlKemCiphertext, MlKemSharedSecret) { - let randomness = Scheme::entropy_preprocess::(randomness); - let mut to_hash: [u8; 2 * H_DIGEST_SIZE] = into_padded_array(&randomness); + let mut processed_randomness = [0u8; 32]; + Scheme::entropy_preprocess::(randomness, &mut processed_randomness); + let mut to_hash: [u8; 2 * H_DIGEST_SIZE] = into_padded_array(&processed_randomness); hax_lib::fstar!(r#"eq_intro (Seq.slice $to_hash 0 32) $randomness"#); - to_hash[H_DIGEST_SIZE..].copy_from_slice(&Hasher::H(public_key.as_slice())); + Hasher::H(public_key.as_slice(), &mut to_hash[H_DIGEST_SIZE..]); hax_lib::fstar!( "assert (Seq.slice to_hash 0 (v $H_DIGEST_SIZE) == $randomness); lemma_slice_append $to_hash $randomness (Spec.Utils.v_H ${public_key}.f_value); assert ($to_hash == concat $randomness (Spec.Utils.v_H ${public_key}.f_value))" ); - let hashed = Hasher::G(&to_hash); + let mut hashed = [0u8; G_DIGEST_SIZE]; + Hasher::G(&to_hash, &mut hashed); let (shared_secret, pseudorandomness) = hashed.split_at(SHARED_SECRET_SIZE); - let ciphertext = crate::ind_cpa::encrypt::< + let mut ciphertext = MlKemCiphertext::default(); + let mut r_as_ntt: [PolynomialRingElement; K] = + core::array::from_fn(|_i| PolynomialRingElement::::ZERO()); + let mut error_2 = PolynomialRingElement::::ZERO(); + let mut scratch = PolynomialRingElement::::ZERO(); + crate::ind_cpa::encrypt::< K, + K_SQUARED, CIPHERTEXT_SIZE, T_AS_NTT_ENCODED_SIZE, C1_SIZE, 
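Review bot: `to_hash` is now built from `processed_randomness`, but the proof hints that follow still name the original argument: `eq_intro (Seq.slice $to_hash 0 32) $randomness`, `assert (Seq.slice to_hash 0 (v $H_DIGEST_SIZE) == $randomness)` and `lemma_slice_append $to_hash $randomness ...`; before this change `randomness` was shadowed by the preprocessed value, so `$randomness` meant the processed bytes, and unless `entropy_preprocess` is specified as the identity these hints should refer to `$processed_randomness`. `let mut processed_randomness = [0u8; 32];` also hard-codes a size the parameter spells as `SHARED_SECRET_SIZE`; the same literal appears for `shared_secret_array` in the next encapsulate hunk and for `decrypted` and the final `shared_secret` in the decapsulate hunks, and `[0u8; SHARED_SECRET_SIZE]` would keep all of them tied to the one constant that the neighbouring `[0u8; SHARED_SECRET_SIZE]` buffers already use.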
@@ -312,14 +316,27 @@ pub(crate) fn encapsulate< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, Vector, Hasher, - >(public_key.as_slice(), &randomness, pseudorandomness); + >( + public_key.as_slice(), + &processed_randomness, + pseudorandomness, + &mut ciphertext.value, + &mut r_as_ntt, + &mut error_2, + &mut scratch, + ); - ( - MlKemCiphertext::from(ciphertext), - Scheme::kdf::(shared_secret, &ciphertext), - ) + let mut shared_secret_array = [0u8; 32]; + Scheme::kdf::( + shared_secret, + &ciphertext.value, + &mut shared_secret_array, + ); + (ciphertext, shared_secret_array) } /// This code verifies on some machines, runs out of memory on others @@ -346,6 +363,7 @@ pub(crate) fn encapsulate< #[inline(always)] pub(crate) fn decapsulate< const K: usize, + const K_SQUARED: usize, const SECRET_KEY_SIZE: usize, const CPA_SECRET_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, @@ -360,9 +378,11 @@ pub(crate) fn decapsulate< const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize, Vector: Operations, - Hasher: Hash, + Hasher: Hash, Scheme: Variant, >( private_key: &MlKemPrivateKey, 
@@ -382,14 +402,22 @@ pub(crate) fn decapsulate< assert ($implicit_rejection_value == slice ${private_key}.f_value ($CPA_SECRET_KEY_SIZE +! $PUBLIC_KEY_SIZE +! Spec.MLKEM.v_H_DIGEST_SIZE) (length ${private_key}.f_value))"# ); - let decrypted = crate::ind_cpa::decrypt::< + let mut decrypted = [0u8; 32]; + let mut scratch = PolynomialRingElement::::ZERO(); + + crate::ind_cpa::decrypt::< K, CIPHERTEXT_SIZE, C1_SIZE, VECTOR_U_COMPRESSION_FACTOR, VECTOR_V_COMPRESSION_FACTOR, Vector, - >(ind_cpa_secret_key, &ciphertext.value); + >( + ind_cpa_secret_key, + &ciphertext.value, + &mut decrypted, + &mut scratch, + ); let mut to_hash: [u8; SHARED_SECRET_SIZE + H_DIGEST_SIZE] = into_padded_array(&decrypted); hax_lib::fstar!(r#"eq_intro (Seq.slice $to_hash 0 32) $decrypted"#); @@ -400,7 +428,8 @@ pub(crate) fn decapsulate< assert ($decrypted == Spec.MLKEM.ind_cpa_decrypt $K $ind_cpa_secret_key ${ciphertext}.f_value); assert ($to_hash == concat $decrypted $ind_cpa_public_key_hash)"# ); - let hashed = Hasher::G(&to_hash); + let mut hashed = [0u8; G_DIGEST_SIZE]; + Hasher::G(&to_hash, &mut hashed); let (shared_secret, pseudorandomness) = hashed.split_at(SHARED_SECRET_SIZE); hax_lib::fstar!( 
@@ -416,17 +445,22 @@ pub(crate) fn decapsulate< hax_lib::fstar!( "assert_norm (pow2 32 == 0x100000000); assert (v (sz 32) < pow2 32); - assert (i1.f_PRF_pre (sz 32) $to_hash); lemma_slice_append $to_hash $implicit_rejection_value ${ciphertext}.f_value" ); - let implicit_rejection_shared_secret: [u8; SHARED_SECRET_SIZE] = Hasher::PRF(&to_hash); + let mut implicit_rejection_shared_secret = [0u8; SHARED_SECRET_SIZE]; + Hasher::PRF::(&to_hash, &mut implicit_rejection_shared_secret); hax_lib::fstar!( "assert ($implicit_rejection_shared_secret == Spec.Utils.v_PRF (sz 32) $to_hash); assert (Seq.length $ind_cpa_public_key == v $PUBLIC_KEY_SIZE)" ); - let expected_ciphertext = crate::ind_cpa::encrypt::< + let mut expected_ciphertext = [0u8; CIPHERTEXT_SIZE]; + let mut r_as_ntt: [PolynomialRingElement; K] = + core::array::from_fn(|_i| PolynomialRingElement::::ZERO()); + let mut error_2 = PolynomialRingElement::::ZERO(); + crate::ind_cpa::encrypt::< K, + K_SQUARED, CIPHERTEXT_SIZE, T_AS_NTT_ENCODED_SIZE, C1_SIZE, 
@@ -438,23 +472,42 @@ pub(crate) fn decapsulate< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, Vector, Hasher, - >(ind_cpa_public_key, &decrypted, pseudorandomness); + >( + ind_cpa_public_key, + &decrypted, + pseudorandomness, + &mut expected_ciphertext, + &mut r_as_ntt, + &mut error_2, + &mut scratch, + ); - let implicit_rejection_shared_secret = Scheme::kdf::( + let mut implicit_rejection_shared_secret_kdf = [0u8; SHARED_SECRET_SIZE]; + Scheme::kdf::( &implicit_rejection_shared_secret, - ciphertext.as_slice(), + &ciphertext.value, + &mut implicit_rejection_shared_secret_kdf, + ); + let mut shared_secret_kdf = [0u8; SHARED_SECRET_SIZE]; + Scheme::kdf::( + shared_secret, + &ciphertext.value, + &mut shared_secret_kdf, ); - let shared_secret = - Scheme::kdf::(shared_secret, ciphertext.as_slice()); + let mut shared_secret = [0u8; 32]; compare_ciphertexts_select_shared_secret_in_constant_time( ciphertext.as_ref(), &expected_ciphertext, - &shared_secret, - &implicit_rejection_shared_secret, - ) + &shared_secret_kdf, + &implicit_rejection_shared_secret_kdf, + &mut shared_secret, + ); + shared_secret } /// Types for the unpacked API. @@ -468,7 +521,7 @@ pub(crate) mod unpacked { }, hash_functions::portable::PortableHash, ind_cpa::{self, generate_keypair_unpacked, serialize_public_key_mut, unpacked::*}, - matrix::sample_matrix_A, + matrix::{self, sample_matrix_A}, polynomial::PolynomialRingElement, serialize::deserialize_ring_elements_reduced, vector::traits::Operations, 
@@ -482,20 +535,21 @@ pub(crate) mod unpacked { /// An unpacked ML-KEM IND-CCA Private Key #[derive(Clone)] - pub struct MlKemPublicKeyUnpacked { - pub(crate) ind_cpa_public_key: IndCpaPublicKeyUnpacked, + pub struct MlKemPublicKeyUnpacked { + pub(crate) ind_cpa_public_key: IndCpaPublicKeyUnpacked, pub(crate) public_key_hash: [u8; 32], } /// An unpacked ML-KEM KeyPair - pub struct MlKemKeyPairUnpacked { + pub struct MlKemKeyPairUnpacked { pub private_key: MlKemPrivateKeyUnpacked, - pub public_key: MlKemPublicKeyUnpacked, + pub public_key: MlKemPublicKeyUnpacked, } /// Generate an unpacked key from a serialized key. #[hax_lib::requires( fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED = v $K * v $K /\ $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\ $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K"#) )] @@ -511,13 +565,14 @@ pub(crate) mod unpacked { #[inline(always)] pub(crate) fn unpack_public_key< const K: usize, + const K_SQUARED: usize, const T_AS_NTT_ENCODED_SIZE: usize, const PUBLIC_KEY_SIZE: usize, - Hasher: Hash, + Hasher: Hash, Vector: Operations, >( public_key: &MlKemPublicKey, - unpacked_public_key: &mut MlKemPublicKeyUnpacked, + unpacked_public_key: &mut MlKemPublicKeyUnpacked, ) { deserialize_ring_elements_reduced::( &public_key.value[..T_AS_NTT_ENCODED_SIZE], @@ -535,11 +590,16 @@ pub(crate) mod unpacked { &into_padded_array(&public_key.value[T_AS_NTT_ENCODED_SIZE..]), false, ); - unpacked_public_key.public_key_hash = Hasher::H(public_key.as_slice()); + Hasher::H( + public_key.as_slice(), + &mut unpacked_public_key.public_key_hash, + ); } #[hax_lib::attributes] - impl MlKemPublicKeyUnpacked { + impl + MlKemPublicKeyUnpacked + { /// Get the serialized public key. #[inline(always)] #[requires(fstar!(r#"let ${self_} = self in 
@@ -560,10 +620,12 @@ pub(crate) mod unpacked { &self, serialized: &mut MlKemPublicKey, ) { + let mut scratch = Vector::ZERO(); serialize_public_key_mut::( &self.ind_cpa_public_key.t_as_ntt, &self.ind_cpa_public_key.seed_for_A, &mut serialized.value, + &mut scratch, ); } @@ -583,14 +645,21 @@ pub(crate) mod unpacked { ${self_.ind_cpa_public_key.seed_for_A})"#) )] pub fn serialized(&self) -> MlKemPublicKey { - MlKemPublicKey::from(serialize_public_key::( + let mut public_key = [0u8; PUBLIC_KEY_SIZE]; + let mut scratch = Vector::ZERO(); + serialize_public_key_mut::( &self.ind_cpa_public_key.t_as_ntt, &self.ind_cpa_public_key.seed_for_A, - )) + &mut public_key, + &mut scratch, + ); + MlKemPublicKey::from(public_key) } } - impl Default for MlKemPublicKeyUnpacked { + impl Default + for MlKemPublicKeyUnpacked + { #[inline(always)] fn default() -> Self { Self { @@ -609,6 +678,7 @@ pub(crate) mod unpacked { v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K"#))] pub fn keys_from_private_key< const K: usize, + const K_SQUARED: usize, const SECRET_KEY_SIZE: usize, const CPA_SECRET_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, @@ -616,7 +686,7 @@ pub(crate) mod unpacked { Vector: Operations, >( private_key: &MlKemPrivateKey, - key_pair: &mut MlKemKeyPairUnpacked, + key_pair: &mut MlKemKeyPairUnpacked, ) { let ( ind_cpa_secret_key, @@ -629,7 +699,13 @@ pub(crate) mod unpacked { ind_cpa_secret_key, &mut key_pair.private_key.ind_cpa_private_key.secret_as_ntt, ); - ind_cpa::build_unpacked_public_key_mut::>( + ind_cpa::build_unpacked_public_key_mut::< + K, + K_SQUARED, + T_AS_NTT_ENCODED_SIZE, + Vector, + PortableHash, + >( ind_cpa_public_key, &mut key_pair.public_key.ind_cpa_public_key, ); @@ -649,7 +725,9 @@ pub(crate) mod unpacked { } #[hax_lib::attributes] - impl MlKemKeyPairUnpacked { + impl + MlKemKeyPairUnpacked + { /// Create a new empty unpacked key pair. #[inline(always)] pub fn new() -> Self { 
@@ -674,6 +752,7 @@ pub(crate) mod unpacked { let mut out = Self::default(); keys_from_private_key::< K, + K_SQUARED, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, PUBLIC_KEY_SIZE, @@ -730,7 +809,7 @@ pub(crate) mod unpacked { /// Get the serialized public key. #[inline(always)] - pub fn public_key(&self) -> &MlKemPublicKeyUnpacked { + pub fn public_key(&self) -> &MlKemPublicKeyUnpacked { &self.public_key } @@ -754,17 +833,24 @@ pub(crate) mod unpacked { &self, serialized: &mut MlKemPrivateKey, ) { - let (ind_cpa_private_key, ind_cpa_public_key) = ind_cpa::serialize_unpacked_secret_key::< + let mut ind_cpa_private_key = [0u8; CPA_PRIVATE_KEY_SIZE]; + let mut ind_cpa_public_key = [0u8; PUBLIC_KEY_SIZE]; + let mut scratch = Vector::ZERO(); + ind_cpa::serialize_unpacked_secret_key::< K, + K_SQUARED, CPA_PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, Vector, >( &self.public_key.ind_cpa_public_key, &self.private_key.ind_cpa_private_key, + &mut ind_cpa_private_key, + &mut ind_cpa_public_key, + &mut scratch, ); - serialize_kem_secret_key_mut::>( + serialize_kem_secret_key_mut::( &ind_cpa_private_key, &ind_cpa_public_key, &self.private_key.implicit_rejection_value, @@ -791,7 +877,9 @@ pub(crate) mod unpacked { } } - impl Default for MlKemKeyPairUnpacked { + impl Default + for MlKemKeyPairUnpacked + { #[inline(always)] fn default() -> Self { Self { 
@@ -804,17 +892,23 @@ pub(crate) mod unpacked { } } + // TODO #[hax_lib::fstar::options("--z3rlimit 200")] #[hax_lib::fstar::before(r#"[@ "opaque_to_smt"]"#)] + #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ + Seq.length ind_cpa_a == v $K_SQUARED"#))] #[hax_lib::ensures(|result| fstar!(r#"forall (i: nat). i < v $K ==> (forall (j: nat). j < v $K ==> - Seq.index (Seq.index $result i) j == - Seq.index (Seq.index $ind_cpa_a j) i)"#)) + Seq.index $result (i * v $K + j) == + Seq.index $ind_cpa_a (j * v $K + i))"#)) ] - fn transpose_a( - ind_cpa_a: [[PolynomialRingElement; K]; K], - ) -> [[PolynomialRingElement; K]; K] { + #[inline(always)] + fn transpose_a( + ind_cpa_a: &[PolynomialRingElement], + ) -> [PolynomialRingElement; K_SQUARED] { + debug_assert!(ind_cpa_a.len() == K_SQUARED); // We need to un-transpose the A_transpose matrix provided by IND-CPA // We would like to write the following but it is not supported by Eurydice yet. // https://github.com/AeneasVerif/eurydice/issues/39 
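Review bot: The bare `// TODO` added above `#[hax_lib::fstar::options("--z3rlimit 200")]` says nothing about what is pending, and markers like that tend to outlive their reason. Replace it with `// TODO: <what is outstanding>, see <issue>` or drop it. Separately, the F* precondition now asserts `Seq.length ind_cpa_a == v $K_SQUARED` while the Rust side only `debug_assert!`s it, so in release builds a short slice surfaces as an index panic inside `matrix::entry`; that is acceptable, but a comment beside the `debug_assert!` saying the length is enforced by the `requires` clause and by bounds checks would make the contract explicit. The function body continues in the next hunk.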
@@ -824,28 +918,28 @@ pub(crate) mod unpacked { // }); #[allow(non_snake_case)] - let mut A = from_fn(|_i| from_fn(|_j| PolynomialRingElement::::ZERO())); + let mut A = from_fn(|_i| PolynomialRingElement::::ZERO()); for i in 0..K { hax_lib::loop_invariant!(|i: usize| { fstar!( r#"forall (j: nat). j < v $i ==> (forall (k: nat). k < v $K ==> - Seq.index (Seq.index $A j) k == - Seq.index (Seq.index $ind_cpa_a k) j)"# + Seq.index $A (j * v $K + k) == + Seq.index $ind_cpa_a (k * v $K + j))"# ) }); - let _a_i = A; + #[cfg(hax)] + let _a_i = A.clone(); for j in 0..K { hax_lib::loop_invariant!(|j: usize| { fstar!( - r#"(forall (k: nat). k < v $i ==> - Seq.index $A k == Seq.index $_a_i k) /\ - (forall (k: nat). k < v $j ==> - Seq.index (Seq.index $A (v $i)) k == - Seq.index (Seq.index $ind_cpa_a k) (v $i))"# + r#"(forall (k: nat). k < v $j ==> + Seq.index $A (v $i * v $K + k) == + Seq.index $ind_cpa_a (k * v $K + v $i))"# ) }); - A[i][j] = ind_cpa_a[j][i].clone(); + // XXX: Making the clone explicit, since we would like to drop `Vector: Copy` in the future. + A[i * K + j] = matrix::entry::(ind_cpa_a, j, i).clone(); } } A @@ -855,6 +949,7 @@ pub(crate) mod unpacked { #[inline(always)] #[hax_lib::fstar::options("--z3rlimit 300 --ext context_pruning --split_queries always")] #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\ $ETA1 == Spec.MLKEM.v_ETA1 $K /\ $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K"#))] 
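Review bot: The `#[cfg(hax)] let _a_i = A.clone();` snapshot looks dead: the inner loop invariant no longer carries the `Seq.index $A k == Seq.index $_a_i k` frame conjunct the old one had, and the outer invariant never referred to `_a_i`. If the proof still goes through without a frame condition on rows `< i`, the clone can be removed; if it was needed and the proof now relies on the solver reconstructing the frame from the `i * K + j` write index, restoring it explicitly, e.g. `(forall (k: nat). k < v $i * v $K ==> Seq.index $A k == Seq.index $_a_i k) /\`, is the clearer option. A cfg-gated clone of a K²-element array that nothing references is confusing either way.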
@@ -868,29 +963,41 @@ pub(crate) mod unpacked { ] pub(crate) fn generate_keypair< const K: usize, + const K_SQUARED: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, Vector: Operations, - Hasher: Hash, + Hasher: Hash, Scheme: Variant, >( randomness: [u8; KEY_GENERATION_SEED_SIZE], - out: &mut MlKemKeyPairUnpacked, + out: &mut MlKemKeyPairUnpacked, ) { let ind_cpa_keypair_randomness = &randomness[0..CPA_PKE_KEY_GENERATION_SEED_SIZE]; let implicit_rejection_value = &randomness[CPA_PKE_KEY_GENERATION_SEED_SIZE..]; - - generate_keypair_unpacked::( + let mut scratch = PolynomialRingElement::::ZERO(); + generate_keypair_unpacked::< + K, + K_SQUARED, + ETA1, + ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + Vector, + Hasher, + Scheme, + >( ind_cpa_keypair_randomness, &mut out.private_key.ind_cpa_private_key, &mut out.public_key.ind_cpa_public_key, + &mut scratch, ); #[allow(non_snake_case)] - let A = transpose_a::(out.public_key.ind_cpa_public_key.A); + let A = transpose_a::(&out.public_key.ind_cpa_public_key.A); hax_lib::fstar!( r#"let (ind_cpa_keypair_randomness, _) = split $randomness Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE in let ((((_, _), matrix_A_as_ntt), _), sufficient_randomness) = 
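Review bot: `transpose_a` now returns a fresh `[PolynomialRingElement; K_SQUARED]` by value that the following hunk moves back into `out.public_key.ind_cpa_public_key.A`, so keygen clones every entry of A once and carries a second full matrix on the stack. Since A is square, an in-place transpose that swaps entries `(i, j)` and `(j, i)` for `j > i` needs no temporary and no clones, provided the Eurydice restriction mentioned in the `transpose_a` comment does not rule it out. The `scratch` polynomial passed to `generate_keypair_unpacked` presumably receives secret intermediate coefficients and is left as-is on return; a comment at its declaration stating what it holds would help.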
@@ -913,17 +1020,22 @@ pub(crate) mod unpacked { ); out.public_key.ind_cpa_public_key.A = A; - let pk_serialized = serialize_public_key::( + let mut pk_serialized = [0u8; PUBLIC_KEY_SIZE]; + let mut scratch = Vector::ZERO(); + serialize_public_key_mut::( &out.public_key.ind_cpa_public_key.t_as_ntt, &out.public_key.ind_cpa_public_key.seed_for_A, + &mut pk_serialized, + &mut scratch, ); - out.public_key.public_key_hash = Hasher::H(&pk_serialized); + Hasher::H(&pk_serialized, &mut out.public_key.public_key_hash); out.private_key.implicit_rejection_value = implicit_rejection_value.try_into().unwrap(); } // Encapsulate with Unpacked Public Key #[inline(always)] #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ $ETA1 == Spec.MLKEM.v_ETA1 $K /\ $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\ $ETA2 == Spec.MLKEM.v_ETA2 $K /\ @@ -945,6 +1057,7 @@ pub(crate) mod unpacked { ] pub(crate) fn encapsulate< const K: usize, + const K_SQUARED: usize, const CIPHERTEXT_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const T_AS_NTT_ENCODED_SIZE: usize, 
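Review bot: `implicit_rejection_value.try_into().unwrap()` reads as a panic path even though it cannot fail: `randomness` is a fixed `[u8; KEY_GENERATION_SEED_SIZE]` and the slice is its tail from `CPA_PKE_KEY_GENERATION_SEED_SIZE`. `out.private_key.implicit_rejection_value.copy_from_slice(implicit_rejection_value);` expresses the same length invariant without an `unwrap`, and matches the out-parameter style the rest of the hunk now uses (`Hasher::H(&pk_serialized, &mut out.public_key.public_key_hash)`).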
@@ -957,17 +1070,25 @@ pub(crate) mod unpacked { const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, Vector: Operations, - Hasher: Hash, + Hasher: Hash, >( - public_key: &MlKemPublicKeyUnpacked, + public_key: &MlKemPublicKeyUnpacked, randomness: &[u8; SHARED_SECRET_SIZE], ) -> (MlKemCiphertext, MlKemSharedSecret) { let hashed = encaps_prepare::(randomness, &public_key.public_key_hash); let (shared_secret, pseudorandomness) = hashed.split_at(SHARED_SECRET_SIZE); - let ciphertext = ind_cpa::encrypt_unpacked::< + let mut ciphertext = [0u8; CIPHERTEXT_SIZE]; + let mut r_as_ntt: [PolynomialRingElement; K] = + from_fn(|_i| PolynomialRingElement::::ZERO()); + let mut error_2 = PolynomialRingElement::::ZERO(); + let mut scratch = PolynomialRingElement::::ZERO(); + ind_cpa::encrypt_unpacked::< K, + K_SQUARED, CIPHERTEXT_SIZE, T_AS_NTT_ENCODED_SIZE, C1_SIZE, @@ -979,12 +1100,18 @@ pub(crate) mod unpacked { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, Vector, Hasher, >( &public_key.ind_cpa_public_key, - &randomness, + randomness, pseudorandomness, + &mut ciphertext, + &mut r_as_ntt, + &mut error_2, + &mut scratch, ); let mut shared_secret_array = [0u8; SHARED_SECRET_SIZE]; shared_secret_array.copy_from_slice(shared_secret); @@ -993,7 +1120,7 @@ pub(crate) mod unpacked { #[hax_lib::requires(randomness.len() == 32 && pk_hash.len() == 32)] #[hax_lib::ensures(|result| fstar!("result == Spec.Utils.v_G (concat randomness pk_hash)"))] - pub(crate) fn encaps_prepare>( + pub(crate) fn encaps_prepare( randomness: &[u8], pk_hash: &[u8], ) -> [u8; 64] { 
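Review bot: `r_as_ntt`, `error_2` and `scratch` exist in `encapsulate` only so that `encrypt_unpacked` has somewhere to write; the KEM layer never reads them, yet they hold the encapsulation's secret vectors after the call. A comment at the declarations, e.g. `// Out-buffers required by encrypt_unpacked; unused by the KEM layer and left uncleared.`, tells the next reader why they are here, and if the crate clears secret intermediates anywhere these are candidates. `encapsulate`'s body and its shared-secret return continue past the hunk.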
@@ -1007,14 +1134,16 @@ pub(crate) mod unpacked { "eq_intro $to_hash ( concat $randomness $pk_hash)" ); - - Hasher::G(&to_hash) + let mut output = [0u8; G_DIGEST_SIZE]; + Hasher::G(&to_hash, &mut output); + output } // Decapsulate with Unpacked Private Key #[inline(always)] #[hax_lib::fstar::options("--z3rlimit 200 --ext context_pruning")] #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ $ETA1 == Spec.MLKEM.v_ETA1 $K /\ $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\ $ETA2 == Spec.MLKEM.v_ETA2 $K /\ @@ -1037,6 +1166,7 @@ pub(crate) mod unpacked { ] pub(crate) fn decapsulate< const K: usize, + const K_SQUARED: usize, const SECRET_KEY_SIZE: usize, const CPA_SECRET_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, @@ -1051,11 +1181,13 @@ pub(crate) mod unpacked { const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize, Vector: Operations, - Hasher: Hash, + Hasher: Hash, >( - key_pair: &MlKemKeyPairUnpacked, + key_pair: &MlKemKeyPairUnpacked, ciphertext: &MlKemCiphertext, ) -> MlKemSharedSecret { hax_lib::fstar!( 
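Review bot: `encaps_prepare` keeps the literal return type `[u8; 64]` while the new body sizes its buffer with `G_DIGEST_SIZE`; the two must agree for this to compile, so the literal is a latent inconsistency rather than a bug today. Prefer `-> [u8; G_DIGEST_SIZE]` so a change to the digest constant cannot leave the signature behind; `decapsulate` below already uses the named constant for its `hashed` buffer, which makes the literal here stand out.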
@@ -1065,14 +1197,23 @@ pub(crate) mod unpacked { assert (v (Spec.MLKEM.v_C1_BLOCK_SIZE $K) == 32 * v (Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K)); assert (v (Spec.MLKEM.v_C2_SIZE $K) == 32 * v (Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K))"# ); - let decrypted = ind_cpa::decrypt_unpacked::< + let mut decrypted = [0u8; SHARED_SECRET_SIZE]; + + let mut scratch = PolynomialRingElement::::ZERO(); + + ind_cpa::decrypt_unpacked::< K, CIPHERTEXT_SIZE, C1_SIZE, VECTOR_U_COMPRESSION_FACTOR, VECTOR_V_COMPRESSION_FACTOR, Vector, - >(&key_pair.private_key.ind_cpa_private_key, &ciphertext.value); + >( + &key_pair.private_key.ind_cpa_private_key, + &ciphertext.value, + &mut decrypted, + &mut scratch, + ); let mut to_hash: [u8; SHARED_SECRET_SIZE + H_DIGEST_SIZE] = into_padded_array(&decrypted); hax_lib::fstar!(r#"eq_intro (Seq.slice $to_hash 0 32) $decrypted"#); @@ -1081,7 +1222,8 @@ pub(crate) mod unpacked { r#"lemma_slice_append $to_hash $decrypted ${key_pair}.f_public_key.f_public_key_hash"# ); - let hashed = Hasher::G(&to_hash); + let mut hashed = [0u8; G_DIGEST_SIZE]; + Hasher::G(&to_hash, &mut hashed); let (shared_secret, pseudorandomness) = hashed.split_at(SHARED_SECRET_SIZE); let mut to_hash: [u8; IMPLICIT_REJECTION_HASH_INPUT_SIZE] = 
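Review bot: The `scratch` polynomial declared here after `decrypted` is reused by the re-encryption in the next hunk, roughly thirty lines down, which is easy to miss given the blank lines around the declaration. A comment such as `// Shared scratch polynomial for decrypt_unpacked and the re-encryption below.` would make the lifetime obvious, and the stray blank lines around `let mut scratch` can go. `decapsulate` begins above this hunk.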
@@ -1094,10 +1236,16 @@ pub(crate) mod unpacked { hax_lib::fstar!( "lemma_slice_append $to_hash ${key_pair}.f_private_key.f_implicit_rejection_value ${ciphertext}.f_value" ); - let implicit_rejection_shared_secret: [u8; SHARED_SECRET_SIZE] = Hasher::PRF(&to_hash); - - let expected_ciphertext = ind_cpa::encrypt_unpacked::< + let mut implicit_rejection_shared_secret = [0u8; SHARED_SECRET_SIZE]; + Hasher::PRF::(&to_hash, &mut implicit_rejection_shared_secret); + + let mut expected_ciphertext = [0u8; CIPHERTEXT_SIZE]; + let mut r_as_ntt: [PolynomialRingElement; K] = + from_fn(|_i| PolynomialRingElement::::ZERO()); + let mut error_2 = PolynomialRingElement::::ZERO(); + ind_cpa::encrypt_unpacked::< K, + K_SQUARED, CIPHERTEXT_SIZE, T_AS_NTT_ENCODED_SIZE, C1_SIZE, @@ -1109,21 +1257,30 @@ pub(crate) mod unpacked { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, Vector, Hasher, >( &key_pair.public_key.ind_cpa_public_key, &decrypted, pseudorandomness, + &mut expected_ciphertext, + &mut r_as_ntt, + &mut error_2, + &mut scratch, ); let selector = compare_ciphertexts_in_constant_time(ciphertext.as_ref(), &expected_ciphertext); + let mut shared_secret_array = [0u8; SHARED_SECRET_SIZE]; select_shared_secret_in_constant_time( shared_secret, &implicit_rejection_shared_secret, selector, - ) + &mut shared_secret_array, + ); + shared_secret_array } } diff --git a/libcrux-ml-kem/src/ind_cca/incremental.rs b/libcrux-ml-kem/src/ind_cca/incremental.rs index f9ab76139..ac1901790 100644 --- a/libcrux-ml-kem/src/ind_cca/incremental.rs +++ b/libcrux-ml-kem/src/ind_cca/incremental.rs 
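Review bot: The constant-time structure survives the out-parameter refactor — the implicit-rejection PRF, the re-encryption and `select_shared_secret_in_constant_time` all run unconditionally — but nothing in the code says this ordering is deliberate, and `shared_secret_array` now looks like an ordinary temporary. A comment above `let selector = …`, e.g. `// FO transform: both candidate secrets are computed before the constant-time select; never short-circuit on the comparison.`, protects the invariant against a later "optimisation". `decapsulate` begins outside this hunk.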
@@ -4,8 +4,10 @@ //! //! **WARNING:** This API is not standard compliant and may lead to insecure //! usage. Use at your own risk. +use core::array::from_fn; + use crate::{ - constants::BITS_PER_RING_ELEMENT, + constants::{BITS_PER_RING_ELEMENT, H_DIGEST_SIZE}, hash_functions::Hash, ind_cca::{unpacked::MlKemPrivateKeyUnpacked, validate_public_key}, ind_cpa::{self, unpacked::IndCpaPrivateKeyUnpacked}, @@ -53,7 +55,7 @@ pub(crate) mod portable { impl_incr_platform!( vector::portable::PortableVector, - crate::hash_functions::portable::PortableHash + crate::hash_functions::portable::PortableHash ); } @@ -71,25 +73,29 @@ pub(crate) mod multiplexing; #[inline(always)] pub(crate) fn generate_keypair< const K: usize, + const K_SQUARED: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, Vector: Operations, - Hasher: Hash, + Hasher: Hash, >( randomness: [u8; KEY_GENERATION_SEED_SIZE], -) -> MlKemKeyPairUnpacked { +) -> MlKemKeyPairUnpacked { // Generate unpacked key pair. let mut kp = MlKemKeyPairUnpacked::new(); super::unpacked::generate_keypair::< K, + K_SQUARED, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, Vector, Hasher, variant::MlKem, @@ -107,15 +113,17 @@ pub(crate) fn generate_keypair< #[inline(always)] pub(crate) fn generate_keypair_compressed< const K: usize, + const K_SQUARED: usize, const PK2_LEN: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, const KEYPAIR_LEN: usize, Vector: Operations, - Hasher: Hash, + Hasher: Hash, >( randomness: [u8; KEY_GENERATION_SEED_SIZE], key_pair: &mut [u8; KEYPAIR_LEN], 
@@ -124,17 +132,19 @@ pub(crate) fn generate_keypair_compressed< let mut kp = MlKemKeyPairUnpacked::new(); super::unpacked::generate_keypair::< K, + K_SQUARED, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, Vector, Hasher, variant::MlKem, >(randomness, &mut kp); - let kp = KeyPair::::from(kp); + let kp = KeyPair::::from(kp); kp.to_bytes_compressed::(key_pair); } @@ -147,14 +157,16 @@ pub(crate) fn generate_keypair_compressed< #[inline(always)] pub(crate) fn generate_keypair_serialized< const K: usize, + const K_SQUARED: usize, const PK2_LEN: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, Vector: Operations, - Hasher: Hash, + Hasher: Hash, >( randomness: [u8; KEY_GENERATION_SEED_SIZE], key_pair: &mut [u8], @@ -163,23 +175,26 @@ pub(crate) fn generate_keypair_serialized< let mut kp = MlKemKeyPairUnpacked::new(); super::unpacked::generate_keypair::< K, + K_SQUARED, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, Vector, Hasher, variant::MlKem, >(randomness, &mut kp); - let kp = KeyPair::::from(kp); + let kp = KeyPair::::from(kp); kp.to_bytes(key_pair) } #[inline(always)] pub(crate) fn encapsulate1< const K: usize, + const K_SQUARED: usize, const CIPHERTEXT_SIZE: usize, const C1_SIZE: usize, const VECTOR_U_COMPRESSION_FACTOR: usize, @@ -188,8 +203,10 @@ pub(crate) fn encapsulate1< const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, Vector: Operations, - Hasher: Hash, + Hasher: Hash, >( pk1: &PublicKey1, randomness: [u8; SHARED_SECRET_SIZE], 
@@ -198,12 +215,17 @@ pub(crate) fn encapsulate1< let (shared_secret, pseudorandomness) = hashed.split_at(SHARED_SECRET_SIZE); // Rebuild the matrix A from the seed - let mut matrix = [[PolynomialRingElement::::ZERO(); K]; K]; + let mut matrix = [PolynomialRingElement::::ZERO(); K_SQUARED]; sample_matrix_A::(&mut matrix, &into_padded_array(&pk1.seed), false); let mut ciphertext = [0u8; C1_SIZE]; - let (r_as_ntt, error2) = ind_cpa::encrypt_c1::< + let mut r_as_ntt: [PolynomialRingElement; K] = + from_fn(|_i| PolynomialRingElement::::ZERO()); + let mut error2 = PolynomialRingElement::::ZERO(); + let mut scratch = PolynomialRingElement::::ZERO(); + ind_cpa::encrypt_c1::< K, + K_SQUARED, C1_SIZE, VECTOR_U_COMPRESSION_FACTOR, VECTOR_U_BLOCK_LEN, @@ -211,9 +233,18 @@ pub(crate) fn encapsulate1< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, Vector, Hasher, - >(&pseudorandomness, &matrix, &mut ciphertext); + >( + &pseudorandomness, + &matrix, + &mut ciphertext, + &mut r_as_ntt, + &mut error2, + &mut scratch, + ); let state = EncapsState { randomness, @@ -230,6 +261,7 @@ pub(crate) fn encapsulate1< #[inline(always)] pub(crate) fn encapsulate1_serialized< const K: usize, + const K_SQUARED: usize, const CIPHERTEXT_SIZE: usize, const C1_SIZE: usize, const VECTOR_U_COMPRESSION_FACTOR: usize, @@ -238,8 +270,10 @@ pub(crate) fn encapsulate1_serialized< const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, Vector: Operations, - Hasher: Hash, + Hasher: Hash, >( pk1: &PublicKey1, randomness: [u8; SHARED_SECRET_SIZE], @@ -253,6 +287,7 @@ pub(crate) fn encapsulate1_serialized< let (ct1, encaps_state, ss) = encapsulate1::< K, + K_SQUARED, CIPHERTEXT_SIZE, C1_SIZE, VECTOR_U_COMPRESSION_FACTOR, 
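Review bot: `let mut matrix = [PolynomialRingElement::<Vector>::ZERO(); K_SQUARED];` is an array-repeat expression and therefore requires the element type to be `Copy`, while `r_as_ntt` a few lines below and the rest of this commit use `from_fn` precisely because, per the comment in `transpose_a`, `Vector: Copy` is meant to be dropped. `let mut matrix: [PolynomialRingElement<Vector>; K_SQUARED] = from_fn(|_| PolynomialRingElement::<Vector>::ZERO());` keeps this call site from breaking when that happens, and `from_fn` is already imported at the top of this file in this commit.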
@@ -261,6 +296,8 @@ pub(crate) fn encapsulate1_serialized< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, Vector, Hasher, >(pk1, randomness); @@ -275,12 +312,7 @@ pub(crate) fn encapsulate1_serialized< /// Check that the pk1 and pk2 parts are consistent. #[inline(always)] -pub(crate) fn validate_pk< - const K: usize, - const PK_LEN: usize, - Hasher: Hash, - Vector: Operations, ->( +pub(crate) fn validate_pk( pk1: &PublicKey1, pk2: &[u8], ) -> Result<(), Error> { @@ -297,7 +329,7 @@ pub(crate) fn validate_pk< pub(crate) fn validate_pk_bytes< const K: usize, const PK_LEN: usize, - Hasher: Hash, + Hasher: Hash, Vector: Operations, >( pk1: &[u8], @@ -312,7 +344,7 @@ pub(crate) fn validate_pk_bytes< } #[inline(always)] -fn validate_pk_parts, Vector: Operations>( +fn validate_pk_parts( pk1_seed: &[u8], pk1_hash: &[u8], pk2: &[u8], @@ -325,7 +357,8 @@ fn validate_pk_parts, Vecto pk[0..pk2_len].copy_from_slice(&pk2); pk[pk2_len..].copy_from_slice(&pk1_seed); - let hash = Hasher::H(&pk); + let mut hash = [0u8; H_DIGEST_SIZE]; + Hasher::H(&pk, &mut hash); if hash != pk1_hash { return Err(Error::InvalidPublicKey); } @@ -350,6 +383,7 @@ pub(crate) fn encapsulate2< pk2: &PublicKey2, ) -> Ciphertext2 { let mut ciphertext = [0u8; C2_SIZE]; + let mut scratch = PolynomialRingElement::::ZERO(); let t_as_ntt = pk2.deserialize(); ind_cpa::encrypt_c2::( @@ -358,6 +392,7 @@ pub(crate) fn encapsulate2< &state.error2, &state.randomness, &mut ciphertext, + &mut scratch, ); Ciphertext2 { value: ciphertext } @@ -386,6 +421,7 @@ pub(crate) fn encapsulate2_serialized< #[inline(always)] pub(crate) fn decapsulate< const K: usize, + const K_SQUARED: usize, const SECRET_KEY_SIZE: usize, const CPA_SECRET_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, 
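Review bot: `if hash != pk1_hash` in `validate_pk_parts` compares two public values (the recomputed `H(pk)` and the hash carried in `pk1`), so a variable-time comparison is acceptable, but a bare `!=` on a hash in a KEM crate will draw a constant-time question from the next auditor. A comment states the reasoning: `// Both sides are public (pk1.hash and H(pk2 || seed)); timing here leaks nothing secret.` Note that this check only ties pk1 to pk2; the FIPS 203 modulus check (`validate_public_key`, imported at the top of the file) is not in this hunk, so presumably the caller applies it elsewhere — worth confirming.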
@@ -400,11 +436,13 @@ pub(crate) fn decapsulate< const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize, Vector: Operations, - Hasher: Hash, + Hasher: Hash, >( - private_key: &MlKemKeyPairUnpacked, + private_key: &MlKemKeyPairUnpacked, ciphertext1: &Ciphertext1, ciphertext2: &Ciphertext2, ) -> MlKemSharedSecret { @@ -413,6 +451,7 @@ pub(crate) fn decapsulate< ciphertext[C1_SIZE..].copy_from_slice(&ciphertext2.value); crate::ind_cca::unpacked::decapsulate::< K, + K_SQUARED, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, PUBLIC_KEY_SIZE, @@ -427,6 +466,8 @@ pub(crate) fn decapsulate< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, Vector, Hasher, @@ -436,6 +477,7 @@ pub(crate) fn decapsulate< #[inline(always)] pub(crate) fn decapsulate_incremental_key< const K: usize, + const K_SQUARED: usize, const PK2_LEN: usize, const SECRET_KEY_SIZE: usize, const CPA_SECRET_KEY_SIZE: usize, @@ -451,16 +493,18 @@ pub(crate) fn decapsulate_incremental_key< const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize, Vector: Operations, - Hasher: Hash, + Hasher: Hash, >( key: &[u8], ciphertext1: &Ciphertext1, ciphertext2: &Ciphertext2, ) -> Result { // Build an unpacked key pair from the input bytes. - let key_pair: KeyPair = KeyPair::from_bytes(key)?; + let key_pair: KeyPair = KeyPair::from_bytes(key)?; let mut ciphertext = [0u8; CIPHERTEXT_SIZE]; ciphertext[..C1_SIZE].copy_from_slice(&ciphertext1.value); @@ -468,6 +512,7 @@ pub(crate) fn decapsulate_incremental_key< Ok(crate::ind_cca::unpacked::decapsulate::< K, + K_SQUARED, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, PUBLIC_KEY_SIZE, 
@@ -482,6 +527,8 @@ pub(crate) fn decapsulate_incremental_key< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, Vector, Hasher, @@ -491,6 +538,7 @@ pub(crate) fn decapsulate_incremental_key< #[inline(always)] pub(crate) fn decapsulate_compressed_key< const K: usize, + const K_SQUARED: usize, const PK2_LEN: usize, const SECRET_KEY_SIZE: usize, const CPA_SECRET_KEY_SIZE: usize, @@ -506,9 +554,11 @@ pub(crate) fn decapsulate_compressed_key< const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize, Vector: Operations, - Hasher: Hash, + Hasher: Hash, >( private_key: &[u8; SECRET_KEY_SIZE], ciphertext1: &Ciphertext1, @@ -520,6 +570,7 @@ pub(crate) fn decapsulate_compressed_key< crate::ind_cca::decapsulate::< K, + K_SQUARED, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, PUBLIC_KEY_SIZE, @@ -534,6 +585,8 @@ pub(crate) fn decapsulate_compressed_key< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, Vector, Hasher, diff --git a/libcrux-ml-kem/src/ind_cca/incremental/multiplexing.rs b/libcrux-ml-kem/src/ind_cca/incremental/multiplexing.rs index 486992dc7..128555cf0 100644 --- a/libcrux-ml-kem/src/ind_cca/incremental/multiplexing.rs +++ b/libcrux-ml-kem/src/ind_cca/incremental/multiplexing.rs @@ -69,12 +69,14 @@ pub(crate) mod alloc { #[inline(always)] pub(crate) fn generate_keypair< const K: usize, + const K_SQUARED: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const BYTES_PER_RING_ELEMENT: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, >( randomness: [u8; KEY_GENERATION_SEED_SIZE], ) -> Box { 
@@ -84,34 +86,40 @@ pub(crate) mod alloc { let keys = unsafe { generate_keypair_avx2::< K, + K_SQUARED, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, BYTES_PER_RING_ELEMENT, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, >(randomness) }; Box::new(keys) } else if libcrux_platform::simd128_support() { Box::new(generate_keypair_neon::< K, + K_SQUARED, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, BYTES_PER_RING_ELEMENT, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, >(randomness)) } else { Box::new(portable::generate_keypair::< K, + K_SQUARED, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, BYTES_PER_RING_ELEMENT, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, >(randomness)) } } @@ -119,6 +127,7 @@ pub(crate) mod alloc { #[inline(always)] pub(crate) fn encapsulate1< const K: usize, + const K_SQUARED: usize, const CIPHERTEXT_SIZE: usize, const C1_SIZE: usize, const VECTOR_U_COMPRESSION_FACTOR: usize, @@ -127,6 +136,8 @@ pub(crate) mod alloc { const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, >( public_key_part: &PublicKey1, randomness: [u8; SHARED_SECRET_SIZE], @@ -141,6 +152,7 @@ pub(crate) mod alloc { let (c, s, ss) = unsafe { encapsulate1_avx2::< K, + K_SQUARED, CIPHERTEXT_SIZE, C1_SIZE, VECTOR_U_COMPRESSION_FACTOR, @@ -149,12 +161,15 @@ pub(crate) mod alloc { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, >(public_key_part, randomness) }; (c, Box::new(s), ss) } else if libcrux_platform::simd128_support() { let (c, s, ss) = encapsulate1_neon::< K, + K_SQUARED, CIPHERTEXT_SIZE, C1_SIZE, VECTOR_U_COMPRESSION_FACTOR, 
@@ -163,11 +178,14 @@ pub(crate) mod alloc { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, >(public_key_part, randomness); (c, Box::new(s), ss) } else { let (c, s, ss) = portable::encapsulate1::< K, + K_SQUARED, CIPHERTEXT_SIZE, C1_SIZE, VECTOR_U_COMPRESSION_FACTOR, @@ -176,6 +194,8 @@ pub(crate) mod alloc { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, >(public_key_part, randomness); (c, Box::new(s), ss) } @@ -226,6 +246,7 @@ pub(crate) mod alloc { #[inline(always)] pub(crate) fn decapsulate< const K: usize, + const K_SQUARED: usize, const SECRET_KEY_SIZE: usize, const CPA_SECRET_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, @@ -240,6 +261,8 @@ pub(crate) mod alloc { const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize, >( private_key: &dyn Keys, @@ -254,6 +277,7 @@ pub(crate) mod alloc { unsafe { decapsulate_avx2::< K, + K_SQUARED, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, PUBLIC_KEY_SIZE, @@ -268,6 +292,8 @@ pub(crate) mod alloc { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext1, ciphertext2) } @@ -275,6 +301,7 @@ pub(crate) mod alloc { let private_key = as_neon_keypair(private_key.as_any()); decapsulate_neon::< K, + K_SQUARED, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, PUBLIC_KEY_SIZE, @@ -289,12 +316,15 @@ pub(crate) mod alloc { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext1, ciphertext2) } else { let private_key = portable::as_keypair(private_key.as_any()); portable::decapsulate::< K, + K_SQUARED, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, PUBLIC_KEY_SIZE, 
@@ -309,6 +339,8 @@ pub(crate) mod alloc { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext1, ciphertext2) } @@ -318,6 +350,7 @@ pub(crate) mod alloc { #[inline(always)] pub(crate) fn generate_keypair< const K: usize, + const K_SQUARED: usize, const PK2_LEN: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, @@ -325,6 +358,7 @@ pub(crate) fn generate_keypair< const BYTES_PER_RING_ELEMENT: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, >( randomness: [u8; KEY_GENERATION_SEED_SIZE], key_pair: &mut [u8], @@ -335,6 +369,7 @@ pub(crate) fn generate_keypair< unsafe { generate_keypair_serialized_avx2::< K, + K_SQUARED, PK2_LEN, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, @@ -342,11 +377,13 @@ pub(crate) fn generate_keypair< BYTES_PER_RING_ELEMENT, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, >(randomness, key_pair) } } else if libcrux_platform::simd128_support() { generate_keypair_serialized_neon::< K, + K_SQUARED, PK2_LEN, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, @@ -354,10 +391,12 @@ pub(crate) fn generate_keypair< BYTES_PER_RING_ELEMENT, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, >(randomness, key_pair) } else { portable::generate_keypair_serialized::< K, + K_SQUARED, PK2_LEN, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, @@ -365,6 +404,7 @@ pub(crate) fn generate_keypair< BYTES_PER_RING_ELEMENT, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, >(randomness, key_pair) } } @@ -372,6 +412,7 @@ pub(crate) fn generate_keypair< #[inline(always)] pub(crate) fn generate_keypair_compressed< const K: usize, + const K_SQUARED: usize, const PK2_LEN: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, 
@@ -379,6 +420,7 @@ pub(crate) fn generate_keypair_compressed< const BYTES_PER_RING_ELEMENT: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, const KEYPAIR_LEN: usize, >( randomness: [u8; KEY_GENERATION_SEED_SIZE], @@ -390,6 +432,7 @@ pub(crate) fn generate_keypair_compressed< unsafe { generate_keypair_compressed_avx2::< K, + K_SQUARED, PK2_LEN, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, @@ -397,12 +440,14 @@ pub(crate) fn generate_keypair_compressed< BYTES_PER_RING_ELEMENT, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, KEYPAIR_LEN, >(randomness, key_pair) } } else if libcrux_platform::simd128_support() { generate_keypair_compressed_neon::< K, + K_SQUARED, PK2_LEN, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, @@ -410,11 +455,13 @@ pub(crate) fn generate_keypair_compressed< BYTES_PER_RING_ELEMENT, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, KEYPAIR_LEN, >(randomness, key_pair) } else { portable::generate_keypair_compressed::< K, + K_SQUARED, PK2_LEN, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, @@ -422,6 +469,7 @@ pub(crate) fn generate_keypair_compressed< BYTES_PER_RING_ELEMENT, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, KEYPAIR_LEN, >(randomness, key_pair) } @@ -466,6 +514,7 @@ pub(crate) fn validate_pk_bytes( #[inline(always)] pub(crate) fn encapsulate1< const K: usize, + const K_SQUARED: usize, const CIPHERTEXT_SIZE: usize, const C1_SIZE: usize, const VECTOR_U_COMPRESSION_FACTOR: usize, @@ -474,6 +523,8 @@ pub(crate) fn encapsulate1< const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, >( public_key_part: &PublicKey1, randomness: [u8; SHARED_SECRET_SIZE], @@ -486,6 +537,7 @@ pub(crate) fn encapsulate1< unsafe { encapsulate1_serialized_avx2::< K, + K_SQUARED, CIPHERTEXT_SIZE, C1_SIZE, VECTOR_U_COMPRESSION_FACTOR, 
@@ -494,11 +546,14 @@ pub(crate) fn encapsulate1< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, >(public_key_part, randomness, state, shared_secret) } } else if libcrux_platform::simd128_support() { encapsulate1_serialized_neon::< K, + K_SQUARED, CIPHERTEXT_SIZE, C1_SIZE, VECTOR_U_COMPRESSION_FACTOR, @@ -507,10 +562,13 @@ pub(crate) fn encapsulate1< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, >(public_key_part, randomness, state, shared_secret) } else { portable::encapsulate1_serialized::< K, + K_SQUARED, CIPHERTEXT_SIZE, C1_SIZE, VECTOR_U_COMPRESSION_FACTOR, @@ -519,6 +577,8 @@ pub(crate) fn encapsulate1< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, >(public_key_part, randomness, state, shared_secret) } } @@ -568,6 +628,7 @@ pub(crate) fn encapsulate2< #[inline(always)] pub(crate) fn decapsulate< const K: usize, + const K_SQUARED: usize, const PK2_LEN: usize, const SECRET_KEY_SIZE: usize, const CPA_SECRET_KEY_SIZE: usize, @@ -583,6 +644,8 @@ pub(crate) fn decapsulate< const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize, >( private_key: &[u8], @@ -595,6 +658,7 @@ pub(crate) fn decapsulate< unsafe { decapsulate_incremental_key_avx2::< K, + K_SQUARED, PK2_LEN, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, @@ -610,12 +674,15 @@ pub(crate) fn decapsulate< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext1, ciphertext2) } } else if libcrux_platform::simd128_support() { decapsulate_incremental_key_neon::< K, + K_SQUARED, PK2_LEN, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, 
@@ -631,11 +698,14 @@ pub(crate) fn decapsulate< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext1, ciphertext2) } else { portable::decapsulate_incremental_key::< K, + K_SQUARED, PK2_LEN, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, @@ -651,6 +721,8 @@ pub(crate) fn decapsulate< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext1, ciphertext2) } @@ -659,6 +731,7 @@ pub(crate) fn decapsulate< #[inline(always)] pub(crate) fn decapsulate_compressed< const K: usize, + const K_SQUARED: usize, const PK2_LEN: usize, const SECRET_KEY_SIZE: usize, const CPA_SECRET_KEY_SIZE: usize, @@ -674,6 +747,8 @@ pub(crate) fn decapsulate_compressed< const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize, >( private_key: &[u8; SECRET_KEY_SIZE], @@ -686,6 +761,7 @@ pub(crate) fn decapsulate_compressed< unsafe { decapsulate_compressed_key_avx2::< K, + K_SQUARED, PK2_LEN, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, @@ -701,12 +777,15 @@ pub(crate) fn decapsulate_compressed< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext1, ciphertext2) } } else if libcrux_platform::simd128_support() { decapsulate_compressed_key_neon::< K, + K_SQUARED, PK2_LEN, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, @@ -722,11 +801,14 @@ pub(crate) fn decapsulate_compressed< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext1, ciphertext2) } else { portable::decapsulate_compressed_key::< K, + K_SQUARED, PK2_LEN, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, 
@@ -742,6 +824,8 @@ pub(crate) fn decapsulate_compressed< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext1, ciphertext2) } diff --git a/libcrux-ml-kem/src/ind_cca/incremental/types.rs b/libcrux-ml-kem/src/ind_cca/incremental/types.rs index d09d4a2a0..f5c8cce32 100644 --- a/libcrux-ml-kem/src/ind_cca/incremental/types.rs +++ b/libcrux-ml-kem/src/ind_cca/incremental/types.rs @@ -41,7 +41,9 @@ pub trait IncrementalKeyPair { fn pk2_bytes(&self, bytes: &mut [u8]); } -impl IncrementalKeyPair for MlKemKeyPairUnpacked { +impl IncrementalKeyPair + for MlKemKeyPairUnpacked +{ fn pk1_bytes(&self, bytes: &mut [u8]) -> Result<(), Error> { debug_assert!(bytes.len() >= 64); if bytes.len() < 64 { @@ -55,7 +57,12 @@ impl IncrementalKeyPair for MlKemKeyPairUnpa } fn pk2_bytes(&self, bytes: &mut [u8]) { - serialize_vector(&self.public_key.ind_cpa_public_key.t_as_ntt, bytes); + let mut scratch = Vector::ZERO(); + serialize_vector( + &self.public_key.ind_cpa_public_key.t_as_ntt, + bytes, + &mut scratch, + ); } } @@ -118,7 +125,7 @@ impl PublicKey2 { &self, ) -> [PolynomialRingElement; K] { let mut out = from_fn(|_| PolynomialRingElement::::ZERO()); - deserialize_vector(&self.t_as_ntt, &mut out); + deserialize_vector::(&self.t_as_ntt, &mut out); out } } @@ -132,7 +139,9 @@ pub(crate) mod alloc { pub trait Keys: IncrementalKeyPair { fn as_any(&self) -> &dyn Any; } - impl Keys for MlKemKeyPairUnpacked { + impl Keys + for MlKemKeyPairUnpacked + { fn as_any(&self) -> &dyn Any { self } @@ -220,7 +229,8 @@ impl EncapsState { vec_from_bytes(&bytes[offset..], &mut r_as_ntt); offset += vec_len_bytes::(); - let error2 = PolynomialRingElement::::from_bytes(&bytes[offset..]); + let mut error2 = PolynomialRingElement::::ZERO(); + PolynomialRingElement::::from_bytes(&bytes[offset..], &mut error2); offset += PolynomialRingElement::::num_bytes(); let mut randomness = [0u8; 32]; 
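Review bot: The rewritten `pk2_bytes` in the `@@ -55,7 +57,12 @@` hunk still hands `bytes` straight to `serialize_vector` with no length check, while `pk1_bytes` just above it guards with `debug_assert!(bytes.len() >= 64)` plus a runtime `if bytes.len() < 64` early return. Because the trait signature returns `()`, a caller passing a short slice can only be caught by whatever `serialize_vector` does with it, which is not visible here. A `debug_assert!(bytes.len() >= <serialized length of t_as_ntt>)` ahead of the call (the exact length helper is not visible in this hunk) would at least make the contract explicit in test builds. The enclosing `impl IncrementalKeyPair` block starts outside the hunk.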
@@ -243,8 +253,10 @@ impl EncapsState { // === Implementations /// Convert [`MlKemPublicKeyUnpacked`] to a [`PublicKey1`] -impl From<&MlKemPublicKeyUnpacked> for PublicKey1 { - fn from(pk: &MlKemPublicKeyUnpacked) -> Self { +impl + From<&MlKemPublicKeyUnpacked> for PublicKey1 +{ + fn from(pk: &MlKemPublicKeyUnpacked) -> Self { Self { seed: pk.ind_cpa_public_key.seed_for_A, hash: pk.public_key_hash, @@ -253,14 +265,19 @@ impl From<&MlKemPublicKeyUnpacked } /// Convert [`MlKemPublicKeyUnpacked`] to a [`PublicKey2`]. -impl From<&MlKemPublicKeyUnpacked> - for PublicKey2 +impl + From<&MlKemPublicKeyUnpacked> for PublicKey2 { - fn from(pk: &MlKemPublicKeyUnpacked) -> Self { + fn from(pk: &MlKemPublicKeyUnpacked) -> Self { + let mut scratch = Vector::ZERO(); let mut out = Self { t_as_ntt: [0u8; LEN], }; - serialize_vector(&pk.ind_cpa_public_key.t_as_ntt, &mut out.t_as_ntt); + serialize_vector( + &pk.ind_cpa_public_key.t_as_ntt, + &mut out.t_as_ntt, + &mut scratch, + ); out } } @@ -290,17 +307,18 @@ impl From<&[u8; LEN]> for PublicKey2 { } // The key pair struct that we (de)serialize. -pub struct KeyPair { +pub struct KeyPair +{ pk1: PublicKey1, pk2: PublicKey2, sk: MlKemPrivateKeyUnpacked, - matrix: [[PolynomialRingElement; K]; K], + matrix: [PolynomialRingElement; K_SQUARED], } -impl From> - for KeyPair +impl + From> for KeyPair { - fn from(kp: MlKemKeyPairUnpacked) -> Self { + fn from(kp: MlKemKeyPairUnpacked) -> Self { KeyPair { pk1: PublicKey1::from(kp.public_key()), pk2: PublicKey2::from(kp.public_key()), @@ -310,12 +328,12 @@ impl From From> - for MlKemKeyPairUnpacked +impl + From> for MlKemKeyPairUnpacked { - fn from(value: KeyPair) -> Self { + fn from(value: KeyPair) -> Self { let mut t_as_ntt = from_fn(|_| PolynomialRingElement::::ZERO()); - deserialize_vector(&value.pk2.t_as_ntt, &mut t_as_ntt); + deserialize_vector::(&value.pk2.t_as_ntt, &mut t_as_ntt); MlKemKeyPairUnpacked { private_key: value.sk, 
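Review bot: The new `matrix: [PolynomialRingElement; K_SQUARED]` field in the `@@ -290,17 +307,18 @@` hunk carries no documentation of the layout that replaces `[[PolynomialRingElement; K]; K]`, and nothing at the Rust type level ties `K_SQUARED` to `K`; the `v $K_SQUARED == v $K * v $K` clauses added in `instantiations.rs` only cover the hax-verified entry points. Suggest a field comment: `/// Row-major flattening of the K x K matrix: row i is matrix[i * K..(i + 1) * K], so K_SQUARED must equal K * K.` The same relationship is relied on by the deserialization loop in the later `@@ -418,10 +438,15 @@` hunk of this file.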
@@ -339,7 +357,9 @@ fn write(out: &mut [u8], value: &[u8], offset: &mut usize) { *offset = new_offset; } -impl KeyPair { +impl + KeyPair +{ /// Get [`PublicKey1`] as bytes. pub fn pk1_bytes(&self, pk1: &mut [u8]) -> Result<(), Error> { debug_assert!(pk1.len() >= PublicKey1::len()); @@ -400,8 +420,8 @@ impl KeyPair(); } @@ -418,10 +438,15 @@ impl KeyPair KeyPair::ZERO(); K]; K]; - for i in 0..matrix.len() { - vec_from_bytes(&key[offset..], &mut matrix[i]); + let mut matrix = [PolynomialRingElement::::ZERO(); K_SQUARED]; + for i in 0..K { + vec_from_bytes(&key[offset..], &mut matrix[i * K..(i + 1) * K]); offset += vec_len_bytes::(); } diff --git a/libcrux-ml-kem/src/ind_cca/instantiations.rs b/libcrux-ml-kem/src/ind_cca/instantiations.rs index 3ec8e63c6..8f9811af3 100644 --- a/libcrux-ml-kem/src/ind_cca/instantiations.rs +++ b/libcrux-ml-kem/src/ind_cca/instantiations.rs @@ -8,6 +8,7 @@ macro_rules! instantiate { /// Portable generate key pair. #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\ $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\ $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\ @@ -15,21 +16,25 @@ macro_rules! instantiate { $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"#))] pub(crate) fn generate_keypair< const K: usize, + const K_SQUARED: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, >( randomness: &[u8; KEY_GENERATION_SEED_SIZE], ) -> MlKemKeyPair { crate::ind_cca::generate_keypair::< K, + K_SQUARED, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, $vector, $hash, crate::variant::MlKem, 
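Review bot: The rewritten loop in `@@ -418,10 +438,15 @@` indexes `matrix[i * K..(i + 1) * K]` for `i in 0..K`, so the function's correctness now depends on `K_SQUARED == K * K` with no Rust-side check: if `K_SQUARED` is smaller the slice panics, and if it is larger the trailing elements silently remain `ZERO()` while the `offset` arithmetic is unchanged. A `debug_assert_eq!(K_SQUARED, K * K);` before the loop would catch a mis-instantiation in tests without touching release code. The enclosing function starts outside the hunk.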
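Review bot: `PRF_OUTPUT_SIZE1` is added to `generate_keypair`'s const parameters in the `@@ -15,21 +16,25 @@` hunk of `instantiations.rs`, but the `hax_lib::requires` precondition in the preceding `@@ -8,6 +8,7 @@` hunk only gains the `K_SQUARED` clause; nothing constrains the new PRF size the way `$ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K` constrains the randomness length. The same gap applies to `PRF_OUTPUT_SIZE1`/`PRF_OUTPUT_SIZE2` in the later `encapsulate`, `decapsulate` and `unpacked` preconditions of this file and in the matching `avx2.rs` hunks. If the spec exposes the PRF output length for rank `$K`, a clause of the form `$PRF_OUTPUT_SIZE1 == <spec PRF output size for $K>` (placeholder; the spec name is not visible here) would keep the proof from accepting an inconsistent instantiation.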
@@ -39,21 +44,25 @@ macro_rules! instantiate { #[cfg(feature = "kyber")] pub(crate) fn kyber_generate_keypair< const K: usize, + const K_SQUARED: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, >( randomness: &[u8; KEY_GENERATION_SEED_SIZE], ) -> MlKemKeyPair { crate::ind_cca::generate_keypair::< K, + K_SQUARED, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, $vector, $hash, crate::variant::Kyber, @@ -113,6 +122,7 @@ macro_rules! instantiate { #[cfg(feature = "kyber")] pub(crate) fn kyber_encapsulate< const K: usize, + const K_SQUARED: usize, const CIPHERTEXT_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const T_AS_NTT_ENCODED_SIZE: usize, @@ -125,12 +135,15 @@ macro_rules! instantiate { const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, >( public_key: &MlKemPublicKey, randomness: &[u8; SHARED_SECRET_SIZE], ) -> (MlKemCiphertext, MlKemSharedSecret) { crate::ind_cca::encapsulate::< K, + K_SQUARED, CIPHERTEXT_SIZE, PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, @@ -143,6 +156,8 @@ macro_rules! instantiate { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, $vector, $hash, crate::variant::Kyber, @@ -150,6 +165,7 @@ macro_rules! instantiate { } #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\ $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\ $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\ 
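Review bot: `kyber_generate_keypair` and `kyber_encapsulate` in the `@@ -39,21 +44,25 @@` and `@@ -113,6 +122,7 @@` hunks gain `K_SQUARED` and the PRF sizes, but unlike their MlKem counterparts no `v $K_SQUARED == v $K * v $K` requires clause appears in the visible context; whether these `#[cfg(feature = "kyber")]` paths are inside hax's verification scope cannot be told from the hunk. If they are not, a `debug_assert_eq!(K_SQUARED, K * K);` at the top of each body would give them the same guard in test builds. The same remark applies to `kyber_decapsulate` in the `@@ -204,6 +226,7 @@` hunk and to the kyber functions in `avx2.rs`.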
@@ -164,6 +180,7 @@ macro_rules! instantiate { $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"#))] pub(crate) fn encapsulate< const K: usize, + const K_SQUARED: usize, const CIPHERTEXT_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const T_AS_NTT_ENCODED_SIZE: usize, @@ -176,12 +193,15 @@ macro_rules! instantiate { const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, >( public_key: &MlKemPublicKey, randomness: &[u8; SHARED_SECRET_SIZE], ) -> (MlKemCiphertext, MlKemSharedSecret) { crate::ind_cca::encapsulate::< K, + K_SQUARED, CIPHERTEXT_SIZE, PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, @@ -194,6 +214,8 @@ macro_rules! instantiate { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, $vector, $hash, crate::variant::MlKem, @@ -204,6 +226,7 @@ macro_rules! instantiate { #[cfg(feature = "kyber")] pub fn kyber_decapsulate< const K: usize, + const K_SQUARED: usize, const SECRET_KEY_SIZE: usize, const CPA_SECRET_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, @@ -218,6 +241,8 @@ macro_rules! instantiate { const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize, >( private_key: &MlKemPrivateKey, @@ -225,6 +250,7 @@ macro_rules! instantiate { ) -> MlKemSharedSecret { crate::ind_cca::decapsulate::< K, + K_SQUARED, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, PUBLIC_KEY_SIZE, @@ -239,6 +265,8 @@ macro_rules! instantiate { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, $vector, $hash, 
@@ -248,6 +276,7 @@ macro_rules! instantiate { /// Portable decapsulate #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\ $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\ $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\ @@ -265,6 +294,7 @@ macro_rules! instantiate { $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"#))] pub fn decapsulate< const K: usize, + const K_SQUARED: usize, const SECRET_KEY_SIZE: usize, const CPA_SECRET_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, @@ -279,6 +309,8 @@ macro_rules! instantiate { const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize, >( private_key: &MlKemPrivateKey, @@ -286,6 +318,7 @@ macro_rules! instantiate { ) -> MlKemSharedSecret { crate::ind_cca::decapsulate::< K, + K_SQUARED, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, PUBLIC_KEY_SIZE, @@ -300,6 +333,8 @@ macro_rules! instantiate { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, $vector, $hash, 
@@ -311,28 +346,31 @@ macro_rules! instantiate { pub(crate) mod unpacked { use super::*; - pub(crate) type MlKemKeyPairUnpacked = - crate::ind_cca::unpacked::MlKemKeyPairUnpacked; - pub(crate) type MlKemPublicKeyUnpacked = - crate::ind_cca::unpacked::MlKemPublicKeyUnpacked; + pub(crate) type MlKemKeyPairUnpacked = + crate::ind_cca::unpacked::MlKemKeyPairUnpacked; + pub(crate) type MlKemPublicKeyUnpacked = + crate::ind_cca::unpacked::MlKemPublicKeyUnpacked; /// Get the unpacked public key. #[hax_lib::requires( fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\ $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K"#) )] #[inline(always)] pub(crate) fn unpack_public_key< const K: usize, + const K_SQUARED: usize, const T_AS_NTT_ENCODED_SIZE: usize, const PUBLIC_KEY_SIZE: usize, >( public_key: &MlKemPublicKey, - unpacked_public_key: &mut MlKemPublicKeyUnpacked, + unpacked_public_key: &mut MlKemPublicKeyUnpacked, ) { crate::ind_cca::unpacked::unpack_public_key::< K, + K_SQUARED, T_AS_NTT_ENCODED_SIZE, PUBLIC_KEY_SIZE, $hash, @@ -344,22 +382,25 @@ macro_rules! instantiate { #[inline(always)] #[hax_lib::requires( fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K"#))] pub(crate) fn keypair_from_private_key< const K: usize, + const K_SQUARED: usize, const SECRET_KEY_SIZE: usize, const CPA_SECRET_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const T_AS_NTT_ENCODED_SIZE: usize, >( private_key: &MlKemPrivateKey, - key_pair: &mut MlKemKeyPairUnpacked, + key_pair: &mut MlKemKeyPairUnpacked, ) { crate::ind_cca::unpacked::keys_from_private_key::< K, + K_SQUARED, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, PUBLIC_KEY_SIZE, 
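Review bot: The clause added to `keypair_from_private_key`'s precondition in the `@@ -344,22 +382,25 @@` hunk is spelled `v $K_SQUARED == v $K * v $K`, while the surrounding clauses of the same `fstar!` literal use the `v_SECRET_KEY_SIZE ... v_K` spelling; both conventions occur elsewhere in the file, but mixing them inside one literal reads as an oversight. Consider writing the new clause in the `v_…` form the rest of that literal uses, assuming `$K` expands to `v_K` as the neighbouring preconditions suggest, here and in the matching `keypair_from_private_key` hunk of `avx2.rs`.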
@@ -370,6 +411,7 @@ macro_rules! instantiate { /// Generate a key pair #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\ $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\ $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\ @@ -378,22 +420,26 @@ macro_rules! instantiate { #[inline(always)] pub(crate) fn generate_keypair< const K: usize, + const K_SQUARED: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, >( randomness: [u8; KEY_GENERATION_SEED_SIZE], - out: &mut MlKemKeyPairUnpacked, + out: &mut MlKemKeyPairUnpacked, ) { crate::ind_cca::unpacked::generate_keypair::< K, + K_SQUARED, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, $vector, $hash, crate::variant::MlKem, @@ -402,6 +448,7 @@ macro_rules! instantiate { /// Unpacked encapsulate #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\ $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\ $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\ @@ -417,6 +464,7 @@ macro_rules! instantiate { #[inline(always)] pub(crate) fn encapsulate< const K: usize, + const K_SQUARED: usize, const CIPHERTEXT_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const T_AS_NTT_ENCODED_SIZE: usize, 
@@ -429,12 +477,15 @@ macro_rules! instantiate { const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, >( - public_key: &MlKemPublicKeyUnpacked, + public_key: &MlKemPublicKeyUnpacked, randomness: &[u8; SHARED_SECRET_SIZE], ) -> (MlKemCiphertext, MlKemSharedSecret) { crate::ind_cca::unpacked::encapsulate::< K, + K_SQUARED, CIPHERTEXT_SIZE, PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, @@ -447,6 +498,8 @@ macro_rules! instantiate { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, $vector, $hash, >(public_key, randomness) @@ -454,6 +507,7 @@ macro_rules! instantiate { /// Unpacked decapsulate #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\ $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\ $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\ @@ -472,6 +526,7 @@ macro_rules! instantiate { #[inline(always)] pub(crate) fn decapsulate< const K: usize, + const K_SQUARED: usize, const SECRET_KEY_SIZE: usize, const CPA_SECRET_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, @@ -486,13 +541,16 @@ macro_rules! instantiate { const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize, >( - key_pair: &MlKemKeyPairUnpacked, + key_pair: &MlKemKeyPairUnpacked, ciphertext: &MlKemCiphertext, ) -> MlKemSharedSecret { crate::ind_cca::unpacked::decapsulate::< K, + K_SQUARED, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, PUBLIC_KEY_SIZE, @@ -507,6 +565,8 @@ macro_rules! instantiate { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, $vector, $hash, 
@@ -518,7 +578,7 @@ macro_rules! instantiate { } // Portable generic implementations. -instantiate! {portable, crate::vector::portable::PortableVector, crate::hash_functions::portable::PortableHash} +instantiate! {portable, crate::vector::portable::PortableVector, crate::hash_functions::portable::PortableHash} // AVX2 generic implementation. #[cfg(feature = "simd256")] diff --git a/libcrux-ml-kem/src/ind_cca/instantiations/avx2.rs b/libcrux-ml-kem/src/ind_cca/instantiations/avx2.rs index 4a245a0ab..2038d42fe 100644 --- a/libcrux-ml-kem/src/ind_cca/instantiations/avx2.rs +++ b/libcrux-ml-kem/src/ind_cca/instantiations/avx2.rs @@ -7,6 +7,7 @@ use crate::{ /// Portable generate key pair. #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\ $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\ $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\ @@ -14,21 +15,25 @@ use crate::{ $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"#))] unsafe fn generate_keypair_avx2< const K: usize, + const K_SQUARED: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, >( randomness: &[u8; KEY_GENERATION_SEED_SIZE], ) -> MlKemKeyPair { crate::ind_cca::generate_keypair::< K, + K_SQUARED, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, crate::vector::SIMD256Vector, crate::hash_functions::avx2::Simd256Hash, crate::variant::MlKem, 
@@ -37,6 +42,7 @@ unsafe fn generate_keypair_avx2< #[allow(unsafe_code)] #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\ $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\ $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\ @@ -44,22 +50,26 @@ unsafe fn generate_keypair_avx2< $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"#))] pub(crate) fn generate_keypair< const K: usize, + const K_SQUARED: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, >( randomness: &[u8; KEY_GENERATION_SEED_SIZE], ) -> MlKemKeyPair { unsafe { generate_keypair_avx2::< K, + K_SQUARED, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, >(randomness) } } @@ -69,21 +79,25 @@ pub(crate) fn generate_keypair< #[cfg_attr(not(hax), target_feature(enable = "avx2"))] unsafe fn kyber_generate_keypair_avx2< const K: usize, + const K_SQUARED: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, >( randomness: &[u8; KEY_GENERATION_SEED_SIZE], ) -> MlKemKeyPair { crate::ind_cca::generate_keypair::< K, + K_SQUARED, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, crate::vector::SIMD256Vector, crate::hash_functions::avx2::Simd256Hash, crate::variant::Kyber, 
@@ -94,22 +108,26 @@ unsafe fn kyber_generate_keypair_avx2< #[cfg(feature = "kyber")] pub(crate) fn kyber_generate_keypair< const K: usize, + const K_SQUARED: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, >( randomness: &[u8; KEY_GENERATION_SEED_SIZE], ) -> MlKemKeyPair { unsafe { kyber_generate_keypair_avx2::< K, + K_SQUARED, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, >(randomness) } } @@ -192,6 +210,7 @@ pub(crate) fn validate_private_key_only( public_key: &MlKemPublicKey, randomness: &[u8; SHARED_SECRET_SIZE], ) -> (MlKemCiphertext, MlKemSharedSecret) { crate::ind_cca::encapsulate::< K, + K_SQUARED, CIPHERTEXT_SIZE, PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, @@ -222,6 +244,8 @@ unsafe fn kyber_encapsulate_avx2< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, crate::vector::SIMD256Vector, crate::hash_functions::avx2::Simd256Hash, crate::variant::Kyber, @@ -232,6 +256,7 @@ unsafe fn kyber_encapsulate_avx2< #[cfg(feature = "kyber")] pub(crate) fn kyber_encapsulate< const K: usize, + const K_SQUARED: usize, const CIPHERTEXT_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const T_AS_NTT_ENCODED_SIZE: usize, @@ -244,6 +269,8 @@ pub(crate) fn kyber_encapsulate< const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, >( public_key: &MlKemPublicKey, randomness: &[u8; SHARED_SECRET_SIZE], @@ -251,6 +278,7 @@ pub(crate) fn kyber_encapsulate< unsafe { kyber_encapsulate_avx2::< K, + K_SQUARED, CIPHERTEXT_SIZE, PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, @@ -263,6 +291,8 @@ pub(crate) fn kyber_encapsulate< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, >(public_key, randomness) } } 
@@ -270,6 +300,7 @@ pub(crate) fn kyber_encapsulate< #[allow(unsafe_code)] #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\ $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\ $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\ @@ -284,6 +315,7 @@ pub(crate) fn kyber_encapsulate< $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"#))] unsafe fn encapsulate_avx2< const K: usize, + const K_SQUARED: usize, const CIPHERTEXT_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const T_AS_NTT_ENCODED_SIZE: usize, @@ -296,12 +328,15 @@ unsafe fn encapsulate_avx2< const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, >( public_key: &MlKemPublicKey, randomness: &[u8; SHARED_SECRET_SIZE], ) -> (MlKemCiphertext, MlKemSharedSecret) { crate::ind_cca::encapsulate::< K, + K_SQUARED, CIPHERTEXT_SIZE, PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, @@ -314,6 +349,8 @@ unsafe fn encapsulate_avx2< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, crate::vector::SIMD256Vector, crate::hash_functions::avx2::Simd256Hash, crate::variant::MlKem, @@ -322,6 +359,7 @@ unsafe fn encapsulate_avx2< #[allow(unsafe_code)] #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\ $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\ $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\ @@ -336,6 +374,7 @@ unsafe fn encapsulate_avx2< $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"#))] pub(crate) fn encapsulate< const K: usize, + const K_SQUARED: usize, const CIPHERTEXT_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const T_AS_NTT_ENCODED_SIZE: usize, 
@@ -348,6 +387,8 @@ pub(crate) fn encapsulate< const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, >( public_key: &MlKemPublicKey, randomness: &[u8; SHARED_SECRET_SIZE], @@ -355,6 +396,7 @@ pub(crate) fn encapsulate< unsafe { encapsulate_avx2::< K, + K_SQUARED, CIPHERTEXT_SIZE, PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, @@ -367,6 +409,8 @@ pub(crate) fn encapsulate< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, >(public_key, randomness) } } @@ -376,6 +420,7 @@ pub(crate) fn encapsulate< #[cfg_attr(not(hax), target_feature(enable = "avx2"))] unsafe fn kyber_decapsulate_avx2< const K: usize, + const K_SQUARED: usize, const SECRET_KEY_SIZE: usize, const CPA_SECRET_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, @@ -390,6 +435,8 @@ unsafe fn kyber_decapsulate_avx2< const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize, >( private_key: &MlKemPrivateKey, @@ -397,6 +444,7 @@ unsafe fn kyber_decapsulate_avx2< ) -> MlKemSharedSecret { crate::ind_cca::decapsulate::< K, + K_SQUARED, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, PUBLIC_KEY_SIZE, @@ -411,6 +459,8 @@ unsafe fn kyber_decapsulate_avx2< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, crate::vector::SIMD256Vector, crate::hash_functions::avx2::Simd256Hash, @@ -422,6 +472,7 @@ unsafe fn kyber_decapsulate_avx2< #[cfg(feature = "kyber")] pub fn kyber_decapsulate< const K: usize, + const K_SQUARED: usize, const SECRET_KEY_SIZE: usize, const CPA_SECRET_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, 
@@ -436,6 +487,8 @@ pub fn kyber_decapsulate< const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize, >( private_key: &MlKemPrivateKey, @@ -444,6 +497,7 @@ pub fn kyber_decapsulate< unsafe { kyber_decapsulate_avx2::< K, + K_SQUARED, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, PUBLIC_KEY_SIZE, @@ -458,6 +512,8 @@ pub fn kyber_decapsulate< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext) } @@ -466,6 +522,7 @@ pub fn kyber_decapsulate< #[allow(unsafe_code)] #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\ $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\ $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\ @@ -483,6 +540,7 @@ pub fn kyber_decapsulate< $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"#))] unsafe fn decapsulate_avx2< const K: usize, + const K_SQUARED: usize, const SECRET_KEY_SIZE: usize, const CPA_SECRET_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, @@ -497,6 +555,8 @@ unsafe fn decapsulate_avx2< const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize, >( private_key: &MlKemPrivateKey, @@ -504,6 +564,7 @@ unsafe fn decapsulate_avx2< ) -> MlKemSharedSecret { crate::ind_cca::decapsulate::< K, + K_SQUARED, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, PUBLIC_KEY_SIZE, 
@@ -518,6 +579,8 @@ unsafe fn decapsulate_avx2< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, crate::vector::SIMD256Vector, crate::hash_functions::avx2::Simd256Hash, @@ -527,6 +590,7 @@ unsafe fn decapsulate_avx2< #[allow(unsafe_code)] #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\ $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\ $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\ @@ -544,6 +608,7 @@ unsafe fn decapsulate_avx2< $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"#))] pub fn decapsulate< const K: usize, + const K_SQUARED: usize, const SECRET_KEY_SIZE: usize, const CPA_SECRET_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, @@ -558,6 +623,8 @@ pub fn decapsulate< const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize, >( private_key: &MlKemPrivateKey, @@ -566,6 +633,7 @@ pub fn decapsulate< unsafe { decapsulate_avx2::< K, + K_SQUARED, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, PUBLIC_KEY_SIZE, @@ -580,6 +648,8 @@ pub fn decapsulate< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext) } 
@@ -589,29 +659,36 @@ pub fn decapsulate< pub(crate) mod unpacked { use super::*; - pub(crate) type MlKemKeyPairUnpacked = - crate::ind_cca::unpacked::MlKemKeyPairUnpacked; - pub(crate) type MlKemPublicKeyUnpacked = - crate::ind_cca::unpacked::MlKemPublicKeyUnpacked; + pub(crate) type MlKemKeyPairUnpacked = + crate::ind_cca::unpacked::MlKemKeyPairUnpacked; + pub(crate) type MlKemPublicKeyUnpacked = + crate::ind_cca::unpacked::MlKemPublicKeyUnpacked< + K, + K_SQUARED, + crate::vector::SIMD256Vector, + >; /// Get the unpacked public key. #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] #[hax_lib::requires( fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\ $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K"#) )] unsafe fn unpack_public_key_avx2< const K: usize, + const K_SQUARED: usize, const T_AS_NTT_ENCODED_SIZE: usize, const PUBLIC_KEY_SIZE: usize, >( public_key: &MlKemPublicKey, - unpacked_public_key: &mut MlKemPublicKeyUnpacked, + unpacked_public_key: &mut MlKemPublicKeyUnpacked, ) { crate::ind_cca::unpacked::unpack_public_key::< K, + K_SQUARED, T_AS_NTT_ENCODED_SIZE, PUBLIC_KEY_SIZE, crate::hash_functions::avx2::Simd256Hash, @@ -623,19 +700,21 @@ pub(crate) mod unpacked { #[allow(unsafe_code)] #[hax_lib::requires( fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\ $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K"#) )] pub(crate) fn unpack_public_key< const K: usize, + const K_SQUARED: usize, const T_AS_NTT_ENCODED_SIZE: usize, const PUBLIC_KEY_SIZE: usize, >( public_key: &MlKemPublicKey, - unpacked_public_key: &mut MlKemPublicKeyUnpacked, + unpacked_public_key: &mut MlKemPublicKeyUnpacked, ) { unsafe { - unpack_public_key_avx2::( + unpack_public_key_avx2::( public_key, unpacked_public_key, ) 
@@ -646,22 +725,25 @@ pub(crate) mod unpacked { #[inline(always)] #[hax_lib::requires( fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K"#))] pub(crate) fn keypair_from_private_key< const K: usize, + const K_SQUARED: usize, const SECRET_KEY_SIZE: usize, const CPA_SECRET_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const T_AS_NTT_ENCODED_SIZE: usize, >( private_key: &MlKemPrivateKey, - key_pair: &mut MlKemKeyPairUnpacked, + key_pair: &mut MlKemKeyPairUnpacked, ) { crate::ind_cca::unpacked::keys_from_private_key::< K, + K_SQUARED, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, PUBLIC_KEY_SIZE, @@ -673,27 +755,32 @@ pub(crate) mod unpacked { #[allow(unsafe_code)] #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\ $ETA1 == Spec.MLKEM.v_ETA1 $K /\ $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K"#))] unsafe fn generate_keypair_avx2< const K: usize, + const K_SQUARED: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, >( randomness: [u8; KEY_GENERATION_SEED_SIZE], - out: &mut MlKemKeyPairUnpacked, + out: &mut MlKemKeyPairUnpacked, ) { crate::ind_cca::unpacked::generate_keypair::< K, + K_SQUARED, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, crate::vector::SIMD256Vector, crate::hash_functions::avx2::Simd256Hash, crate::variant::MlKem, 
@@ -703,28 +790,33 @@ pub(crate) mod unpacked { /// Generate a key pair #[allow(unsafe_code)] #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\ $ETA1 == Spec.MLKEM.v_ETA1 $K /\ $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K"#))] pub(crate) fn generate_keypair< const K: usize, + const K_SQUARED: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, >( randomness: [u8; KEY_GENERATION_SEED_SIZE], - out: &mut MlKemKeyPairUnpacked, + out: &mut MlKemKeyPairUnpacked, ) { unsafe { generate_keypair_avx2::< K, + K_SQUARED, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, >(randomness, out) } } @@ -732,6 +824,7 @@ pub(crate) mod unpacked { #[allow(unsafe_code)] #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ $ETA1 == Spec.MLKEM.v_ETA1 $K /\ $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\ $ETA2 == Spec.MLKEM.v_ETA2 $K /\ @@ -744,6 +837,7 @@ pub(crate) mod unpacked { $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"#))] unsafe fn encapsulate_avx2< const K: usize, + const K_SQUARED: usize, const CIPHERTEXT_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const T_AS_NTT_ENCODED_SIZE: usize, @@ -756,12 +850,15 @@ pub(crate) mod unpacked { const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, >( - public_key: &MlKemPublicKeyUnpacked, + public_key: &MlKemPublicKeyUnpacked, randomness: &[u8; SHARED_SECRET_SIZE], ) -> (MlKemCiphertext, MlKemSharedSecret) { crate::ind_cca::unpacked::encapsulate::< K, + K_SQUARED, CIPHERTEXT_SIZE, PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, 
@@ -774,6 +871,8 @@ pub(crate) mod unpacked { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, crate::vector::SIMD256Vector, crate::hash_functions::avx2::Simd256Hash, >(public_key, randomness) @@ -782,6 +881,7 @@ pub(crate) mod unpacked { /// Unpacked encapsulate #[allow(unsafe_code)] #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ $ETA1 == Spec.MLKEM.v_ETA1 $K /\ $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\ $ETA2 == Spec.MLKEM.v_ETA2 $K /\ @@ -794,6 +894,7 @@ pub(crate) mod unpacked { $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"#))] pub(crate) fn encapsulate< const K: usize, + const K_SQUARED: usize, const CIPHERTEXT_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const T_AS_NTT_ENCODED_SIZE: usize, @@ -806,13 +907,16 @@ pub(crate) mod unpacked { const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, >( - public_key: &MlKemPublicKeyUnpacked, + public_key: &MlKemPublicKeyUnpacked, randomness: &[u8; SHARED_SECRET_SIZE], ) -> (MlKemCiphertext, MlKemSharedSecret) { unsafe { encapsulate_avx2::< K, + K_SQUARED, CIPHERTEXT_SIZE, PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, @@ -825,6 +929,8 @@ pub(crate) mod unpacked { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, >(public_key, randomness) } } @@ -832,6 +938,7 @@ pub(crate) mod unpacked { #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ $ETA1 == Spec.MLKEM.v_ETA1 $K /\ $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\ $ETA2 == Spec.MLKEM.v_ETA2 $K /\ 
@@ -845,6 +952,7 @@ pub(crate) mod unpacked { $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"#))] unsafe fn decapsulate_avx2< const K: usize, + const K_SQUARED: usize, const SECRET_KEY_SIZE: usize, const CPA_SECRET_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, @@ -859,13 +967,16 @@ pub(crate) mod unpacked { const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize, >( - key_pair: &MlKemKeyPairUnpacked, + key_pair: &MlKemKeyPairUnpacked, ciphertext: &MlKemCiphertext, ) -> MlKemSharedSecret { crate::ind_cca::unpacked::decapsulate::< K, + K_SQUARED, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, PUBLIC_KEY_SIZE, @@ -880,6 +991,8 @@ pub(crate) mod unpacked { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, crate::vector::SIMD256Vector, crate::hash_functions::avx2::Simd256Hash, @@ -889,6 +1002,7 @@ pub(crate) mod unpacked { /// Unpacked decapsulate #[allow(unsafe_code)] #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ $ETA1 == Spec.MLKEM.v_ETA1 $K /\ $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\ $ETA2 == Spec.MLKEM.v_ETA2 $K /\ @@ -902,6 +1016,7 @@ pub(crate) mod unpacked { $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"#))] pub(crate) fn decapsulate< const K: usize, + const K_SQUARED: usize, const SECRET_KEY_SIZE: usize, const CPA_SECRET_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, 
@@ -916,14 +1031,17 @@ pub(crate) mod unpacked { const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize, >( - key_pair: &MlKemKeyPairUnpacked, + key_pair: &MlKemKeyPairUnpacked, ciphertext: &MlKemCiphertext, ) -> MlKemSharedSecret { unsafe { decapsulate_avx2::< K, + K_SQUARED, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, PUBLIC_KEY_SIZE, @@ -938,6 +1056,8 @@ pub(crate) mod unpacked { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(key_pair, ciphertext) } diff --git a/libcrux-ml-kem/src/ind_cca/multiplexing.rs b/libcrux-ml-kem/src/ind_cca/multiplexing.rs index a8b6692f5..73d854bd3 100644 --- a/libcrux-ml-kem/src/ind_cca/multiplexing.rs +++ b/libcrux-ml-kem/src/ind_cca/multiplexing.rs 
@@ -82,46 +82,55 @@ pub(crate) fn validate_private_key< #[cfg(feature = "kyber")] pub(crate) fn kyber_generate_keypair< const K: usize, + const K_SQUARED: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, >( - randomness: [u8; KEY_GENERATION_SEED_SIZE], + randomness: &[u8; KEY_GENERATION_SEED_SIZE], ) -> MlKemKeyPair { // Runtime feature detection. if libcrux_platform::simd256_support() { kyber_generate_keypair_avx2::< K, + K_SQUARED, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, - >(&randomness) + PRF_OUTPUT_SIZE1, + >(randomness) } else if libcrux_platform::simd128_support() { kyber_generate_keypair_neon::< K, + K_SQUARED, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, - >(&randomness) + PRF_OUTPUT_SIZE1, + >(randomness) } else { instantiations::portable::kyber_generate_keypair::< K, + K_SQUARED, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, - >(&randomness) + PRF_OUTPUT_SIZE1, + >(randomness) } } #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\ $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\ $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\ @@ -129,11 +138,13 @@ pub(crate) fn kyber_generate_keypair< $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"#))] pub(crate) fn generate_keypair< const K: usize, + const K_SQUARED: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, >( randomness: &[u8; KEY_GENERATION_SEED_SIZE], ) -> MlKemKeyPair { 
@@ -141,29 +152,35 @@ pub(crate) fn generate_keypair< if libcrux_platform::simd256_support() { generate_keypair_avx2::< K, + K_SQUARED, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, >(randomness) } else if libcrux_platform::simd128_support() { generate_keypair_neon::< K, + K_SQUARED, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, >(randomness) } else { instantiations::portable::generate_keypair::< K, + K_SQUARED, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, >(randomness) } } @@ -171,6 +188,7 @@ pub(crate) fn generate_keypair< #[cfg(feature = "kyber")] pub(crate) fn kyber_encapsulate< const K: usize, + const K_SQUARED: usize, const CIPHERTEXT_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const T_AS_NTT_ENCODED_SIZE: usize, @@ -183,13 +201,16 @@ pub(crate) fn kyber_encapsulate< const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, >( public_key: &MlKemPublicKey, - randomness: [u8; SHARED_SECRET_SIZE], + randomness: &[u8; SHARED_SECRET_SIZE], ) -> (MlKemCiphertext, MlKemSharedSecret) { if libcrux_platform::simd256_support() { kyber_encapsulate_avx2::< K, + K_SQUARED, CIPHERTEXT_SIZE, PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, @@ -202,10 +223,13 @@ pub(crate) fn kyber_encapsulate< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, - >(public_key, &randomness) + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, + >(public_key, randomness) } else if libcrux_platform::simd128_support() { kyber_encapsulate_neon::< K, + K_SQUARED, CIPHERTEXT_SIZE, PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, 
@@ -218,10 +242,13 @@ pub(crate) fn kyber_encapsulate< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, - >(public_key, &randomness) + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, + >(public_key, randomness) } else { instantiations::portable::kyber_encapsulate::< K, + K_SQUARED, CIPHERTEXT_SIZE, PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, @@ -234,11 +261,14 @@ pub(crate) fn kyber_encapsulate< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, - >(public_key, &randomness) + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, + >(public_key, randomness) } } #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\ $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\ $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\ @@ -253,6 +283,7 @@ pub(crate) fn kyber_encapsulate< $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"#))] pub(crate) fn encapsulate< const K: usize, + const K_SQUARED: usize, const CIPHERTEXT_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const T_AS_NTT_ENCODED_SIZE: usize, @@ -265,6 +296,8 @@ pub(crate) fn encapsulate< const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, >( public_key: &MlKemPublicKey, randomness: &[u8; SHARED_SECRET_SIZE], @@ -272,6 +305,7 @@ pub(crate) fn encapsulate< if libcrux_platform::simd256_support() { encapsulate_avx2::< K, + K_SQUARED, CIPHERTEXT_SIZE, PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, @@ -284,10 +318,13 @@ pub(crate) fn encapsulate< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, >(public_key, randomness) } else if libcrux_platform::simd128_support() { encapsulate_neon::< K, + K_SQUARED, CIPHERTEXT_SIZE, PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, 
@@ -300,10 +337,13 @@ pub(crate) fn encapsulate< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, >(public_key, randomness) } else { instantiations::portable::encapsulate::< K, + K_SQUARED, CIPHERTEXT_SIZE, PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, @@ -316,6 +356,8 @@ pub(crate) fn encapsulate< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, >(public_key, randomness) } } @@ -323,6 +365,7 @@ pub(crate) fn encapsulate< #[cfg(feature = "kyber")] pub(crate) fn kyber_decapsulate< const K: usize, + const K_SQUARED: usize, const SECRET_KEY_SIZE: usize, const CPA_SECRET_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, @@ -337,6 +380,8 @@ pub(crate) fn kyber_decapsulate< const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize, >( private_key: &MlKemPrivateKey, @@ -345,6 +390,7 @@ pub(crate) fn kyber_decapsulate< if libcrux_platform::simd256_support() { kyber_decapsulate_avx2::< K, + K_SQUARED, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, PUBLIC_KEY_SIZE, @@ -359,11 +405,14 @@ pub(crate) fn kyber_decapsulate< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext) } else if libcrux_platform::simd128_support() { kyber_decapsulate_neon::< K, + K_SQUARED, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, PUBLIC_KEY_SIZE, @@ -378,11 +427,14 @@ pub(crate) fn kyber_decapsulate< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext) } else { instantiations::portable::kyber_decapsulate::< K, + K_SQUARED, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, PUBLIC_KEY_SIZE, 
@@ -397,12 +449,15 @@ pub(crate) fn kyber_decapsulate< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext) } } #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED == v $K * v $K /\ $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\ $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\ $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\ @@ -420,6 +475,7 @@ pub(crate) fn kyber_decapsulate< $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"#))] pub(crate) fn decapsulate< const K: usize, + const K_SQUARED: usize, const SECRET_KEY_SIZE: usize, const CPA_SECRET_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, @@ -434,6 +490,8 @@ pub(crate) fn decapsulate< const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize, >( private_key: &MlKemPrivateKey, @@ -442,6 +500,7 @@ pub(crate) fn decapsulate< if libcrux_platform::simd256_support() { decapsulate_avx2::< K, + K_SQUARED, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, PUBLIC_KEY_SIZE, @@ -456,11 +515,14 @@ pub(crate) fn decapsulate< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext) } else if libcrux_platform::simd128_support() { decapsulate_neon::< K, + K_SQUARED, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, PUBLIC_KEY_SIZE, @@ -475,11 +537,14 @@ pub(crate) fn decapsulate< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext) } else { instantiations::portable::decapsulate::< K, + K_SQUARED, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, PUBLIC_KEY_SIZE, 
@@ -494,6 +559,8 @@ pub(crate) fn decapsulate< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext) } diff --git a/libcrux-ml-kem/src/ind_cpa.rs b/libcrux-ml-kem/src/ind_cpa.rs index cd7f3a50a..80d095fe9 100644 --- a/libcrux-ml-kem/src/ind_cpa.rs +++ b/libcrux-ml-kem/src/ind_cpa.rs @@ -36,6 +36,7 @@ pub(crate) mod unpacked { impl Default for IndCpaPrivateKeyUnpacked { fn default() -> Self { Self { + // XXX: This should be initialized using `core::array::from_fn`, once we no longer have `Vector: Copy`. secret_as_ntt: [PolynomialRingElement::::ZERO(); K], } } @@ -43,18 +44,25 @@ pub(crate) mod unpacked { /// An unpacked ML-KEM IND-CPA Public Key #[derive(Clone)] - pub(crate) struct IndCpaPublicKeyUnpacked { + pub(crate) struct IndCpaPublicKeyUnpacked< + const K: usize, + const K_SQUARED: usize, + Vector: Operations, + > { pub(crate) t_as_ntt: [PolynomialRingElement; K], pub(crate) seed_for_A: [u8; 32], - pub(crate) A: [[PolynomialRingElement; K]; K], + pub(crate) A: [PolynomialRingElement; K_SQUARED], } - impl Default for IndCpaPublicKeyUnpacked { + impl Default + for IndCpaPublicKeyUnpacked + { fn default() -> Self { Self { + // XXX: These should be initialized using `core::array::from_fn`, once we no longer have `Vector: Copy`. t_as_ntt: [PolynomialRingElement::::ZERO(); K], seed_for_A: [0u8; 32], - A: [[PolynomialRingElement::::ZERO(); K]; K], + A: [PolynomialRingElement::::ZERO(); K_SQUARED], } } } 
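Review bot: Nothing on the Rust side of `IndCpaPublicKeyUnpacked` ties `K_SQUARED` to `K`; the relation lives only in the hax precondition `v $K_SQUARED == v $K * v $K` that this commit adds at call sites, so a non-hax instantiation with a mismatched `K_SQUARED` compiles and yields an `A` of the wrong length, which presumably surfaces as an index panic in the matrix code, or not at all if the buffer is too large. A doc line on the struct, e.g. `/// Invariant: `K_SQUARED == K * K`; `A` holds the K×K matrix flattened into one array.`, plus `debug_assert_eq!(K_SQUARED, K * K);` at the top of `default()` would make the invariant visible and checked in ordinary builds. Since the flattening `A: [PolynomialRingElement; K_SQUARED]` no longer expresses the row/column structure in the type, the doc line should also state which index order the matrix code expects.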
@@ -68,36 +76,7 @@ use unpacked::*; length $seed_for_a == sz 32 /\ (forall (i:nat). i < v $K ==> Libcrux_ml_kem.Polynomial.is_bounded_poly 3328 (Seq.index $t_as_ntt i))"#))] -#[hax_lib::ensures(|res| - fstar!(r#"$res == Seq.append (Spec.MLKEM.vector_encode_12 #$K - (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $t_as_ntt)) - $seed_for_a)"#) -)] -pub(crate) fn serialize_public_key< - const K: usize, - const PUBLIC_KEY_SIZE: usize, - Vector: Operations, ->( - t_as_ntt: &[PolynomialRingElement; K], - seed_for_a: &[u8], -) -> [u8; PUBLIC_KEY_SIZE] { - let mut public_key_serialized = [0u8; PUBLIC_KEY_SIZE]; - serialize_public_key_mut::( - t_as_ntt, - seed_for_a, - &mut public_key_serialized, - ); - public_key_serialized -} - -/// Concatenate `t` and `ρ` into the public key. -#[inline(always)] -#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\ - length $seed_for_a == sz 32 /\ - (forall (i:nat). i < v $K ==> - Libcrux_ml_kem.Polynomial.is_bounded_poly 3328 (Seq.index $t_as_ntt i))"#))] -#[hax_lib::ensures(|res| +#[hax_lib::ensures(|_| fstar!(r#"${serialized}_future == Seq.append (Spec.MLKEM.vector_encode_12 #$K (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $t_as_ntt)) @@ -110,11 +89,13 @@ pub(crate) fn serialize_public_key_mut< >( t_as_ntt: &[PolynomialRingElement; K], seed_for_a: &[u8], - serialized: &mut [u8; PUBLIC_KEY_SIZE], + serialized: &mut [u8], + scratch: &mut Vector, ) { serialize_vector::( t_as_ntt, &mut serialized[0..ranked_bytes_per_ring_element(K)], + scratch, ); serialized[ranked_bytes_per_ring_element(K)..].copy_from_slice(seed_for_a); @@ -139,6 +120,7 @@ pub(crate) fn serialize_public_key_mut< pub(crate) fn serialize_vector( key: &[PolynomialRingElement; K], out: &mut [u8], + scratch: &mut Vector, ) { hax_lib::fstar!(r#"assert_norm (Spec.MLKEM.polynomial_d 12 == Spec.MLKEM.polynomial)"#); 
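Review bot: Changing `serialized` from `&mut [u8; PUBLIC_KEY_SIZE]` to `&mut [u8]` moves the output-length guarantee from the type to a runtime panic: a slice of the wrong length now fails only in `serialized[ranked_bytes_per_ring_element(K)..].copy_from_slice(seed_for_a)` (length mismatch), and the visible part of the requires clause does not constrain `length $serialized`. Add `length $serialized == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K` to the precondition, mirroring the `length $serialized_public_key == $PUBLIC_KEY_SIZE` clause this commit adds to `generate_keypair`, and for non-hax builds `debug_assert_eq!(serialized.len(), PUBLIC_KEY_SIZE);` if that const parameter is still in scope. The signature of `serialize_public_key_mut` begins above this hunk, so its full generics and requires are not visible here.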
@@ -155,8 +137,8 @@ pub(crate) fn serialize_vector( ) }); - out[i * BYTES_PER_RING_ELEMENT..(i + 1) * BYTES_PER_RING_ELEMENT] - .copy_from_slice(&serialize_uncompressed_ring_element(&re)); + + serialize_uncompressed_ring_element(&re, scratch, &mut out[i * BYTES_PER_RING_ELEMENT..(i + 1) * BYTES_PER_RING_ELEMENT]); hax_lib::fstar!(r#" let lemma_aux (j: nat{ j < v $i }) : Lemma @@ -248,27 +230,32 @@ pub(crate) fn serialize_vector( $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\ $ETA2 == Spec.MLKEM.v_ETA2 $K /\ v $domain_separator < 2 * v $K /\ + Seq.length ${error_1} == v $K /\ range (v $domain_separator + v $K) u8_inttype"#))] -#[hax_lib::ensures(|ds| +#[hax_lib::ensures(|ds| { + let error_1_future = future(error_1); fstar!(r#"v $ds == v $domain_separator + v $K /\ + Seq.length ${error_1_future} == v $K /\ (forall i. i < v $K ==> - Libcrux_ml_kem.Polynomial.is_bounded_poly 7 (Seq.index ${error_1} i))/\ - Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $error_1 == - Spec.MLKEM.sample_vector_cbd2 #$K (Seq.slice $prf_input 0 32) (sz (v $domain_separator))"#) + Libcrux_ml_kem.Polynomial.is_bounded_poly 7 (Seq.index ${error_1_future} i))/\ + Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${error_1_future} == + Spec.MLKEM.sample_vector_cbd2 #$K (Seq.slice $prf_input 0 32) (sz (v $domain_separator))"#)} )] fn sample_ring_element_cbd< const K: usize, const ETA2_RANDOMNESS_SIZE: usize, const ETA2: usize, + const PRF_OUTPUT_SIZE: usize, Vector: Operations, - Hasher: Hash, + Hasher: Hash, >( prf_input: &[u8; 33], mut domain_separator: u8, - error_1: &mut [PolynomialRingElement; K], + error_1: &mut [PolynomialRingElement], + sample_buffer: &mut [i16; 256], ) -> u8 { - let mut prf_inputs = [prf_input.clone(); K]; - + let mut prf_inputs = [*prf_input; K]; + // See https://github.com/hacspec/hax/issues/1167 #[cfg(hax)] let _domain_separator_init = domain_separator; 
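Review bot: The new `PRF_OUTPUT_SIZE` parameter of `sample_ring_element_cbd` has no stated relation to `K * ETA2_RANDOMNESS_SIZE`, yet the loop in the next hunk slices `prf_outputs[i * ETA2_RANDOMNESS_SIZE..(i + 1) * ETA2_RANDOMNESS_SIZE]` for every `i < K`: a buffer that is too small panics at runtime, and one that is too large leaves an unused tail that `Hasher::PRFxN` may or may not fill. Add `v $PRF_OUTPUT_SIZE == v $K * v $ETA2_RANDOMNESS_SIZE` next to the new `Seq.length ${error_1} == v $K` clause; the same gap exists for `PRF_OUTPUT_SIZE` vs `ETA_RANDOMNESS_SIZE` in `sample_vector_cbd_then_ntt` (following hunks) and for `PRF_OUTPUT_SIZE1`/`PRF_OUTPUT_SIZE2` in the `unpacked` instantiations and `multiplexing.rs`, whose new preconditions add only the `K_SQUARED` equation. A doc line on `sample_buffer` stating that it is scratch space for one ring element's CBD samples and holds secret coefficients after the call would also help callers that reuse it, as `encrypt_c1` does with `sampling_buffer`. The function's body continues in the next hunks.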
@@ -276,7 +263,12 @@ fn sample_ring_element_cbd< hax_lib::fstar!( "sample_ring_element_cbd_helper_1 $K $prf_inputs $prf_input $_domain_separator_init" ); - let prf_outputs: [[u8; ETA2_RANDOMNESS_SIZE]; K] = Hasher::PRFxN(&prf_inputs); + let mut prf_outputs = [0u8; PRF_OUTPUT_SIZE]; + Hasher::PRFxN( + prf_inputs.as_slice(), + &mut prf_outputs, + ETA2_RANDOMNESS_SIZE, + ); for i in 0..K { hax_lib::loop_invariant!(|i: usize| { fstar!( @@ -287,13 +279,14 @@ fn sample_ring_element_cbd< Spec.MLKEM.sample_poly_cbd $ETA2 ${prf_outputs}.[ sz j ])"# ) }); - error_1[i] = sample_from_binomial_distribution::(&prf_outputs[i]); + let randomness = &prf_outputs[i * ETA2_RANDOMNESS_SIZE..(i + 1) * ETA2_RANDOMNESS_SIZE]; + sample_from_binomial_distribution::(randomness, sample_buffer); + PolynomialRingElement::from_i16_array(sample_buffer, &mut error_1[i]); } hax_lib::fstar!( "sample_ring_element_cbd_helper_2 $K $ETA2 $ETA2_RANDOMNESS_SIZE #$:Vector error_1_ $prf_input $_domain_separator_init" ); - domain_separator } @@ -360,12 +353,14 @@ fn sample_ring_element_cbd< ) )] #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + Seq.length ${re_as_ntt} == v $K /\ $ETA_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\ $ETA == Spec.MLKEM.v_ETA1 $K /\ v $domain_separator < 2 * v $K /\ range (v $domain_separator + v $K) u8_inttype"#))] #[hax_lib::ensures(|ds| fstar!(r#"v $ds == v $domain_separator + v $K /\ + Seq.length ${re_as_ntt}_future == v $K /\ Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${re_as_ntt}_future == Spec.MLKEM.sample_vector_cbd_then_ntt #$K (Seq.slice $prf_input 0 32) (sz (v $domain_separator)) /\ (forall (i: nat). i < v $K ==> 
@@ -375,14 +370,16 @@ fn sample_vector_cbd_then_ntt< const K: usize, const ETA: usize, const ETA_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE: usize, Vector: Operations, - Hasher: Hash, + Hasher: Hash, >( - re_as_ntt: &mut [PolynomialRingElement; K], + re_as_ntt: &mut [PolynomialRingElement], prf_input: &[u8; 33], mut domain_separator: u8, + scratch: &mut Vector, ) -> u8 { - let mut prf_inputs = [prf_input.clone(); K]; + let mut prf_inputs = [*prf_input; K]; #[cfg(hax)] let _domain_separator_init = domain_separator; @@ -391,7 +388,8 @@ fn sample_vector_cbd_then_ntt< hax_lib::fstar!( "sample_vector_cbd_then_ntt_helper_1 $K $prf_inputs $prf_input $_domain_separator_init" ); - let prf_outputs: [[u8; ETA_RANDOMNESS_SIZE]; K] = Hasher::PRFxN(&prf_inputs); + let mut prf_outputs = [0u8; PRF_OUTPUT_SIZE]; + Hasher::PRFxN(&prf_inputs, &mut prf_outputs, ETA_RANDOMNESS_SIZE); for i in 0..K { hax_lib::loop_invariant!(|i: usize| { fstar!( @@ -401,8 +399,11 @@ fn sample_vector_cbd_then_ntt< Libcrux_ml_kem.Polynomial.is_bounded_poly #$:Vector 3328 re_as_ntt.[ sz j ]"# ) }); - re_as_ntt[i] = sample_from_binomial_distribution::(&prf_outputs[i]); - ntt_binomially_sampled_ring_element(&mut re_as_ntt[i]); + let randomness = &prf_outputs[i * ETA_RANDOMNESS_SIZE..(i + 1) * ETA_RANDOMNESS_SIZE]; + let mut sample_buffer = [0i16; 256]; + sample_from_binomial_distribution::(randomness, &mut sample_buffer); + PolynomialRingElement::from_i16_array(&sample_buffer, &mut re_as_ntt[i]); + ntt_binomially_sampled_ring_element(&mut re_as_ntt[i], scratch); } hax_lib::fstar!( "sample_vector_cbd_then_ntt_helper_2 
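Review bot: `let mut sample_buffer = [0i16; 256];` is declared inside the `for i in 0..K` loop of `sample_vector_cbd_then_ntt`, so every iteration zero-initialises a fresh 512-byte stack array, whereas the sibling `sample_ring_element_cbd` in this commit receives `sample_buffer: &mut [i16; 256]` from its caller. Either hoist the declaration above the loop or add the same `sample_buffer: &mut [i16; 256]` parameter here, so a caller such as `encrypt_c1`, which already owns `sampling_buffer`, can share one buffer across both calls. The function's signature is in the first hunk on this line and its body continues past the last one.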
@@ -453,6 +454,7 @@ fn sample_vector_cbd_then_ntt< #[hax_lib::fstar::before(r#"[@ "opaque_to_smt"]"#)] #[hax_lib::fstar::options("--z3rlimit 500 --ext context_pruning")] #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED = v $K * v $K /\ $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\ $ETA1 == Spec.MLKEM.v_ETA1 $K /\ length $key_generation_seed == Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE"#))] @@ -472,18 +474,22 @@ fn sample_vector_cbd_then_ntt< #[inline(always)] pub(crate) fn generate_keypair_unpacked< const K: usize, + const K_SQUARED: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, Vector: Operations, - Hasher: Hash, + Hasher: Hash, Scheme: Variant, >( key_generation_seed: &[u8], private_key: &mut IndCpaPrivateKeyUnpacked, - public_key: &mut IndCpaPublicKeyUnpacked, + public_key: &mut IndCpaPublicKeyUnpacked, + scratch: &mut PolynomialRingElement, ) { // (ρ,σ) := G(d) for Kyber, (ρ,σ) := G(d || K) for ML-KEM - let hashed = Scheme::cpa_keygen_seed::(key_generation_seed); + let mut hashed = [0u8; 64]; + Scheme::cpa_keygen_seed::(key_generation_seed, &mut hashed); let (seed_for_A, seed_for_secret_and_error) = hashed.split_at(32); hax_lib::fstar!( 
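Review bot: The precondition line added here, `v $K_SQUARED = v $K * v $K`, uses F*'s boolean `=` while every other occurrence this commit introduces (the `unpacked` instantiations and `multiplexing.rs`) spells it `v $K_SQUARED == v $K * v $K`. Both are presumably accepted inside `requires`, but the mixed spelling defeats grepping for the invariant; use `v $K_SQUARED == v $K * v $K` here and in the `encrypt_unpacked` requires hunk (`@@ -709,6 +756,7 @@`), which has the same `=`.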
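Review bot: `let mut hashed = [0u8; 64];` followed by `hashed.split_at(32)` hard-codes the G output layout that `Scheme::cpa_keygen_seed` previously expressed through its return type; the two literals now have to agree with whatever size `cpa_keygen_seed` writes, which is not visible here. A named constant for the 64-byte output (reusing one from the hasher if it exists) and a comment such as `// G yields (ρ, σ): 32 bytes of public seed for A followed by 32 bytes of secret seed.` would make the split self-explanatory and keep the sizes in one place.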
@@ -498,18 +504,32 @@ pub(crate) fn generate_keypair_unpacked< ); let prf_input: [u8; 33] = into_padded_array(seed_for_secret_and_error); hax_lib::fstar!("eq_intro $seed_for_secret_and_error (Seq.slice $prf_input 0 32)"); - let domain_separator = - sample_vector_cbd_then_ntt::( - &mut private_key.secret_as_ntt, - &prf_input, - 0, - ); - - let mut error_as_ntt = from_fn(|_i| PolynomialRingElement::::ZERO()); - let _ = sample_vector_cbd_then_ntt::( + let domain_separator = sample_vector_cbd_then_ntt::< + K, + ETA1, + ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + Vector, + Hasher, + >( + &mut private_key.secret_as_ntt, + &prf_input, + 0, + &mut scratch.coefficients[0], + ); + let mut error_as_ntt = from_fn(|_| PolynomialRingElement::::ZERO()); + let _ = sample_vector_cbd_then_ntt::< + K, + ETA1, + ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + Vector, + Hasher, + >( &mut error_as_ntt, &prf_input, domain_separator, + &mut scratch.coefficients[0], ); // tˆ := Aˆ ◦ sˆ + eˆ @@ -518,6 +538,7 @@ pub(crate) fn generate_keypair_unpacked< &public_key.A, &private_key.secret_as_ntt, &error_as_ntt, + scratch, ); public_key.seed_for_A = seed_for_A.try_into().unwrap(); 
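Review bot: `&mut scratch.coefficients[0]` is passed as the `Vector`-sized scratch to both `sample_vector_cbd_then_ntt` calls while the whole `scratch` polynomial goes to the `Aˆ ◦ sˆ + eˆ` computation, and nothing says that index 0 is arbitrary rather than meaningful. A one-line comment at the first use, `// Reuse the first vector of the polynomial-sized scratch as the single-`Vector` scratch space.`, would stop a reader from assuming coefficient vector 0 is special. The same idiom recurs in `generate_keypair`, `encrypt_c1` and the `compress_then_serialize_u` call in later hunks; one explanation where the scratch convention is defined would cover them all.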
@@ -548,58 +569,83 @@ pub(crate) fn generate_keypair_unpacked< $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\ $ETA1 == Spec.MLKEM.v_ETA1 $K /\ $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\ - length $key_generation_seed == Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE"#))] -#[hax_lib::ensures(|result| fstar!(r#"let (expected, valid) = Spec.MLKEM.ind_cpa_generate_keypair $K $key_generation_seed in - valid ==> $result == expected"#))] + length $key_generation_seed == Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE /\ + length $serialized_ind_cpa_private_key == $PRIVATE_KEY_SIZE /\ + length $serialized_public_key == $PUBLIC_KEY_SIZE"#))] +// XXX: Spec changes required below? +// #[hax_lib::ensures(|_| fstar!(r#"(let (expected, valid) = Spec.MLKEM.ind_cpa_generate_keypair $K $key_generation_seed in +// valid ==> $result == expected)"#))] #[inline(always)] pub(crate) fn generate_keypair< const K: usize, + const K_SQUARED: usize, const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, Vector: Operations, - Hasher: Hash, + Hasher: Hash, Scheme: Variant, >( key_generation_seed: &[u8], -) -> ([u8; PRIVATE_KEY_SIZE], [u8; PUBLIC_KEY_SIZE]) { + serialized_ind_cpa_private_key: &mut [u8], + serialized_public_key: &mut [u8], + scratch: &mut PolynomialRingElement, +) { + // XXX: Can Eurydice handle these when passind in as &mut from outside? 
let mut private_key = IndCpaPrivateKeyUnpacked::default(); let mut public_key = IndCpaPublicKeyUnpacked::default(); - generate_keypair_unpacked::( + generate_keypair_unpacked::< + K, + K_SQUARED, + ETA1, + ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + Vector, + Hasher, + Scheme, + >( key_generation_seed, &mut private_key, &mut public_key, + scratch, ); - serialize_unpacked_secret_key::( + serialize_unpacked_secret_key::( &public_key, &private_key, + serialized_ind_cpa_private_key, + serialized_public_key, + &mut scratch.coefficients[0], ) } /// Serialize the secret key from the unpacked key pair generation. pub(crate) fn serialize_unpacked_secret_key< const K: usize, + const K_SQUARED: usize, const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, Vector: Operations, >( - public_key: &IndCpaPublicKeyUnpacked, + public_key: &IndCpaPublicKeyUnpacked, private_key: &IndCpaPrivateKeyUnpacked, -) -> ([u8; PRIVATE_KEY_SIZE], [u8; PUBLIC_KEY_SIZE]) { + serialized_private_key: &mut [u8], + serialized_public_key: &mut [u8], + scratch: &mut Vector, +) { // pk := (Encode_12(tˆ mod^{+}q) || ρ) - let public_key_serialized = serialize_public_key::( + serialize_public_key_mut::( &public_key.t_as_ntt, &public_key.seed_for_A, + serialized_public_key, + scratch, ); // sk := Encode_12(sˆ mod^{+}q) - let mut secret_key_serialized = [0u8; PRIVATE_KEY_SIZE]; - serialize_vector(&private_key.secret_as_ntt, &mut secret_key_serialized); - - (secret_key_serialized, public_key_serialized) + serialize_vector(&private_key.secret_as_ntt, serialized_private_key, scratch); } /// Call [`compress_then_serialize_ring_element_u`] on each ring element. @@ -625,6 +671,7 @@ fn compress_then_serialize_u< >( input: [PolynomialRingElement; K], out: &mut [u8], + scratch: &mut Vector, ) { hax_lib::fstar!( "assert (v (sz 32 *! $COMPRESSION_FACTOR) == 32 * v $COMPRESSION_FACTOR); 
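Review bot: The `ensures` clause that tied `generate_keypair` to `Spec.MLKEM.ind_cpa_generate_keypair` is now commented out behind `// XXX: Spec changes required below?`, so hax no longer checks that the serialised key pair equals the spec's output; the dropped text also still refers to `$result`, which no longer exists because the function returns `()`. Since `expected` was compared against the old `(private, public)` tuple, the clause can presumably be re-stated over the out-parameters in the `_future` form this commit already uses for `encrypt_unpacked`: `valid ==> (${serialized_ind_cpa_private_key}_future, ${serialized_public_key}_future) == expected`. If the spec really has to change first, the XXX should name the change and link a tracking issue so the lost postcondition is not forgotten. The `generate_keypair` hunk begins on the previous line.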
@@ -645,9 +692,9 @@ fn compress_then_serialize_u< ((Seq.slice out (j * (v $OUT_LEN / v $K)) (((j + 1)) * (v $OUT_LEN / v $K)) == Spec.MLKEM.compress_then_byte_encode (v $COMPRESSION_FACTOR) (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector (Seq.index $input j)))))"#); - out[i * (OUT_LEN / K)..(i + 1) * (OUT_LEN / K)].copy_from_slice( - &compress_then_serialize_ring_element_u::(&re), - ); + + compress_then_serialize_ring_element_u::(&re, &mut out[i * (OUT_LEN / K)..(i + 1) * (OUT_LEN / K)],scratch); + hax_lib::fstar!(r#"let lemma_aux (j: nat{ j < v $i }) : Lemma (Seq.slice out (j * (v $OUT_LEN / v $K)) (((j + 1)) * (v $OUT_LEN / v $K)) == Spec.MLKEM.compress_then_byte_encode (v $COMPRESSION_FACTOR) @@ -709,6 +756,7 @@ fn compress_then_serialize_u< #[allow(non_snake_case)] #[hax_lib::fstar::options("--z3rlimit 800 --ext context_pruning")] #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED = v $K * v $K /\ $ETA1 == Spec.MLKEM.v_ETA1 $K /\ $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\ $ETA2 == Spec.MLKEM.v_ETA2 $K /\ 
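Review bot: The rewritten call `compress_then_serialize_u::(&re, &mut out[i * (OUT_LEN / K)..(i + 1) * (OUT_LEN / K)],scratch);` is missing the space after the comma and is well past the default rustfmt width, and the analogous `serialize_uncompressed_ring_element(&re, scratch, &mut out[...])` line in the `serialize_vector` hunk above has the same over-long form; neither looks like it went through `cargo fmt`. Wrapping the arguments one per line, as the commit does for its `sample_vector_cbd_then_ntt::<...>(` calls, would keep the formatting consistent and make the slice bounds readable.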
@@ -719,15 +767,19 @@ fn compress_then_serialize_u< $V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\ $BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\ $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\ - length $randomness == Spec.MLKEM.v_SHARED_SECRET_SIZE"#))] -#[hax_lib::ensures(|result| - fstar!(r#"$result == Spec.MLKEM.ind_cpa_encrypt_unpacked $K $message $randomness + length $randomness == Spec.MLKEM.v_SHARED_SECRET_SIZE /\ + length $ciphertext == $CIPHERTEXT_SIZE /\ + length $r_as_ntt == $K"#))] +#[hax_lib::ensures(|_| + fstar!(r#"${ciphertext}_future == Spec.MLKEM.ind_cpa_encrypt_unpacked $K $message $randomness (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${public_key.t_as_ntt}) - (Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector ${public_key.A})"#) + (Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector ${public_key.A}) /\ + length ${ciphertext}_future == length $ciphertext"#) )] #[inline(always)] pub(crate) fn encrypt_unpacked< const K: usize, + const K_SQUARED: usize, const CIPHERTEXT_SIZE: usize, const T_AS_NTT_ENCODED_SIZE: usize, const C1_LEN: usize, @@ -739,17 +791,22 @@ pub(crate) fn encrypt_unpacked< const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, Vector: Operations, - Hasher: Hash, + Hasher: Hash, >( - public_key: &IndCpaPublicKeyUnpacked, + public_key: &IndCpaPublicKeyUnpacked, message: &[u8; SHARED_SECRET_SIZE], randomness: &[u8], -) -> [u8; CIPHERTEXT_SIZE] { - let mut ciphertext = [0u8; CIPHERTEXT_SIZE]; - - let (r_as_ntt, error_2) = encrypt_c1::< + ciphertext: &mut [u8], + r_as_ntt: &mut [PolynomialRingElement], + error_2: &mut PolynomialRingElement, + scratch: &mut PolynomialRingElement, +) { + encrypt_c1::< K, + K_SQUARED, C1_LEN, U_COMPRESSION_FACTOR, BLOCK_LEN, 
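Review bot: `r_as_ntt`, `error_2` and `scratch` are new caller-provided parameters of `encrypt_unpacked` with no documentation, and the precondition only pins `length $r_as_ntt == $K`. From the following hunks, `encrypt_c1` fills `r_as_ntt` via `sample_vector_cbd_then_ntt` and `error_2` via `from_i16_array`, so on return both hold the ephemeral secrets r̂ and e₂ that were previously internal locals; the signature should say that their contents on entry are ignored (as far as the visible code shows), that they are secret afterwards, and that callers should not retain them past the encryption. A doc comment such as `/// `r_as_ntt` and `error_2` are caller-supplied storage for the ephemeral secrets r̂ and e₂; they are overwritten here and hold secret values on return.` plus a sentence on why they are surfaced (presumably so the caller can allocate them once) would cover it, and `scratch` deserves the same treatment.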
@@ -757,24 +814,33 @@ pub(crate) fn encrypt_unpacked< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, Vector, Hasher, - >(randomness, &public_key.A, &mut ciphertext[0..C1_LEN]); + >( + randomness, + &public_key.A, + &mut ciphertext[0..C1_LEN], + r_as_ntt, + error_2, + scratch, + ); encrypt_c2::( &public_key.t_as_ntt, - &r_as_ntt, - &error_2, + r_as_ntt, + error_2, message, &mut ciphertext[C1_LEN..], + scratch, ); - - ciphertext } #[inline(always)] pub(crate) fn encrypt_c1< const K: usize, + const K_SQUARED: usize, const C1_LEN: usize, const U_COMPRESSION_FACTOR: usize, const BLOCK_LEN: usize, @@ -782,15 +848,17 @@ pub(crate) fn encrypt_c1< const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, Vector: Operations, - Hasher: Hash, + Hasher: Hash, >( randomness: &[u8], - matrix: &[[PolynomialRingElement; K]; K], + matrix: &[PolynomialRingElement; K_SQUARED], ciphertext: &mut [u8], // C1_LEN -) -> ( - [PolynomialRingElement; K], - PolynomialRingElement, + r_as_ntt: &mut [PolynomialRingElement], + error_2: &mut PolynomialRingElement, + scratch: &mut PolynomialRingElement, ) { // for i from 0 to k−1 do // r[i] := CBD{η1}(PRF(r, N)) @@ -798,14 +866,14 @@ pub(crate) fn encrypt_c1< // end for // rˆ := NTT(r) let mut prf_input: [u8; 33] = into_padded_array(randomness); - - let mut r_as_ntt = from_fn(|_i| PolynomialRingElement::::ZERO()); - let domain_separator = - sample_vector_cbd_then_ntt::( - &mut r_as_ntt, - &prf_input, - 0, - ); + let domain_separator = sample_vector_cbd_then_ntt::< + K, + ETA1, + ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + Vector, + Hasher, + >(r_as_ntt, &prf_input, 0, &mut scratch.coefficients[0]); hax_lib::fstar!( "eq_intro $randomness (Seq.slice $prf_input 0 32); assert (v $domain_separator == v $K)" 
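Review bot: `K_SQUARED` is a free const parameter and only the F* precondition `v $K_SQUARED = v $K * v $K` ties it to `K`; nothing in the Rust code rejects an instantiation with a mismatching value, which would only surface later as an index panic inside `entry`. A `debug_assert_eq!(K_SQUARED, K * K);` at the start of `encrypt_c1` — and likewise in `encrypt_unpacked`, `encrypt` and `build_unpacked_public_key_mut`, which introduce the same pair — states the relation where the parameters are declared. The `// C1_LEN` trailing comment on `ciphertext: &mut [u8]` is the only statement of that buffer's expected length; `debug_assert_eq!(ciphertext.len(), C1_LEN);` next to it would turn the comment into a check. `encrypt_c1`'s body continues in the next hunk.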
@@ -815,12 +883,16 @@ pub(crate) fn encrypt_c1< // e1[i] := CBD_{η2}(PRF(r,N)) // N := N + 1 // end for - let mut error_1 = from_fn(|_i| PolynomialRingElement::::ZERO()); - let domain_separator = sample_ring_element_cbd::( - &prf_input, - domain_separator, - &mut error_1, - ); + let mut error_1: [PolynomialRingElement; K] = + from_fn(|_i| PolynomialRingElement::::ZERO()); + let mut sampling_buffer = [0i16; 256]; + let domain_separator = + sample_ring_element_cbd::( + &prf_input, + domain_separator, + &mut error_1, + &mut sampling_buffer, + ); // e_2 := CBD{η2}(PRF(r, N)) prf_input[32] = domain_separator; @@ -828,16 +900,21 @@ pub(crate) fn encrypt_c1< "assert (Seq.equal $prf_input (Seq.append $randomness (Seq.create 1 $domain_separator))); assert ($prf_input == Seq.append $randomness (Seq.create 1 $domain_separator))" ); - let prf_output: [u8; ETA2_RANDOMNESS_SIZE] = Hasher::PRF(&prf_input); - let error_2 = sample_from_binomial_distribution::(&prf_output); + let mut prf_output = [0u8; ETA2_RANDOMNESS_SIZE]; + Hasher::PRF::(&prf_input, &mut prf_output); + sample_from_binomial_distribution::(&prf_output, &mut sampling_buffer); + PolynomialRingElement::from_i16_array(&sampling_buffer, error_2); // u := NTT^{-1}(AˆT ◦ rˆ) + e_1 - let u = compute_vector_u(matrix, &r_as_ntt, &error_1); + let mut u = from_fn(|_i| PolynomialRingElement::::ZERO()); + compute_vector_u::(matrix, r_as_ntt, &error_1, &mut u, scratch); // c_1 := Encode_{du}(Compress_q(u,d_u)) - compress_then_serialize_u::(u, ciphertext); - - (r_as_ntt, error_2) + compress_then_serialize_u::( + u, + ciphertext, + &mut scratch.coefficients[0], + ); } #[inline(always)] 
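Review bot: `let mut sampling_buffer = [0i16; 256];` hard-codes the ring-element size that this file elsewhere spells `COEFFICIENTS_IN_RING_ELEMENT`; write `let mut sampling_buffer = [0i16; COEFFICIENTS_IN_RING_ELEMENT];` so the buffer cannot drift from the length `sample_from_binomial_distribution` and `from_i16_array` expect. The buffer is reused for the `error_1` samples and then for `error_2`, which is only safe if each sampler overwrites every entry — the samplers are not visible here, so a one-line comment stating that assumption at the reuse site would help the next reader. `u` remains a fresh `[PolynomialRingElement; K]` on the stack even though the commit otherwise moves large temporaries into caller-provided buffers; if stack usage motivated that change, `u` is the remaining K-element local in this function.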
@@ -848,19 +925,31 @@ pub(crate) fn encrypt_c2< Vector: Operations, >( t_as_ntt: &[PolynomialRingElement; K], - r_as_ntt: &[PolynomialRingElement; K], + r_as_ntt: &[PolynomialRingElement], error_2: &PolynomialRingElement, message: &[u8; SHARED_SECRET_SIZE], ciphertext: &mut [u8], + scratch: &mut PolynomialRingElement, ) { // v := NTT^{−1}(tˆT ◦ rˆ) + e_2 + Decompress_q(Decode_1(m),1) - let message_as_ring_element = deserialize_then_decompress_message(message); - let v = compute_ring_element_v(t_as_ntt, r_as_ntt, error_2, &message_as_ring_element); + let mut message_as_ring_element = PolynomialRingElement::::ZERO(); + deserialize_then_decompress_message(message, &mut message_as_ring_element); + let mut v = PolynomialRingElement::ZERO(); + compute_ring_element_v( + t_as_ntt, + r_as_ntt, + error_2, + &message_as_ring_element, + &mut v, + scratch, + ); hax_lib::fstar!("assert ($C2_LEN = Spec.MLKEM.v_C2_SIZE v_K)"); // c_2 := Encode_{dv}(Compress_q(v,d_v)) compress_then_serialize_ring_element_v::( - v, ciphertext, + v, + ciphertext, + &mut scratch.coefficients[0], ); } @@ -879,14 +968,17 @@ pub(crate) fn encrypt_c2< $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\ $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\ $C1_LEN == Spec.MLKEM.v_C1_SIZE $K /\ - $C2_LEN == Spec.MLKEM.v_C2_SIZE $K"#))] -#[hax_lib::ensures(|result| + $C2_LEN == Spec.MLKEM.v_C2_SIZE $K /\ + length $ciphertext == $CIPHERTEXT_SIZE /\ + length $r_as_ntt == $K"#))] +#[hax_lib::ensures(|_| fstar!(r#"let (expected, valid) = Spec.MLKEM.ind_cpa_encrypt $K $public_key $message $randomness in - valid ==> $result == expected"#) + valid ==> ${ciphertext}_future == expected /\ length ${ciphertext}_future == length $ciphertext"#) )] #[inline(always)] pub(crate) fn encrypt< const K: usize, + const K_SQUARED: usize, const CIPHERTEXT_SIZE: usize, const T_AS_NTT_ENCODED_SIZE: usize, const C1_LEN: usize, 
@@ -898,20 +990,31 @@ pub(crate) fn encrypt< const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, Vector: Operations, - Hasher: Hash, + Hasher: Hash, >( public_key: &[u8], message: &[u8; SHARED_SECRET_SIZE], randomness: &[u8], -) -> [u8; CIPHERTEXT_SIZE] { + ciphertext: &mut [u8], + r_as_ntt: &mut [PolynomialRingElement], + error_2: &mut PolynomialRingElement, + scratch: &mut PolynomialRingElement, +) { hax_lib::fstar!(r#"reveal_opaque (`%Spec.MLKEM.ind_cpa_encrypt) Spec.MLKEM.ind_cpa_encrypt"#); - let unpacked_public_key = - build_unpacked_public_key::(public_key); + // XXX: Can we pass this in? + let mut unpacked_public_key = IndCpaPublicKeyUnpacked::::default(); + build_unpacked_public_key_mut::( + public_key, + &mut unpacked_public_key, + ); // After unpacking the public key we can now call the unpacked decryption. encrypt_unpacked::< K, + K_SQUARED, CIPHERTEXT_SIZE, T_AS_NTT_ENCODED_SIZE, C1_LEN, 
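Review bot: The context comment `// After unpacking the public key we can now call the unpacked decryption.` sits directly above the `encrypt_unpacked` call, so "decryption" is wrong; the line predates the commit, but the hunk rewrites the code around it, so fix it here: `// After unpacking the public key we can now call the unpacked encryption.`. The new `// XXX: Can we pass this in?` leaves an open design question in code next to a stack allocation of a full `IndCpaPublicKeyUnpacked` (its `A` matrix alone is `K_SQUARED` ring elements); either answer it — the callers in this commit already thread `scratch` buffers through — or make it a tracked TODO. `encrypt`'s body continues in the next hunk.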
@@ -923,39 +1026,24 @@ pub(crate) fn encrypt< ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, Vector, Hasher, - >(&unpacked_public_key, message, randomness) -} - -#[inline(always)] -#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ - $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\ - length $public_key == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K"#))] -#[hax_lib::ensures(|result| fstar!(r#" - let (t_as_ntt_bytes, seed_for_A) = split public_key $T_AS_NTT_ENCODED_SIZE in - let t_as_ntt = Spec.MLKEM.vector_decode_12 #$K t_as_ntt_bytes in - let matrix_A_as_ntt, valid = Spec.MLKEM.sample_matrix_A_ntt #$K seed_for_A in - (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${result.t_as_ntt} == t_as_ntt /\ - valid ==> Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector ${result.A} == Spec.MLKEM.matrix_transpose matrix_A_as_ntt)"#))] -fn build_unpacked_public_key< - const K: usize, - const T_AS_NTT_ENCODED_SIZE: usize, - Vector: Operations, - Hasher: Hash, ->( - public_key: &[u8], -) -> IndCpaPublicKeyUnpacked { - let mut unpacked_public_key = IndCpaPublicKeyUnpacked::::default(); - build_unpacked_public_key_mut::( - public_key, - &mut unpacked_public_key, - ); - unpacked_public_key + >( + &unpacked_public_key, + message, + randomness, + ciphertext, + r_as_ntt, + error_2, + scratch, + ) } #[inline(always)] #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v $K_SQUARED = v $K * v $K /\ $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\ length $public_key == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K"#))] #[hax_lib::ensures(|_| { 
@@ -968,12 +1056,13 @@ fn build_unpacked_public_key< valid ==> Libcrux_ml_kem.Polynomial.to_spec_matrix_t #$K #$:Vector ${unpacked_public_key_future.A} == Spec.MLKEM.matrix_transpose matrix_A_as_ntt)"#)}})] pub(crate) fn build_unpacked_public_key_mut< const K: usize, + const K_SQUARED: usize, const T_AS_NTT_ENCODED_SIZE: usize, Vector: Operations, - Hasher: Hash, + Hasher: Hash, >( public_key: &[u8], - unpacked_public_key: &mut IndCpaPublicKeyUnpacked, + unpacked_public_key: &mut IndCpaPublicKeyUnpacked, ) { // tˆ := Decode_12(pk) deserialize_ring_elements_reduced::( @@ -1005,9 +1094,11 @@ pub(crate) fn build_unpacked_public_key_mut< #[hax_lib::fstar::options("--z3rlimit 800 --ext context_pruning")] #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\ - $U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K"#))] -#[hax_lib::ensures(|res| - fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $res == + $U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\ + length $u_as_ntt == $K"#))] +#[hax_lib::ensures(|_| + fstar!(r#"Seq.length ${u_as_ntt}_future == v $K /\ + Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${u_as_ntt}_future == Spec.MLKEM.(vector_ntt (decode_then_decompress_u #$K (Seq.slice $ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE $K)))))"#) )] fn deserialize_then_decompress_u< @@ -1017,12 +1108,13 @@ fn deserialize_then_decompress_u< Vector: Operations, >( ciphertext: &[u8; CIPHERTEXT_SIZE], -) -> [PolynomialRingElement; K] { + u_as_ntt: &mut [PolynomialRingElement], + scratch: &mut Vector, +) { hax_lib::fstar!( "assert (v (($COEFFICIENTS_IN_RING_ELEMENT *! $U_COMPRESSION_FACTOR ) /! sz 8) == v (Spec.MLKEM.v_C1_BLOCK_SIZE $K))" ); - let mut u_as_ntt = from_fn(|_| PolynomialRingElement::::ZERO()); cloop! { for (i, u_bytes) in ciphertext .chunks_exact((COEFFICIENTS_IN_RING_ELEMENT * U_COMPRESSION_FACTOR) / 8) 
@@ -1034,8 +1126,8 @@ fn deserialize_then_decompress_u< Spec.MLKEM.poly_ntt (Spec.MLKEM.byte_decode_then_decompress (v $U_COMPRESSION_FACTOR) (Seq.slice $ciphertext (j * v (Spec.MLKEM.v_C1_BLOCK_SIZE $K)) (j * v (Spec.MLKEM.v_C1_BLOCK_SIZE $K) + v (Spec.MLKEM.v_C1_BLOCK_SIZE $K))))"#) }); - u_as_ntt[i] = deserialize_then_decompress_ring_element_u::(u_bytes); - ntt_vector_u::(&mut u_as_ntt[i]); + deserialize_then_decompress_ring_element_u::(u_bytes, &mut u_as_ntt[i]); + ntt_vector_u::(&mut u_as_ntt[i], scratch); } } hax_lib::fstar!( @@ -1044,22 +1136,23 @@ fn deserialize_then_decompress_u< (Spec.MLKEM.(vector_ntt (decode_then_decompress_u #$K (Seq.slice $ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE $K))))))" ); - u_as_ntt } /// Call [`deserialize_to_uncompressed_ring_element`] for each ring element. #[inline(always)] #[hax_lib::fstar::options("--z3rlimit 800 --ext context_pruning")] #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + Seq.length $secret_as_ntt == v $K /\ length $secret_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\ v (${secret_key.len()}) / v $BYTES_PER_RING_ELEMENT <= v $K"#))] #[hax_lib::ensures(|()| - fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $secret_as_ntt == + fstar!(r#"Seq.length ${secret_as_ntt}_future == v $K /\ + Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $secret_as_ntt == Spec.MLKEM.vector_decode_12 #$K $secret_key"#) )] pub(crate) fn deserialize_vector( secret_key: &[u8], - secret_as_ntt: &mut [PolynomialRingElement; K], + secret_as_ntt: &mut [PolynomialRingElement], ) { hax_lib::fstar!(r#"assert_norm (Spec.MLKEM.polynomial_d 12 == Spec.MLKEM.polynomial)"#); 
@@ -1075,8 +1168,9 @@ pub(crate) fn deserialize_vector( (j * v $BYTES_PER_RING_ELEMENT + v $BYTES_PER_RING_ELEMENT))"# ) }); - secret_as_ntt[i] = deserialize_to_uncompressed_ring_element( + deserialize_to_uncompressed_ring_element( &secret_key[i * BYTES_PER_RING_ELEMENT..(i + 1) * BYTES_PER_RING_ELEMENT], + &mut secret_as_ntt[i], ); } hax_lib::fstar!( @@ -1113,10 +1207,11 @@ pub(crate) fn deserialize_vector( $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\ $U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\ $V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\ - $VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE $K"#))] -#[hax_lib::ensures(|result| - fstar!(r#"$result == Spec.MLKEM.ind_cpa_decrypt_unpacked $K $ciphertext - (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${secret_key}.f_secret_as_ntt)"#) + $VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE $K /\ + length $decrypted == ${crate::constants::SHARED_SECRET_SIZE}"#))] +#[hax_lib::ensures(|_| + fstar!(r#"${decrypted}_future == Spec.MLKEM.ind_cpa_decrypt_unpacked $K $ciphertext + (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${secret_key}.f_secret_as_ntt) /\ length ${decrypted}_future == length $decrypted"#) )] #[inline(always)] pub(crate) fn decrypt_unpacked< 
@@ -1129,20 +1224,34 @@ pub(crate) fn decrypt_unpacked< >( secret_key: &IndCpaPrivateKeyUnpacked, ciphertext: &[u8; CIPHERTEXT_SIZE], -) -> [u8; SHARED_SECRET_SIZE] { + decrypted: &mut [u8], + scratch: &mut PolynomialRingElement, +) { // u := Decompress_q(Decode_{d_u}(c), d_u) - let u_as_ntt = deserialize_then_decompress_u::( + let mut u_as_ntt = from_fn(|_| PolynomialRingElement::::ZERO()); + deserialize_then_decompress_u::( ciphertext, + &mut u_as_ntt, + &mut scratch.coefficients[0], ); // v := Decompress_q(Decode_{d_v}(c + d_u·k·n / 8), d_v) - let v = deserialize_then_decompress_ring_element_v::( + let mut v = PolynomialRingElement::::ZERO(); + deserialize_then_decompress_ring_element_v::( &ciphertext[VECTOR_U_ENCODED_SIZE..], + &mut v, ); // m := Encode_1(Compress_q(v − NTT^{−1}(sˆT ◦ NTT(u)) , 1)) - let message = compute_message(&v, &secret_key.secret_as_ntt, &u_as_ntt); - compress_then_serialize_message(message) + let mut message = PolynomialRingElement::::ZERO(); + compute_message( + &v, + &secret_key.secret_as_ntt, + &u_as_ntt, + &mut message, + scratch, + ); + compress_then_serialize_message(&message, decrypted, &mut scratch.coefficients[0]); } #[allow(non_snake_case)] @@ -1151,9 +1260,10 @@ pub(crate) fn decrypt_unpacked< $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\ $VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE $K /\ $U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\ - $V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K"#))] -#[hax_lib::ensures(|result| - fstar!(r#"$result == Spec.MLKEM.ind_cpa_decrypt $K $secret_key $ciphertext"#) + $V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\ + length $decrypted == ${crate::constants::SHARED_SECRET_SIZE}"#))] +#[hax_lib::ensures(|_| + fstar!(r#"${decrypted}_future == Spec.MLKEM.ind_cpa_decrypt $K $secret_key $ciphertext /\ length ${decrypted}_future == length $decrypted"#) )] #[inline(always)] pub(crate) fn decrypt< 
@@ -1166,7 +1276,9 @@ pub(crate) fn decrypt< >( secret_key: &[u8], ciphertext: &[u8; CIPHERTEXT_SIZE], -) -> [u8; SHARED_SECRET_SIZE] { + decrypted: &mut [u8], + scratch: &mut PolynomialRingElement, +) { hax_lib::fstar!(r#"reveal_opaque (`%Spec.MLKEM.ind_cpa_decrypt) Spec.MLKEM.ind_cpa_decrypt"#); // sˆ := Decode_12(sk) let mut secret_key_unpacked = IndCpaPrivateKeyUnpacked { @@ -1181,5 +1293,5 @@ pub(crate) fn decrypt< U_COMPRESSION_FACTOR, V_COMPRESSION_FACTOR, Vector, - >(&secret_key_unpacked, ciphertext) + >(&secret_key_unpacked, ciphertext, decrypted, scratch); } diff --git a/libcrux-ml-kem/src/invert_ntt.rs b/libcrux-ml-kem/src/invert_ntt.rs index f29672171..b5c676021 100644 --- a/libcrux-ml-kem/src/invert_ntt.rs +++ b/libcrux-ml-kem/src/invert_ntt.rs @@ -1,7 +1,7 @@ use crate::{ hax_utils::hax_debug_assert, - polynomial::{zeta, PolynomialRingElement}, - vector::{Operations, FIELD_ELEMENTS_IN_VECTOR}, + polynomial::{zeta, PolynomialRingElement, VECTORS_IN_RING_ELEMENT}, + vector::{traits::montgomery_multiply_fe, Operations, FIELD_ELEMENTS_IN_VECTOR}, }; #[inline(always)] @@ -13,7 +13,7 @@ use crate::{ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))" + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ sz i ]))" )] #[hax_lib::fstar::before( interface, @@ -22,7 +22,7 @@ use crate::{ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))" + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ sz i ]))" )] #[hax_lib::requires(fstar!(r#"v ${*zeta_i} == 128 /\ invert_ntt_re_range_1 $re"#))] 
@@ -43,19 +43,19 @@ pub(crate) fn invert_ntt_at_layer_1( r#"v zeta_i == v $_zeta_i_init - v $round * 4 /\ (v round < 16 ==> (forall (i:nat). (i >= v round /\ i < 16) ==> Spec.Utils.is_i16b_array_opaque (4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\ + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ sz i ])))) /\ (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))"# + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ sz i ])))"# ) }); *zeta_i -= 1; hax_lib::fstar!( r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) (Spec.Utils.is_i16b_array_opaque (4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"# + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ round ])))"# ); - re.coefficients[round] = Vector::inv_ntt_layer_1_step( - re.coefficients[round], + Vector::inv_ntt_layer_1_step( + &mut re.coefficients[round], zeta(*zeta_i), zeta(*zeta_i - 1), zeta(*zeta_i - 2), @@ -65,11 +65,11 @@ pub(crate) fn invert_ntt_at_layer_1( hax_lib::fstar!( r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"# + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ round ])))"# ); hax_lib::fstar!( "assert (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))" + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ $round ])))" ); } } 
@@ -94,28 +94,32 @@ pub(crate) fn invert_ntt_at_layer_2( r#"v zeta_i == v $_zeta_i_init - v $round * 2 /\ (v round < 16 ==> (forall (i:nat). (i >= v round /\ i < 16) ==> Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\ + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ sz i ])))) /\ (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))"# + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ sz i ])))"# ) }); *zeta_i -= 1; hax_lib::fstar!( r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"# + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ round ])))"# + ); + + Vector::inv_ntt_layer_2_step( + &mut re.coefficients[round], + zeta(*zeta_i), + zeta(*zeta_i - 1), ); - re.coefficients[round] = - Vector::inv_ntt_layer_2_step(re.coefficients[round], zeta(*zeta_i), zeta(*zeta_i - 1)); *zeta_i -= 1; hax_lib::fstar!( r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"# + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ round ])))"# ); hax_lib::fstar!( "assert (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))" + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ $round ])))" ); } } 
@@ -140,52 +144,62 @@ pub(crate) fn invert_ntt_at_layer_3( r#"v zeta_i == v $_zeta_i_init - v $round /\ (v round < 16 ==> (forall (i:nat). (i >= v round /\ i < 16) ==> Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\ + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ sz i ])))) /\ (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))"# + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ sz i ])))"# ) }); *zeta_i -= 1; hax_lib::fstar!( r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"# + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ round ])))"# ); - re.coefficients[round] = - Vector::inv_ntt_layer_3_step(re.coefficients[round], zeta(*zeta_i)); + Vector::inv_ntt_layer_3_step(&mut re.coefficients[round], zeta(*zeta_i)); hax_lib::fstar!( "reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))" + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ round ])))" ); hax_lib::fstar!( "assert (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))" + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ $round ])))" ); } } #[inline(always)] #[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 $zeta_r /\ + v $a < 16 /\ v $b < 16 /\ + (let vec_a = Seq.index $coefficients (v $a) in + let vec_b = Seq.index $coefficients (v $b) in (forall i. 
i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $b) i) - - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $a) i))) /\ + (v (Seq.index (i0._super_6081346371236564305.f_repr vec_b) i) - + v (Seq.index (i0._super_6081346371236564305.f_repr vec_a) i))) /\ (forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $a) i) + - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $b) i))) /\ - Spec.Utils.is_i16b_array 28296 (Libcrux_ml_kem.Vector.Traits.f_to_i16_array - (Libcrux_ml_kem.Vector.Traits.f_add $a $b))"#))] + (v (Seq.index (i0._super_6081346371236564305.f_repr vec_b) i) + + v (Seq.index (i0._super_6081346371236564305.f_repr vec_a) i))) /\ + Spec.Utils.is_i16b_array 28296 (i0._super_6081346371236564305.f_repr + (Libcrux_ml_kem.Vector.Traits.f_add vec_a vec_b)))"#))] pub(crate) fn inv_ntt_layer_int_vec_step_reduce( - mut a: Vector, - mut b: Vector, + coefficients: &mut [Vector; VECTORS_IN_RING_ELEMENT], + a: usize, + b: usize, + scratch: &mut PolynomialRingElement, zeta_r: i16, -) -> (Vector, Vector) { - let a_minus_b = Vector::sub(b, &a); - a = Vector::barrett_reduce(Vector::add(a, &b)); - b = Vector::montgomery_multiply_by_constant(a_minus_b, zeta_r); - (a, b) +) { + // XXX: The following copies should be explicit clones, since we + // would like to drop `Vector: Copy` in the future. Leaving as + // copies until a Eurydice issue is resolved. + scratch.coefficients[0] = coefficients[a]; //.clone(); + scratch.coefficients[1] = coefficients[b]; //.clone(); + + Vector::add(&mut coefficients[a], &scratch.coefficients[1]); + Vector::sub(&mut coefficients[b], &scratch.coefficients[0]); + Vector::barrett_reduce(&mut coefficients[a]); + montgomery_multiply_fe::(&mut coefficients[b], zeta_r); } #[inline(always)] 
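Review bot: The `//.clone();` tails on `scratch.coefficients[0] = coefficients[a];` and `scratch.coefficients[1] = coefficients[b];` are leftover commented-out code; the `XXX` comment above already explains why these are plain copies, so drop the tails. The order of the four calls is load-bearing — `Vector::add` and `Vector::sub` read the pre-update operands from `scratch`, so neither may be reordered with the assignments — and the contract does not require `a != b`; add `debug_assert_ne!(a, b);` and a comment such as `// scratch[0..2] snapshot the old a/b so add/sub see the original operands`. Whether `a == b` can occur depends on `invert_ntt_at_layer_4_plus`, whose offsets `a_offset + j` and `b_offset + j` with `b_offset = a_offset + step_vec` differ whenever `step_vec > 0`.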
@@ -195,24 +209,25 @@ pub(crate) fn invert_ntt_at_layer_4_plus( zeta_i: &mut usize, re: &mut PolynomialRingElement, layer: usize, + scratch: &mut PolynomialRingElement, ) { let step = 1 << layer; + let step_vec = step / FIELD_ELEMENTS_IN_VECTOR; for round in 0..(128 >> layer) { *zeta_i -= 1; - let offset = round * step * 2; - let offset_vec = offset / FIELD_ELEMENTS_IN_VECTOR; - let step_vec = step / FIELD_ELEMENTS_IN_VECTOR; + let a_offset = round * 2 * step_vec; + let b_offset = a_offset + step_vec; - for j in offset_vec..offset_vec + step_vec { - let (x, y) = inv_ntt_layer_int_vec_step_reduce( - re.coefficients[j], - re.coefficients[j + step_vec], + for j in 0..step_vec { + inv_ntt_layer_int_vec_step_reduce( + &mut re.coefficients, + a_offset + j, + b_offset + j, + scratch, zeta(*zeta_i), ); - re.coefficients[j] = x; - re.coefficients[j + step_vec] = y; } } } @@ -222,6 +237,7 @@ pub(crate) fn invert_ntt_at_layer_4_plus( #[hax_lib::requires(fstar!(r#"invert_ntt_re_range_1 $re"#))] pub(crate) fn invert_ntt_montgomery( re: &mut PolynomialRingElement, + scratch: &mut PolynomialRingElement, ) { // We only ever call this function after matrix/vector multiplication hax_debug_assert!(to_i16_array(re) @@ -233,10 +249,10 @@ pub(crate) fn invert_ntt_montgomery( invert_ntt_at_layer_1(&mut zeta_i, re); invert_ntt_at_layer_2(&mut zeta_i, re); invert_ntt_at_layer_3(&mut zeta_i, re); - invert_ntt_at_layer_4_plus(&mut zeta_i, re, 4); - invert_ntt_at_layer_4_plus(&mut zeta_i, re, 5); - invert_ntt_at_layer_4_plus(&mut zeta_i, re, 6); - invert_ntt_at_layer_4_plus(&mut zeta_i, re, 7); + invert_ntt_at_layer_4_plus(&mut zeta_i, re, 4, scratch); + invert_ntt_at_layer_4_plus(&mut zeta_i, re, 5, scratch); + invert_ntt_at_layer_4_plus(&mut zeta_i, re, 6, scratch); + invert_ntt_at_layer_4_plus(&mut zeta_i, re, 7, scratch); hax_debug_assert!( to_i16_array(re)[0].abs() < 128 * (K as i16) * FIELD_MODULUS 
@@ -248,5 +264,5 @@ pub(crate) fn invert_ntt_montgomery( .skip(2) .all(|(i, coefficient)| coefficient.abs() < (128 / (1 << i.ilog2())) * FIELD_MODULUS)); - re.poly_barrett_reduce() + re.poly_barrett_reduce(); } diff --git a/libcrux-ml-kem/src/lib.rs b/libcrux-ml-kem/src/lib.rs index 3c34e6624..1ecded521 100644 --- a/libcrux-ml-kem/src/lib.rs +++ b/libcrux-ml-kem/src/lib.rs @@ -1,8 +1,7 @@ //! # ML-KEM //! -//! This crate implements all three ML-KEM variants 512, 768, and 1024. It is -//! formally verified using [hax](https://cryspen.com/hax) and -//! [F*](https://fstar-lang.org). +//! This crate implements all three ML-KEM variants 512, 768, +//! and 1024. //! //! Functions in this crate use CPU feature detection to pick the most efficient version //! on each platform. To use a specific version with your own feature detection @@ -68,6 +67,8 @@ #![deny(unsafe_code)] #![warn(rust_2018_idioms, unused_lifetimes, unused_qualifications)] #![allow(clippy::needless_range_loop)] +// XXX: We make clones explicit, since we would like to drop `Vector: Copy` in the future. +#![allow(clippy::clone_on_copy)] #![warn(missing_docs)] // Enable doc cfg feature for doc builds. They use nightly. #![cfg_attr(doc_cfg, feature(doc_cfg))] @@ -178,6 +179,7 @@ cfg_kyber! { } } +#[cfg(not(hax))] macro_rules! impl_kem_trait { ($variant:ty, $pk:ty, $sk:ty, $ct:ty) => { impl 
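Review bot: The crate-level doc comment no longer says that the implementation is formally verified with hax and F*, while the source keeps its `hax_lib` contracts and this commit adds `#[cfg(not(hax))]` gates; if verification still covers the default build, downstream users of a KEM crate benefit from a qualified sentence saying which parts are covered, and if it no longer does, that change deserves a line in the changelog. This is a documentation-only point; the `#![allow(clippy::clone_on_copy)]` and `#[cfg(not(hax))]` additions are fine as written.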
@@ -192,42 +194,50 @@ macro_rules! impl_kem_trait { { fn keygen( ek: &mut [u8; CPA_PKE_PUBLIC_KEY_SIZE], - dk: &mut [u8; SECRET_KEY_SIZE], - rand: &[u8; KEY_GENERATION_SEED_SIZE], + dk: &mut [libcrux_secrets::U8; SECRET_KEY_SIZE], + rand: &[libcrux_secrets::U8; KEY_GENERATION_SEED_SIZE], ) -> Result<(), libcrux_traits::kem::owned::KeyGenError> { - let key_pair = generate_key_pair(*rand); + use libcrux_secrets::{ClassifyRef, Declassify}; + + // Declassification: ML-KEM public API does not support secret types, yet. + let key_pair = generate_key_pair((*rand).declassify()); ek.copy_from_slice(key_pair.pk()); - dk.copy_from_slice(key_pair.sk()); + dk.copy_from_slice(key_pair.sk().classify_ref()); Ok(()) } fn encaps( ct: &mut [u8; CPA_PKE_CIPHERTEXT_SIZE], - ss: &mut [u8; SHARED_SECRET_SIZE], + ss: &mut [libcrux_secrets::U8; SHARED_SECRET_SIZE], ek: &[u8; CPA_PKE_PUBLIC_KEY_SIZE], - rand: &[u8; SHARED_SECRET_SIZE], + rand: &[libcrux_secrets::U8; SHARED_SECRET_SIZE], ) -> Result<(), libcrux_traits::kem::owned::EncapsError> { + use libcrux_secrets::{ClassifyRef, Declassify}; let public_key: $pk = ek.into(); - let (ct_, ss_) = encapsulate(&public_key, *rand); + // Declassification: ML-KEM public API does not support secret types, yet. + let (ct_, ss_) = encapsulate(&public_key, (*rand).declassify()); ct.copy_from_slice(ct_.as_slice()); - ss.copy_from_slice(ss_.as_slice()); + ss.copy_from_slice(ss_.as_slice().classify_ref()); Ok(()) } fn decaps( - ss: &mut [u8; SHARED_SECRET_SIZE], + ss: &mut [libcrux_secrets::U8; SHARED_SECRET_SIZE], ct: &[u8; CPA_PKE_CIPHERTEXT_SIZE], - dk: &[u8; SECRET_KEY_SIZE], + dk: &[libcrux_secrets::U8; SECRET_KEY_SIZE], ) -> Result<(), libcrux_traits::kem::owned::DecapsError> { - let secret_key: $sk = dk.into(); + use libcrux_secrets::{ClassifyRef, Declassify}; + + // Declassification: ML-KEM public API does not support secret types, yet. 
+ let secret_key: $sk = dk.declassify().into(); let ciphertext: $ct = ct.into(); let ss_ = decapsulate(&secret_key, &ciphertext); - ss.copy_from_slice(ss_.as_slice()); + ss.copy_from_slice(ss_.as_slice().classify_ref()); Ok(()) } @@ -240,4 +250,5 @@ macro_rules! impl_kem_trait { }; } +#[cfg(not(hax))] use impl_kem_trait; diff --git a/libcrux-ml-kem/src/matrix.rs b/libcrux-ml-kem/src/matrix.rs index 3cbe92679..4bbb42dd8 100644 --- a/libcrux-ml-kem/src/matrix.rs +++ b/libcrux-ml-kem/src/matrix.rs 
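Review bot: `use libcrux_secrets::{ClassifyRef, Declassify};` is repeated inside `keygen`, `encaps` and `decaps`; a single `use` at the top of the generated `impl` block is easier to audit for where declassification happens. Each `.declassify()` (`(*rand).declassify()`, `dk.declassify()`) yields a plain copy of the seed or decapsulation key that is handed to `generate_key_pair`/`encapsulate`/`decapsulate`; whether that copy is cleared afterwards depends on those callees, which are not visible here, so the `// Declassification:` comments would be more useful if they also said the copy's lifetime is bounded by the call. The macro body continues past this hunk.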
@@ -3,108 +3,139 @@ use crate::{ polynomial::PolynomialRingElement, sampling::sample_from_xof, vector::Operations, }; +#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + v i < v $K /\ v j < v $K /\ + Seq.length $matrix == v $K * v $K"#))] +#[hax_lib::ensures(|result| fstar!(r#"result == Seq.index matrix (v $i * v $K + v $j)"#))] +pub(crate) fn entry( + matrix: &[PolynomialRingElement], + i: usize, + j: usize, +) -> &PolynomialRingElement { + debug_assert!(matrix.len() == K * K); + debug_assert!(i < K); + debug_assert!(j < K); + &matrix[i * K + j] +} + +//XXX: This would be nice to have, but hax can't handle it (2025-08-07). +// pub(crate) fn entry_mut( +// matrix: &mut [PolynomialRingElement], +// i: usize, +// j: usize, +// ) -> &mut PolynomialRingElement { +// debug_assert!(matrix.len() == K * K); +// debug_assert!(i < K); +// debug_assert!(j < K); +// &mut matrix[i * K + j] +// } + #[inline(always)] #[allow(non_snake_case)] #[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K"#))] +#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + Seq.length ${A_transpose} == v $K * v $K"#))] #[hax_lib::ensures(|res| - fstar!(r#"let (matrix_A, valid) = Spec.MLKEM.sample_matrix_A_ntt (Seq.slice $seed 0 32) in + fstar!(r#" + Seq.length ${A_transpose}_future == v $K * v $K /\ + (let (matrix_A, valid) = Spec.MLKEM.sample_matrix_A_ntt (Seq.slice $seed 0 32) in valid ==> ( if $transpose then Libcrux_ml_kem.Polynomial.to_spec_matrix_t ${A_transpose}_future == matrix_A - else Libcrux_ml_kem.Polynomial.to_spec_matrix_t ${A_transpose}_future == Spec.MLKEM.matrix_transpose matrix_A)"#) + else Libcrux_ml_kem.Polynomial.to_spec_matrix_t (${A_transpose}_future <: t_Array _ ($K *! 
$K)) == Spec.MLKEM.matrix_transpose matrix_A))"#) )] -pub(crate) fn sample_matrix_A>( - A_transpose: &mut [[PolynomialRingElement; K]; K], +pub(crate) fn sample_matrix_A( + A_transpose: &mut [PolynomialRingElement], seed: &[u8; 34], transpose: bool, ) { + debug_assert!(A_transpose.len() == K * K); + for i in 0..K { - let mut seeds = [seed.clone(); K]; + let mut seeds = [*seed; K]; for j in 0..K { seeds[j][32] = i as u8; seeds[j][33] = j as u8; } - let sampled = sample_from_xof::(&seeds); + let mut sampled_coefficients = [0usize; K]; + let mut out = [[0i16; 272]; K]; + sample_from_xof::(&seeds, &mut sampled_coefficients, &mut out); cloop! { - for (j, sample) in sampled.into_iter().enumerate() { + for (j, sample) in out.into_iter().enumerate() { // A[i][j] = A_transpose[j][i] if transpose { - A_transpose[j][i] = sample; + PolynomialRingElement::from_i16_array(&sample[..256], &mut A_transpose[j * K + i]); } else { - A_transpose[i][j] = sample; + PolynomialRingElement::from_i16_array(&sample[..256], &mut A_transpose[i * K + j]); // XXX: in this case we might want to copy all of sample at once } } } } - () } -/// The following functions compute various expressions involving -/// vectors and matrices. The computation of these expressions has been -/// abstracted away into these functions in order to save on loop iterations. +// The following functions compute various expressions involving +// vectors and matrices. The computation of these expressions has been +// abstracted away into these functions in order to save on loop iterations. 
/// Compute v − InverseNTT(sᵀ ◦ NTT(u)) #[inline(always)] #[hax_lib::fstar::verification_status(lax)] #[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K"#))] -#[hax_lib::ensures(|res| +#[hax_lib::ensures(|_| fstar!(r#"let open Libcrux_ml_kem.Polynomial in let secret_spec = to_spec_vector_t $secret_as_ntt in let u_spec = to_spec_vector_t $u_as_ntt in let v_spec = to_spec_poly_t $v in - to_spec_poly_t $res == + to_spec_poly_t ${result}_future == Spec.MLKEM.(poly_sub v_spec (poly_inv_ntt (vector_dot_product_ntt #$K secret_spec u_spec))) /\ - Libcrux_ml_kem.Polynomial.is_bounded_poly 3328 $res"#) + Libcrux_ml_kem.Polynomial.is_bounded_poly 3328 ${result}_future"#) )] pub(crate) fn compute_message( v: &PolynomialRingElement, secret_as_ntt: &[PolynomialRingElement; K], u_as_ntt: &[PolynomialRingElement; K], -) -> PolynomialRingElement { - let mut result = PolynomialRingElement::::ZERO(); - + result: &mut PolynomialRingElement, + scratch: &mut PolynomialRingElement, +) { for i in 0..K { - let product = secret_as_ntt[i].ntt_multiply(&u_as_ntt[i]); - result.add_to_ring_element::(&product); + secret_as_ntt[i].ntt_multiply(&u_as_ntt[i], scratch); + result.add_to_ring_element::(scratch); } - invert_ntt_montgomery::(&mut result); - result = v.subtract_reduce(result); - - result + invert_ntt_montgomery::(result, scratch); + v.subtract_reduce(result); } /// Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message #[inline(always)] #[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K"#))] -#[hax_lib::ensures(|res| +#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + Seq.length $r_as_ntt == v $K +"#))] +#[hax_lib::ensures(|_| fstar!(r#"let open Libcrux_ml_kem.Polynomial in let tt_spec = to_spec_vector_t $t_as_ntt in let r_spec = to_spec_vector_t $r_as_ntt in let e2_spec = to_spec_poly_t $error_2 in let m_spec = to_spec_poly_t $message in - let res_spec = to_spec_poly_t $res in + let res_spec = to_spec_poly_t ${result}_future in res_spec == 
Spec.MLKEM.(poly_add (poly_add (vector_dot_product_ntt #$K tt_spec r_spec) e2_spec) m_spec) /\ - Libcrux_ml_kem.Polynomial.is_bounded_poly 3328 $res"#) + Libcrux_ml_kem.Polynomial.is_bounded_poly 3328 ${result}_future"#) )] pub(crate) fn compute_ring_element_v( t_as_ntt: &[PolynomialRingElement; K], - r_as_ntt: &[PolynomialRingElement; K], + r_as_ntt: &[PolynomialRingElement], error_2: &PolynomialRingElement, message: &PolynomialRingElement, -) -> PolynomialRingElement { - let mut result = PolynomialRingElement::::ZERO(); - + result: &mut PolynomialRingElement, + scratch: &mut PolynomialRingElement, +) { for i in 0..K { - let product = t_as_ntt[i].ntt_multiply(&r_as_ntt[i]); - result.add_to_ring_element::(&product); + t_as_ntt[i].ntt_multiply(&r_as_ntt[i], scratch); + result.add_to_ring_element::(scratch); } - invert_ntt_montgomery::(&mut result); - result = error_2.add_message_error_reduce(message, result); - - result + invert_ntt_montgomery::(result, scratch); + error_2.add_message_error_reduce(message, result, &mut scratch.coefficients[0]); } /// Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁ 
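Review bot: `compute_message` and `compute_ring_element_v` now accumulate into a caller-supplied `result` (the `add_to_ring_element` calls inside `for i in 0..K`) without zeroing it first, whereas the removed code started from a fresh `ZERO()` and `compute_As_plus_e` in this same file explicitly resets `t_as_ntt[i]` because the memory "may be externally provided". Unless every caller guarantees a zeroed `result` (the callers are outside this hunk), a reused buffer silently yields a wrong message or wrong `v`, and the new `ensures` clauses appear to hold only for a zero-initialised `result`; either make `*result = PolynomialRingElement::ZERO();` (with the same type argument `compute_As_plus_e` spells) the first statement of both functions, or state the zero precondition in a `hax_lib::requires` plus a `debug_assert!`. Separately, `sample_matrix_A` fills `sampled_coefficients` but then copies `&sample[..256]` unconditionally; if `sample_from_xof` can ever return with fewer than 256 accepted coefficients for some index, a `debug_assert!(sampled_coefficients[j] >= 256);` before the copy would catch it rather than loading zero-filled padding into the matrix.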
@@ -112,48 +143,56 @@ pub(crate) fn compute_ring_element_v( #[hax_lib::fstar::verification_status(lax)] #[hax_lib::requires(fstar!(r#" Spec.MLKEM.is_rank $K /\ + Seq.length $a_as_ntt == v $K /\ + Seq.length $r_as_ntt == v $K /\ + Seq.length $error_1 == v $K /\ + Seq.length $result == v $K /\ (forall (i:nat). i < v $K ==> Libcrux_ml_kem.Polynomial.is_bounded_poly 7 (Seq.index ${error_1} i))"#))] -#[hax_lib::ensures(|res| +#[hax_lib::ensures(|_| fstar!(r#"let open Libcrux_ml_kem.Polynomial in - let a_spec = to_spec_matrix_t $a_as_ntt in - let r_spec = to_spec_vector_t $r_as_ntt in - let e_spec = to_spec_vector_t $error_1 in - let res_spec = to_spec_vector_t $res in + Seq.length $a_as_ntt == v $K * v $K /\ + Seq.length $r_as_ntt == v $K /\ + Seq.length $error_1 == v $K /\ + Seq.length $result == v $K /\ + (let a_spec = to_spec_matrix_t ($a_as_ntt <: t_Array _ ($K *! $K)) in + let r_spec = to_spec_vector_t ($r_as_ntt <: t_Array _ $K) in + let e_spec = to_spec_vector_t ($error_1 <: t_Array _ $K) in + let res_spec = to_spec_vector_t (${result}_future <: t_Array _ $K) in + Seq.length ${result}_future == v $K /\ res_spec == Spec.MLKEM.(vector_add (vector_inv_ntt (matrix_vector_mul_ntt a_spec r_spec)) e_spec) /\ (forall (i:nat). i < v $K ==> - Libcrux_ml_kem.Polynomial.is_bounded_poly 3328 (Seq.index $res i))"#) + Libcrux_ml_kem.Polynomial.is_bounded_poly 3328 (Seq.index ${result}_future i)))"#) )] pub(crate) fn compute_vector_u( - a_as_ntt: &[[PolynomialRingElement; K]; K], - r_as_ntt: &[PolynomialRingElement; K], - error_1: &[PolynomialRingElement; K], -) -> [PolynomialRingElement; K] { - let mut result = core::array::from_fn(|_i| PolynomialRingElement::::ZERO()); - - cloop! { - for (i, row) in a_as_ntt.iter().enumerate() { - cloop! 
{ - for (j, a_element) in row.iter().enumerate() { - let product = a_element.ntt_multiply(&r_as_ntt[j]); - result[i].add_to_ring_element::(&product); - } - } + a_as_ntt: &[PolynomialRingElement], + r_as_ntt: &[PolynomialRingElement], + error_1: &[PolynomialRingElement], + result: &mut [PolynomialRingElement], + scratch: &mut PolynomialRingElement, +) { + debug_assert!(a_as_ntt.len() == K * K); + debug_assert!(r_as_ntt.len() == K); + debug_assert!(error_1.len() == K); - invert_ntt_montgomery::(&mut result[i]); - result[i].add_error_reduce(&error_1[i]); + for i in 0..K { + for j in 0..K { + entry::(a_as_ntt, i, j).ntt_multiply(&r_as_ntt[j], scratch); + result[i].add_to_ring_element::(scratch); } - } - result + invert_ntt_montgomery::(&mut result[i], scratch); + result[i].add_error_reduce(&error_1[i]); + } } /// Compute  ◦ ŝ + ê #[inline(always)] #[allow(non_snake_case)] #[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K"#))] -#[hax_lib::ensures(|res| +#[hax_lib::requires(fstar!(r#"Spec.MLKEM.is_rank $K /\ + Seq.length $matrix_A == v $K * v $K"#))] +#[hax_lib::ensures(|_| fstar!(r#"let open Libcrux_ml_kem.Polynomial in to_spec_vector_t ${t_as_ntt}_future = Spec.MLKEM.compute_As_plus_e_ntt 
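Review bot: `compute_vector_u` guards `a_as_ntt`, `r_as_ntt` and `error_1` with `debug_assert!` but not `result`, even though the new `requires` clause lists `Seq.length $result == v $K`; add `debug_assert!(result.len() == K);` alongside the other three so the runtime checks match the stated precondition. The loop also accumulates into `result[i]` via `add_to_ring_element` without resetting it, where the removed code started from `core::array::from_fn(|_i| PolynomialRingElement::ZERO())`; unless every caller passes a zeroed slice, a reused buffer produces a wrong `u`, so consider zeroing `result[i]` at the top of the outer loop the way `compute_As_plus_e` does for `t_as_ntt[i]`. The `compute_As_plus_e` attribute block that begins at the end of this hunk continues outside it.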
@@ -165,23 +204,20 @@ pub(crate) fn compute_vector_u( )] pub(crate) fn compute_As_plus_e( t_as_ntt: &mut [PolynomialRingElement; K], - matrix_A: &[[PolynomialRingElement; K]; K], + matrix_A: &[PolynomialRingElement], s_as_ntt: &[PolynomialRingElement; K], error_as_ntt: &[PolynomialRingElement; K], + scratch: &mut PolynomialRingElement, ) { - cloop! { - for (i, row) in matrix_A.iter().enumerate() { - // This may be externally provided memory. Ensure that `t_as_ntt` - // is all 0. - t_as_ntt[i] = PolynomialRingElement::::ZERO(); - cloop! { - for (j, matrix_element) in row.iter().enumerate() { - let product = matrix_element.ntt_multiply(&s_as_ntt[j]); - t_as_ntt[i].add_to_ring_element::(&product); - } - } - t_as_ntt[i].add_standard_error_reduce(&error_as_ntt[i]); + for i in 0..K { + // This may be externally provided memory. Ensure that `t_as_ntt` + // is all 0. + t_as_ntt[i] = PolynomialRingElement::::ZERO(); + + for j in 0..K { + entry::(matrix_A, i, j).ntt_multiply(&s_as_ntt[j], scratch); + t_as_ntt[i].add_to_ring_element::(scratch); } - }; - () + t_as_ntt[i].add_standard_error_reduce(&error_as_ntt[i]); + } } diff --git a/libcrux-ml-kem/src/mlkem.rs b/libcrux-ml-kem/src/mlkem.rs index c3aca77eb..f28e9fe0e 100644 --- a/libcrux-ml-kem/src/mlkem.rs +++ b/libcrux-ml-kem/src/mlkem.rs @@ -86,12 +86,14 @@ macro_rules! impl_incr_key_size { pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> Box { multiplexing::alloc::generate_keypair::< RANK, + RANK_SQUARED, CPA_PKE_SECRET_KEY_SIZE, SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, RANKED_BYTES_PER_RING_ELEMENT, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1 >(randomness) } @@ -102,6 +104,7 @@ macro_rules! impl_incr_key_size { ) -> (Ciphertext1, Box, [u8; SHARED_SECRET_SIZE]) { multiplexing::alloc::encapsulate1::< RANK, + RANK_SQUARED, CPA_PKE_CIPHERTEXT_SIZE, C1_SIZE, VECTOR_U_COMPRESSION_FACTOR, 
@@ -110,6 +113,8 @@ macro_rules! impl_incr_key_size { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, >(public_key_part, randomness) } @@ -133,6 +138,7 @@ macro_rules! impl_incr_key_size { ) -> MlKemSharedSecret { multiplexing::alloc::decapsulate::< RANK, + RANK_SQUARED, SECRET_KEY_SIZE, CPA_PKE_SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, @@ -147,6 +153,8 @@ macro_rules! impl_incr_key_size { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext1, ciphertext2) } @@ -218,6 +226,7 @@ macro_rules! impl_incr_key_size { pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE], key_pair: &mut [u8]) -> Result<(), Error> { multiplexing::generate_keypair::< RANK, + RANK_SQUARED, RANKED_BYTES_PER_RING_ELEMENT, CPA_PKE_SECRET_KEY_SIZE, SECRET_KEY_SIZE, @@ -225,6 +234,7 @@ macro_rules! impl_incr_key_size { RANKED_BYTES_PER_RING_ELEMENT, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1 >(randomness, key_pair) } /// An encoded, compressed, incremental key pair. @@ -296,6 +306,7 @@ macro_rules! impl_incr_key_size { pub fn generate_key_pair_compressed(randomness: [u8; KEY_GENERATION_SEED_SIZE], key_pair: &mut [u8; COMPRESSED_KEYPAIR_LEN]) { multiplexing::generate_keypair_compressed::< RANK, + RANK_SQUARED, RANKED_BYTES_PER_RING_ELEMENT, CPA_PKE_SECRET_KEY_SIZE, SECRET_KEY_SIZE, @@ -303,6 +314,7 @@ macro_rules! impl_incr_key_size { RANKED_BYTES_PER_RING_ELEMENT, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, COMPRESSED_KEYPAIR_LEN, >(randomness, key_pair) } @@ -351,6 +363,7 @@ macro_rules! impl_incr_key_size { multiplexing::encapsulate1::< RANK, + RANK_SQUARED, CPA_PKE_CIPHERTEXT_SIZE, C1_SIZE, VECTOR_U_COMPRESSION_FACTOR, @@ -359,6 +372,8 @@ macro_rules! impl_incr_key_size { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, >(&public_key_part, randomness, state, shared_secret) } 
@@ -387,6 +402,7 @@ macro_rules! impl_incr_key_size { multiplexing::encapsulate1::< RANK, + RANK_SQUARED, CPA_PKE_CIPHERTEXT_SIZE, C1_SIZE, VECTOR_U_COMPRESSION_FACTOR, @@ -395,6 +411,8 @@ macro_rules! impl_incr_key_size { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, >(&public_key_part, randomness, state, shared_secret) } } @@ -416,6 +434,7 @@ macro_rules! impl_incr_key_size { ) -> Result { multiplexing::decapsulate::< RANK, + RANK_SQUARED, RANKED_BYTES_PER_RING_ELEMENT, SECRET_KEY_SIZE, CPA_PKE_SECRET_KEY_SIZE, @@ -431,6 +450,8 @@ macro_rules! impl_incr_key_size { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext1, ciphertext2) } @@ -443,6 +464,7 @@ macro_rules! impl_incr_key_size { ) -> MlKemSharedSecret { multiplexing::decapsulate_compressed::< RANK, + RANK_SQUARED, RANKED_BYTES_PER_RING_ELEMENT, SECRET_KEY_SIZE, CPA_PKE_SECRET_KEY_SIZE, @@ -458,6 +480,8 @@ macro_rules! impl_incr_key_size { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext1, ciphertext2) } @@ -471,9 +495,9 @@ macro_rules! impl_incr_platform { /// /// **PANICS** is the cast fails #[cfg(feature = "alloc")] - pub(super) fn as_keypair( + pub(super) fn as_keypair( k: &dyn core::any::Any, - ) -> &MlKemKeyPairUnpacked { + ) -> &MlKemKeyPairUnpacked { k.downcast_ref().unwrap() } 
@@ -488,22 +512,26 @@ macro_rules! impl_incr_platform { $(#[$meta])* pub(crate) $($unsafe)? fn generate_keypair< const K: usize, + const K_SQUARED: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, const BYTES_PER_RING_ELEMENT: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, >( randomness: [u8; KEY_GENERATION_SEED_SIZE], - ) -> MlKemKeyPairUnpacked { + ) -> MlKemKeyPairUnpacked { super::generate_keypair::< K, + K_SQUARED, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, $vector, $hash, >(randomness) @@ -512,6 +540,7 @@ macro_rules! impl_incr_platform { $(#[$meta])* pub(crate) $($unsafe)? fn generate_keypair_serialized< const K: usize, + const K_SQUARED: usize, const PK2_LEN: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, @@ -519,22 +548,25 @@ macro_rules! impl_incr_platform { const BYTES_PER_RING_ELEMENT: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, >( randomness: [u8; KEY_GENERATION_SEED_SIZE], key_pair: &mut [u8], ) -> Result<(), Error> { - if key_pair.len() < KeyPair::::num_bytes() { + if key_pair.len() < KeyPair::::num_bytes() { return Err(Error::InvalidOutputLength); } super::generate_keypair_serialized::< K, + K_SQUARED, PK2_LEN, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, $vector, $hash, >(randomness, key_pair) @@ -543,6 +575,7 @@ macro_rules! impl_incr_platform { $(#[$meta])* pub(crate) $($unsafe)? fn generate_keypair_compressed< const K: usize, + const K_SQUARED: usize, const PK2_LEN: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, 
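Review bot: `K_SQUARED` is introduced as an independent const generic on `generate_keypair` and `generate_keypair_serialized`, so nothing at the type level ties it to `K * K`; a mismatched instantiation compiles and would hand the callee a matrix slice whose length disagrees with the `i * K + j` indexing that `entry` uses in matrix.rs. Because `K * K` cannot appear in a const generic argument on stable Rust, a cheap guard at these entry points is `debug_assert!(K_SQUARED == K * K);` (or an equivalent `hax_lib::requires`), which documents the invariant and is compiled out in release. The bodies of `super::generate_keypair` and `super::generate_keypair_serialized` are outside this hunk, so whether they already check this is not visible here.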
@@ -550,6 +583,7 @@ macro_rules! impl_incr_platform { const BYTES_PER_RING_ELEMENT: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, const COMPRESSED_KEYPAIR_LEN: usize, >( randomness: [u8; KEY_GENERATION_SEED_SIZE], @@ -557,12 +591,14 @@ macro_rules! impl_incr_platform { ) { super::generate_keypair_compressed::< K, + K_SQUARED, PK2_LEN, CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, COMPRESSED_KEYPAIR_LEN, $vector, $hash, @@ -588,6 +624,7 @@ macro_rules! impl_incr_platform { $(#[$meta])* pub(crate) $($unsafe)? fn encapsulate1< const K: usize, + const K_SQUARED: usize, const CIPHERTEXT_SIZE: usize, const C1_SIZE: usize, const VECTOR_U_COMPRESSION_FACTOR: usize, @@ -596,6 +633,8 @@ macro_rules! impl_incr_platform { const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, >( public_key_part: &PublicKey1, randomness: [u8; SHARED_SECRET_SIZE], @@ -606,6 +645,7 @@ macro_rules! impl_incr_platform { ) { super::encapsulate1::< K, + K_SQUARED, CIPHERTEXT_SIZE, C1_SIZE, VECTOR_U_COMPRESSION_FACTOR, @@ -614,6 +654,8 @@ macro_rules! impl_incr_platform { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, $vector, $hash, >(public_key_part, randomness) @@ -622,6 +664,7 @@ macro_rules! impl_incr_platform { $(#[$meta])* pub(crate) $($unsafe)? fn encapsulate1_serialized< const K: usize, + const K_SQUARED: usize, const CIPHERTEXT_SIZE: usize, const C1_SIZE: usize, const VECTOR_U_COMPRESSION_FACTOR: usize, @@ -630,6 +673,8 @@ macro_rules! impl_incr_platform { const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, >( public_key_part: &PublicKey1, randomness: [u8; SHARED_SECRET_SIZE], 
@@ -638,6 +683,7 @@ macro_rules! impl_incr_platform { ) -> Result, Error> { super::encapsulate1_serialized::< K, + K_SQUARED, CIPHERTEXT_SIZE, C1_SIZE, VECTOR_U_COMPRESSION_FACTOR, @@ -646,6 +692,8 @@ macro_rules! impl_incr_platform { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, $vector, $hash, >(public_key_part, randomness, state, shared_secret) @@ -691,6 +739,7 @@ macro_rules! impl_incr_platform { $(#[$meta])* pub(crate) $($unsafe)? fn decapsulate< const K: usize, + const K_SQUARED: usize, const SECRET_KEY_SIZE: usize, const CPA_SECRET_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, @@ -705,14 +754,17 @@ macro_rules! impl_incr_platform { const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize, >( - private_key: &MlKemKeyPairUnpacked, + private_key: &MlKemKeyPairUnpacked, ciphertext1: &Ciphertext1, ciphertext2: &Ciphertext2, ) -> MlKemSharedSecret { super::decapsulate::< K, + K_SQUARED, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, PUBLIC_KEY_SIZE, @@ -727,6 +779,8 @@ macro_rules! impl_incr_platform { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, $vector, $hash, @@ -736,6 +790,7 @@ macro_rules! impl_incr_platform { $(#[$meta])* pub(crate) $($unsafe)? fn decapsulate_incremental_key< const K: usize, + const K_SQUARED: usize, const PK2_LEN: usize, const SECRET_KEY_SIZE: usize, const CPA_SECRET_KEY_SIZE: usize, @@ -751,6 +806,8 @@ macro_rules! impl_incr_platform { const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize, >( private_key: &[u8], 
@@ -759,6 +816,7 @@ macro_rules! impl_incr_platform { ) -> Result { super::decapsulate_incremental_key::< K, + K_SQUARED, PK2_LEN, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, @@ -774,6 +832,8 @@ macro_rules! impl_incr_platform { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, $vector, $hash, @@ -783,6 +843,7 @@ macro_rules! impl_incr_platform { $(#[$meta])* pub(crate) $($unsafe)? fn decapsulate_compressed_key< const K: usize, + const K_SQUARED: usize, const PK2_LEN: usize, const SECRET_KEY_SIZE: usize, const CPA_SECRET_KEY_SIZE: usize, @@ -798,6 +859,8 @@ macro_rules! impl_incr_platform { const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, const ETA2_RANDOMNESS_SIZE: usize, + const PRF_OUTPUT_SIZE1: usize, + const PRF_OUTPUT_SIZE2: usize, const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize, >( private_key: &[u8; SECRET_KEY_SIZE], @@ -806,6 +869,7 @@ macro_rules! impl_incr_platform { ) -> MlKemSharedSecret { super::decapsulate_compressed_key::< K, + K_SQUARED, PK2_LEN, SECRET_KEY_SIZE, CPA_SECRET_KEY_SIZE, @@ -821,6 +885,8 @@ macro_rules! impl_incr_platform { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, $vector, $hash, diff --git a/libcrux-ml-kem/src/mlkem1024.rs b/libcrux-ml-kem/src/mlkem1024.rs index b7fbb2b95..b8d0dce22 100644 --- a/libcrux-ml-kem/src/mlkem1024.rs +++ b/libcrux-ml-kem/src/mlkem1024.rs @@ -2,6 +2,7 @@ use super::{constants::*, ind_cca::*, types::*, *}; const RANK: usize = 4; +const RANK_SQUARED: usize = RANK * RANK; #[cfg(any(feature = "incremental", eurydice))] const RANKED_BYTES_PER_RING_ELEMENT: usize = RANK * BITS_PER_RING_ELEMENT / 8; const T_AS_NTT_ENCODED_SIZE: usize = 
@@ -23,6 +24,9 @@ const ETA1_RANDOMNESS_SIZE: usize = ETA1 * 64; const ETA2: usize = 2; const ETA2_RANDOMNESS_SIZE: usize = ETA2 * 64; +const PRF_OUTPUT_SIZE1: usize = ETA1_RANDOMNESS_SIZE * RANK; +const PRF_OUTPUT_SIZE2: usize = ETA2_RANDOMNESS_SIZE * RANK; + const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = SHARED_SECRET_SIZE + CPA_PKE_CIPHERTEXT_SIZE; /// The ML-KEM 1024 algorithms @@ -107,11 +111,13 @@ macro_rules! instantiate { ) -> MlKem1024KeyPair { p::kyber_generate_keypair::< RANK, + RANK_SQUARED, CPA_PKE_SECRET_KEY_SIZE, SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, >(&randomness) } @@ -122,11 +128,13 @@ macro_rules! instantiate { ) -> MlKem1024KeyPair { p::generate_keypair::< RANK, + RANK_SQUARED, CPA_PKE_SECRET_KEY_SIZE, SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, >(&randomness) } @@ -141,7 +149,8 @@ macro_rules! instantiate { randomness: [u8; SHARED_SECRET_SIZE], ) -> (MlKem1024Ciphertext, MlKemSharedSecret) { p::encapsulate::< - RANK, + RANK, + RANK_SQUARED, CPA_PKE_CIPHERTEXT_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, @@ -154,6 +163,8 @@ macro_rules! instantiate { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, >(public_key, &randomness) } @@ -170,7 +181,8 @@ macro_rules! instantiate { randomness: [u8; SHARED_SECRET_SIZE], ) -> (MlKem1024Ciphertext, MlKemSharedSecret) { p::kyber_encapsulate::< - RANK, + RANK, + RANK_SQUARED, CPA_PKE_CIPHERTEXT_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, @@ -183,6 +195,8 @@ macro_rules! instantiate { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, >(public_key, &randomness) } @@ -196,7 +210,8 @@ macro_rules! instantiate { ciphertext: &MlKem1024Ciphertext, ) -> MlKemSharedSecret { p::decapsulate::< - RANK, + RANK, + RANK_SQUARED, SECRET_KEY_SIZE, CPA_PKE_SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, 
@@ -211,6 +226,8 @@ macro_rules! instantiate { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext) @@ -228,6 +245,7 @@ macro_rules! instantiate { ) -> MlKemSharedSecret { p::kyber_decapsulate::< RANK, + RANK_SQUARED, SECRET_KEY_SIZE, CPA_PKE_SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, @@ -242,6 +260,8 @@ macro_rules! instantiate { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext) @@ -253,10 +273,10 @@ macro_rules! instantiate { /// An Unpacked ML-KEM 1024 Public key pub type MlKem1024PublicKeyUnpacked = - p::unpacked::MlKemPublicKeyUnpacked; + p::unpacked::MlKemPublicKeyUnpacked; /// Am Unpacked ML-KEM 1024 Key pair - pub type MlKem1024KeyPairUnpacked = p::unpacked::MlKemKeyPairUnpacked; + pub type MlKem1024KeyPairUnpacked = p::unpacked::MlKemKeyPairUnpacked; #[cfg(feature = "pqcp")] crate::pqcp::pqcp_unpacked_api!( @@ -319,7 +339,7 @@ macro_rules! instantiate { /// Get an unpacked key from a private key. pub fn key_pair_from_private_mut(private_key: &MlKem1024PrivateKey, key_pair: &mut MlKem1024KeyPairUnpacked) { - p::unpacked::keypair_from_private_key::(private_key, key_pair); + p::unpacked::keypair_from_private_key::(private_key, key_pair); } /// Get the unpacked public key. @@ -328,7 +348,8 @@ macro_rules! instantiate { unpacked_public_key: &mut MlKem1024PublicKeyUnpacked, ) { p::unpacked::unpack_public_key::< - RANK, + RANK, + RANK_SQUARED, T_AS_NTT_ENCODED_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, >(public_key, unpacked_public_key) @@ -350,12 +371,14 @@ macro_rules! instantiate { key_pair: &mut MlKem1024KeyPairUnpacked, ) { p::unpacked::generate_keypair::< - RANK, + RANK, + RANK_SQUARED, CPA_PKE_SECRET_KEY_SIZE, SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, >(randomness, key_pair) } 
@@ -385,7 +408,8 @@ macro_rules! instantiate { randomness: [u8; SHARED_SECRET_SIZE], ) -> (MlKem1024Ciphertext, MlKemSharedSecret) { p::unpacked::encapsulate::< - RANK, + RANK, + RANK_SQUARED, CPA_PKE_CIPHERTEXT_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, @@ -398,6 +422,8 @@ macro_rules! instantiate { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, >(public_key, &randomness) } @@ -412,7 +438,8 @@ macro_rules! instantiate { ciphertext: &MlKem1024Ciphertext, ) -> MlKemSharedSecret { p::unpacked::decapsulate::< - RANK, + RANK, + RANK_SQUARED, SECRET_KEY_SIZE, CPA_PKE_SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, @@ -427,6 +454,8 @@ macro_rules! instantiate { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext) @@ -483,11 +512,13 @@ pub fn generate_key_pair( ) -> MlKemKeyPair { multiplexing::generate_keypair::< RANK, + RANK_SQUARED, CPA_PKE_SECRET_KEY_SIZE, SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, >(&randomness) } @@ -509,6 +540,7 @@ pub fn encapsulate( ) -> (MlKem1024Ciphertext, MlKemSharedSecret) { multiplexing::encapsulate::< RANK, + RANK_SQUARED, CPA_PKE_CIPHERTEXT_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, @@ -521,6 +553,8 @@ pub fn encapsulate( ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, >(public_key, &randomness) } @@ -540,6 +574,7 @@ pub fn decapsulate( ) -> MlKemSharedSecret { multiplexing::decapsulate::< RANK, + RANK_SQUARED, SECRET_KEY_SIZE, CPA_PKE_SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, @@ -554,6 +589,8 @@ pub fn decapsulate( ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext) } 
@@ -628,12 +665,14 @@ pub(crate) mod kyber { ) -> MlKemKeyPair { multiplexing::kyber_generate_keypair::< RANK, + RANK_SQUARED, CPA_PKE_SECRET_KEY_SIZE, SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, - >(randomness) + PRF_OUTPUT_SIZE1, + >(&randomness) } /// Encapsulate Kyber 1024 @@ -647,6 +686,7 @@ pub(crate) mod kyber { ) -> (MlKem1024Ciphertext, MlKemSharedSecret) { multiplexing::kyber_encapsulate::< RANK, + RANK_SQUARED, CPA_PKE_CIPHERTEXT_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, @@ -659,7 +699,9 @@ pub(crate) mod kyber { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, - >(public_key, randomness) + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, + >(public_key, &randomness) } /// Decapsulate Kyber 1024 @@ -673,6 +715,7 @@ pub(crate) mod kyber { ) -> MlKemSharedSecret { multiplexing::kyber_decapsulate::< RANK, + RANK_SQUARED, SECRET_KEY_SIZE, CPA_PKE_SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, @@ -687,6 +730,8 @@ pub(crate) mod kyber { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext) } diff --git a/libcrux-ml-kem/src/mlkem512.rs b/libcrux-ml-kem/src/mlkem512.rs index 75fb915d3..77fbf3c4b 100644 --- a/libcrux-ml-kem/src/mlkem512.rs +++ b/libcrux-ml-kem/src/mlkem512.rs @@ -2,6 +2,7 @@ use super::{constants::*, ind_cca::*, types::*, *}; const RANK: usize = 2; +const RANK_SQUARED: usize = RANK * RANK; #[cfg(any(feature = "incremental", eurydice))] const RANKED_BYTES_PER_RING_ELEMENT: usize = RANK * BITS_PER_RING_ELEMENT / 8; const T_AS_NTT_ENCODED_SIZE: usize = 
@@ -24,6 +25,9 @@ const ETA1_RANDOMNESS_SIZE: usize = ETA1 * 64; const ETA2: usize = 2; const ETA2_RANDOMNESS_SIZE: usize = ETA2 * 64; +const PRF_OUTPUT_SIZE1: usize = ETA1_RANDOMNESS_SIZE * RANK; +const PRF_OUTPUT_SIZE2: usize = ETA2_RANDOMNESS_SIZE * RANK; + const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = SHARED_SECRET_SIZE + CPA_PKE_CIPHERTEXT_SIZE; /// The ML-KEM 512 algorithms @@ -102,11 +106,13 @@ macro_rules! instantiate { ) -> MlKem512KeyPair { p::generate_keypair::< RANK, + RANK_SQUARED, CPA_PKE_SECRET_KEY_SIZE, SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, >(&randomness) } @@ -117,13 +123,15 @@ macro_rules! instantiate { pub fn kyber_generate_key_pair( randomness: [u8; KEY_GENERATION_SEED_SIZE], ) -> MlKem512KeyPair { - p::kyber_generate_keypair::< + p::kyber_generate_keypair::< RANK, + RANK_SQUARED, CPA_PKE_SECRET_KEY_SIZE, SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, >(&randomness) } @@ -136,10 +144,9 @@ macro_rules! instantiate { public_key: &MlKem512PublicKey, randomness: [u8; SHARED_SECRET_SIZE], ) -> (MlKem512Ciphertext, MlKemSharedSecret) { - - p::encapsulate::< RANK, + RANK_SQUARED, CPA_PKE_CIPHERTEXT_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, @@ -152,8 +159,9 @@ macro_rules! instantiate { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, >(public_key, &randomness) - } /// Encapsulate Kyber 512 @@ -169,6 +177,7 @@ macro_rules! instantiate { ) -> (MlKem512Ciphertext, MlKemSharedSecret) { p::kyber_encapsulate::< RANK, + RANK_SQUARED, CPA_PKE_CIPHERTEXT_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, @@ -181,6 +190,8 @@ macro_rules! instantiate { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, >(public_key, &randomness) } 
@@ -194,6 +205,7 @@ macro_rules! instantiate { ) -> MlKemSharedSecret { p::decapsulate::< RANK, + RANK_SQUARED, SECRET_KEY_SIZE, CPA_PKE_SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, @@ -208,6 +220,8 @@ macro_rules! instantiate { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext) @@ -225,6 +239,7 @@ macro_rules! instantiate { ) -> MlKemSharedSecret { p::kyber_decapsulate::< RANK, + RANK_SQUARED, SECRET_KEY_SIZE, CPA_PKE_SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, @@ -239,6 +254,8 @@ macro_rules! instantiate { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext) } @@ -248,9 +265,10 @@ macro_rules! instantiate { use super::*; /// An Unpacked ML-KEM 512 Public key - pub type MlKem512PublicKeyUnpacked = p::unpacked::MlKemPublicKeyUnpacked; + pub type MlKem512PublicKeyUnpacked = p::unpacked::MlKemPublicKeyUnpacked; + /// Am Unpacked ML-KEM 512 Key pair - pub type MlKem512KeyPairUnpacked = p::unpacked::MlKemKeyPairUnpacked; + pub type MlKem512KeyPairUnpacked = p::unpacked::MlKemKeyPairUnpacked; #[cfg(feature = "pqcp")] crate::pqcp::pqcp_unpacked_api!( @@ -313,7 +331,7 @@ macro_rules! instantiate { /// Get an unpacked key from a private key. pub fn key_pair_from_private_mut(private_key: &MlKem512PrivateKey, key_pair: &mut MlKem512KeyPairUnpacked) { - p::unpacked::keypair_from_private_key::(private_key, key_pair); + p::unpacked::keypair_from_private_key::(private_key, key_pair); } /// Get the unpacked public key. @@ -323,6 +341,7 @@ macro_rules! instantiate { ) { p::unpacked::unpack_public_key::< RANK, + RANK_SQUARED, T_AS_NTT_ENCODED_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, >(public_key, unpacked_public_key) 
@@ -342,13 +361,15 @@ macro_rules! instantiate { randomness: [u8; KEY_GENERATION_SEED_SIZE], key_pair: &mut MlKem512KeyPairUnpacked, ) { - p::unpacked::generate_keypair::< - RANK, - CPA_PKE_SECRET_KEY_SIZE, - SECRET_KEY_SIZE, - CPA_PKE_PUBLIC_KEY_SIZE, - ETA1, - ETA1_RANDOMNESS_SIZE, + p::unpacked::generate_keypair::< + RANK, + RANK_SQUARED, + CPA_PKE_SECRET_KEY_SIZE, + SECRET_KEY_SIZE, + CPA_PKE_PUBLIC_KEY_SIZE, + ETA1, + ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, >(randomness, key_pair); } @@ -376,7 +397,8 @@ macro_rules! instantiate { randomness: [u8; SHARED_SECRET_SIZE], ) -> (MlKem512Ciphertext, MlKemSharedSecret) { p::unpacked::encapsulate::< - RANK, + RANK, + RANK_SQUARED, CPA_PKE_CIPHERTEXT_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, @@ -389,6 +411,8 @@ macro_rules! instantiate { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, >(public_key, &randomness) } @@ -404,6 +428,7 @@ macro_rules! instantiate { ) -> MlKemSharedSecret { p::unpacked::decapsulate::< RANK, + RANK_SQUARED, SECRET_KEY_SIZE, CPA_PKE_SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, @@ -418,6 +443,8 @@ macro_rules! instantiate { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext) @@ -472,11 +499,13 @@ pub fn validate_private_key( pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> MlKem512KeyPair { multiplexing::generate_keypair::< RANK, + RANK_SQUARED, CPA_PKE_SECRET_KEY_SIZE, SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, >(&randomness) } @@ -498,6 +527,7 @@ pub fn encapsulate( ) -> (MlKem512Ciphertext, MlKemSharedSecret) { multiplexing::encapsulate::< RANK, + RANK_SQUARED, CPA_PKE_CIPHERTEXT_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, 
@@ -510,6 +540,8 @@ pub fn encapsulate( ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, >(public_key, &randomness) } @@ -529,6 +561,7 @@ pub fn decapsulate( ) -> MlKemSharedSecret { multiplexing::decapsulate::< RANK, + RANK_SQUARED, SECRET_KEY_SIZE, CPA_PKE_SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, @@ -543,6 +576,8 @@ pub fn decapsulate( ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext) } @@ -615,12 +650,14 @@ pub(crate) mod kyber { pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> MlKem512KeyPair { multiplexing::kyber_generate_keypair::< RANK, + RANK_SQUARED, CPA_PKE_SECRET_KEY_SIZE, SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, - >(randomness) + PRF_OUTPUT_SIZE1, + >(&randomness) } /// Encapsulate Kyber 512 @@ -634,6 +671,7 @@ pub(crate) mod kyber { ) -> (MlKem512Ciphertext, MlKemSharedSecret) { multiplexing::kyber_encapsulate::< RANK, + RANK_SQUARED, CPA_PKE_CIPHERTEXT_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, @@ -646,7 +684,9 @@ pub(crate) mod kyber { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, - >(public_key, randomness) + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, + >(public_key, &randomness) } /// Decapsulate Kyber 512 @@ -660,6 +700,7 @@ pub(crate) mod kyber { ) -> MlKemSharedSecret { multiplexing::kyber_decapsulate::< RANK, + RANK_SQUARED, SECRET_KEY_SIZE, CPA_PKE_SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, @@ -674,6 +715,8 @@ pub(crate) mod kyber { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext) } diff --git a/libcrux-ml-kem/src/mlkem768.rs b/libcrux-ml-kem/src/mlkem768.rs index f6a130a4a..8e991595b 100644 --- a/libcrux-ml-kem/src/mlkem768.rs +++ b/libcrux-ml-kem/src/mlkem768.rs 
@@ -3,6 +3,7 @@ use super::{constants::*, ind_cca::*, types::*, *}; const RANK: usize = 3; +const RANK_SQUARED: usize = RANK * RANK; #[cfg(any(feature = "incremental", eurydice))] const RANKED_BYTES_PER_RING_ELEMENT: usize = RANK * BITS_PER_RING_ELEMENT / 8; const T_AS_NTT_ENCODED_SIZE: usize = @@ -31,6 +32,9 @@ const ETA1_RANDOMNESS_SIZE: usize = ETA1 * 64; const ETA2: usize = 2; const ETA2_RANDOMNESS_SIZE: usize = ETA2 * 64; +const PRF_OUTPUT_SIZE1: usize = ETA1_RANDOMNESS_SIZE * RANK; +const PRF_OUTPUT_SIZE2: usize = ETA2_RANDOMNESS_SIZE * RANK; + const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = SHARED_SECRET_SIZE + CPA_PKE_CIPHERTEXT_SIZE; /// The ML-KEM 768 algorithms @@ -107,11 +111,13 @@ macro_rules! instantiate { ) -> MlKem768KeyPair { p::generate_keypair::< RANK, + RANK_SQUARED, CPA_PKE_SECRET_KEY_SIZE, SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, >(&randomness) } @@ -123,11 +129,13 @@ macro_rules! instantiate { ) -> MlKem768KeyPair { p::kyber_generate_keypair::< RANK, + RANK_SQUARED, CPA_PKE_SECRET_KEY_SIZE, SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, >(&randomness) } @@ -142,6 +150,7 @@ macro_rules! instantiate { ) -> (MlKem768Ciphertext, MlKemSharedSecret) { p::encapsulate::< RANK, + RANK_SQUARED, CPA_PKE_CIPHERTEXT_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, @@ -154,6 +163,8 @@ macro_rules! instantiate { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, >(public_key, &randomness) } @@ -170,6 +181,7 @@ macro_rules! instantiate { ) -> (MlKem768Ciphertext, MlKemSharedSecret) { p::kyber_encapsulate::< RANK, + RANK_SQUARED, CPA_PKE_CIPHERTEXT_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, @@ -182,6 +194,8 @@ macro_rules! instantiate { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, >(public_key, &randomness) } 
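Review bot: `PRF_OUTPUT_SIZE1` and `PRF_OUTPUT_SIZE2` are introduced in the second hunk on this line without a comment, so their meaning is only recoverable from the arithmetic `ETA1_RANDOMNESS_SIZE * RANK`. If, as the names suggest, they are the PRF output needed to sample all `RANK` noise polynomials at ETA1/ETA2, a doc line such as `/// PRF output bytes for all RANK noise polynomials sampled at ETA1` (and the ETA2 counterpart) would help readers of the many call sites below. `RANK_SQUARED` likewise deserves a line saying why the square is threaded through as a separate const generic instead of being computed where it is used, since that decision is repeated at every call site in this diff.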
@@ -195,6 +209,7 @@ macro_rules! instantiate { ) -> MlKemSharedSecret { p::decapsulate::< RANK, + RANK_SQUARED, SECRET_KEY_SIZE, CPA_PKE_SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, @@ -209,6 +224,8 @@ macro_rules! instantiate { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext) } @@ -225,6 +242,7 @@ macro_rules! instantiate { ) -> MlKemSharedSecret { p::kyber_decapsulate::< RANK, + RANK_SQUARED, SECRET_KEY_SIZE, CPA_PKE_SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, @@ -239,6 +257,8 @@ macro_rules! instantiate { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext) } @@ -248,10 +268,10 @@ macro_rules! instantiate { use super::*; /// An Unpacked ML-KEM 768 Public key - pub type MlKem768PublicKeyUnpacked = p::unpacked::MlKemPublicKeyUnpacked; + pub type MlKem768PublicKeyUnpacked = p::unpacked::MlKemPublicKeyUnpacked; /// Am Unpacked ML-KEM 768 Key pair - pub type MlKem768KeyPairUnpacked = p::unpacked::MlKemKeyPairUnpacked; + pub type MlKem768KeyPairUnpacked = p::unpacked::MlKemKeyPairUnpacked; #[cfg(feature = "pqcp")] crate::pqcp::pqcp_unpacked_api!( @@ -309,7 +329,7 @@ macro_rules! instantiate { /// Get an unpacked key from a private key. pub fn key_pair_from_private_mut(private_key: &MlKem768PrivateKey, key_pair: &mut MlKem768KeyPairUnpacked) { - p::unpacked::keypair_from_private_key::(private_key, key_pair); + p::unpacked::keypair_from_private_key::(private_key, key_pair); } /// Get the unpacked public key. @@ -323,7 +343,8 @@ macro_rules! instantiate { unpacked_public_key: &mut MlKem768PublicKeyUnpacked ) { p::unpacked::unpack_public_key::< - RANK, + RANK, + RANK_SQUARED, T_AS_NTT_ENCODED_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, >(public_key, unpacked_public_key) 
@@ -345,11 +366,13 @@ macro_rules! instantiate { ) { p::unpacked::generate_keypair::< RANK, +RANK_SQUARED, CPA_PKE_SECRET_KEY_SIZE, SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, >(randomness, key_pair); } @@ -377,6 +400,7 @@ macro_rules! instantiate { ) -> (MlKem768Ciphertext, MlKemSharedSecret) { p::unpacked::encapsulate::< RANK, +RANK_SQUARED, CPA_PKE_CIPHERTEXT_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, @@ -389,6 +413,8 @@ macro_rules! instantiate { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, >(public_key, &randomness) } @@ -403,6 +429,7 @@ macro_rules! instantiate { ) -> MlKemSharedSecret { p::unpacked::decapsulate::< RANK, +RANK_SQUARED, SECRET_KEY_SIZE, CPA_PKE_SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, @@ -417,6 +444,8 @@ macro_rules! instantiate { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext) } @@ -465,11 +494,13 @@ pub fn validate_private_key( pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> MlKem768KeyPair { multiplexing::generate_keypair::< RANK, + RANK_SQUARED, CPA_PKE_SECRET_KEY_SIZE, SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, >(&randomness) } @@ -485,6 +516,7 @@ pub fn encapsulate( ) -> (MlKem768Ciphertext, MlKemSharedSecret) { multiplexing::encapsulate::< RANK, + RANK_SQUARED, CPA_PKE_CIPHERTEXT_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, @@ -497,6 +529,8 @@ pub fn encapsulate( ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, >(public_key, &randomness) } @@ -511,6 +545,7 @@ pub fn decapsulate( ) -> MlKemSharedSecret { multiplexing::decapsulate::< RANK, + RANK_SQUARED, SECRET_KEY_SIZE, CPA_PKE_SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, 
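Review bot: The added `RANK_SQUARED,` lines in the unpacked `generate_keypair`, `encapsulate` and `decapsulate` hunks on this line sit at column 0 while the neighbouring generic arguments are indented, and rustfmt does not reformat `macro_rules!` bodies, so this will not be fixed automatically. Indent them to match `CPA_PKE_SECRET_KEY_SIZE,` in the same list. The mlkem512 counterpart earlier in the diff appears to have re-indented the whole argument list instead, so the two files now differ in whitespace for otherwise identical code.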
@@ -525,6 +560,8 @@ pub fn decapsulate( ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext) } @@ -597,12 +634,14 @@ pub(crate) mod kyber { pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> MlKem768KeyPair { multiplexing::kyber_generate_keypair::< RANK, + RANK_SQUARED, CPA_PKE_SECRET_KEY_SIZE, SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, ETA1, ETA1_RANDOMNESS_SIZE, - >(randomness) + PRF_OUTPUT_SIZE1, + >(&randomness) } /// Encapsulate Kyber 768 @@ -616,6 +655,7 @@ pub(crate) mod kyber { ) -> (MlKem768Ciphertext, MlKemSharedSecret) { multiplexing::kyber_encapsulate::< RANK, + RANK_SQUARED, CPA_PKE_CIPHERTEXT_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, T_AS_NTT_ENCODED_SIZE, @@ -628,7 +668,9 @@ pub(crate) mod kyber { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, - >(public_key, randomness) + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, + >(public_key, &randomness) } /// Decapsulate ML-KEM 768 @@ -641,6 +683,7 @@ pub(crate) mod kyber { ) -> MlKemSharedSecret { multiplexing::kyber_decapsulate::< RANK, + RANK_SQUARED, SECRET_KEY_SIZE, CPA_PKE_SECRET_KEY_SIZE, CPA_PKE_PUBLIC_KEY_SIZE, @@ -655,6 +698,8 @@ pub(crate) mod kyber { ETA1_RANDOMNESS_SIZE, ETA2, ETA2_RANDOMNESS_SIZE, + PRF_OUTPUT_SIZE1, + PRF_OUTPUT_SIZE2, IMPLICIT_REJECTION_HASH_INPUT_SIZE, >(private_key, ciphertext) } diff --git a/libcrux-ml-kem/src/ntt.rs b/libcrux-ml-kem/src/ntt.rs index eb388e18e..18c786ff8 100644 --- a/libcrux-ml-kem/src/ntt.rs +++ b/libcrux-ml-kem/src/ntt.rs @@ -1,7 +1,7 @@ use crate::{ hax_utils::hax_debug_assert, polynomial::{zeta, PolynomialRingElement, VECTORS_IN_RING_ELEMENT}, - vector::Operations, + vector::{traits::montgomery_multiply_fe, Operations}, }; #[inline(always)] 
@@ -13,7 +13,7 @@ use crate::{ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+5*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))"# + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ sz i ]))"# )] #[hax_lib::fstar::before( interface, @@ -22,7 +22,7 @@ use crate::{ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+6*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))"# + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ sz i ]))"# )] #[hax_lib::requires(fstar!(r#"v ${*zeta_i} == 63 /\ ntt_re_range_2 $re"#))] @@ -42,19 +42,19 @@ pub(crate) fn ntt_at_layer_1( r#"v zeta_i == v $_zeta_i_init + v $round * 4 /\ (v round < 16 ==> (forall (i:nat). (i >= v round /\ i < 16) ==> Spec.Utils.is_i16b_array_opaque (11207+5*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\ + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ sz i ])))) /\ (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque (11207+6*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))"# + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ sz i ])))"# ) }); *zeta_i += 1; hax_lib::fstar!( r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) (Spec.Utils.is_i16b_array_opaque (11207+5*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"# + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ round ])))"# ); - re.coefficients[round] = Vector::ntt_layer_1_step( - re.coefficients[round], + Vector::ntt_layer_1_step( + &mut re.coefficients[round], zeta(*zeta_i), zeta(*zeta_i + 1), zeta(*zeta_i + 2), 
@@ -64,11 +64,11 @@ pub(crate) fn ntt_at_layer_1( hax_lib::fstar!( r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) (Spec.Utils.is_i16b_array_opaque (11207+6*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"# + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ round ])))"# ); hax_lib::fstar!( "assert (Spec.Utils.is_i16b_array_opaque (11207+6*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))" + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ $round ])))" ); } } @@ -82,7 +82,7 @@ pub(crate) fn ntt_at_layer_1( {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))"# + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ sz i ]))"# )] #[hax_lib::requires(fstar!(r#"v ${*zeta_i} == 31 /\ ntt_re_range_3 $re"#))] 
@@ -102,28 +102,32 @@ pub(crate) fn ntt_at_layer_2( r#"v zeta_i == v $_zeta_i_init + v $round * 2 /\ (v round < 16 ==> (forall (i:nat). (i >= v round /\ i < 16) ==> Spec.Utils.is_i16b_array_opaque (11207+4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\ + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ sz i ])))) /\ (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque (11207+5*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))"# + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ sz i ])))"# ) }); *zeta_i += 1; hax_lib::fstar!( r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) (Spec.Utils.is_i16b_array_opaque (11207+4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"# + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ round ])))"# + ); + + Vector::ntt_layer_2_step( + &mut re.coefficients[round], + zeta(*zeta_i), + zeta(*zeta_i + 1), ); - re.coefficients[round] = - Vector::ntt_layer_2_step(re.coefficients[round], zeta(*zeta_i), zeta(*zeta_i + 1)); *zeta_i += 1; hax_lib::fstar!( r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) (Spec.Utils.is_i16b_array_opaque (11207+5*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"# + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ round ])))"# ); hax_lib::fstar!( "assert (Spec.Utils.is_i16b_array_opaque (11207+5*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))" + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ $round ])))" ); } } 
@@ -137,7 +141,7 @@ pub(crate) fn ntt_at_layer_2( {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+3*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))"# + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ sz i ]))"# )] #[hax_lib::requires(fstar!(r#"v ${*zeta_i} == 15 /\ ntt_re_range_4 $re"#))] 
@@ -157,50 +161,59 @@ pub(crate) fn ntt_at_layer_3( r#"v zeta_i == v $_zeta_i_init + v $round /\ (v round < 16 ==> (forall (i:nat). (i >= v round /\ i < 16) ==> Spec.Utils.is_i16b_array_opaque (11207+3*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\ + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ sz i ])))) /\ (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque (11207+4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))"# + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ sz i ])))"# ) }); *zeta_i += 1; hax_lib::fstar!( r#"reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) (Spec.Utils.is_i16b_array_opaque (11207+3*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"# + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ round ])))"# ); - re.coefficients[round] = Vector::ntt_layer_3_step(re.coefficients[round], zeta(*zeta_i)); + Vector::ntt_layer_3_step(&mut re.coefficients[round], zeta(*zeta_i)); hax_lib::fstar!( "reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) (Spec.Utils.is_i16b_array_opaque (11207+4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))" + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ round ])))" ); hax_lib::fstar!( "assert (Spec.Utils.is_i16b_array_opaque (11207+4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))" + (Libcrux_ml_kem.Vector.Traits.f_repr (re.f_coefficients.[ $round ])))" ); } } #[inline(always)] #[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 $zeta_r /\ - (let t = ${Vector::montgomery_multiply_by_constant} $b $zeta_r in + v $a < 16 /\ v $b < 16 /\ + (let vec_a = Seq.index $coefficients (v $a) in + let vec_b = Seq.index $coefficients (v $b) in + let t = i0.f_montgomery_multiply_by_constant vec_b $zeta_r in (forall i. 
i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $a) i) - - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))) /\ + (v (Seq.index (i0._super_6081346371236564305.f_repr vec_a) i) - + v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_repr t) i))) /\ (forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $a) i) + - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))))"#))] + (v (Seq.index (i0._super_6081346371236564305.f_repr vec_a) i) + + v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_repr t) i))))"#))] fn ntt_layer_int_vec_step( - mut a: Vector, - mut b: Vector, + coefficients: &mut [Vector; VECTORS_IN_RING_ELEMENT], + a: usize, + b: usize, + scratch: &mut Vector, zeta_r: i16, -) -> (Vector, Vector) { - let t = Vector::montgomery_multiply_by_constant(b, zeta_r); - b = Vector::sub(a, &t); - a = Vector::add(a, &t); - (a, b) +) { + // XXX: The following copies should be explicit clones, since we + // would like to drop `Vector: Copy` in the future. Leaving as + // copies until a Eurydice issue is resolved. + *scratch = coefficients[b]; //.clone(); + montgomery_multiply_fe::(scratch, zeta_r); + coefficients[b] = coefficients[a]; //.clone(); + Vector::add(&mut coefficients[a], scratch); + Vector::sub(&mut coefficients[b], scratch); } #[inline(always)] 
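Review bot: The new `requires` on `ntt_layer_int_vec_step` bounds `a` and `b` by 16 but does not state `a != b`; with `a == b` the body's `coefficients[b] = coefficients[a]` is a no-op and both `add` and `sub` then hit the same element, so the butterfly is silently wrong rather than rejected. Add `v $a <> v $b /\` next to `v $a < 16 /\ v $b < 16` so the proof covers the distinctness the caller relies on. The precondition also describes `t` through `i0.f_montgomery_multiply_by_constant`, while the body now calls `montgomery_multiply_fe`; if that helper is not exactly that trait method the spec and code have quietly diverged, so a one-line comment stating the relation would be worthwhile either way.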
@@ -219,26 +232,26 @@ pub(crate) fn ntt_at_layer_4_plus( zeta_i: &mut usize, re: &mut PolynomialRingElement, layer: usize, + scratch: &mut Vector, _initial_coefficient_bound: usize, // This can be used for specifying the range of values allowed in re ) { let step = 1 << layer; - + let step_vec = step / 16; //FIELD_ELEMENTS_IN_VECTOR; let _zeta_i_init = *zeta_i; + for round in 0..(128 >> layer) { *zeta_i += 1; - let offset = round * step * 2; - let offset_vec = offset / 16; //FIELD_ELEMENTS_IN_VECTOR; - let step_vec = step / 16; //FIELD_ELEMENTS_IN_VECTOR; - - for j in offset_vec..offset_vec + step_vec { - let (x, y) = ntt_layer_int_vec_step( - re.coefficients[j], - re.coefficients[j + step_vec], + let a_offset = round * 2 * step_vec; + let b_offset = a_offset + step_vec; + for j in 0..step_vec { + ntt_layer_int_vec_step( + &mut re.coefficients, + a_offset + j, + b_offset + j, + scratch, zeta(*zeta_i), ); - re.coefficients[j] = x; - re.coefficients[j + step_vec] = y; } } } 
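Review bot: `let step_vec = step / 16; //FIELD_ELEMENTS_IN_VECTOR;` carries the constant's name in a trailing comment instead of using it; now that `step_vec` is hoisted above the loop, `step / FIELD_ELEMENTS_IN_VECTOR` (if that constant is in scope here) or a local `const` would keep the relation to the vector width checkable rather than implied. The hoisting also makes it easier to see that for `layer < 4` the division yields 0 and both loops silently do nothing; a `debug_assert!(layer >= 4)` or a hax requires on the function, whose attributes are outside this hunk, would make that contract explicit.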
@@ -254,20 +267,23 @@ pub(crate) fn ntt_at_layer_4_plus( (re_0 re_1: v_Vector) = (forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_1) i) * v ((mk_i16 (-1600))))) /\ + (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_repr re_1) i) * v ((mk_i16 (-1600))))) /\ (let t = Libcrux_ml_kem.Vector.Traits.f_multiply_by_constant re_1 ((mk_i16 (-1600))) in (forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_0) i) - - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))) /\ + (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_repr re_0) i) - + v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_repr t) i))) /\ (forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_0) i) + - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))))"# + (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_repr re_0) i) + + v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_repr t) i))))"# )] #[hax_lib::requires(fstar!(r#"forall i. i < 8 ==> ntt_layer_7_pre (${re}.f_coefficients.[ sz i ]) (${re}.f_coefficients.[ sz i +! sz 8 ])"#))] -pub(crate) fn ntt_at_layer_7(re: &mut PolynomialRingElement) { +pub(crate) fn ntt_at_layer_7( + re: &mut PolynomialRingElement, + scratch: &mut Vector, +) { let step = VECTORS_IN_RING_ELEMENT / 2; hax_lib::fstar!(r#"assert (v $step == 8)"#); for j in 0..step { 
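Review bot: `ntt_at_layer_7` gains a `scratch: &mut Vector` parameter with no documentation, and the same applies to `ntt_binomially_sampled_ring_element` and `ntt_vector_u` in the following hunks. A one-line doc on each would save readers tracing the body, for example `/// `scratch` is caller-provided temporary storage; its incoming contents are ignored and it holds a scaled copy of a coefficient vector on return.` The second half matters because the loop body leaves the `-1600`-scaled copy of `re.coefficients[j + step]` in `scratch`, so a caller sharing one scratch vector between secret-key and public-data paths should treat its contents as secret-dependent.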
@@ -279,9 +295,15 @@ pub(crate) fn ntt_at_layer_7(re: &mut PolynomialRingElement< ) }); hax_lib::fstar!(r#"reveal_opaque (`%ntt_layer_7_pre) (ntt_layer_7_pre #$:Vector)"#); - let t = Vector::multiply_by_constant(re.coefficients[j + step], -1600); - re.coefficients[j + step] = Vector::sub(re.coefficients[j], &t); - re.coefficients[j] = Vector::add(re.coefficients[j], &t); + + // XXX: The following copies should be explicit clones, since we + // would like to drop `Vector: Copy` in the future. Leaving as + // copies until a Eurydice issue is resolved. + *scratch = re.coefficients[j + step]; //.clone(); + Vector::multiply_by_constant(scratch, -1600); + re.coefficients[j + step] = re.coefficients[j]; //.clone(); + Vector::add(&mut re.coefficients[j], scratch); + Vector::sub(&mut re.coefficients[j + step], scratch); } } @@ -296,15 +318,16 @@ pub(crate) fn ntt_at_layer_7(re: &mut PolynomialRingElement< Libcrux_ml_kem.Polynomial.is_bounded_poly #$:Vector 3328 ${re}_future"#))] pub(crate) fn ntt_binomially_sampled_ring_element( re: &mut PolynomialRingElement, + scratch: &mut Vector, ) { // Due to the small coefficient bound, we can skip the first round of // Montgomery reductions. - ntt_at_layer_7(re); + ntt_at_layer_7(re, scratch); let mut zeta_i = 1; - ntt_at_layer_4_plus(&mut zeta_i, re, 6, 11207); - ntt_at_layer_4_plus(&mut zeta_i, re, 5, 11207 + 3328); - ntt_at_layer_4_plus(&mut zeta_i, re, 4, 11207 + 2 * 3328); + ntt_at_layer_4_plus(&mut zeta_i, re, 6, scratch, 11207); + ntt_at_layer_4_plus(&mut zeta_i, re, 5, scratch, 11207 + 3328); + ntt_at_layer_4_plus(&mut zeta_i, re, 4, scratch, 11207 + 2 * 3328); ntt_at_layer_3(&mut zeta_i, re, 11207 + 3 * 3328); ntt_at_layer_2(&mut zeta_i, re, 11207 + 4 * 3328); ntt_at_layer_1(&mut zeta_i, re, 11207 + 5 * 3328); 
@@ -319,6 +342,7 @@ pub(crate) fn ntt_binomially_sampled_ring_element( Spec.MLKEM.poly_ntt (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $re)"#))] pub(crate) fn ntt_vector_u( re: &mut PolynomialRingElement, + scratch: &mut Vector, ) { hax_debug_assert!(to_i16_array(re) .into_iter() @@ -326,10 +350,10 @@ pub(crate) fn ntt_vector_u to_spec_poly_t #v_Vector (m.[i])) let to_spec_matrix_t (#r:Spec.MLKEM.rank) (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (m:t_Array (t_Array (t_PolynomialRingElement v_Vector) r) r) : Spec.MLKEM.matrix r = - createi r (fun i -> to_spec_vector_t #r #v_Vector (m.[i])) + (m:t_Array (t_PolynomialRingElement v_Vector) (r *! r)) : Spec.MLKEM.matrix r = + createi r (fun i -> to_spec_vector_t #r #v_Vector (Seq.slice m (v r * v i) (v r * v i + v r))) let is_bounded_vector (#v_Vector: Type0) {| i0: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (bound: nat) (x: v_Vector) = Spec.Utils.is_i16b_array bound (i0.f_to_i16_array x) + (bound: nat) (x: v_Vector) = Spec.Utils.is_i16b_array bound (i0._super_6081346371236564305.f_repr x) let is_bounded_poly (#v_Vector: Type0) {| i0: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} 
@@ -63,23 +63,12 @@ pub(crate) struct PolynomialRingElement { pub(crate) coefficients: [Vector; VECTORS_IN_RING_ELEMENT], } -#[allow(non_snake_case)] -fn ZERO() -> PolynomialRingElement { - PolynomialRingElement { - // https://github.com/hacspec/hax/issues/27 - // FIXME: The THIR body of item DefId(0:415 ~ libcrux_ml_kem[9000]::polynomial::{impl#0}::ZERO::{constant#0}) was stolen. - coefficients: [Vector::ZERO(); 16], - } -} - #[inline(always)] #[hax_lib::requires(VECTORS_IN_RING_ELEMENT * 16 <= a.len())] -fn from_i16_array(a: &[i16]) -> PolynomialRingElement { - let mut result = ZERO(); +fn from_i16_array(a: &[i16], result: &mut PolynomialRingElement) { for i in 0..VECTORS_IN_RING_ELEMENT { - result.coefficients[i] = Vector::from_i16_array(&a[i * 16..(i + 1) * 16]); + Vector::from_i16_array(&a[i * 16..(i + 1) * 16], &mut result.coefficients[i]); } - result } #[allow(dead_code)] @@ -91,18 +80,16 @@ fn to_i16_array(re: PolynomialRingElement, out: &mut for i in 0..re.coefficients.len() { hax_lib::loop_invariant!(|_i: usize| out.len() == _out_len); - out[i * 16..(i + 1) * 16].copy_from_slice(&Vector::to_i16_array(re.coefficients[i])); + Vector::to_i16_array(&re.coefficients[i], &mut out[i * 16..(i + 1) * 16]); } } #[inline(always)] #[hax_lib::requires(VECTORS_IN_RING_ELEMENT * 16 *2 <= bytes.len())] -fn from_bytes(bytes: &[u8]) -> PolynomialRingElement { - let mut result = ZERO(); +fn from_bytes(bytes: &[u8], result: &mut PolynomialRingElement) { for i in 0..VECTORS_IN_RING_ELEMENT { - result.coefficients[i] = Vector::from_bytes(&bytes[i * 32..(i + 1) * 32]); + Vector::from_bytes(&bytes[i * 32..(i + 1) * 32], &mut result.coefficients[i]); } - result } #[inline(always)] 
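Review bot: `from_i16_array` and `from_bytes` now write into a caller-supplied `result` instead of starting from `ZERO()`, and nothing says whether the caller must pre-initialise it. Both loops assign every index in `0..VECTORS_IN_RING_ELEMENT`, so a doc comment such as `/// Overwrites every coefficient of `result`; its previous contents are irrelevant.` on each function would settle the question. Removing `ZERO()` also drops the only `Vector::ZERO()` initialisation path visible in this file, so any caller that relied on a freshly zeroed element now has to construct one itself; that is worth a sentence in the commit message if intended.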
@@ -113,6 +100,9 @@ fn to_bytes(re: PolynomialRingElement, out: &mut [u8 for i in 0..re.coefficients.len() { hax_lib::loop_invariant!(|_i: usize| out.len() == _out_len); + // XXX: The following copy should be an explicit clone, since we + // would like to drop `Vector: Copy` in the future. Leaving as + // copiy until a Eurydice issue is resolved. Vector::to_bytes(re.coefficients[i], &mut out[i * 32..(i + 1) * 32]); } } @@ -131,7 +121,8 @@ pub(crate) fn vec_to_bytes( let re_bytes = PolynomialRingElement::::num_bytes(); for i in 0..re.len() { hax_lib::loop_invariant!(|_i: usize| out.len() == _out_len); - PolynomialRingElement::::to_bytes(re[i], &mut out[i * re_bytes..]); + // XXX: Making the clone explicit, since we would like to drop `Vector: Copy` in the future. + PolynomialRingElement::::to_bytes(re[i].clone(), &mut out[i * re_bytes..]); } } @@ -152,7 +143,7 @@ pub(crate) fn vec_from_bytes( let re_bytes = PolynomialRingElement::::num_bytes(); for i in 0..out.len() { hax_lib::loop_invariant!(|_i: usize| out.len() == _out_len); - out[i] = PolynomialRingElement::::from_bytes(&bytes[i * re_bytes..]); + PolynomialRingElement::::from_bytes(&bytes[i * re_bytes..], &mut out[i]); } } 
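Review bot: The new comment above `Vector::to_bytes` misspells "copy" as `copiy`, and the `vec_to_bytes` hunk below makes the same point with an explicit `re[i].clone()`; both exist only because `to_bytes` still takes `re: PolynomialRingElement` by value (its signature is outside this hunk). Changing that parameter to `&PolynomialRingElement` and reading `re.coefficients[i]` through the reference removes the clone and both XXX comments, which is the direction the comments themselves say the code wants to go. If these ring elements carry secret-key material, the by-value copy is also an extra stack image of it that nothing wipes, so the reference form is the safer default as well.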
@@ -166,17 +157,17 @@ pub(crate) const fn vec_len_bytes() -> usize /// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise /// sum of their constituent coefficients. #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 500 --split_queries always")] +#[hax_lib::fstar::options("--z3rlimit 600 --split_queries always")] #[hax_lib::requires(fstar!(r#" forall (i:nat). i < v ${VECTORS_IN_RING_ELEMENT} ==> - (let lhs_i = i0.f_to_i16_array (${myself}.f_coefficients.[ sz i ]) in - let rhs_i = i0.f_to_i16_array (${rhs}.f_coefficients.[ sz i ]) in + (let lhs_i = i0._super_6081346371236564305.f_repr (${myself}.f_coefficients.[ sz i ]) in + let rhs_i = i0._super_6081346371236564305.f_repr (${rhs}.f_coefficients.[ sz i ]) in Libcrux_ml_kem.Vector.Traits.Spec.add_pre lhs_i rhs_i)"#))] #[hax_lib::ensures(|_| fstar!(r#" forall (i:nat). i < v ${VECTORS_IN_RING_ELEMENT} ==> - (let lhs_i = i0.f_to_i16_array (${myself}.f_coefficients.[ sz i ]) in - let rhs_i = i0.f_to_i16_array (${rhs}.f_coefficients.[ sz i ]) in - let result_i = i0.f_to_i16_array (${myself}_future.f_coefficients.[ sz i ]) in + (let lhs_i = i0._super_6081346371236564305.f_repr (${myself}.f_coefficients.[ sz i ]) in + let rhs_i = i0._super_6081346371236564305.f_repr (${rhs}.f_coefficients.[ sz i ]) in + let result_i = i0._super_6081346371236564305.f_repr (${myself}_future.f_coefficients.[ sz i ]) in Libcrux_ml_kem.Vector.Traits.Spec.add_post lhs_i rhs_i result_i)"#))] fn add_to_ring_element( myself: &mut PolynomialRingElement, @@ -186,7 +177,7 @@ fn add_to_ring_element( let _myself = myself.coefficients; hax_lib::fstar!( r#"assert(forall (v: v_Vector). - i0.f_to_i16_array v == i0._super_6081346371236564305.f_repr v)"# + i0._super_6081346371236564305.f_repr v == i0._super_6081346371236564305.f_repr v)"# ); for i in 0..myself.coefficients.len() { 
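Review bot: The rewritten `assert` in `add_to_ring_element` now reads `i0._super_6081346371236564305.f_repr v == i0._super_6081346371236564305.f_repr v`, which is a tautology: the mechanical `f_to_i16_array` → `f_repr` rename turned a bridging lemma into `x == x`. It should be deleted together with the surrounding `hax_lib::fstar!( ... )` call, or replaced by whatever equality the proof still needs; as written it is proof noise, and it may be related to `--z3rlimit` having to rise to 600 in the hunk above. The enclosing function's loop continues outside this hunk.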
@@ -195,24 +186,31 @@ fn add_to_ring_element( r#" v $i <= v ${VECTORS_IN_RING_ELEMENT} /\ (forall (j:nat). (j >= v $i /\ j < v ${VECTORS_IN_RING_ELEMENT}) ==> - (let _myself_j = i0.f_to_i16_array (${_myself}.[ sz j ]) in - let myself_j = i0.f_to_i16_array (${myself}.f_coefficients.[ sz j ]) in - let rhs_j = i0.f_to_i16_array (${rhs}.f_coefficients.[ sz j ]) in + (let _myself_j = i0._super_6081346371236564305.f_repr (${_myself}.[ sz j ]) in + let myself_j = i0._super_6081346371236564305.f_repr (${myself}.f_coefficients.[ sz j ]) in + let rhs_j = i0._super_6081346371236564305.f_repr (${rhs}.f_coefficients.[ sz j ]) in myself_j == _myself_j /\ Libcrux_ml_kem.Vector.Traits.Spec.add_pre myself_j rhs_j)) /\ (forall (j:nat). j < v $i ==> - (let _myself_j = i0.f_to_i16_array (${_myself}.[ sz j ]) in - let myself_j = i0.f_to_i16_array (${myself}.f_coefficients.[ sz j ]) in - let rhs_j = i0.f_to_i16_array (${rhs}.f_coefficients.[ sz j ]) in + (let _myself_j = i0._super_6081346371236564305.f_repr (${_myself}.[ sz j ]) in + let myself_j = i0._super_6081346371236564305.f_repr (${myself}.f_coefficients.[ sz j ]) in + let rhs_j = i0._super_6081346371236564305.f_repr (${rhs}.f_coefficients.[ sz j ]) in Libcrux_ml_kem.Vector.Traits.Spec.add_post _myself_j rhs_j myself_j))"# ) }); + Vector::add(&mut myself.coefficients[i], &rhs.coefficients[i]); - myself.coefficients[i] = Vector::add(myself.coefficients[i], &rhs.coefficients[i]); + hax_lib::fstar!( + r#"assert(let _myself_j = i0._super_6081346371236564305.f_repr (${_myself}.[ i ]) in + let myself_j = i0._super_6081346371236564305.f_repr (${myself}.f_coefficients.[ i ]) in + let rhs_j = i0._super_6081346371236564305.f_repr (${rhs}.f_coefficients.[ i ]) in + Libcrux_ml_kem.Vector.Traits.Spec.add_post _myself_j rhs_j myself_j)"# + ); } } #[inline(always)] +#[hax_lib::fstar::options("--z3rlimit 600")] #[hax_lib::requires(fstar!(r#"is_bounded_poly 28296 ${myself}"#))] #[hax_lib::ensures(|_| fstar!(r#"is_bounded_poly 3328 
${myself}_future"#))] fn poly_barrett_reduce(myself: &mut PolynomialRingElement) { @@ -227,18 +225,18 @@ fn poly_barrett_reduce(myself: &mut PolynomialRingElement( myself: &PolynomialRingElement, - mut b: PolynomialRingElement, -) -> PolynomialRingElement { + b: &mut PolynomialRingElement, +) { #[cfg(hax)] let _b = b.coefficients; 
@@ -259,46 +257,45 @@ fn subtract_reduce( "# ); - let coefficient_normal_form = - Vector::montgomery_multiply_by_constant(b.coefficients[i], 1441); - + Vector::montgomery_multiply_by_constant(&mut b.coefficients[i], 1441); hax_lib::fstar!( r#" - assert (is_bounded_vector 3328 ${coefficient_normal_form}); + assert (is_bounded_vector 3328 ${b}.f_coefficients.[ i ]); assert (is_bounded_vector (pow2 12 - 1) (${myself}.f_coefficients.[ i ])); assert_norm (pow2 12 - 1 == 4095); Spec.Utils.lemma_sub_intb_forall 4095 3328; assert (forall j. Spec.Utils.is_intb 7423 - (v (Seq.index (i0.f_to_i16_array ${myself}.f_coefficients.[ i ]) j) - - v (Seq.index (i0.f_to_i16_array ${coefficient_normal_form}) j))); + (v (Seq.index (i0._super_6081346371236564305.f_repr ${b}.f_coefficients.[ i ]) j) - + v (Seq.index (i0._super_6081346371236564305.f_repr ${myself}.f_coefficients.[ i ]) j))); assert_norm (7423 <= pow2 15 - 1); Spec.Utils.lemma_intb_le 7423 (pow2 15 - 1); Spec.Utils.lemma_intb_le 7423 28296; assert (forall j. Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (i0.f_to_i16_array ${myself}.f_coefficients.[ i ]) j) - - v (Seq.index (i0.f_to_i16_array ${coefficient_normal_form}) j))); + (v (Seq.index (i0._super_6081346371236564305.f_repr ${b}.f_coefficients.[ i ]) j) - + v (Seq.index (i0._super_6081346371236564305.f_repr ${myself}.f_coefficients.[ i ]) j))); assert (forall j. 
Spec.Utils.is_intb 28296 - (v (Seq.index (i0.f_to_i16_array ${myself}.f_coefficients.[ i ]) j) - - v (Seq.index (i0.f_to_i16_array ${coefficient_normal_form}) j))) + (v (Seq.index (i0._super_6081346371236564305.f_repr ${b}.f_coefficients.[ i ]) j) - + v (Seq.index (i0._super_6081346371236564305.f_repr ${myself}.f_coefficients.[ i ]) j))) "# ); - let diff = Vector::sub(myself.coefficients[i], &coefficient_normal_form); - hax_lib::fstar!("assert (is_bounded_vector 28296 diff)"); - let red = Vector::barrett_reduce(diff); - hax_lib::fstar!("assert (is_bounded_vector 3328 red)"); - b.coefficients[i] = red; + Vector::sub(&mut b.coefficients[i], &myself.coefficients[i]); + hax_lib::fstar!("assert (is_bounded_vector 28296 ${b}.f_coefficients.[ i ])"); + hax_lib::fstar!("assert (is_bounded_vector (pow2 15 - 1) ${b}.f_coefficients.[ i ])"); + Vector::negate(&mut b.coefficients[i]); + hax_lib::fstar!("assert (is_bounded_vector 28296 ${b}.f_coefficients.[ i ])"); + + Vector::barrett_reduce(&mut b.coefficients[i]); + hax_lib::fstar!("assert (is_bounded_vector 3328 ${b}.f_coefficients.[ i ])"); hax_lib::fstar!( r#" assert (forall j. (j > v $i /\ j < 16) ==> ${b}.f_coefficients.[ sz j ] == ${_b}.[ sz j]); assert (forall j. j < v $i ==> is_bounded_vector 3328 ${b}.f_coefficients.[ sz j ]); - assert (${b}.f_coefficients.[ $i ] == ${red}); assert (forall j. j <= v $i ==> is_bounded_vector 3328 ${b}.f_coefficients.[ sz j ]) "# ); } - b } #[inline(always)] 
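Review bot: `subtract_reduce` now reaches `myself - b` via `Vector::sub(&mut b.coefficients[i], &myself.coefficients[i])` followed by `Vector::negate`, because the in-place `sub` subtracts its second operand from the first and the result has to end up in `b`. That two-step is not obvious from the code and deserves a comment at the `sub` call: `// in-place sub yields b - myself; negate to obtain myself - b`. The `is_bounded_vector (pow2 15 - 1)` assert inserted between the two calls is what rules out an i16 overflow on negation, so keep that assert and the comment together.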
@@ -306,15 +303,17 @@ fn subtract_reduce( #[hax_lib::requires(fstar!(r#" is_bounded_poly 3328 ${myself} /\ is_bounded_poly 3328 ${message}"#))] -#[hax_lib::ensures(|output| fstar!("is_bounded_poly 3328 ${output}"))] +#[hax_lib::ensures(|_| fstar!("is_bounded_poly 3328 ${result}_future"))] fn add_message_error_reduce( myself: &PolynomialRingElement, message: &PolynomialRingElement, - mut result: PolynomialRingElement, -) -> PolynomialRingElement { + result: &mut PolynomialRingElement, + scratch: &mut Vector, +) { #[cfg(hax)] let _result = result.coefficients; + // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting for i in 0..VECTORS_IN_RING_ELEMENT { hax_lib::loop_invariant!(|i: usize| fstar!( r#" @@ -333,8 +332,7 @@ fn add_message_error_reduce( "# ); - let coefficient_normal_form = - Vector::montgomery_multiply_by_constant(result.coefficients[i], 1441); + Vector::montgomery_multiply_by_constant(&mut result.coefficients[i], 1441); hax_lib::fstar!( r#" 
@@ -342,16 +340,20 @@ fn add_message_error_reduce( assert (6656 <= (pow2 15 - 1)); Spec.Utils.lemma_intb_le 6656 (pow2 15 - 1); assert (forall j. Spec.Utils.is_intb 6656 - (v (Seq.index (i0.f_to_i16_array ${myself}.f_coefficients.[ i ]) j) + - v (Seq.index (i0.f_to_i16_array ${message}.f_coefficients.[ i ]) j))); + (v (Seq.index (i0._super_6081346371236564305.f_repr ${myself}.f_coefficients.[ i ]) j) + + v (Seq.index (i0._super_6081346371236564305.f_repr ${message}.f_coefficients.[ i ]) j))); assert (forall j. Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (i0.f_to_i16_array ${myself}.f_coefficients.[ i ]) j) + - v (Seq.index (i0.f_to_i16_array ${message}.f_coefficients.[ i ]) j))) + (v (Seq.index (i0._super_6081346371236564305.f_repr ${myself}.f_coefficients.[ i ]) j) + + v (Seq.index (i0._super_6081346371236564305.f_repr ${message}.f_coefficients.[ i ]) j))) "# ); - - let sum1 = Vector::add(myself.coefficients[i], &message.coefficients[i]); - hax_lib::fstar!("assert(is_bounded_vector 6656 sum1)"); + // XXX: The following copy should be an explicit clone, since we + // would like to drop `Vector: Copy` in the future. Leaving as + // copy until a Eurydice issue is resolved. + // XXX: Need this copy? + *scratch = myself.coefficients[i]; //.clone(); + Vector::add(scratch, &message.coefficients[i]); + hax_lib::fstar!("assert(is_bounded_vector 6656 ${scratch})"); hax_lib::fstar!( r#" 
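Review bot: `*scratch = myself.coefficients[i]; //.clone();` leaves commented-out code on the line, and the `// XXX: Need this copy?` question above it can be answered from the hunk itself: `Vector::add(scratch, &message.coefficients[i])` mutates its first operand and `myself` is only borrowed immutably, so a copy (or clone) into `scratch` is required as long as `Vector::add` has no three-operand form. Drop the trailing `//.clone();` and replace the question with a statement, e.g. `// The copy is needed: Vector::add works in place and myself is immutable.` The same three-line XXX comment about `Vector: Copy` is repeated in serialize.rs (`to_unsigned_field_modulus`, `compress_then_serialize_11`, `compress_then_serialize_5`); a single shared note would be easier to retire once the Eurydice issue is resolved.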
@@ -359,39 +361,37 @@ fn add_message_error_reduce( Spec.Utils.lemma_intb_le 9984 (pow2 15 - 1); Spec.Utils.lemma_intb_le 9984 28296; assert (forall j. Spec.Utils.is_intb 9984 - (v (Seq.index (i0.f_to_i16_array ${coefficient_normal_form}) j) + - v (Seq.index (i0.f_to_i16_array ${sum1}) j))); + (v (Seq.index (i0._super_6081346371236564305.f_repr ${result}.f_coefficients.[ i ]) j) + + v (Seq.index (i0._super_6081346371236564305.f_repr ${scratch}) j))); assert (forall j. Spec.Utils.is_intb 28296 - (v (Seq.index (i0.f_to_i16_array ${coefficient_normal_form}) j) + - v (Seq.index (i0.f_to_i16_array ${sum1}) j))); + (v (Seq.index (i0._super_6081346371236564305.f_repr ${result}.f_coefficients.[ i ]) j) + + v (Seq.index (i0._super_6081346371236564305.f_repr ${scratch}) j))); assert (forall j. Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (i0.f_to_i16_array ${coefficient_normal_form}) j) + - v (Seq.index (i0.f_to_i16_array ${sum1}) j))) + (v (Seq.index (i0._super_6081346371236564305.f_repr ${result}.f_coefficients.[ i ]) j) + + v (Seq.index (i0._super_6081346371236564305.f_repr ${scratch}) j))) "# ); - let sum2 = Vector::add(coefficient_normal_form, &sum1); - hax_lib::fstar!("assert(is_bounded_vector 9984 sum2)"); - let red = Vector::barrett_reduce(sum2); - hax_lib::fstar!("assert(is_bounded_vector 3328 red)"); - result.coefficients[i] = red; + Vector::add(&mut result.coefficients[i], scratch); + hax_lib::fstar!("assert(is_bounded_vector 9984 ${result}.f_coefficients.[ i ])"); + + Vector::barrett_reduce(&mut result.coefficients[i]); + hax_lib::fstar!("assert(is_bounded_vector 3328 ${result}.f_coefficients.[ i ])"); hax_lib::fstar!( r#" assert (forall j. (j > v $i /\ j < 16) ==> ${result}.f_coefficients.[ sz j ] == ${_result}.[ sz j]); assert (forall j. j < v $i ==> is_bounded_vector 3328 ${result}.f_coefficients.[ sz j ]); - assert (${result}.f_coefficients.[ $i ] == ${red}); assert (forall j. 
j <= v $i ==> is_bounded_vector 3328 ${result}.f_coefficients.[ sz j ]) "# ); } - result } #[inline(always)] #[hax_lib::fstar::options("--z3rlimit 400 --split_queries always")] #[hax_lib::requires(fstar!("is_bounded_poly 7 ${error}"))] -#[hax_lib::ensures(|result| fstar!(r#"is_bounded_poly 3328 ${myself}_future"#))] +#[hax_lib::ensures(|_| fstar!(r#"is_bounded_poly 3328 ${myself}_future"#))] fn add_error_reduce( myself: &mut PolynomialRingElement, error: &PolynomialRingElement, 
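Review bot: `add_message_error_reduce` gains a `scratch: &mut Vector` parameter (its signature is in the earlier hunk) but nothing documents what callers may assume about it; after the loop it holds the last iteration's `myself + message` sum, which callers should not rely on. Add to the function's doc: `/// scratch is caller-provided working storage; its contents on return are unspecified.` The same applies to the wrapper method in `impl PolynomialRingElement` and to the serialize.rs functions that gain a `scratch` parameter in this commit.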
@@ -407,40 +407,38 @@ fn add_error_reduce( "# )); - let coefficient_normal_form = - Vector::montgomery_multiply_by_constant(myself.coefficients[j], 1441); + Vector::montgomery_multiply_by_constant(&mut myself.coefficients[j], 1441); hax_lib::fstar!( r#" - assert (is_bounded_vector 3328 ${coefficient_normal_form}); + assert (is_bounded_vector 3328 ${myself}.f_coefficients.[ j ]); assert (is_bounded_vector 7 (error.f_coefficients.[ j ])); Spec.Utils.lemma_add_intb_forall 3328 7; assert (forall i. Spec.Utils.is_intb 3335 - (v (Seq.index (i0.f_to_i16_array ${coefficient_normal_form}) i) + - v (Seq.index (i0.f_to_i16_array ${error}.f_coefficients.[ j ]) i))); + (v (Seq.index (i0._super_6081346371236564305.f_repr ${myself}.f_coefficients.[ j ]) i) + + v (Seq.index (i0._super_6081346371236564305.f_repr ${error}.f_coefficients.[ j ]) i))); assert_norm (3335 <= pow2 15 - 1); Spec.Utils.lemma_intb_le 3335 (pow2 15 - 1); Spec.Utils.lemma_intb_le 3335 28296; assert (forall i. Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (i0.f_to_i16_array ${coefficient_normal_form}) i) + - v (Seq.index (i0.f_to_i16_array ${error}.f_coefficients.[ j ]) i))); + (v (Seq.index (i0._super_6081346371236564305.f_repr ${myself}.f_coefficients.[ j ]) i) + + v (Seq.index (i0._super_6081346371236564305.f_repr ${error}.f_coefficients.[ j ]) i))); assert (forall i. 
Spec.Utils.is_intb 28296 - (v (Seq.index (i0.f_to_i16_array ${coefficient_normal_form}) i) + - v (Seq.index (i0.f_to_i16_array ${error}.f_coefficients.[ j ]) i))) + (v (Seq.index (i0._super_6081346371236564305.f_repr ${myself}.f_coefficients.[ j ]) i) + + v (Seq.index (i0._super_6081346371236564305.f_repr ${error}.f_coefficients.[ j ]) i))) "# ); - let sum = Vector::add(coefficient_normal_form, &error.coefficients[j]); - hax_lib::fstar!("assert(is_bounded_vector 3335 sum)"); - let red = Vector::barrett_reduce(sum); - hax_lib::fstar!("assert(is_bounded_vector 3328 red)"); - myself.coefficients[j] = red; + Vector::add(&mut myself.coefficients[j], &error.coefficients[j]); + hax_lib::fstar!("assert(is_bounded_vector 3335 ${myself}.f_coefficients.[ j ])"); + + Vector::barrett_reduce(&mut myself.coefficients[j]); + hax_lib::fstar!("assert(is_bounded_vector 3328 ${myself}.f_coefficients.[ j ])"); hax_lib::fstar!( r#" - assert (forall i. (i > v $j /\ i < 16) ==> ${myself}.f_coefficients.[ sz i ] == ${_myself}.[ sz i]); + assert (forall i. (i > v $j /\ i < 16) ==> ${myself}.f_coefficients.[ sz i ] == ${_myself}.[ sz i ]); assert (forall i. i < v $j ==> is_bounded_vector 3328 ${myself}.f_coefficients.[ sz i ]); - assert (${myself}.f_coefficients.[ $j ] == ${red}); assert (forall i. i <= v $j ==> is_bounded_vector 3328 ${myself}.f_coefficients.[ sz i ]) "# ); 
@@ -448,17 +446,17 @@ fn add_error_reduce( } #[inline(always)] -#[hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 (i0.f_to_i16_array ${result}) /\ - (forall i. i < 16 ==> ((v (Seq.index (i0.f_to_i16_array ${result}) i) % 3329)== - (v (Seq.index (i0.f_to_i16_array ${vector}) i) * 1353 * 169) % 3329))"#))] -fn to_standard_domain(vector: T) -> T { - T::montgomery_multiply_by_constant(vector, MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS as i16) +#[hax_lib::ensures(|_| fstar!(r#"Spec.Utils.is_i16b_array 3328 (i0._super_6081346371236564305.f_repr ${vector}_future) /\ + (forall i. i < 16 ==> ((v (Seq.index (i0._super_6081346371236564305.f_repr ${vector}_future) i) % 3329)== + (v (Seq.index (i0._super_6081346371236564305.f_repr ${vector}) i) * 1353 * 169) % 3329))"#))] +fn to_standard_domain(vector: &mut T) { + T::montgomery_multiply_by_constant(vector, MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS); } #[inline(always)] #[hax_lib::fstar::options("--z3rlimit 300 --split_queries always")] #[hax_lib::requires(fstar!(r#"is_bounded_poly #$:Vector 3328 ${error}"#))] -#[hax_lib::ensures(|result| fstar!(r#"is_bounded_poly 3328 ${myself}_future"#))] +#[hax_lib::ensures(|_| fstar!(r#"is_bounded_poly 3328 ${myself}_future"#))] fn add_standard_error_reduce( myself: &mut PolynomialRingElement, error: &PolynomialRingElement, 
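Review bot: `to_standard_domain` now passes `MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS` without the former `as i16`, which only type-checks if the constant is declared as `i16` (its definition is outside this diff); if it was retyped in this commit that is an improvement, since an `as` cast would silently truncate a wider value. The function has no doc comment despite a non-trivial contract in its ensures clause; add `/// Montgomery-multiplies every lane of vector by R^2 mod q in place; see the ensures clause for the resulting congruence.`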
@@ -476,40 +474,39 @@ fn add_standard_error_reduce( // The coefficients are of the form aR^{-1} mod q, which means // calling to_montgomery_domain() on them should return a mod q. - let coefficient_normal_form = to_standard_domain::(myself.coefficients[j]); + to_standard_domain::(&mut myself.coefficients[j]); hax_lib::fstar!( r#" Spec.Utils.pow2_more_values 15; - assert (is_bounded_vector 3328 ${coefficient_normal_form}); + assert (is_bounded_vector 3328 ${myself}.f_coefficients.[ j ]); assert (is_bounded_vector 3328 (error.f_coefficients.[ j ])); Spec.Utils.lemma_add_intb_forall 3328 3328; assert (forall i. Spec.Utils.is_intb 6656 - (v (Seq.index (i0.f_to_i16_array ${coefficient_normal_form}) i) + - v (Seq.index (i0.f_to_i16_array ${error}.f_coefficients.[ j ]) i))); + (v (Seq.index (i0._super_6081346371236564305.f_repr ${myself}.f_coefficients.[ j ]) i) + + v (Seq.index (i0._super_6081346371236564305.f_repr ${error}.f_coefficients.[ j ]) i))); assert_norm (6656 <= pow2 15 - 1); Spec.Utils.lemma_intb_le 6656 (pow2 15 - 1); Spec.Utils.lemma_intb_le 6656 28296; assert (forall i. Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (i0.f_to_i16_array ${coefficient_normal_form}) i) + - v (Seq.index (i0.f_to_i16_array ${error}.f_coefficients.[ j ]) i))); + (v (Seq.index (i0._super_6081346371236564305.f_repr ${myself}.f_coefficients.[ j ]) i) + + v (Seq.index (i0._super_6081346371236564305.f_repr ${error}.f_coefficients.[ j ]) i))); assert (forall i. 
Spec.Utils.is_intb 28296 - (v (Seq.index (i0.f_to_i16_array ${coefficient_normal_form}) i) + - v (Seq.index (i0.f_to_i16_array ${error}.f_coefficients.[ j ]) i))) + (v (Seq.index (i0._super_6081346371236564305.f_repr ${myself}.f_coefficients.[ j ]) i) + + v (Seq.index (i0._super_6081346371236564305.f_repr ${error}.f_coefficients.[ j ]) i))) "# ); - let sum = Vector::add(coefficient_normal_form, &error.coefficients[j]); - hax_lib::fstar!("assert(is_bounded_vector 6656 sum)"); - let red = Vector::barrett_reduce(sum); - hax_lib::fstar!("assert(is_bounded_vector 3328 red)"); - myself.coefficients[j] = red; + Vector::add(&mut myself.coefficients[j], &error.coefficients[j]); + hax_lib::fstar!("assert(is_bounded_vector 6656 ${myself}.f_coefficients.[ j ])"); + + Vector::barrett_reduce(&mut myself.coefficients[j]); + hax_lib::fstar!("assert(is_bounded_vector 3328 ${myself}.f_coefficients.[ j ])"); hax_lib::fstar!( r#" assert (forall i. (i > v $j /\ i < 16) ==> ${myself}.f_coefficients.[ sz i ] == ${_myself}.[ sz i]); assert (forall i. i < v $j ==> is_bounded_vector 3328 ${myself}.f_coefficients.[ sz i ]); - assert (${myself}.f_coefficients.[ $j ] == ${red}); assert (forall i. i <= v $j ==> is_bounded_vector 3328 ${myself}.f_coefficients.[ sz i ]) "# ); @@ -541,6 +538,7 @@ fn add_standard_error_reduce( /// /// The NIST FIPS 203 standard can be found at /// . +#[inline(always)] // TODO: Remove or replace with something that works and is useful for the proof. // #[cfg_attr(hax, hax_lib::requires( // hax_lib::forall(|i:usize| 
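Review bot: The comment directly above the rewritten call still says `calling to_montgomery_domain() on them should return a mod q`, but the call is `to_standard_domain::(&mut myself.coefficients[j])`, so the comment names the wrong function and, after this change, the wrong calling convention. Update it to `// calling to_standard_domain() on them (in place) yields a mod q.` The enclosing `add_standard_error_reduce` starts before this hunk.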
@@ -554,28 +552,25 @@ fn add_standard_error_reduce( // hax_lib::implies(i < result.coefficients.len(), || // result.coefficients[i].abs() <= FIELD_MODULUS // ))))] -#[inline(always)] #[hax_lib::fstar::options("--z3rlimit 300 --split_queries always")] #[hax_lib::requires(fstar!(r#"is_bounded_poly 3328 ${myself} /\ is_bounded_poly 3328 ${rhs}"#))] fn ntt_multiply( myself: &PolynomialRingElement, rhs: &PolynomialRingElement, -) -> PolynomialRingElement { - let mut out = ZERO(); - + out: &mut PolynomialRingElement, +) { for i in 0..VECTORS_IN_RING_ELEMENT { - out.coefficients[i] = Vector::ntt_multiply( + Vector::ntt_multiply( &myself.coefficients[i], &rhs.coefficients[i], + &mut out.coefficients[i], zeta(64 + 4 * i), zeta(64 + 4 * i + 1), zeta(64 + 4 * i + 2), zeta(64 + 4 * i + 3), ); } - - out } // FIXME: We pulled out all the items because of https://github.com/hacspec/hax/issues/1183 @@ -585,6 +580,7 @@ impl PolynomialRingElement { #[allow(non_snake_case)] pub(crate) fn ZERO() -> Self { Self { + // XXX: This should be initialized using `core::array::from_fn`, once we no longer have `Vector: Copy`. coefficients: [Vector::ZERO(); 16], } } @@ -599,8 +595,8 @@ impl PolynomialRingElement { #[inline(always)] #[requires(VECTORS_IN_RING_ELEMENT * 16 <= a.len())] - pub(crate) fn from_i16_array(a: &[i16]) -> Self { - from_i16_array(a) + pub(crate) fn from_i16_array(a: &[i16], out: &mut Self) { + from_i16_array(a, out) } #[allow(dead_code)] @@ -613,8 +609,8 @@ impl PolynomialRingElement { #[inline(always)] #[allow(dead_code)] #[requires(VECTORS_IN_RING_ELEMENT * 16 * 2 <= bytes.len())] - pub(crate) fn from_bytes(bytes: &[u8]) -> Self { - from_bytes(bytes) + pub(crate) fn from_bytes(bytes: &[u8], out: &mut Self) { + from_bytes(bytes, out) } #[inline(always)] 
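Review bot: `ntt_multiply` no longer starts from `ZERO()` but writes into a caller-supplied `out`, so whether `out` must be zeroed now depends on whether `Vector::ntt_multiply` fully overwrites `out.coefficients[i]` or accumulates into it, which is not visible here. State the contract on the function so callers do not get this wrong, e.g. `/// Every coefficient of out is overwritten; out need not be zeroed.` (or the opposite, if the vector routine accumulates). The same out-parameter convention applies to the `from_i16_array` and `from_bytes` wrappers changed in the following hunks on this line, which are likewise undocumented.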
@@ -629,14 +625,14 @@ impl PolynomialRingElement { #[inline(always)] #[requires(fstar!(r#" forall (i:nat). i < v ${VECTORS_IN_RING_ELEMENT} ==> - (let lhs_i = i0.f_to_i16_array (self.f_coefficients.[ sz i ]) in - let rhs_i = i0.f_to_i16_array (${rhs}.f_coefficients.[ sz i ]) in + (let lhs_i = i0._super_6081346371236564305.f_repr (self.f_coefficients.[ sz i ]) in + let rhs_i = i0._super_6081346371236564305.f_repr (${rhs}.f_coefficients.[ sz i ]) in Libcrux_ml_kem.Vector.Traits.Spec.add_pre lhs_i rhs_i)"#))] #[ensures(|_| fstar!(r#" forall (i:nat). i < v ${VECTORS_IN_RING_ELEMENT} ==> - (let lhs_i = i0.f_to_i16_array (self.f_coefficients.[ sz i ]) in - let rhs_i = i0.f_to_i16_array (${rhs}.f_coefficients.[ sz i ]) in - let result_i = i0.f_to_i16_array (self_e_future.f_coefficients.[ sz i ]) in + (let lhs_i = i0._super_6081346371236564305.f_repr (self.f_coefficients.[ sz i ]) in + let rhs_i = i0._super_6081346371236564305.f_repr (${rhs}.f_coefficients.[ sz i ]) in + let result_i = i0._super_6081346371236564305.f_repr (self_e_future.f_coefficients.[ sz i ]) in Libcrux_ml_kem.Vector.Traits.Spec.add_post lhs_i rhs_i result_i)"#))] pub(crate) fn add_to_ring_element(&mut self, rhs: &Self) { add_to_ring_element::(self, rhs); 
@@ -651,17 +647,22 @@ impl PolynomialRingElement { #[inline(always)] #[requires(fstar!(r#"is_bounded_poly (pow2 12 - 1) self"#))] - #[ensures(|result| fstar!(r#"is_bounded_poly 3328 ${result}"#))] - pub(crate) fn subtract_reduce(&self, b: Self) -> Self { + #[ensures(|_| fstar!(r#"is_bounded_poly 3328 ${b}_future"#))] + pub(crate) fn subtract_reduce(&self, b: &mut Self) { subtract_reduce(self, b) } #[inline(always)] #[requires(fstar!(r#"is_bounded_poly 3328 self /\ is_bounded_poly 3328 ${message}"#))] - #[ensures(|output| fstar!(r#"is_bounded_poly 3328 ${output}"#))] - pub(crate) fn add_message_error_reduce(&self, message: &Self, result: Self) -> Self { - add_message_error_reduce(self, message, result) + #[ensures(|_| fstar!(r#"is_bounded_poly 3328 ${result}_future"#))] + pub(crate) fn add_message_error_reduce( + &self, + message: &Self, + result: &mut Self, + scratch: &mut Vector, + ) { + add_message_error_reduce(self, message, result, scratch); } #[inline(always)] @@ -679,8 +680,8 @@ impl PolynomialRingElement { #[inline(always)] #[requires(fstar!(r#"is_bounded_poly 3328 self /\ is_bounded_poly 3328 ${rhs}"#))] - pub(crate) fn ntt_multiply(&self, rhs: &Self) -> Self { - ntt_multiply(self, rhs) + pub(crate) fn ntt_multiply(&self, rhs: &Self, out: &mut Self) { + ntt_multiply(self, rhs, out) } } @@ -701,7 +702,8 @@ mod tests { let mut bytes = [0u8; RingElement::num_bytes()]; re.to_bytes(&mut bytes); - let re_decoded = RingElement::from_bytes(&bytes); + let mut re_decoded = RingElement::ZERO(); + RingElement::from_bytes(&bytes, &mut re_decoded); // Compare let mut i16s = [0; RingElement::num_bytes() / 2]; 
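Review bot: `subtract_reduce(&self, b: &mut Self)` makes `b` both an input and the output, and which operand ends up where is not obvious from the signature; the in-place body earlier in this diff subtracts `self` from `b` and then negates, i.e. presumably `b := self - b`. Add a doc comment on the wrapper: `/// Computes self - b coefficient-wise, Barrett-reduces it, and stores the result in b.` Likewise `add_message_error_reduce` should say that `result` is updated in place and that `scratch` is working storage whose contents are unspecified on return.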
@@ -720,13 +722,14 @@ mod tests { type RingElement = PolynomialRingElement; let mut re = RingElement::ZERO(); - re.coefficients[0] = SIMD128Vector::from_i16_array(&[0xAB; 32]); - re.coefficients[15] = SIMD128Vector::from_i16_array(&[0xCD; 32]); + SIMD128Vector::from_i16_array(&[0xAB; 32], &mut re.coefficients[0]); + SIMD128Vector::from_i16_array(&[0xCD; 32], &mut re.coefficients[15]); let mut bytes = [0u8; RingElement::num_bytes()]; re.to_bytes(&mut bytes); - let re_decoded = RingElement::from_bytes(&bytes); + let mut re_decoded = RingElement::ZERO(); + RingElement::from_bytes(&bytes, &mut re_decoded); // Compare let mut i16s = [0; RingElement::num_bytes() / 2]; diff --git a/libcrux-ml-kem/src/sampling.rs b/libcrux-ml-kem/src/sampling.rs index c12c4da66..eb45cfed3 100644 --- a/libcrux-ml-kem/src/sampling.rs +++ b/libcrux-ml-kem/src/sampling.rs @@ -1,6 +1,5 @@ use crate::{ - constants::COEFFICIENTS_IN_RING_ELEMENT, hash_functions::*, helper::cloop, - polynomial::PolynomialRingElement, vector::Operations, + constants::COEFFICIENTS_IN_RING_ELEMENT, hash_functions::*, helper::cloop, vector::Operations, }; /// If `bytes` contains a set of uniformly random bytes, this function 
@@ -43,19 +42,38 @@ use crate::{ /// . #[inline(always)] fn sample_from_uniform_distribution_next( - randomness: &[[u8; N]; K], - sampled_coefficients: &mut [usize; K], - out: &mut [[i16; 272]; K], + randomness: &[[u8; N]], + sampled_coefficients: &mut [usize], + out: &mut [[i16; 272]], ) -> bool { // Would be great to trigger auto-vectorization or at least loop unrolling here for i in 0..K { for r in 0..N / 24 { if sampled_coefficients[i] < COEFFICIENTS_IN_RING_ELEMENT { - let sampled = Vector::rej_sample( - &randomness[i][r * 24..(r * 24) + 24], - &mut out[i][sampled_coefficients[i]..sampled_coefficients[i] + 16], - ); - sampled_coefficients[i] += sampled; + #[cfg(eurydice)] + { + // XXX: We need to use these temporaries to work around a Eurydice + // bug. (see https://github.com/AeneasVerif/eurydice/issues/285) + let randomness_i = &randomness[i]; + let out_i = &mut out[i]; + let sampled_coefficients_i = sampled_coefficients[i]; + + let sampled = Vector::rej_sample( + &randomness_i[r * 24..(r * 24) + 24], + &mut out_i[sampled_coefficients_i..sampled_coefficients_i + 16], + ); + sampled_coefficients[i] += sampled; + } + #[cfg(not(eurydice))] + { + // XXX: We need a separate code path for hax to + // avoid `DirectAndMut` issues. + let sampled = Vector::rej_sample( + &randomness[i][r * 24..(r * 24) + 24], + &mut out[i][sampled_coefficients[i]..sampled_coefficients[i] + 16], + ); + sampled_coefficients[i] += sampled; + } } } } 
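Review bot: `sample_from_uniform_distribution_next` now takes `randomness: &[[u8; N]]`, `sampled_coefficients: &mut [usize]` and `out: &mut [[i16; 272]]` but still loops `for i in 0..K` and indexes all three with `i`, so the lengths are no longer guaranteed by the types and a short slice panics. The next hunk gives `sample_from_xof` exactly this precondition; mirror it here: `#[hax_lib::requires(randomness.len() == K && sampled_coefficients.len() == K && out.len() == K)]`. The `#[cfg(eurydice)]` and `#[cfg(not(eurydice))]` blocks are duplicated bodies that have to be kept in sync by hand; a comment on the first saying the second must mirror it, or a shared helper for the slice-range computation, would reduce the risk of the two drifting apart.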
@@ -72,19 +90,22 @@ fn sample_from_uniform_distribution_next>( - seeds: &[[u8; 34]; K], -) -> [PolynomialRingElement; K] { - let mut sampled_coefficients: [usize; K] = [0; K]; - let mut out: [[i16; 272]; K] = [[0; 272]; K]; - +#[hax_lib::requires(sampled_coefficients.len() == K && out.len() == K)] +#[hax_lib::ensures(|_| future(sampled_coefficients).len() == K && future(out).len() == K)] +pub(super) fn sample_from_xof( + seeds: &[[u8; 34]], + sampled_coefficients: &mut [usize], + out: &mut [[i16; 272]], +) { let mut xof_state = Hasher::shake128_init_absorb_final(seeds); - let randomness = xof_state.shake128_squeeze_first_three_blocks(); + let mut randomness = [[0u8; THREE_BLOCKS]; K]; + let mut randomness_blocksize = [[0u8; BLOCK_SIZE]; K]; + xof_state.shake128_squeeze_first_three_blocks(&mut randomness); let mut done = sample_from_uniform_distribution_next::( &randomness, - &mut sampled_coefficients, - &mut out, + sampled_coefficients, + out, ); // Requiring more than 5 blocks to sample a ring element should be very @@ -93,15 +114,13 @@ pub(super) fn sample_from_xof( - &randomness, - &mut sampled_coefficients, - &mut out, + &randomness_blocksize, + sampled_coefficients, + out, ); } - - out.map(|s| PolynomialRingElement::::from_i16_array(&s[0..256])) } /// Given a series of uniformly random bytes in `randomness`, for some number `eta`, @@ -162,13 +181,12 @@ pub(super) fn sample_from_xof( randomness: &[u8], -) -> PolynomialRingElement { + sampled_i16s: &mut [i16], +) { hax_lib::fstar!( "assert (v (sz 2 *! sz 64) == 128); assert (Seq.length $randomness == 128)" ); - let mut sampled_i16s = [0i16; 256]; - cloop! { for (chunk_number, byte_chunk) in randomness.chunks_exact(4).enumerate() { let random_bits_as_u32: u32 = (byte_chunk[0] as u32) @@ -200,7 +218,6 @@ fn sample_from_binomial_distribution_2( } } } - PolynomialRingElement::from_i16_array(&sampled_i16s) } #[hax_lib::requires(randomness.len() == 3 * 64)] 
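Review bot: `sample_from_xof` previously created `sampled_coefficients` and `out` as zeroed locals; they are now caller-provided and the function never resets them, so a caller passing a non-zero `sampled_coefficients` would start writing mid-buffer and stop early, leaving stale values in `out`. Either clear them on entry (`sampled_coefficients.fill(0);`) or add the requirement to the contract, e.g. `hax_lib::forall(|i: usize| hax_lib::implies(i < K, || sampled_coefficients[i] == 0))` in the requires, and document that only `out[i][..256]` is meaningful on return now that the `from_i16_array` conversion has moved to the caller. `randomness_blocksize` is declared here but first used in the next hunk on this line; declaring it next to the retry loop would read better.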
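Review bot: `sample_from_binomial_distribution_2` now takes `sampled_i16s: &mut [i16]` while `sample_from_binomial_distribution_3` in the next hunk takes `&mut [i16; 256]`, yet both are called from `sample_from_binomial_distribution` with the same `output: &mut [i16; 256]`. The unsized form here drops the compile-time length guarantee that the indexed writes in the loop rely on (the loop body is outside this hunk); change it to `sampled_i16s: &mut [i16; 256],` to match its sibling.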
@@ -213,12 +230,12 @@ fn sample_from_binomial_distribution_2( #[hax_lib::fstar::options("--z3rlimit 800")] fn sample_from_binomial_distribution_3( randomness: &[u8], -) -> PolynomialRingElement { + sampled_i16s: &mut [i16; 256], +) { hax_lib::fstar!( "assert (v (sz 3 *! sz 64) == 192); assert (Seq.length $randomness == 192)" ); - let mut sampled_i16s = [0i16; 256]; cloop! { for (chunk_number, byte_chunk) in randomness.chunks_exact(3).enumerate() { @@ -252,28 +269,27 @@ fn sample_from_binomial_distribution_3( } } } - PolynomialRingElement::from_i16_array(&sampled_i16s) } #[inline(always)] #[hax_lib::fstar::verification_status(panic_free)] #[hax_lib::requires((ETA == 2 || ETA == 3) && randomness.len() == ETA * 64)] -#[hax_lib::ensures(|result| fstar!(r#"(forall (i:nat). i < 8 ==> Libcrux_ml_kem.Ntt.ntt_layer_7_pre - (${result}.f_coefficients.[ sz i ]) (${result}.f_coefficients.[ sz i +! sz 8 ])) /\ - Libcrux_ml_kem.Polynomial.is_bounded_poly 7 ${result} /\ - Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $result == - Spec.MLKEM.sample_poly_cbd $ETA $randomness"#))] +#[hax_lib::ensures(|_| fstar!(r#" + Spec.Utils.is_i16b_array 7 ${output}_future /\ + createi (sz 256) (fun i -> Spec.MLKEM.Math.to_spec_fe (Seq.index ${output}_future (v i))) == + Spec.MLKEM.sample_poly_cbd $ETA $randomness"#))] pub(super) fn sample_from_binomial_distribution( randomness: &[u8], -) -> PolynomialRingElement { + output: &mut [i16; 256], +) { hax_lib::fstar!( r#"assert ( (v (cast $ETA <: u32) == 2) \/ (v (cast $ETA <: u32) == 3))"# ); match ETA as u32 { - 2 => sample_from_binomial_distribution_2(randomness), - 3 => sample_from_binomial_distribution_3(randomness), + 2 => sample_from_binomial_distribution_2::(randomness, output), + 3 => sample_from_binomial_distribution_3::(randomness, output), _ => unreachable!(), - } + }; } diff --git a/libcrux-ml-kem/src/serialize.rs b/libcrux-ml-kem/src/serialize.rs index 61ee58e7b..5130aa30d 100644 --- a/libcrux-ml-kem/src/serialize.rs 
+++ b/libcrux-ml-kem/src/serialize.rs 
@@ -2,89 +2,91 @@ use crate::{ constants::{BYTES_PER_RING_ELEMENT, SHARED_SECRET_SIZE}, helper::cloop, polynomial::{PolynomialRingElement, VECTORS_IN_RING_ELEMENT}, - vector::Operations, + vector::{traits::decompress_1, Operations}, }; #[inline(always)] #[hax_lib::fstar::verification_status(panic_free)] #[hax_lib::requires(fstar!(r#"Libcrux_ml_kem.Polynomial.is_bounded_vector 3328 $a"#))] -#[hax_lib::ensures(|result| fstar!(r#"forall (i:nat). i < 16 ==> - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $result) i) >= 0 /\ - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $result) i) < v ${crate::vector::FIELD_MODULUS}"#))] -pub(super) fn to_unsigned_field_modulus(a: Vector) -> Vector { - Vector::to_unsigned_representative(a) +#[hax_lib::ensures(|_| fstar!(r#"forall (i:nat). i < 16 ==> + v (Seq.index (i0._super_6081346371236564305.f_repr ${out}_future) i) >= 0 /\ + v (Seq.index (i0._super_6081346371236564305.f_repr ${out}_future) i) < v ${crate::vector::FIELD_MODULUS}"#))] +pub(super) fn to_unsigned_field_modulus(a: &Vector, out: &mut Vector) { + // XXX: The following copy should be an explicit clone, since we + // would like to drop `Vector: Copy` in the future. Leaving as + // copy until a Eurydice issue is resolved. 
+ *out = Vector::to_unsigned_representative(*a); } #[inline(always)] #[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires(fstar!(r#"Libcrux_ml_kem.Polynomial.is_bounded_poly 3328 $re"#))] -#[hax_lib::ensures(|result| - fstar!(r#"$result == - Spec.MLKEM.compress_then_encode_message (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $re)"#) +#[hax_lib::requires(fstar!(r#"Libcrux_ml_kem.Polynomial.is_bounded_poly 3328 $re /\ + Seq.length $serialized == v ${crate::constants::SHARED_SECRET_SIZE}"#))] +#[hax_lib::ensures(|_| + fstar!(r#"${serialized}_future == + Spec.MLKEM.compress_then_encode_message (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $re) + /\ Seq.length ${serialized}_future = Seq.length $serialized"#) )] pub(super) fn compress_then_serialize_message( - re: PolynomialRingElement, -) -> [u8; SHARED_SECRET_SIZE] { - let mut serialized = [0u8; SHARED_SECRET_SIZE]; + re: &PolynomialRingElement, + serialized: &mut [u8], + scratch: &mut Vector, +) { for i in 0..16 { hax_lib::loop_invariant!(|i: usize| { - fstar!("v $i < 16 ==> Libcrux_ml_kem.Polynomial.is_bounded_poly 3328 $re") + fstar!(r#"Seq.length $serialized == v ${crate::constants::SHARED_SECRET_SIZE}"#) }); hax_lib::fstar!(r#"assert (2 * v $i + 2 <= 32)"#); + to_unsigned_field_modulus(&re.coefficients[i], scratch); + Vector::compress_1(scratch); - let coefficient = to_unsigned_field_modulus(re.coefficients[i]); - let coefficient_compressed = Vector::compress_1(coefficient); - - let bytes = Vector::serialize_1(coefficient_compressed); - serialized[2 * i..2 * i + 2].copy_from_slice(&bytes); + Vector::serialize_1(scratch, &mut serialized[2 * i..2 * i + 2]); } - - serialized } #[inline(always)] #[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|result| - fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $result == +#[hax_lib::ensures(|_| + fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector ${re}_future == 
Spec.MLKEM.decode_then_decompress_message $serialized"#) )] pub(super) fn deserialize_then_decompress_message( serialized: &[u8; SHARED_SECRET_SIZE], -) -> PolynomialRingElement { - let mut re = PolynomialRingElement::::ZERO(); + re: &mut PolynomialRingElement, +) { for i in 0..16 { - let coefficient_compressed = Vector::deserialize_1(&serialized[2 * i..2 * i + 2]); - re.coefficients[i] = Vector::decompress_1(coefficient_compressed); + Vector::deserialize_1(&serialized[2 * i..2 * i + 2], &mut re.coefficients[i]); + decompress_1::(&mut re.coefficients[i]); } - re } #[inline(always)] +#[hax_lib::fstar::before(r#"#set-options "--z3rlimit 200""#)] #[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires(fstar!(r#"Libcrux_ml_kem.Polynomial.is_bounded_poly 3328 $re"#))] -#[hax_lib::ensures(|result| - fstar!(r#"$result == - Spec.MLKEM.byte_encode 12 (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $re)"#) +#[hax_lib::requires(fstar!(r#"Libcrux_ml_kem.Polynomial.is_bounded_poly 3328 $re /\ + Seq.length $serialized == v ${crate::constants::BYTES_PER_RING_ELEMENT}"#))] +#[hax_lib::ensures(|_| + fstar!(r#"${serialized}_future == + Spec.MLKEM.byte_encode 12 (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $re) + /\ Seq.length ${serialized}_future = Seq.length $serialized"#) )] pub(super) fn serialize_uncompressed_ring_element( re: &PolynomialRingElement, -) -> [u8; BYTES_PER_RING_ELEMENT] { + scratch: &mut Vector, + serialized: &mut [u8], +) { + debug_assert!(serialized.len() == BYTES_PER_RING_ELEMENT); hax_lib::fstar!(r#"assert_norm (pow2 12 == 4096)"#); - let mut serialized = [0u8; BYTES_PER_RING_ELEMENT]; for i in 0..VECTORS_IN_RING_ELEMENT { hax_lib::loop_invariant!(|i: usize| { - fstar!( - r#"v $i >= 0 /\ v $i <= 16 /\ - v $i < 16 ==> Libcrux_ml_kem.Polynomial.is_bounded_poly 3328 $re"# - ) + fstar!(r#"Seq.length $serialized == v ${crate::constants::BYTES_PER_RING_ELEMENT}"#) }); hax_lib::fstar!(r#"assert (24 * v $i + 24 <= 384)"#); - let coefficient 
= to_unsigned_field_modulus(re.coefficients[i]); - let bytes = Vector::serialize_12(coefficient); - serialized[24 * i..24 * i + 24].copy_from_slice(&bytes); + to_unsigned_field_modulus(&re.coefficients[i], scratch); + + Vector::serialize_12(scratch, &mut serialized[24 * i..24 * i + 24]); } - serialized } #[inline(always)] @@ -92,23 +94,20 @@ pub(super) fn serialize_uncompressed_ring_element( #[hax_lib::requires( serialized.len() == BYTES_PER_RING_ELEMENT )] -#[hax_lib::ensures(|result| - fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $result == +#[hax_lib::ensures(|_| + fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector ${re}_future == Spec.MLKEM.byte_decode 12 $serialized"#) )] pub(super) fn deserialize_to_uncompressed_ring_element( serialized: &[u8], -) -> PolynomialRingElement { + re: &mut PolynomialRingElement, +) { hax_lib::fstar!(r#"assert (v $BYTES_PER_RING_ELEMENT / 24 == 16)"#); - let mut re = PolynomialRingElement::::ZERO(); - cloop! { for (i, bytes) in serialized.chunks_exact(24).enumerate() { - re.coefficients[i] = Vector::deserialize_12(bytes); + Vector::deserialize_12(bytes, &mut re.coefficients[i]); } } - - re } /// Only use with public values. @@ -121,17 +120,15 @@ pub(super) fn deserialize_to_uncompressed_ring_element( )] fn deserialize_to_reduced_ring_element( serialized: &[u8], -) -> PolynomialRingElement { + re: &mut PolynomialRingElement, +) { hax_lib::fstar!(r#"assert (v $BYTES_PER_RING_ELEMENT / 24 == 16)"#); - let mut re = PolynomialRingElement::::ZERO(); - cloop! { for (i, bytes) in serialized.chunks_exact(24).enumerate() { - let coefficient = Vector::deserialize_12(bytes); - re.coefficients[i] = Vector::cond_subtract_3329(coefficient); + Vector::deserialize_12(bytes, &mut re.coefficients[i]); + Vector::cond_subtract_3329(&mut re.coefficients[i]); } } - re } /// This function deserializes ring elements and reduces the result by the field 
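Review bot: `compress_then_serialize_message` now writes into a caller-supplied `serialized: &mut [u8]` and states `Seq.length $serialized == SHARED_SECRET_SIZE` only in the F* requires, whereas `serialize_uncompressed_ring_element` in the same hunk backs its requires with `debug_assert!(serialized.len() == BYTES_PER_RING_ELEMENT);`. Add the same guard at the top of the message function, `debug_assert!(serialized.len() == SHARED_SECRET_SIZE);`, so a wrong-length buffer fails at the entry point in debug builds rather than on the slice write inside the loop. `scratch` is undocumented in all three rewritten functions; a one-line `/// scratch: caller-provided working storage, contents unspecified on return.` on each would do.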
@@ -142,92 +139,83 @@ fn deserialize_to_reduced_ring_element( #[hax_lib::fstar::verification_status(panic_free)] #[hax_lib::requires( fstar!(r#"Spec.MLKEM.is_rank v_K /\ - Seq.length public_key == v (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)"#) -)] -#[hax_lib::ensures(|result| - fstar!(r#"forall (i:nat). i < v $K ==> - Libcrux_ml_kem.Polynomial.is_bounded_poly 3328 (Seq.index $result i)"#) -)] -pub(super) fn deserialize_ring_elements_reduced_out( - public_key: &[u8], -) -> [PolynomialRingElement; K] { - let mut deserialized_pk = core::array::from_fn(|_i| PolynomialRingElement::::ZERO()); - deserialize_ring_elements_reduced::(public_key, &mut deserialized_pk); - deserialized_pk -} - -/// See [deserialize_ring_elements_reduced_out]. -#[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires( - fstar!(r#"Spec.MLKEM.is_rank v_K /\ - Seq.length public_key == v (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)"#) + Seq.length $deserialized_pk == v v_K /\ + Seq.length $public_key == v (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)"#) )] #[hax_lib::ensures(|_| - fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${deserialized_pk}_future == - Spec.MLKEM.vector_decode_12 #$K $public_key"#) + fstar!(r#"Seq.length ${deserialized_pk}_future == v v_K /\ + Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${deserialized_pk}_future == + Spec.MLKEM.vector_decode_12 #$K $public_key"#) )] pub(super) fn deserialize_ring_elements_reduced( public_key: &[u8], - deserialized_pk: &mut [PolynomialRingElement; K], + deserialized_pk: &mut [PolynomialRingElement], ) { cloop! 
{ for (i, ring_element) in public_key .chunks_exact(BYTES_PER_RING_ELEMENT) .enumerate() { - deserialized_pk[i] = deserialize_to_reduced_ring_element(ring_element); + hax_lib::loop_invariant!(|i: usize| { + fstar!( + r#"Seq.length ${deserialized_pk} == v v_K"# + ) + }); + + deserialize_to_reduced_ring_element(ring_element, &mut deserialized_pk[i]); } }; - () } #[inline(always)] #[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires(fstar!(r#"v $OUT_LEN == 320 /\ Libcrux_ml_kem.Polynomial.is_bounded_poly 3328 $re"#))] +#[hax_lib::requires(fstar!(r#"v $OUT_LEN == 320 /\ + Libcrux_ml_kem.Polynomial.is_bounded_poly 3328 $re /\ + Seq.length $serialized == v $OUT_LEN"#))] fn compress_then_serialize_10( re: &PolynomialRingElement, -) -> [u8; OUT_LEN] { + serialized: &mut [u8], + scratch: &mut Vector, +) { + debug_assert!(serialized.len() == OUT_LEN); hax_lib::fstar!(r#"assert_norm (pow2 10 == 1024)"#); - let mut serialized = [0u8; OUT_LEN]; for i in 0..VECTORS_IN_RING_ELEMENT { - hax_lib::loop_invariant!(|i: usize| { - fstar!( - r#"v $i >= 0 /\ v $i <= 16 /\ - v $i < 16 ==> Libcrux_ml_kem.Polynomial.is_bounded_poly 3328 $re"# - ) - }); + hax_lib::loop_invariant!(|i: usize| { fstar!(r#"Seq.length $serialized == v $OUT_LEN"#) }); hax_lib::fstar!(r#"assert (20 * v $i + 20 <= 320)"#); - let coefficient = Vector::compress::<10>(to_unsigned_field_modulus(re.coefficients[i])); + to_unsigned_field_modulus(&re.coefficients[i], scratch); + Vector::compress::<10>(scratch); - let bytes = Vector::serialize_10(coefficient); - serialized[20 * i..20 * i + 20].copy_from_slice(&bytes); + Vector::serialize_10(scratch, &mut serialized[20 * i..20 * i + 20]); } - serialized } #[inline(always)] #[hax_lib::fstar::verification_status(lax)] fn compress_then_serialize_11( re: &PolynomialRingElement, -) -> [u8; OUT_LEN] { - let mut serialized = [0u8; OUT_LEN]; + serialized: &mut [u8], + scratch: &mut Vector, +) { + debug_assert!(serialized.len() == OUT_LEN); + for i in 
0..VECTORS_IN_RING_ELEMENT { - let coefficient = - Vector::compress::<11>(Vector::to_unsigned_representative(re.coefficients[i])); + // XXX: The following copy should be an explicit clone, since we + // would like to drop `Vector: Copy` in the future. Leaving as + // copy until a Eurydice issue is resolved. + *scratch = Vector::to_unsigned_representative(re.coefficients[i]); + Vector::compress::<11>(scratch); - let bytes = Vector::serialize_11(coefficient); - serialized[22 * i..22 * i + 22].copy_from_slice(&bytes); + Vector::serialize_11(scratch, &mut serialized[22 * i..22 * i + 22]); } - serialized } #[inline(always)] #[hax_lib::fstar::verification_status(panic_free)] #[hax_lib::requires(fstar!(r#"(v $COMPRESSION_FACTOR == 10 \/ v $COMPRESSION_FACTOR == 11) /\ - v $OUT_LEN == 32 * v $COMPRESSION_FACTOR /\ Libcrux_ml_kem.Polynomial.is_bounded_poly 3328 $re"#))] -#[hax_lib::ensures(|result| - fstar!(r#"$result == Spec.MLKEM.compress_then_byte_encode (v $COMPRESSION_FACTOR) + v $OUT_LEN == 32 * v $COMPRESSION_FACTOR /\ Libcrux_ml_kem.Polynomial.is_bounded_poly 3328 $re /\ + Seq.length $serialized == v $OUT_LEN"#))] +#[hax_lib::ensures(|_| + fstar!(r#"${serialized}_future == Spec.MLKEM.compress_then_byte_encode (v $COMPRESSION_FACTOR) (Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $re)"#) )] pub(super) fn compress_then_serialize_ring_element_u< @@ -236,15 +224,12 @@ pub(super) fn compress_then_serialize_ring_element_u< Vector: Operations, >( re: &PolynomialRingElement, -) -> [u8; OUT_LEN] { - hax_lib::fstar!( - r#"assert ( - (v (cast $COMPRESSION_FACTOR <: u32) == 10) \/ - (v (cast $COMPRESSION_FACTOR <: u32) == 11))"# - ); + serialized: &mut [u8], + scratch: &mut Vector, +) { match COMPRESSION_FACTOR as u32 { - 10 => compress_then_serialize_10(re), - 11 => compress_then_serialize_11(re), + 10 => compress_then_serialize_10::(re, serialized, scratch), + 11 => compress_then_serialize_11::(re, serialized, scratch), _ => unreachable!(), } } 
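Review bot: `deserialize_ring_elements_reduced` now takes `deserialized_pk: &mut [PolynomialRingElement]` and indexes it with the chunk counter of `public_key`, so a `public_key` longer than `K * BYTES_PER_RING_ELEMENT` (or a short `deserialized_pk`) panics on `deserialized_pk[i]`; `public_key` is typically caller-supplied external data, and only the F* requires states the lengths. Mirror what `compress_then_serialize_10` does in this hunk and add `debug_assert!(deserialized_pk.len() == K && public_key.len() == K * BYTES_PER_RING_ELEMENT);` at the top, or iterate with `.zip(deserialized_pk.iter_mut())` instead of indexing so the write cannot go out of range. The loop invariant only tracks `Seq.length ${deserialized_pk}`, so the Rust-side check is the only thing that would catch a mismatched `public_key` length outside the proof.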
@@ -259,22 +244,17 @@ pub(super) fn compress_then_serialize_ring_element_u< fn compress_then_serialize_4( re: PolynomialRingElement, serialized: &mut [u8], + scratch: &mut Vector, ) { hax_lib::fstar!(r#"assert_norm (pow2 4 == 16)"#); for i in 0..VECTORS_IN_RING_ELEMENT { // NOTE: Using `$serialized` in loop_invariant doesn't work here - hax_lib::loop_invariant!(|i: usize| { - fstar!( - r#"v $i >= 0 /\ v $i <= 16 /\ - v $i < 16 ==> (Seq.length serialized == 128 /\ - Libcrux_ml_kem.Polynomial.is_bounded_poly 3328 $re)"# - ) - }); + hax_lib::loop_invariant!(|i: usize| { fstar!(r#"Seq.length serialized == 128 "#) }); hax_lib::fstar!(r#"assert (8 * v $i + 8 <= 128)"#); - let coefficient = Vector::compress::<4>(to_unsigned_field_modulus(re.coefficients[i])); + to_unsigned_field_modulus(&re.coefficients[i], scratch); + Vector::compress::<4>(scratch); - let bytes = Vector::serialize_4(coefficient); - serialized[8 * i..8 * i + 8].copy_from_slice(&bytes); + Vector::serialize_4(scratch, &mut serialized[8 * i..8 * i + 8]); } } @@ -289,13 +269,16 @@ fn compress_then_serialize_4( fn compress_then_serialize_5( re: PolynomialRingElement, serialized: &mut [u8], + scratch: &mut Vector, ) { for i in 0..VECTORS_IN_RING_ELEMENT { - let coefficients = - Vector::compress::<5>(Vector::to_unsigned_representative(re.coefficients[i])); + // XXX: The following copy should be an explicit clone, since we + // would like to drop `Vector: Copy` in the future. Leaving as + // copy until a Eurydice issue is resolved. + *scratch = Vector::to_unsigned_representative(re.coefficients[i]); + Vector::compress::<5>(scratch); - let bytes = Vector::serialize_5(coefficients); - serialized[10 * i..10 * i + 10].copy_from_slice(&bytes); + Vector::serialize_5(scratch, &mut serialized[10 * i..10 * i + 10]); } } @@ -318,6 +301,7 @@ pub(super) fn compress_then_serialize_ring_element_v< >( re: PolynomialRingElement, out: &mut [u8], + scratch: &mut Vector, ) { hax_lib::fstar!( r#"assert ( 
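Review bot: `compress_then_serialize_4` indexes `serialized[8 * i..8 * i + 8]` with the 128-byte length stated only in the F* loop invariant, whereas the sibling `compress_then_serialize_10` and `_11` in this commit gained `debug_assert!(serialized.len() == OUT_LEN)`; add `debug_assert!(serialized.len() == 128);` before the loop so the precondition is also checked in debug builds. The same applies to `compress_then_serialize_5` in the next hunk (160 bytes from `10 * i..10 * i + 10`). The trailing space inside `r#"Seq.length serialized == 128 "#` looks accidental.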
@@ -325,8 +309,8 @@ pub(super) fn compress_then_serialize_ring_element_v< (v (cast $COMPRESSION_FACTOR <: u32) == 5))"# ); match COMPRESSION_FACTOR as u32 { - 4 => compress_then_serialize_4(re, out), - 5 => compress_then_serialize_5(re, out), + 4 => compress_then_serialize_4::(re, out, scratch), + 5 => compress_then_serialize_5::(re, out, scratch), _ => unreachable!(), } } @@ -337,19 +321,17 @@ pub(super) fn compress_then_serialize_ring_element_v< )] fn deserialize_then_decompress_10( serialized: &[u8], -) -> PolynomialRingElement { + re: &mut PolynomialRingElement, +) { hax_lib::fstar!( r#"assert (v ((${crate::constants::COEFFICIENTS_IN_RING_ELEMENT} *! sz 10) /! sz 8) == 320)"# ); - let mut re = PolynomialRingElement::::ZERO(); - cloop! { for (i, bytes) in serialized.chunks_exact(20).enumerate() { - let coefficient = Vector::deserialize_10(bytes); - re.coefficients[i] = Vector::decompress_ciphertext_coefficient::<10>(coefficient); + Vector::deserialize_10(bytes, &mut re.coefficients[i]); + Vector::decompress_ciphertext_coefficient::<10>(&mut re.coefficients[i]); } } - re } #[inline(always)] @@ -359,20 +341,17 @@ fn deserialize_then_decompress_10( )] fn deserialize_then_decompress_11( serialized: &[u8], -) -> PolynomialRingElement { + re: &mut PolynomialRingElement, +) { hax_lib::fstar!( r#"assert (v ((${crate::constants::COEFFICIENTS_IN_RING_ELEMENT} *! sz 11) /! sz 8) == 352)"# ); - let mut re = PolynomialRingElement::::ZERO(); - cloop! { for (i, bytes) in serialized.chunks_exact(22).enumerate() { - let coefficient = Vector::deserialize_11(bytes); - re.coefficients[i] = Vector::decompress_ciphertext_coefficient::<11>(coefficient); + Vector::deserialize_11(bytes, &mut re.coefficients[i]); + Vector::decompress_ciphertext_coefficient::<11>(&mut re.coefficients[i]); } } - - re } #[inline(always)] 
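Review bot: `deserialize_then_decompress_10` no longer starts from `PolynomialRingElement::ZERO()`, so with `chunks_exact(20)` any coefficient beyond `serialized.len() / 20` keeps whatever the caller left in `re`, where the old code yielded zeros; the output is fully determined by the input only when `serialized.len()` is exactly the 320 bytes the F* assert names. Mirror the serialize side's `debug_assert!(serialized.len() == OUT_LEN)` with `debug_assert!(serialized.len() == 320);` before the loop, or document on `re` that every coefficient is overwritten only under that precondition. The same applies to `deserialize_then_decompress_11` (352 bytes, next hunk) and to `_4` (128) and `_5` (160) in the following hunks. The `requires` that presumably pins the length sits above this hunk and is not visible here.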
@@ -381,8 +360,8 @@ fn deserialize_then_decompress_11( (COMPRESSION_FACTOR == 10 || COMPRESSION_FACTOR == 11) && serialized.len() == 32 * COMPRESSION_FACTOR )] -#[hax_lib::ensures(|result| - fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $result == +#[hax_lib::ensures(|_| + fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector ${output}_future == Spec.MLKEM.byte_decode_then_decompress (v $COMPRESSION_FACTOR) $serialized"#) )] pub(super) fn deserialize_then_decompress_ring_element_u< @@ -390,17 +369,18 @@ pub(super) fn deserialize_then_decompress_ring_element_u< Vector: Operations, >( serialized: &[u8], -) -> PolynomialRingElement { + output: &mut PolynomialRingElement, +) { hax_lib::fstar!( r#"assert ( (v (cast $COMPRESSION_FACTOR <: u32) == 10) \/ (v (cast $COMPRESSION_FACTOR <: u32) == 11))"# ); match COMPRESSION_FACTOR as u32 { - 10 => deserialize_then_decompress_10(serialized), - 11 => deserialize_then_decompress_11(serialized), + 10 => deserialize_then_decompress_10::(serialized, output), + 11 => deserialize_then_decompress_11::(serialized, output), _ => unreachable!(), - } + }; } #[inline(always)] @@ -409,19 +389,17 @@ pub(super) fn deserialize_then_decompress_ring_element_u< )] fn deserialize_then_decompress_4( serialized: &[u8], -) -> PolynomialRingElement { + re: &mut PolynomialRingElement, +) { hax_lib::fstar!( r#"assert (v ((${crate::constants::COEFFICIENTS_IN_RING_ELEMENT} *! sz 4) /! sz 8) == 128)"# ); - let mut re = PolynomialRingElement::::ZERO(); - cloop! { for (i, bytes) in serialized.chunks_exact(8).enumerate() { - let coefficient = Vector::deserialize_4(bytes); - re.coefficients[i] = Vector::decompress_ciphertext_coefficient::<4>(coefficient); + Vector::deserialize_4(bytes, &mut re.coefficients[i]); + Vector::decompress_ciphertext_coefficient::<4>(&mut re.coefficients[i]); } } - re } #[inline(always)] 
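Review bot: The `};` added after the `match` in `deserialize_then_decompress_ring_element_u` is a redundant statement terminator now that every arm returns `()`, and it diverges from `deserialize_then_decompress_ring_element_v` and the two `compress_then_serialize_ring_element_*` dispatchers in this same commit, which all end on a bare `}`; drop the semicolon so the four dispatchers read alike.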
@@ -431,19 +409,17 @@ fn deserialize_then_decompress_4( )] fn deserialize_then_decompress_5( serialized: &[u8], -) -> PolynomialRingElement { + re: &mut PolynomialRingElement, +) { hax_lib::fstar!( r#"assert (v ((${crate::constants::COEFFICIENTS_IN_RING_ELEMENT} *! sz 5) /! sz 8) == 160)"# ); - let mut re = PolynomialRingElement::::ZERO(); - cloop! { for (i, bytes) in serialized.chunks_exact(10).enumerate() { - re.coefficients[i] = Vector::deserialize_5(bytes); - re.coefficients[i] = Vector::decompress_ciphertext_coefficient::<5>(re.coefficients[i]); + Vector::deserialize_5(bytes, &mut re.coefficients[i]); + Vector::decompress_ciphertext_coefficient::<5>(&mut re.coefficients[i]); } } - re } #[inline(always)] @@ -452,8 +428,8 @@ fn deserialize_then_decompress_5( $COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\ Seq.length $serialized == 32 * v $COMPRESSION_FACTOR"#) )] -#[hax_lib::ensures(|result| - fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector $result == +#[hax_lib::ensures(|_| + fstar!(r#"Libcrux_ml_kem.Polynomial.to_spec_poly_t #$:Vector ${output}_future == Spec.MLKEM.decode_then_decompress_v #${K} $serialized"#) )] pub(super) fn deserialize_then_decompress_ring_element_v< @@ -462,15 +438,16 @@ pub(super) fn deserialize_then_decompress_ring_element_v< Vector: Operations, >( serialized: &[u8], -) -> PolynomialRingElement { + output: &mut PolynomialRingElement, +) { hax_lib::fstar!( r#"assert ( (v (cast $COMPRESSION_FACTOR <: u32) == 4) \/ (v (cast $COMPRESSION_FACTOR <: u32) == 5))"# ); match COMPRESSION_FACTOR as u32 { - 4 => deserialize_then_decompress_4(serialized), - 5 => deserialize_then_decompress_5(serialized), + 4 => deserialize_then_decompress_4::(serialized, output), + 5 => deserialize_then_decompress_5::(serialized, output), _ => unreachable!(), } } diff --git a/libcrux-ml-kem/src/variant.rs b/libcrux-ml-kem/src/variant.rs index e2311fb1e..1812f05aa 100644 --- a/libcrux-ml-kem/src/variant.rs 
+++ b/libcrux-ml-kem/src/variant.rs @@ -11,20 +11,23 @@ use crate::{constants::CPA_PKE_KEY_GENERATION_SEED_SIZE, hash_functions::Hash}; /// cf. FIPS 203, Appendix C #[hax_lib::attributes] pub(crate) trait Variant { - #[requires(shared_secret.len() == 32)] - #[ensures(|res| fstar!(r#"$res == $shared_secret"#))] // We only have post-conditions for ML-KEM, not Kyber - fn kdf>( + #[requires(hax_lib::Prop::from(shared_secret.len() == 32) & hax_lib::Prop::from(out.len() == 32))] + #[ensures(|_| fstar!(r#"${out}_future == $shared_secret /\ Seq.length ${out}_future == Seq.length $out"#))] // We only have post-conditions for ML-KEM, not Kyber + fn kdf( shared_secret: &[u8], ciphertext: &[u8; CIPHERTEXT_SIZE], - ) -> [u8; 32]; - #[requires(randomness.len() == 32)] - #[ensures(|res| fstar!(r#"$res == $randomness"#))] // We only have post-conditions for ML-KEM, not Kyber - fn entropy_preprocess>(randomness: &[u8]) -> [u8; 32]; - #[requires(seed.len() == 32)] - #[ensures(|res| fstar!(r#"Seq.length $seed == 32 ==> $res == Spec.Utils.v_G - (Seq.append $seed (Seq.create 1 (cast $K <: u8)))"#) + out: &mut [u8], + ); + + #[requires(hax_lib::Prop::from(randomness.len() == 32) & hax_lib::Prop::from(out.len() == 32))] + #[ensures(|_| fstar!(r#"${out}_future == $randomness /\ Seq.length ${out}_future == Seq.length $out"#))] // We only have post-conditions for ML-KEM, not Kyber + fn entropy_preprocess(randomness: &[u8], out: &mut [u8]); + + #[requires(hax_lib::Prop::from(seed.len() == 32) & hax_lib::Prop::from(out.len() == 64))] + #[ensures(|_| fstar!(r#"(Seq.length $seed == 32 ==> ${out}_future == Spec.Utils.v_G + (Seq.append $seed (Seq.create 1 (cast $K <: u8)))) /\ Seq.length ${out}_future == Seq.length $out"#) )] - fn cpa_keygen_seed>(seed: &[u8]) -> [u8; 64]; + fn cpa_keygen_seed(seed: &[u8], out: &mut [u8]); } /// Implements [`Variant`], to perform the Kyber-specific actions 
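Review bot: The `out: &mut [u8]` buffers added to `kdf`, `entropy_preprocess` and `cpa_keygen_seed` carry their 32-/64-byte length only in the hax `requires`, so in a build without hax nothing at the trait boundary checks it: the MlKem impl panics inside `copy_from_slice` on a mismatch, and what the Kyber impl's `Hasher::H`/`G`/`PRF::<32>` do with a wrong-sized `out` is not visible here. If `&mut [u8; 32]` / `&mut [u8; 64]` are ruled out by the extraction toolchain, a `debug_assert_eq!(out.len(), 32);` (resp. `64`) at the top of each impl method keeps the precondition observable in tests; this applies to the Kyber and MlKem impl hunks below as well.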
@@ -39,25 +42,26 @@ pub(crate) struct Kyber {} #[cfg(feature = "kyber")] impl Variant for Kyber { #[inline(always)] - fn kdf>( + fn kdf( shared_secret: &[u8], ciphertext: &[u8; CIPHERTEXT_SIZE], - ) -> [u8; 32] { + out: &mut [u8], + ) { use crate::{constants::H_DIGEST_SIZE, utils::into_padded_array}; let mut kdf_input: [u8; 2 * H_DIGEST_SIZE] = into_padded_array(&shared_secret); - kdf_input[H_DIGEST_SIZE..].copy_from_slice(&Hasher::H(ciphertext)); - Hasher::PRF::<32>(&kdf_input) + Hasher::H(ciphertext.as_slice(), &mut kdf_input[H_DIGEST_SIZE..]); + Hasher::PRF::<32>(&kdf_input, out) } #[inline(always)] - fn entropy_preprocess>(randomness: &[u8]) -> [u8; 32] { - Hasher::H(&randomness) + fn entropy_preprocess(randomness: &[u8], out: &mut [u8]) { + Hasher::H(&randomness, out) } #[inline(always)] - fn cpa_keygen_seed>(key_generation_seed: &[u8]) -> [u8; 64] { - Hasher::G(key_generation_seed) + fn cpa_keygen_seed(key_generation_seed: &[u8], out: &mut [u8]) { + Hasher::G(key_generation_seed, out) } } 
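Review bot: `Hasher::H(&randomness, out)` in `Kyber::entropy_preprocess` takes a reference to a value that is already `&[u8]`, so it passes `&&[u8]` and relies on deref coercion (clippy `needless_borrow`); the context line `into_padded_array(&shared_secret)` in `Kyber::kdf` has the same pattern. Since the commit rewrites the `H` call anyway, `Hasher::H(randomness, out)` is the idiomatic form.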
@@ -72,32 +76,29 @@ pub(crate) struct MlKem {} #[hax_lib::attributes] impl Variant for MlKem { #[inline(always)] - #[requires(shared_secret.len() == 32)] - #[ensures(|res| fstar!(r#"$res == $shared_secret"#))] - fn kdf>( + #[requires(hax_lib::Prop::from(shared_secret.len() == 32) & hax_lib::Prop::from(out.len() == 32))] + #[ensures(|_| fstar!(r#"${out}_future == $shared_secret /\ Seq.length ${out}_future == Seq.length $out"#))] // We only have post-conditions for ML-KEM, not Kyber + fn kdf( shared_secret: &[u8], _: &[u8; CIPHERTEXT_SIZE], - ) -> [u8; 32] { - let mut out = [0u8; 32]; + out: &mut [u8], + ) { out.copy_from_slice(shared_secret); - out } #[inline(always)] - #[requires(randomness.len() == 32)] - #[ensures(|res| fstar!(r#"$res == $randomness"#))] - fn entropy_preprocess>(randomness: &[u8]) -> [u8; 32] { - let mut out = [0u8; 32]; + #[requires(hax_lib::Prop::from(randomness.len() == 32) & hax_lib::Prop::from(out.len() == 32))] + #[ensures(|_| fstar!(r#"${out}_future == $randomness /\ Seq.length ${out}_future == Seq.length $out"#))] // We only have post-conditions for ML-KEM, not + fn entropy_preprocess(randomness: &[u8], out: &mut [u8]) { out.copy_from_slice(randomness); - out } #[inline(always)] - #[requires(key_generation_seed.len() == 32)] - #[ensures(|res| fstar!(r#"Seq.length $key_generation_seed == 32 ==> $res == Spec.Utils.v_G - (Seq.append $key_generation_seed (Seq.create 1 (cast $K <: u8)))"#) + #[requires(hax_lib::Prop::from(key_generation_seed.len() == 32) & hax_lib::Prop::from(out.len() == 64))] + #[ensures(|_| fstar!(r#"(Seq.length $key_generation_seed == 32 ==> ${out}_future == Spec.Utils.v_G + (Seq.append $key_generation_seed (Seq.create 1 (cast $K <: u8)))) /\ Seq.length ${out}_future == Seq.length $out"#) )] - fn cpa_keygen_seed>(key_generation_seed: &[u8]) -> [u8; 64] { + fn cpa_keygen_seed(key_generation_seed: &[u8], out: &mut [u8]) { let mut seed = [0u8; CPA_PKE_KEY_GENERATION_SEED_SIZE + 1]; 
seed[0..CPA_PKE_KEY_GENERATION_SEED_SIZE].copy_from_slice(key_generation_seed); seed[CPA_PKE_KEY_GENERATION_SEED_SIZE] = K as u8; @@ -105,6 +106,6 @@ impl Variant for MlKem { "eq_intro $seed (Seq.append $key_generation_seed (Seq.create 1 (cast $K <: u8)))" ); - Hasher::G(&seed) + Hasher::G(&seed, out); } } diff --git a/libcrux-ml-kem/src/vector/avx2.rs b/libcrux-ml-kem/src/vector/avx2.rs index 34593da1d..b25272a51 100644 --- a/libcrux-ml-kem/src/vector/avx2.rs +++ b/libcrux-ml-kem/src/vector/avx2.rs @@ -1,4 +1,7 @@ -use super::traits::Operations; +#[cfg(hax)] +use super::traits::spec; +use super::traits::{Operations, Repr}; +use arithmetic::{bitwise_and_with_constant, shift_right}; pub(crate) use libcrux_intrinsics::avx2::*; mod arithmetic; 
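Review bot: The trailing comment on `MlKem::entropy_preprocess`'s `#[ensures]` line is cut off at `// We only have post-conditions for ML-KEM, not` and, like the copy on `MlKem::kdf`, it was lifted from the trait where it explains why the Kyber impl carries no contracts; inside the MlKem impl it is misleading, because these are the ML-KEM post-conditions it refers to. Delete both comments from the impl (keeping them on the trait methods), or replace them with something like `// Contracts restated from the Variant trait.` if the restatement is needed by the attribute pass.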
@@ -25,42 +28,37 @@ fn vec_zero() -> SIMD256Vector { #[inline(always)] #[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|result| fstar!(r#"${result} == repr ${v}"#))] -fn vec_to_i16_array(v: SIMD256Vector) -> [i16; 16] { - let mut output = [0i16; 16]; - mm256_storeu_si256_i16(&mut output, v.elements); +#[hax_lib::requires(out.len() == 16)] +#[hax_lib::ensures(|_| fstar!(r#"Seq.length ${out}_future == Seq.length $out /\ + ${out}_future == repr ${vector}"#))] +fn vec_to_i16_array(vector: &SIMD256Vector, out: &mut [i16]) { + debug_assert!(out.len() >= 16); - output + mm256_storeu_si256_i16(out, vector.elements); } #[inline(always)] #[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|result| fstar!(r#"repr ${result} == ${array}"#))] -fn vec_from_i16_array(array: &[i16]) -> SIMD256Vector { - SIMD256Vector { - elements: mm256_loadu_si256_i16(array), - } +#[hax_lib::ensures(|_| fstar!(r#"repr ${out}_future == ${array}"#))] +fn vec_from_i16_array(array: &[i16], out: &mut SIMD256Vector) { + out.elements = mm256_loadu_si256_i16(array); } #[inline(always)] #[hax_lib::fstar::verification_status(lax)] #[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b_array (pow2 12 - 1) (repr $vector)"#))] -#[hax_lib::ensures(|out| fstar!(r#"repr out == Spec.Utils.map_array (fun x -> if x >=. (mk_i16 3329) then x -! (mk_i16 3329) else x) (repr $vector)"#))] -fn cond_subtract_3329(vector: SIMD256Vector) -> SIMD256Vector { - SIMD256Vector { - elements: arithmetic::cond_subtract_3329(vector.elements), - } +#[hax_lib::ensures(|_| fstar!(r#"repr ${vector}_future == Spec.Utils.map_array (fun x -> if x >=. (mk_i16 3329) then x -! (mk_i16 3329) else x) (repr $vector)"#))] +fn cond_subtract_3329(vector: &mut SIMD256Vector) { + arithmetic::cond_subtract_3329(&mut vector.elements); } #[inline(always)] #[hax_lib::fstar::verification_status(lax)] #[hax_lib::requires(fstar!(r#"forall (i:nat). 
i < 16 ==> v (Seq.index (repr $vector) i) >= 0 /\ v (Seq.index (repr $vector) i) < 3329"#))] -#[hax_lib::ensures(|out| fstar!(r#"forall (i:nat). i < 16 ==> bounded (Seq.index (repr $out) i) 1"#))] -fn compress_1(vector: SIMD256Vector) -> SIMD256Vector { - SIMD256Vector { - elements: compress::compress_message_coefficient(vector.elements), - } +#[hax_lib::ensures(|_| fstar!(r#"forall (i:nat). i < 16 ==> bounded (Seq.index (repr ${vector}_future) i) 1"#))] +fn compress_1(vector: &mut SIMD256Vector) { + compress::compress_message_coefficient(&mut vector.elements); } #[inline(always)] @@ -71,15 +69,13 @@ fn compress_1(vector: SIMD256Vector) -> SIMD256Vector { v $COEFFICIENT_BITS == 11) /\ (forall (i:nat). i < 16 ==> v (Seq.index (repr $vector) i) >= 0 /\ v (Seq.index (repr $vector) i) < 3329)"#))] -#[hax_lib::ensures(|out| fstar!(r#"(v $COEFFICIENT_BITS == 4 \/ +#[hax_lib::ensures(|_| fstar!(r#"(v $COEFFICIENT_BITS == 4 \/ v $COEFFICIENT_BITS == 5 \/ v $COEFFICIENT_BITS == 10 \/ v $COEFFICIENT_BITS == 11) ==> - (forall (i:nat). i < 16 ==> bounded (Seq.index (repr $out) i) (v $COEFFICIENT_BITS))"#))] -fn compress(vector: SIMD256Vector) -> SIMD256Vector { - SIMD256Vector { - elements: compress::compress_ciphertext_coefficient::(vector.elements), - } + (forall (i:nat). i < 16 ==> bounded (Seq.index (repr ${vector}_future) i) (v $COEFFICIENT_BITS))"#))] +fn compress(vector: &mut SIMD256Vector) { + compress::compress_ciphertext_coefficient::(&mut vector.elements); } #[inline(always)] 
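Review bot: `debug_assert!(out.len() >= 16)` in `vec_to_i16_array` is weaker than the `#[hax_lib::requires(out.len() == 16)]` directly above it, so the Rust-side check and the verified contract disagree; `mm256_storeu_si256_i16(out, vector.elements)` presumably stores 16 lanes, which a longer slice would also satisfy. Pick one: `debug_assert_eq!(out.len(), 16);` to match the requires, or relax the requires to `>= 16` if callers may pass larger buffers (the `to_i16_array` trait impl in the later hunk also requires `out.len() == 16`).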
@@ -87,39 +83,27 @@ fn compress(vector: SIMD256Vector) -> SIMD256Vector #[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ Spec.Utils.is_i16b_array (11207+5*3328) (repr ${vector})"#))] -#[hax_lib::ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+6*3328) (repr $out)"#))] -fn ntt_layer_1_step( - vector: SIMD256Vector, - zeta0: i16, - zeta1: i16, - zeta2: i16, - zeta3: i16, -) -> SIMD256Vector { - SIMD256Vector { - elements: ntt::ntt_layer_1_step(vector.elements, zeta0, zeta1, zeta2, zeta3), - } +#[hax_lib::ensures(|_| fstar!(r#"Spec.Utils.is_i16b_array (11207+6*3328) (repr ${vector}_future)"#))] +fn ntt_layer_1_step(vector: &mut SIMD256Vector, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) { + ntt::ntt_layer_1_step(&mut vector.elements, zeta0, zeta1, zeta2, zeta3); } #[inline(always)] #[hax_lib::fstar::verification_status(lax)] #[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ Spec.Utils.is_i16b_array (11207+4*3328) (repr ${vector})"#))] -#[hax_lib::ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+5*3328) (repr $out)"#))] -fn ntt_layer_2_step(vector: SIMD256Vector, zeta0: i16, zeta1: i16) -> SIMD256Vector { - SIMD256Vector { - elements: ntt::ntt_layer_2_step(vector.elements, zeta0, zeta1), - } +#[hax_lib::ensures(|_| fstar!(r#"Spec.Utils.is_i16b_array (11207+5*3328) (repr ${vector}_future)"#))] +fn ntt_layer_2_step(vector: &mut SIMD256Vector, zeta0: i16, zeta1: i16) { + ntt::ntt_layer_2_step(&mut vector.elements, zeta0, zeta1); } #[inline(always)] #[hax_lib::fstar::verification_status(lax)] #[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array (11207+3*3328) (repr ${vector})"#))] -#[hax_lib::ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+4*3328) (repr $out)"#))] -fn ntt_layer_3_step(vector: SIMD256Vector, zeta: i16) -> SIMD256Vector { - SIMD256Vector { - 
elements: ntt::ntt_layer_3_step(vector.elements, zeta), - } +#[hax_lib::ensures(|_| fstar!(r#"Spec.Utils.is_i16b_array (11207+4*3328) (repr ${vector}_future)"#))] +fn ntt_layer_3_step(vector: &mut SIMD256Vector, zeta: i16) { + ntt::ntt_layer_3_step(&mut vector.elements, zeta); } #[inline(always)] 
@@ -127,39 +111,33 @@ fn ntt_layer_3_step(vector: SIMD256Vector, zeta: i16) -> SIMD256Vector { #[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ Spec.Utils.is_i16b_array (4*3328) (repr ${vector})"#))] -#[hax_lib::ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (repr $out)"#))] +#[hax_lib::ensures(|_| fstar!(r#"Spec.Utils.is_i16b_array 3328 (repr ${vector}_future)"#))] fn inv_ntt_layer_1_step( - vector: SIMD256Vector, + vector: &mut SIMD256Vector, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16, -) -> SIMD256Vector { - SIMD256Vector { - elements: ntt::inv_ntt_layer_1_step(vector.elements, zeta0, zeta1, zeta2, zeta3), - } +) { + ntt::inv_ntt_layer_1_step(&mut vector.elements, zeta0, zeta1, zeta2, zeta3); } #[inline(always)] #[hax_lib::fstar::verification_status(lax)] #[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ Spec.Utils.is_i16b_array 3328 (repr ${vector})"#))] -#[hax_lib::ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (repr $out)"#))] -fn inv_ntt_layer_2_step(vector: SIMD256Vector, zeta0: i16, zeta1: i16) -> SIMD256Vector { - SIMD256Vector { - elements: ntt::inv_ntt_layer_2_step(vector.elements, zeta0, zeta1), - } +#[hax_lib::ensures(|_| fstar!(r#"Spec.Utils.is_i16b_array 3328 (repr ${vector}_future)"#))] +fn inv_ntt_layer_2_step(vector: &mut SIMD256Vector, zeta0: i16, zeta1: i16) { + ntt::inv_ntt_layer_2_step(&mut vector.elements, zeta0, zeta1); } #[inline(always)] #[hax_lib::fstar::verification_status(lax)] #[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array 3328 (repr ${vector})"#))] -#[hax_lib::ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (repr $out)"#))] -fn inv_ntt_layer_3_step(vector: SIMD256Vector, zeta: i16) -> SIMD256Vector { - SIMD256Vector { - elements: ntt::inv_ntt_layer_3_step(vector.elements, zeta), - } +#[hax_lib::ensures(|_| 
fstar!(r#"Spec.Utils.is_i16b_array 3328 (repr ${vector}_future)"#))] +fn inv_ntt_layer_3_step(vector: &mut SIMD256Vector, zeta: i16) { + ntt::inv_ntt_layer_3_step(&mut vector.elements, zeta); } #[inline(always)] 
@@ -168,108 +146,116 @@ fn inv_ntt_layer_3_step(vector: SIMD256Vector, zeta: i16) -> SIMD256Vector { Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ Spec.Utils.is_i16b_array 3328 (repr ${lhs}) /\ Spec.Utils.is_i16b_array 3328 (repr ${rhs})"#))] -#[hax_lib::ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (repr $out)"#))] +#[hax_lib::ensures(|_| fstar!(r#"Spec.Utils.is_i16b_array 3328 (repr ${out}_future)"#))] fn ntt_multiply( lhs: &SIMD256Vector, rhs: &SIMD256Vector, + out: &mut SIMD256Vector, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16, -) -> SIMD256Vector { - SIMD256Vector { - elements: ntt::ntt_multiply(lhs.elements, rhs.elements, zeta0, zeta1, zeta2, zeta3), - } +) { + ntt::ntt_multiply( + &lhs.elements, + &rhs.elements, + &mut out.elements, + zeta0, + zeta1, + zeta2, + zeta3, + ); } #[inline(always)] #[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 1 (repr $vector)"#))] -#[hax_lib::ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 1 (repr $vector) ==> Spec.MLKEM.serialize_post 1 (repr $vector) $out"#))] -fn serialize_1(vector: SIMD256Vector) -> [u8; 2] { - serialize::serialize_1(vector.elements) +#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 1 (repr $vector) /\ Seq.length $out == 2"#))] +#[hax_lib::ensures(|_| fstar!(r#"Seq.length ${out}_future == 2 /\ + (Spec.MLKEM.serialize_pre 1 (repr $vector) ==> + Spec.MLKEM.serialize_post 1 (repr $vector) ${out}_future)"#))] +fn serialize_1(vector: &SIMD256Vector, out: &mut [u8]) { + serialize::serialize_1(&vector.elements, out); } #[inline(always)] #[hax_lib::fstar::verification_status(lax)] #[hax_lib::requires(bytes.len() == 2)] -#[hax_lib::ensures(|out| fstar!(r#"sz (Seq.length $bytes) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $bytes (repr $out)"#))] -fn deserialize_1(bytes: &[u8]) -> SIMD256Vector { - SIMD256Vector { - elements: serialize::deserialize_1(bytes), - } +#[hax_lib::ensures(|_| fstar!(r#"sz (Seq.length $bytes) =. 
sz 2 ==> Spec.MLKEM.deserialize_post 1 $bytes (repr ${out}_future)"#))] +fn deserialize_1(bytes: &[u8], out: &mut SIMD256Vector) { + serialize::deserialize_1(bytes, &mut out.elements); } #[inline(always)] #[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 4 (repr $vector)"#))] -#[hax_lib::ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 4 (repr $vector) ==> Spec.MLKEM.serialize_post 4 (repr $vector) $out"#))] -fn serialize_4(vector: SIMD256Vector) -> [u8; 8] { - serialize::serialize_4(vector.elements) +#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 4 (repr $vector) /\ Seq.length $out == 8"#))] +#[hax_lib::ensures(|_| fstar!(r#"Seq.length ${out}_future == 8 /\ + (Spec.MLKEM.serialize_pre 4 (repr $vector) ==> + Spec.MLKEM.serialize_post 4 (repr $vector) ${out}_future)"#))] +fn serialize_4(vector: &SIMD256Vector, out: &mut [u8]) { + serialize::serialize_4(&vector.elements, out) } #[inline(always)] #[hax_lib::fstar::verification_status(lax)] #[hax_lib::requires(bytes.len() == 8)] -#[hax_lib::ensures(|out| fstar!(r#"sz (Seq.length $bytes) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $bytes (repr $out)"#))] -fn deserialize_4(bytes: &[u8]) -> SIMD256Vector { - SIMD256Vector { - elements: serialize::deserialize_4(bytes), - } +#[hax_lib::ensures(|_| fstar!(r#"sz (Seq.length $bytes) =. 
sz 8 ==> Spec.MLKEM.deserialize_post 4 $bytes (repr ${out}_future)"#))] +fn deserialize_4(bytes: &[u8], out: &mut SIMD256Vector) { + serialize::deserialize_4(bytes, &mut out.elements); } #[inline(always)] #[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 10 (repr $vector)"#))] -#[hax_lib::ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 10 (repr $vector) ==> Spec.MLKEM.serialize_post 10 (repr $vector) $out"#))] -fn serialize_10(vector: SIMD256Vector) -> [u8; 20] { - serialize::serialize_10(vector.elements) +#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 10 (repr $vector) /\ Seq.length $out == 20"#))] +#[hax_lib::ensures(|_| fstar!(r#"Seq.length ${out}_future == 20 /\ + (Spec.MLKEM.serialize_pre 10 (repr $vector) ==> + Spec.MLKEM.serialize_post 10 (repr $vector) ${out}_future)"#))] +fn serialize_10(vector: &SIMD256Vector, out: &mut [u8]) { + serialize::serialize_10(&vector.elements, out); } #[inline(always)] #[hax_lib::fstar::verification_status(lax)] #[hax_lib::requires(bytes.len() == 20)] -#[hax_lib::ensures(|out| fstar!(r#"sz (Seq.length $bytes) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 $bytes (repr $out)"#))] -fn deserialize_10(bytes: &[u8]) -> SIMD256Vector { - SIMD256Vector { - elements: serialize::deserialize_10(bytes), - } +#[hax_lib::ensures(|_| fstar!(r#"sz (Seq.length $bytes) =. 
sz 20 ==> + Spec.MLKEM.deserialize_post 10 $bytes (repr ${out}_future)"#))] +fn deserialize_10(bytes: &[u8], out: &mut SIMD256Vector) { + serialize::deserialize_10(bytes, &mut out.elements); } #[inline(always)] #[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 12 (repr $vector)"#))] -#[hax_lib::ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 12 (repr $vector) ==> Spec.MLKEM.serialize_post 12 (repr $vector) $out"#))] -fn serialize_12(vector: SIMD256Vector) -> [u8; 24] { - serialize::serialize_12(vector.elements) +#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 12 (repr $vector) /\ Seq.length $out == 24"#))] +#[hax_lib::ensures(|_| fstar!(r#"Seq.length ${out}_future == 24 /\ + (Spec.MLKEM.serialize_pre 12 (repr $vector) ==> + Spec.MLKEM.serialize_post 12 (repr $vector) ${out}_future)"#))] +fn serialize_12(vector: &SIMD256Vector, out: &mut [u8]) { + serialize::serialize_12(&vector.elements, out); } #[inline(always)] #[hax_lib::fstar::verification_status(lax)] #[hax_lib::requires(bytes.len() == 24)] -#[hax_lib::ensures(|out| fstar!(r#"sz (Seq.length $bytes) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $bytes (repr $out)"#))] -fn deserialize_12(bytes: &[u8]) -> SIMD256Vector { - SIMD256Vector { - elements: serialize::deserialize_12(bytes), - } +#[hax_lib::ensures(|_| fstar!(r#"sz (Seq.length $bytes) =. 
sz 24 ==> Spec.MLKEM.deserialize_post 12 $bytes (repr ${out}_future)"#))] +fn deserialize_12(bytes: &[u8], out: &mut SIMD256Vector) { + serialize::deserialize_12(bytes, &mut out.elements); } #[cfg(hax)] -impl crate::vector::traits::Repr for SIMD256Vector { +impl Repr for SIMD256Vector { fn repr(&self) -> [i16; 16] { - vec_to_i16_array(self.clone()) + let mut out = [0i16; 16]; + vec_to_i16_array(&self, &mut out); + out } } #[cfg(any(eurydice, not(hax)))] -impl crate::vector::traits::Repr for SIMD256Vector {} +impl Repr for SIMD256Vector {} #[inline(always)] #[hax_lib::requires(array.len() >= 32)] -pub(super) fn from_bytes(array: &[u8]) -> SIMD256Vector { - SIMD256Vector { - elements: mm256_loadu_si256_u8(&array[0..32]), - } +pub(super) fn from_bytes(array: &[u8], out: &mut Vec256) { + *out = mm256_loadu_si256_u8(&array[0..32]); } #[inline(always)] 
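Review bot: `vec_to_i16_array(&self, &mut out)` in the `#[cfg(hax)] impl Repr` borrows `self`, which is already `&SIMD256Vector`, yielding `&&SIMD256Vector` that compiles only via deref coercion (clippy `needless_borrow`); write `vec_to_i16_array(self, &mut out);`. Two smaller style points in the same hunk: `serialize_4`'s body `serialize::serialize_4(&vector.elements, out)` lacks the trailing `;` its siblings `serialize_1`, `serialize_10` and `serialize_12` have, and the free `from_bytes` now takes `out: &mut Vec256` while every other helper in this file takes `&mut SIMD256Vector` — fine functionally, but a one-line comment saying why the raw `Vec256` is exposed there would help the next reader.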
@@ -283,317 +269,289 @@ pub(super) fn to_bytes(x: SIMD256Vector, bytes: &mut [u8]) { #[hax_lib::attributes] impl Operations for SIMD256Vector { #[inline(always)] - #[ensures(|out| fstar!(r#"impl.f_repr out == Seq.create 16 (mk_i16 0)"#))] + #[requires(true)] + #[ensures(|result| result.repr() == [0i16; 16])] fn ZERO() -> Self { vec_zero() } - #[requires(array.len() == 16)] - #[ensures(|out| fstar!(r#"impl.f_repr out == $array"#))] #[inline(always)] - fn from_i16_array(array: &[i16]) -> Self { - vec_from_i16_array(array) + #[requires(array.len() == 16)] + #[ensures(|_| future(out).repr() == array)] + fn from_i16_array(array: &[i16], out: &mut Self) { + vec_from_i16_array(array, out); } - #[ensures(|out| fstar!(r#"out == impl.f_repr $x"#))] #[inline(always)] - fn to_i16_array(x: Self) -> [i16; 16] { - vec_to_i16_array(x) + #[requires(out.len() == 16)] + #[ensures(|_| future(out) == x.repr())] + fn to_i16_array(x: &Self, out: &mut [i16]) { + vec_to_i16_array(x, out); } - #[requires(array.len() >= 32)] #[inline(always)] - fn from_bytes(array: &[u8]) -> Self { - from_bytes(array) + #[requires(array.len() >= 32)] + fn from_bytes(array: &[u8], out: &mut Self) { + from_bytes(array, &mut out.elements); } - #[requires(bytes.len() >= 32)] #[inline(always)] + #[requires(bytes.len() >= 32)] #[ensures(|_| future(bytes).len() == bytes.len())] fn to_bytes(x: Self, bytes: &mut [u8]) { to_bytes(x, bytes) } - #[requires(fstar!(r#"forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (impl.f_repr ${lhs}) i) + v (Seq.index (impl.f_repr ${rhs}) i))"#))] - #[ensures(|result| fstar!(r#"forall i. 
i < 16 ==> - (v (Seq.index (impl.f_repr ${result}) i) == - v (Seq.index (impl.f_repr ${lhs}) i) + v (Seq.index (impl.f_repr ${rhs}) i))"#))] #[inline(always)] - fn add(lhs: Self, rhs: &Self) -> Self { - Self { - elements: arithmetic::add(lhs.elements, rhs.elements), - } + #[requires(spec::add_pre(&lhs.repr(), &rhs.repr()))] + #[ensures(|_| spec::add_post(&lhs.repr(), &rhs.repr(), &future(lhs).repr()))] + fn add(lhs: &mut Self, rhs: &Self) { + hax_lib::fstar!( + r#"reveal_opaque (`%Libcrux_ml_kem.Vector.Traits.Spec.add_post) (Libcrux_ml_kem.Vector.Traits.Spec.add_post)"# + ); + arithmetic::add(&mut lhs.elements, &rhs.elements); } - #[requires(fstar!(r#"forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (impl.f_repr ${lhs}) i) - v (Seq.index (impl.f_repr ${rhs}) i))"#))] - #[ensures(|result| fstar!(r#"forall i. i < 16 ==> - (v (Seq.index (impl.f_repr ${result}) i) == - v (Seq.index (impl.f_repr ${lhs}) i) - v (Seq.index (impl.f_repr ${rhs}) i))"#))] #[inline(always)] - fn sub(lhs: Self, rhs: &Self) -> Self { - Self { - elements: arithmetic::sub(lhs.elements, rhs.elements), - } + #[requires(spec::sub_pre(&lhs.repr(), &rhs.repr()))] + #[ensures(|_| spec::sub_post(&lhs.repr(), &rhs.repr(), &future(lhs).repr()))] + fn sub(lhs: &mut Self, rhs: &Self) { + arithmetic::sub(&mut lhs.elements, &rhs.elements); } - #[requires(fstar!(r#"forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (impl.f_repr ${vec}) i) * v c)"#))] - #[ensures(|result| fstar!(r#"forall i. 
i < 16 ==> - (v (Seq.index (impl.f_repr ${result}) i) == - v (Seq.index (impl.f_repr ${vec}) i) * v c)"#))] #[inline(always)] - fn multiply_by_constant(vec: Self, c: i16) -> Self { - Self { - elements: arithmetic::multiply_by_constant(vec.elements, c), - } + #[requires(spec::negate_pre(&vec.repr()))] + #[ensures(|_| spec::negate_post(&vec.repr(), &future(vec).repr()))] + fn negate(vec: &mut Self) { + arithmetic::negate(&mut vec.elements); } - #[requires(fstar!(r#"Spec.Utils.is_i16b_array (pow2 12 - 1) (impl.f_repr $vector)"#))] - #[ensures(|out| fstar!(r#"impl.f_repr out == Spec.Utils.map_array (fun x -> if x >=. (mk_i16 3329) then x -! (mk_i16 3329) else x) (impl.f_repr $vector)"#))] #[inline(always)] - fn cond_subtract_3329(vector: Self) -> Self { - cond_subtract_3329(vector) + #[requires(spec::multiply_by_constant_pre(&vec.repr(), c))] + #[ensures(|_| spec::multiply_by_constant_post(&vec.repr(), c, &future(vec).repr()))] + fn multiply_by_constant(vec: &mut Self, c: i16) { + arithmetic::multiply_by_constant(&mut vec.elements, c); } - #[requires(fstar!(r#"Spec.Utils.is_i16b_array 28296 (impl.f_repr ${vector})"#))] - #[ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr ${result}) /\ - (forall i. (v (Seq.index (impl.f_repr ${result}) i) % 3329) == - (v (Seq.index (impl.f_repr ${vector})i) % 3329))"#))] #[inline(always)] - fn barrett_reduce(vector: Self) -> Self { - Self { - elements: arithmetic::barrett_reduce(vector.elements), - } + #[requires(true)] + #[ensures(|_| spec::bitwise_and_with_constant_constant_post(&vec.repr(), c, &future(vec).repr()))] + fn bitwise_and_with_constant(vec: &mut Self, c: i16) { + vec.elements = bitwise_and_with_constant(vec.elements, c); } #[inline(always)] - #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 $constant"#))] - #[ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr ${result}) /\ - (forall i. 
i < 16 ==> ((v (Seq.index (impl.f_repr ${result}) i) % 3329)== - (v (Seq.index (impl.f_repr ${vector}) i) * v ${constant} * 169) % 3329))"#))] - fn montgomery_multiply_by_constant(vector: Self, constant: i16) -> Self { - Self { - elements: arithmetic::montgomery_multiply_by_constant(vector.elements, constant), - } + #[requires(SHIFT_BY >= 0 && SHIFT_BY < 16)] + #[ensures(|_| spec::shift_right_post(&vec.repr(), SHIFT_BY, &future(vec).repr()))] + fn shift_right(vec: &mut Self) { + vec.elements = shift_right::(vec.elements); } - #[requires(fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $a)"#))] - #[ensures(|result| fstar!(r#"forall (i:nat). i < 16 ==> - (let x = Seq.index (impl.f_repr ${a}) i in - let y = Seq.index (impl.f_repr ${result}) i in - (v y >= 0 /\ v y <= 3328 /\ (v y % 3329 == v x % 3329)))"#))] - fn to_unsigned_representative(a: Self) -> Self { - Self { - elements: arithmetic::to_unsigned_representative(a.elements), - } + #[inline(always)] + #[requires(spec::cond_subtract_3329_pre(&vec.repr()))] + #[ensures(|_| spec::cond_subtract_3329_post(&vec.repr(), &future(vec).repr()))] + fn cond_subtract_3329(vec: &mut Self) { + cond_subtract_3329(vec) } - #[requires(fstar!(r#"forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $vector) i) >= 0 /\ - v (Seq.index (impl.f_repr $vector) i) < 3329"#))] - #[ensures(|out| fstar!(r#"forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) 1"#))] #[inline(always)] - fn compress_1(vector: Self) -> Self { - compress_1(vector) + #[requires(spec::barrett_reduce_pre(&vec.repr()))] + #[ensures(|_| spec::barrett_reduce_post(&vec.repr(), &future(vec).repr()))] + fn barrett_reduce(vec: &mut Self) { + arithmetic::barrett_reduce(&mut vec.elements); } - #[requires(fstar!(r#"(v $COEFFICIENT_BITS == 4 \/ - v $COEFFICIENT_BITS == 5 \/ - v $COEFFICIENT_BITS == 10 \/ - v $COEFFICIENT_BITS == 11) /\ - (forall (i:nat). 
i < 16 ==> v (Seq.index (impl.f_repr $vector) i) >= 0 /\ - v (Seq.index (impl.f_repr $vector) i) < 3329)"#))] - #[ensures(|out| fstar!(r#"(v $COEFFICIENT_BITS == 4 \/ - v $COEFFICIENT_BITS == 5 \/ - v $COEFFICIENT_BITS == 10 \/ - v $COEFFICIENT_BITS == 11) ==> - (forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) (v $COEFFICIENT_BITS))"#))] #[inline(always)] - fn compress(vector: Self) -> Self { - compress::(vector) + #[requires(spec::montgomery_multiply_by_constant_pre(&vec.repr(), c))] + #[ensures(|_| spec::montgomery_multiply_by_constant_post(&vec.repr(), c, &future(vec).repr()))] + fn montgomery_multiply_by_constant(vec: &mut Self, c: i16) { + arithmetic::montgomery_multiply_by_constant(&mut vec.elements, c); } - #[requires(fstar!(r#"forall (i:nat). i < 16 ==> - (let x = Seq.index (impl.f_repr $a) i in - (x == mk_i16 0 \/ x == mk_i16 1))"#))] - fn decompress_1(a: Self) -> Self { + #[inline(always)] + #[requires(spec::to_unsigned_representative_pre(&vec.repr()))] + #[ensures(|result| spec::to_unsigned_representative_post(&vec.repr(), &result.repr()))] + fn to_unsigned_representative(vec: Self) -> Self { Self { - elements: compress::decompress_1(a.elements), + elements: arithmetic::to_unsigned_representative(vec.elements), } } - #[requires(fstar!(r#"(v $COEFFICIENT_BITS == 4 \/ - v $COEFFICIENT_BITS == 5 \/ - v $COEFFICIENT_BITS == 10 \/ - v $COEFFICIENT_BITS == 11) /\ - (forall (i:nat). 
i < 16 ==> v (Seq.index (impl.f_repr $vector) i) >= 0 /\ - v (Seq.index (impl.f_repr $vector) i) < pow2 (v $COEFFICIENT_BITS))"#))] #[inline(always)] - fn decompress_ciphertext_coefficient(vector: Self) -> Self { + #[requires(spec::compress_1_pre(&vec.repr()))] + #[ensures(|_| spec::compress_1_post(&vec.repr(), &future(vec).repr()))] + fn compress_1(vec: &mut Self) { + compress_1(vec); + } + + #[inline(always)] + #[requires(spec::compress_pre(&vec.repr(), COEFFICIENT_BITS))] + #[ensures(|_| spec::compress_post(&vec.repr(), COEFFICIENT_BITS, &future(vec).repr()))] + fn compress(vec: &mut Self) { + compress::(vec); + } + + #[inline(always)] + #[hax_lib::requires(spec::decompress_1_pre(&vec.repr()))] + fn decompress_1(vec: Self) -> Self { Self { - elements: compress::decompress_ciphertext_coefficient::( - vector.elements, - ), + elements: compress::decompress_1(vec.elements), } } - #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr ${vector})"#))] - #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+6*3328) (impl.f_repr $out)"#))] #[inline(always)] - fn ntt_layer_1_step(vector: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self { - ntt_layer_1_step(vector, zeta0, zeta1, zeta2, zeta3) + #[requires(spec::decompress_ciphertext_coefficient_pre(&vec.repr(), COEFFICIENT_BITS))] + fn decompress_ciphertext_coefficient(vec: &mut Self) { + compress::decompress_ciphertext_coefficient::(&mut vec.elements); + } + + #[inline(always)] + #[requires(spec::ntt_layer_1_step_pre(&vec.repr(), zeta0, zeta1, zeta2, zeta3))] + #[ensures(|_| spec::ntt_layer_1_step_post(&vec.repr(), zeta0, zeta1, zeta2, zeta3, &future(vec).repr()))] + fn ntt_layer_1_step(vec: &mut Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) { + ntt_layer_1_step(vec, zeta0, zeta1, zeta2, zeta3); } - #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 
zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr ${vector})"#))] - #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr $out)"#))] #[inline(always)] - fn ntt_layer_2_step(vector: Self, zeta0: i16, zeta1: i16) -> Self { - ntt_layer_2_step(vector, zeta0, zeta1) + #[requires(spec::ntt_layer_2_step_pre(&vec.repr(), zeta0, zeta1))] + #[ensures(|_| spec::ntt_layer_2_step_post(&vec.repr(), zeta0, zeta1, &future(vec).repr()))] + fn ntt_layer_2_step(vec: &mut Self, zeta0: i16, zeta1: i16) { + ntt_layer_2_step(vec, zeta0, zeta1); } - #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\ - Spec.Utils.is_i16b_array (11207+3*3328) (impl.f_repr ${vector})"#))] - #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr $out)"#))] #[inline(always)] - fn ntt_layer_3_step(vector: Self, zeta: i16) -> Self { - ntt_layer_3_step(vector, zeta) + #[requires(spec::ntt_layer_3_step_pre(&vec.repr(), zeta0))] + #[ensures(|_| spec::ntt_layer_3_step_post(&vec.repr(), zeta0, &future(vec).repr()))] + fn ntt_layer_3_step(vec: &mut Self, zeta0: i16) { + ntt_layer_3_step(vec, zeta0); } - #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array (4*3328) (impl.f_repr ${vector})"#))] - #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"#))] #[inline(always)] - fn inv_ntt_layer_1_step(vector: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self { - inv_ntt_layer_1_step(vector, zeta0, zeta1, zeta2, zeta3) + #[requires(spec::inv_ntt_layer_1_step_pre(&vec.repr(), zeta0, zeta1, zeta2, zeta3))] + #[ensures(|_| spec::inv_ntt_layer_1_step_post(&vec.repr(), zeta0, zeta1, zeta2, zeta3, &future(vec).repr()))] + fn inv_ntt_layer_1_step(vec: &mut Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) { + inv_ntt_layer_1_step(vec, zeta0, zeta1, zeta2, zeta3); } - 
#[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr ${vector})"#))] - #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"#))] #[inline(always)] - fn inv_ntt_layer_2_step(vector: Self, zeta0: i16, zeta1: i16) -> Self { - inv_ntt_layer_2_step(vector, zeta0, zeta1) + #[requires(spec::inv_ntt_layer_2_step_pre(&vec.repr(), zeta0, zeta1))] + #[ensures(|_| spec::inv_ntt_layer_2_step_post(&vec.repr(), zeta0, zeta1, &future(vec).repr()))] + fn inv_ntt_layer_2_step(vec: &mut Self, zeta0: i16, zeta1: i16) { + inv_ntt_layer_2_step(vec, zeta0, zeta1); } - #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr ${vector})"#))] - #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"#))] #[inline(always)] - fn inv_ntt_layer_3_step(vector: Self, zeta: i16) -> Self { - inv_ntt_layer_3_step(vector, zeta) + #[requires(spec::inv_ntt_layer_3_step_pre(&vec.repr(), zeta0))] + #[ensures(|_| spec::inv_ntt_layer_3_step_post(&vec.repr(), zeta0, &future(vec).repr()))] + fn inv_ntt_layer_3_step(vec: &mut Self, zeta0: i16) { + inv_ntt_layer_3_step(vec, zeta0); } - #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr ${lhs}) /\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr ${rhs})"#))] - #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"#))] #[inline(always)] + #[requires(spec::ntt_multiply_pre(&lhs.repr(), &rhs.repr(), &out.repr(),zeta0, zeta1, zeta2, zeta3))] + #[ensures(|_| spec::ntt_multiply_post(&lhs.repr(), &rhs.repr(), &out.repr(),zeta0, zeta1, zeta2, zeta3, &future(out).repr()))] fn ntt_multiply( lhs: &Self, rhs: &Self, + out: &mut Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16, - ) -> Self { - ntt_multiply(lhs, rhs, zeta0, zeta1, zeta2, zeta3) + ) { 
+ ntt_multiply(lhs, rhs, out, zeta0, zeta1, zeta2, zeta3); } - #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 1 (impl.f_repr $vector)"#))] - #[ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 1 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 1 (impl.f_repr $vector) $out"#))] #[inline(always)] - fn serialize_1(vector: Self) -> [u8; 2] { - serialize_1(vector) + #[requires(spec::serialize_1_pre(&vec.repr(), &out))] + #[ensures(|_| spec::serialize_1_post(&vec.repr(), &out, &future(out)))] + fn serialize_1(vec: &Self, out: &mut [u8]) { + debug_assert!(out.len() == 2); + serialize_1(vec, out); } - #[requires(bytes.len() == 2)] - #[ensures(|out| fstar!(r#"sz (Seq.length $bytes) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $bytes (impl.f_repr $out)"#))] #[inline(always)] - fn deserialize_1(bytes: &[u8]) -> Self { - deserialize_1(bytes) + #[requires(spec::deserialize_1_pre(&input, &out.repr()))] + #[ensures(|_| spec::deserialize_1_post(&input, &out.repr(), &future(out).repr()))] + fn deserialize_1(input: &[u8], out: &mut Self) { + deserialize_1(input, out); } - #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 4 (impl.f_repr $vector)"#))] - #[ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 4 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 4 (impl.f_repr $vector) $out"#))] #[inline(always)] - fn serialize_4(vector: Self) -> [u8; 8] { - serialize_4(vector) + #[requires(spec::serialize_4_pre(&vec.repr(), &out))] + #[ensures(|_| spec::serialize_4_post(&vec.repr(), &out, &future(out)))] + fn serialize_4(vec: &Self, out: &mut [u8]) { + debug_assert!(out.len() == 8); + serialize_4(vec, out); } - #[requires(bytes.len() == 8)] - #[ensures(|out| fstar!(r#"sz (Seq.length $bytes) =. 
sz 8 ==> Spec.MLKEM.deserialize_post 4 $bytes (impl.f_repr $out)"#))] #[inline(always)] - fn deserialize_4(bytes: &[u8]) -> Self { - deserialize_4(bytes) + #[requires(spec::deserialize_4_pre(&input, &out.repr()))] + #[ensures(|_| spec::deserialize_4_post(&input, &out.repr(), &future(out).repr()))] + fn deserialize_4(input: &[u8], out: &mut Self) { + deserialize_4(input, out); } #[inline(always)] - fn serialize_5(vector: Self) -> [u8; 10] { - serialize::serialize_5(vector.elements) + #[requires(out.len() == 10)] + fn serialize_5(vec: &Self, out: &mut [u8]) { + debug_assert!(out.len() == 10); + serialize::serialize_5(&vec.elements, out); } - #[requires(bytes.len() == 10)] #[inline(always)] - fn deserialize_5(bytes: &[u8]) -> Self { - hax_lib::fstar!(r#"assert (v (Core.Slice.impl__len $bytes) == Seq.length $bytes)"#); - Self { - elements: serialize::deserialize_5(bytes), - } + #[requires(input.len() == 10)] + fn deserialize_5(input: &[u8], out: &mut Self) { + serialize::deserialize_5(input, &mut out.elements); } - #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 10 (impl.f_repr $vector)"#))] - #[ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 10 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 10 (impl.f_repr $vector) $out"#))] #[inline(always)] - fn serialize_10(vector: Self) -> [u8; 20] { - serialize_10(vector) + #[requires(spec::serialize_10_pre(&vec.repr(), &out))] + #[ensures(|_| spec::serialize_10_post(&vec.repr(), &out, &future(out)))] + fn serialize_10(vec: &Self, out: &mut [u8]) { + debug_assert!(out.len() == 20); + serialize_10(vec, out); } - #[requires(bytes.len() == 20)] - #[ensures(|out| fstar!(r#"sz (Seq.length $bytes) =. 
sz 20 ==> Spec.MLKEM.deserialize_post 10 $bytes (impl.f_repr $out)"#))] #[inline(always)] - fn deserialize_10(bytes: &[u8]) -> Self { - deserialize_10(bytes) + #[requires(spec::deserialize_10_pre(&input, &out.repr()))] + #[ensures(|_| spec::deserialize_10_post(&input, &out.repr(), &future(out).repr()))] + fn deserialize_10(input: &[u8], out: &mut Self) { + deserialize_10(input, out); } #[inline(always)] - fn serialize_11(vector: Self) -> [u8; 22] { - serialize::serialize_11(vector.elements) + #[requires(out.len() == 22)] + fn serialize_11(vec: &Self, out: &mut [u8]) { + debug_assert!(out.len() == 22); + serialize::serialize_11(&vec.elements, out); } - #[requires(bytes.len() == 22)] #[inline(always)] - fn deserialize_11(bytes: &[u8]) -> Self { - Self { - elements: serialize::deserialize_11(bytes), - } + #[requires(input.len() == 22)] + fn deserialize_11(input: &[u8], out: &mut Self) { + serialize::deserialize_11(input, &mut out.elements); } - #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 12 (impl.f_repr $vector)"#))] - #[ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 12 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 12 (impl.f_repr $vector) $out"#))] #[inline(always)] - fn serialize_12(vector: Self) -> [u8; 24] { - serialize_12(vector) + #[requires(spec::serialize_12_pre(&vec.repr(), &out))] + #[ensures(|_| spec::serialize_12_post(&vec.repr(), &out, &future(out)))] + fn serialize_12(vec: &Self, out: &mut [u8]) { + debug_assert!(out.len() == 24); + serialize_12(vec, out); } - #[requires(bytes.len() == 24)] - #[ensures(|out| fstar!(r#"sz (Seq.length $bytes) =. 
sz 24 ==> Spec.MLKEM.deserialize_post 12 $bytes (impl.f_repr $out)"#))] #[inline(always)] - fn deserialize_12(bytes: &[u8]) -> Self { - deserialize_12(bytes) + #[requires(spec::deserialize_12_pre(&input, &out.repr()))] + #[ensures(|_| spec::deserialize_12_post(&input, &out.repr(), &future(out).repr()))] + fn deserialize_12(input: &[u8], out: &mut Self) { + deserialize_12(input, out); } - #[requires(input.len() == 24 && output.len() == 16)] - #[ensures(|result| - fstar!(r#"Seq.length $output_future == Seq.length $output /\ v $result <= 16"#) - )] #[inline(always)] - fn rej_sample(input: &[u8], output: &mut [i16]) -> usize { - sampling::rejection_sample(input, output) + #[requires(input.len() == 24 && out.len() == 16)] + #[ensures(|result| result <= 16 && future(out).len() == 16)] + fn rej_sample(input: &[u8], out: &mut [i16]) -> usize { + sampling::rejection_sample(input, out) } } diff --git a/libcrux-ml-kem/src/vector/avx2/arithmetic.rs b/libcrux-ml-kem/src/vector/avx2/arithmetic.rs index 8ec9a0dcd..373020952 100644 --- a/libcrux-ml-kem/src/vector/avx2/arithmetic.rs +++ b/libcrux-ml-kem/src/vector/avx2/arithmetic.rs 
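Review bot: `deserialize_5` and `deserialize_11` keep only the hax `#[requires(input.len() == 10)]` / `#[requires(input.len() == 22)]` contract, whereas their `serialize_5`/`serialize_11` counterparts in the same impl pair that contract with a `debug_assert!`; for parity add `debug_assert!(input.len() == 10);` and `debug_assert!(input.len() == 22);` before the `serialize::deserialize_*` calls. These `debug_assert!`s are compiled out in release builds, so at runtime the length precondition rests on the hax proof at call sites plus whatever slice indexing the callee does, which is worth a one-line comment on the first one such as `// Length is a verified precondition; the debug_assert is a belt-and-braces check for unverified callers.` `to_unsigned_representative` and `decompress_1` still take and return `Self` by value while the rest of the impl moved to `&mut Self`; if the trait intentionally keeps them by value, a short comment saying so would stop the next reader treating it as a missed conversion. The name `spec::bitwise_and_with_constant_constant_post` on `bitwise_and_with_constant` reads like a doubled token; if the spec module really defines it under that name, fine, otherwise it should be `bitwise_and_with_constant_post`.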
@@ -6,67 +6,87 @@ use super::*; #[hax_lib::fstar::before(interface, "open Libcrux_intrinsics.Avx2_extract")] #[hax_lib::fstar::before( r#" -let lemma_add_i (lhs rhs: t_Vec256) (i:nat): Lemma +let lemma_add_i (lhs rhs: t_Vec256) (i:nat): Lemma (requires (i < 16 /\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) + v (get_lane rhs i)))) (ensures (v (add_mod (get_lane lhs i) (get_lane rhs i)) == (v (get_lane lhs i) + v (get_lane rhs i)))) [SMTPat (v (add_mod (get_lane lhs i) (get_lane rhs i)))] = ()"# )] -#[hax_lib::requires(fstar!(r#"forall i. i < 16 ==> +#[hax_lib::requires(fstar!(r#"forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane $lhs i) + v (get_lane $rhs i))"#))] -#[hax_lib::ensures(|result| fstar!(r#"forall i. i < 16 ==> - v (get_lane $result i) == (v (get_lane $lhs i) + v (get_lane $rhs i))"#))] -pub(crate) fn add(lhs: Vec256, rhs: Vec256) -> Vec256 { - let result = mm256_add_epi16(lhs, rhs); +#[hax_lib::ensures(|_| fstar!(r#"forall i. i < 16 ==> + v (get_lane ${lhs}_future i) == (v (get_lane $lhs i) + v (get_lane $rhs i))"#))] +pub(crate) fn add(lhs: &mut Vec256, rhs: &Vec256) { + #[cfg(hax)] + let lhs_orig = lhs.clone(); + + *lhs = mm256_add_epi16(*lhs, *rhs); hax_lib::fstar!( - r#"assert (forall i. get_lane result i == get_lane lhs i +. get_lane rhs i); - assert (forall i. v (get_lane result i) == v (get_lane lhs i) + v (get_lane rhs i))"# + r#"assert (forall i. get_lane $lhs i == get_lane $lhs_orig i +. get_lane $rhs i); + assert (forall i. 
v (get_lane $lhs i) == v (get_lane $lhs_orig i) + v (get_lane $rhs i))"# ); - - result } #[inline(always)] #[hax_lib::fstar::before( r#" -let lemma_sub_i (lhs rhs: t_Vec256) (i:nat): Lemma +let lemma_sub_i (lhs rhs: t_Vec256) (i:nat): Lemma (requires (i < 16 /\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) - v (get_lane rhs i)))) (ensures (v (sub_mod (get_lane lhs i) (get_lane rhs i)) == (v (get_lane lhs i) - v (get_lane rhs i)))) [SMTPat (v (sub_mod (get_lane lhs i) (get_lane rhs i)))] = ()"# )] -#[hax_lib::requires(fstar!(r#"forall i. i < 16 ==> +#[hax_lib::requires(fstar!(r#"forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane $lhs i) - v (get_lane $rhs i))"#))] -#[hax_lib::ensures(|result| fstar!(r#"forall i. i < 16 ==> - v (get_lane $result i) == (v (get_lane $lhs i) - v (get_lane $rhs i))"#))] -pub(crate) fn sub(lhs: Vec256, rhs: Vec256) -> Vec256 { - let result = mm256_sub_epi16(lhs, rhs); +#[hax_lib::ensures(|_| fstar!(r#"forall i. i < 16 ==> + v (get_lane ${lhs}_future i) == (v (get_lane $lhs i) - v (get_lane $rhs i))"#))] +pub(crate) fn sub(lhs: &mut Vec256, rhs: &Vec256) { + #[cfg(hax)] + let lhs_orig = lhs.clone(); + + *lhs = mm256_sub_epi16(*lhs, *rhs); hax_lib::fstar!( - r#"assert (forall i. get_lane result i == get_lane lhs i -. get_lane rhs i); - assert (forall i. v (get_lane result i) == v (get_lane lhs i) - v (get_lane rhs i))"# + r#"assert (forall i. get_lane $lhs i == get_lane $lhs_orig i -. get_lane $rhs i); + assert (forall i. v (get_lane $lhs i) == v (get_lane $lhs_orig i) - v (get_lane $rhs i))"# ); +} - result +#[inline(always)] +#[hax_lib::fstar::verification_status(lax)] +#[hax_lib::requires(fstar!(r#"forall i. i < 16 ==> + Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane $vec i))"#))] +#[hax_lib::ensures(|_| fstar!(r#"forall i. 
i < 16 ==> + v (get_lane ${vec}_future i) == - (v (get_lane $vec i))"#))] +pub(crate) fn negate(vec: &mut Vec256) { + #[cfg(hax)] + let vec_orig = vec.clone(); + + *vec = mm256_sign_epi16(*vec, mm256_set1_epi16(-1)); + + hax_lib::fstar!( + r#"assert (forall i. get_lane $vec i == neg (get_lane $vec_orig i)); + assert (forall i. v (get_lane $vec i) == - v (get_lane $vec_orig i))"# + ); } #[inline(always)] #[hax_lib::fstar::before( r#" -let lemma_mul_i (lhs: t_Vec256) (i:nat) (c:i16): Lemma +let lemma_mul_i (lhs: t_Vec256) (i:nat) (c:i16): Lemma (requires (i < 16 /\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) * v c))) (ensures (v (mul_mod (get_lane lhs i) c) == (v (get_lane lhs i) * v c))) [SMTPat (v (mul_mod (get_lane lhs i) c))] = ()"# )] -#[hax_lib::requires(fstar!(r#"forall i. i < 16 ==> +#[hax_lib::requires(fstar!(r#"forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane $vector i) * v constant)"#))] -#[hax_lib::ensures(|result| fstar!(r#"forall i. i < 16 ==> - v (get_lane $result i) == (v (get_lane $vector i) * v constant)"#))] -pub(crate) fn multiply_by_constant(vector: Vec256, constant: i16) -> Vec256 { +#[hax_lib::ensures(|_| fstar!(r#"forall i. i < 16 ==> + v (get_lane ${vector}_future i) == (v (get_lane $vector i) * v constant)"#))] +pub(crate) fn multiply_by_constant(vector: &mut Vec256, constant: i16) { let cv = mm256_set1_epi16(constant); - let result = mm256_mullo_epi16(vector, cv); + let result = mm256_mullo_epi16(*vector, cv); hax_lib::fstar!( r#"Seq.lemma_eq_intro (vec256_as_i16x16 ${result}) 
@@ -79,11 +99,11 @@ pub(crate) fn multiply_by_constant(vector: Vec256, constant: i16) -> Vec256 { assert (forall i. v (get_lane result i) == v (get_lane vector i) * v constant)"# ); - result + *vector = result; } #[inline(always)] -#[hax_lib::ensures(|result| fstar!(r#"Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result == +#[hax_lib::ensures(|result| fstar!(r#"Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result == Spec.Utils.map_array (fun x -> x &. $constant) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector)"#))] pub(crate) fn bitwise_and_with_constant(vector: Vec256, constant: i16) -> Vec256 { let cv = mm256_set1_epi16(constant); @@ -99,15 +119,15 @@ pub(crate) fn bitwise_and_with_constant(vector: Vec256, constant: i16) -> Vec256 #[inline(always)] #[hax_lib::requires(SHIFT_BY >= 0 && SHIFT_BY < 16)] -#[hax_lib::ensures(|result| fstar!(r#"(v_SHIFT_BY >=. (mk_i32 0) /\ v_SHIFT_BY <. (mk_i32 16)) ==> - Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result == +#[hax_lib::ensures(|result| fstar!(r#"(v_SHIFT_BY >=. (mk_i32 0) /\ v_SHIFT_BY <. (mk_i32 16)) ==> + Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result == Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector)"#))] pub(crate) fn shift_right(vector: Vec256) -> Vec256 { let result = mm256_srai_epi16::<{ SHIFT_BY }>(vector); hax_lib::fstar!( "Seq.lemma_eq_intro (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) - (Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) + (Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector))" ); 
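Review bot: `negate` is marked `#[hax_lib::fstar::verification_status(lax)]`, so its postcondition `v (get_lane ${vec}_future i) == - (v (get_lane $vec i))` is admitted rather than proven, unlike `add` and `sub` in the same hunk whose `lemma_add_i`/`lemma_sub_i` discharge the arithmetic, and the inline `assert (forall i. get_lane $vec i == neg (get_lane $vec_orig i))` cannot be checked while `mm256_sign_epi16` is opaque to the SMT encoding. The precondition `is_intb (pow2 15 - 1)` looks like the right guard, since it excludes `i16::MIN`, the one lane value for which the sign-with-`-1` trick wraps instead of negating (per Intel's documented semantics of `_mm256_sign_epi16`; the model itself is not in this hunk, so this is inferred). Please record that above the intrinsic call, e.g. `// sign(x, -1) == -x for every i16 except i16::MIN, which the precondition excludes.` followed by `// TODO: drop verification_status(lax) once mm256_sign_epi16 has a lane-wise model.`, so the admitted status is not mistaken for a proven one. Minor: `lhs.clone()` / `vec.clone()` under `#[cfg(hax)]` are clone-on-copy if `Vec256` is `Copy` in that configuration, which the `*lhs = mm256_add_epi16(*lhs, *rhs)` deref-by-value suggests; `let lhs_orig = *lhs;` would avoid the clippy lint should it ever run under that cfg.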
@@ -117,17 +137,17 @@ pub(crate) fn shift_right(vector: Vec256) -> Vec256 { #[inline(always)] #[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 100"))] #[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b_array (pow2 12 - 1) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector)"#))] -#[hax_lib::ensures(|result| fstar!(r#"forall i. i < 16 ==> - get_lane $result i == +#[hax_lib::ensures(|_| fstar!(r#"forall i. i < 16 ==> + get_lane ${vector}_future i == (if (get_lane $vector i) >=. (mk_i16 3329) then get_lane $vector i -! (mk_i16 3329) else get_lane $vector i)"#))] -pub(crate) fn cond_subtract_3329(vector: Vec256) -> Vec256 { +pub(crate) fn cond_subtract_3329(vector: &mut Vec256) { let field_modulus = mm256_set1_epi16(FIELD_MODULUS); hax_lib::fstar!(r#"assert (forall i. get_lane $field_modulus i == (mk_i16 3329))"#); // Compute v_i - Q and crate a mask from the sign bit of each of these // quantities. - let v_minus_field_modulus = mm256_sub_epi16(vector, field_modulus); + let v_minus_field_modulus = mm256_sub_epi16(*vector, field_modulus); hax_lib::fstar!( "assert (forall i. get_lane $v_minus_field_modulus i == get_lane $vector i -. (mk_i16 3329))" @@ -154,7 +174,7 @@ pub(crate) fn cond_subtract_3329(vector: Vec256) -> Vec256 { assert (forall i. get_lane $result i == (if (get_lane $vector i) >=. (mk_i16 3329) then get_lane $vector i -! (mk_i16 3329) else get_lane $vector i))"# ); - result + *vector = result; } const BARRETT_MULTIPLIER: i16 = 20159; 
@@ -164,11 +184,11 @@ const BARRETT_MULTIPLIER: i16 = 20159; #[inline(always)] #[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 200"))] #[cfg_attr(hax, hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b_array 28296 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${vector})"#)))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\ - (forall i. i < 16 ==> v (get_lane $result i) % 3329 == +#[cfg_attr(hax, hax_lib::ensures(|_| fstar!(r#"Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${vector}_future) /\ + (forall i. i < 16 ==> v (get_lane ${vector}_future i) % 3329 == (v (get_lane $vector i) % 3329))"#)))] -pub(crate) fn barrett_reduce(vector: Vec256) -> Vec256 { - let t0 = mm256_mulhi_epi16(vector, mm256_set1_epi16(BARRETT_MULTIPLIER)); +pub(crate) fn barrett_reduce(vector: &mut Vec256) { + let t0 = mm256_mulhi_epi16(*vector, mm256_set1_epi16(BARRETT_MULTIPLIER)); hax_lib::fstar!( r#"assert (forall i. get_lane $t0 i == (cast (((cast (get_lane $vector i) <: i32) *. (cast v_BARRETT_MULTIPLIER <: i32)) >>! (mk_i32 16)) <: i16))"# @@ -194,7 +214,7 @@ pub(crate) fn barrett_reduce(vector: Vec256) -> Vec256 { "assert (forall i. get_lane $quotient_times_field_modulus i == get_lane $quotient i *. Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS)" ); - let result = mm256_sub_epi16(vector, quotient_times_field_modulus); + let result = mm256_sub_epi16(*vector, quotient_times_field_modulus); hax_lib::fstar!( r#"assert (forall i. get_lane $result i == 
@@ -206,20 +226,20 @@ pub(crate) fn barrett_reduce(vector: Vec256) -> Vec256 { assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result))"# ); - result + *vector = result; } #[inline(always)] #[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 100 --ext context_pruning"))] #[cfg_attr(hax, hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 constant"#)))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\ - (forall i. i < 16 ==> v (get_lane $result i) % 3329 == +#[cfg_attr(hax, hax_lib::ensures(|_| fstar!(r#"Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${vector}_future) /\ + (forall i. i < 16 ==> v (get_lane ${vector}_future i) % 3329 == ((v (get_lane $vector i) * v constant * 169) % 3329))"#)))] -pub(crate) fn montgomery_multiply_by_constant(vector: Vec256, constant: i16) -> Vec256 { +pub(crate) fn montgomery_multiply_by_constant(vector: &mut Vec256, constant: i16) { let vec_constant = mm256_set1_epi16(constant); hax_lib::fstar!(r#"assert (forall i. get_lane $vec_constant i == $constant)"#); - let value_low = mm256_mullo_epi16(vector, vec_constant); + let value_low = mm256_mullo_epi16(*vector, vec_constant); hax_lib::fstar!( r#"assert (forall i. get_lane $value_low i == get_lane $vector i *. $constant)"# 
@@ -240,18 +260,18 @@ pub(crate) fn montgomery_multiply_by_constant(vector: Vec256, constant: i16) -> let k_times_modulus = mm256_mulhi_epi16(k, modulus); hax_lib::fstar!( - r#"assert (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $k_times_modulus == + r#"assert (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $k_times_modulus == Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! (mk_i32 16)) <: i16) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $k) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $modulus)); - assert (forall i. get_lane $k_times_modulus i == + assert (forall i. get_lane $k_times_modulus i == (cast (((cast (get_lane $k i) <: i32) *. (cast (get_lane $modulus i) <: i32)) >>! (mk_i32 16)) <: i16))"# ); - let value_high = mm256_mulhi_epi16(vector, vec_constant); + let value_high = mm256_mulhi_epi16(*vector, vec_constant); hax_lib::fstar!( - r#"assert (forall i. get_lane $value_high i == + r#"assert (forall i. get_lane $value_high i == (cast (((cast (get_lane $vector i) <: i32) *. (cast (get_lane $vec_constant i) <: i32)) >>! (mk_i32 16)) <: i16))"# ); 
@@ -269,14 +289,15 @@ pub(crate) fn montgomery_multiply_by_constant(vector: Vec256, constant: i16) -> assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result)); assert (forall i. v (get_lane $result i) % 3329 == ((v (get_lane $vector i) * v $constant * 169) % 3329))"# ); - result + + *vector = result; } #[inline(always)] #[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 100"))] #[cfg_attr(hax, hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b_array 1664 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $constants))"#)))] #[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\ - (forall i. i < 16 ==> v (get_lane $result i) % 3329 == + (forall i. i < 16 ==> v (get_lane $result i) % 3329 == ((v (get_lane $vec i) * v (get_lane $constants i) * 169) % 3329))"#)))] pub(crate) fn montgomery_multiply_by_constants(vec: Vec256, constants: Vec256) -> Vec256 { let value_low = mm256_mullo_epi16(vec, constants); 
@@ -300,17 +321,17 @@ pub(crate) fn montgomery_multiply_by_constants(vec: Vec256, constants: Vec256) - let k_times_modulus = mm256_mulhi_epi16(k, modulus); hax_lib::fstar!( - r#"assert (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $k_times_modulus == + r#"assert (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $k_times_modulus == Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! (mk_i32 16)) <: i16) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $k) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $modulus)); - assert (forall i. get_lane $k_times_modulus i == + assert (forall i. get_lane $k_times_modulus i == (cast (((cast (get_lane $k i) <: i32) *. (cast (get_lane $modulus i) <: i32)) >>! (mk_i32 16)) <: i16))"# ); let value_high = mm256_mulhi_epi16(vec, constants); hax_lib::fstar!( - r#"assert (forall i. get_lane $value_high i == + r#"assert (forall i. get_lane $value_high i == (cast (((cast (get_lane $vec i) <: i32) *. (cast (get_lane $constants i) <: i32)) >>! (mk_i32 16)) <: i16))"# ); @@ -338,7 +359,7 @@ pub(crate) fn montgomery_multiply_by_constants(vec: Vec256, constants: Vec256) - #[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array (3328 + 1665) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\ (Spec.Utils.is_i16b_array (3328 * pow2 15) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vec) ==> Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result)) /\ - (forall i. i < 16 ==> v (get_lane $result i) % 3329 == + (forall i. i < 16 ==> v (get_lane $result i) % 3329 == ((v (get_lane $vec i) * 169) % 3329))"#)))] pub(crate) fn montgomery_reduce_i32s(vec: Vec256) -> Vec256 { let k = mm256_mullo_epi16( 
@@ -360,7 +381,7 @@ pub(crate) fn montgomery_reduce_i32s(vec: Vec256) -> Vec256 { #[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 100"))] #[cfg_attr(hax, hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b_array 1664 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $constants))"#)))] #[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 ${result}) /\ - (forall i. i < 8 ==> v (get_lane128 $result i) % 3329 == + (forall i. i < 8 ==> v (get_lane128 $result i) % 3329 == ((v (get_lane128 $vec i) * v (get_lane128 $constants i) * 169) % 3329))"#)))] pub(crate) fn montgomery_multiply_m128i_by_constants(vec: Vec128, constants: Vec128) -> Vec128 { let value_low = mm_mullo_epi16(vec, constants); @@ -385,18 +406,18 @@ pub(crate) fn montgomery_multiply_m128i_by_constants(vec: Vec128, constants: Vec let k_times_modulus = mm_mulhi_epi16(k, modulus); hax_lib::fstar!( - r#"assert (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $k_times_modulus == + r#"assert (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $k_times_modulus == Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! (mk_i32 16)) <: i16) (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $k) (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $modulus)); - assert (forall i. get_lane128 $k_times_modulus i == + assert (forall i. get_lane128 $k_times_modulus i == (cast (((cast (get_lane128 $k i) <: i32) *. (cast (get_lane128 $modulus i) <: i32)) >>! (mk_i32 16)) <: i16))"# ); let value_high = mm_mulhi_epi16(vec, constants); hax_lib::fstar!( - r#"assert (forall i. get_lane128 $value_high i == + r#"assert (forall i. get_lane128 $value_high i == (cast (((cast (get_lane128 $vec i) <: i32) *. (cast (get_lane128 $constants i) <: i32)) >>! (mk_i32 16)) <: i16))"# ); 
@@ -421,15 +442,15 @@ pub(crate) fn montgomery_multiply_m128i_by_constants(vec: Vec128, constants: Vec #[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $a)"#))] #[hax_lib::ensures(|result| fstar!(r#"forall i. (let x = Seq.index (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $a) i in - let y = Seq.index (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result) i in + let y = Seq.index (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) i in (v y >= 0 /\ v y <= 3328 /\ (v y % 3329 == v x % 3329)))"#))] #[inline(always)] -pub(crate) fn to_unsigned_representative(a: Vec256) -> Vec256 { +pub(crate) fn to_unsigned_representative(mut a: Vec256) -> Vec256 { let t = shift_right::<15>(a); hax_lib::fstar!( r#" - assert (forall i. Seq.index (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $t) i == + assert (forall i. Seq.index (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $t) i == ((Seq.index (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $a) i) >>! (mk_i32 15))); assert (forall i. Seq.index (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $a) i >=. mk_i16 0 ==> Seq.index (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $t) i == mk_i16 0); assert (forall i. Seq.index (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $a) i <. mk_i16 0 ==> Seq.index (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $t) i == mk_i16 (-1)) @@ -446,5 +467,6 @@ pub(crate) fn to_unsigned_representative(a: Vec256) -> Vec256 { "# ); - add(a, fm) + add(&mut a, &fm); + a } diff --git a/libcrux-ml-kem/src/vector/avx2/compress.rs b/libcrux-ml-kem/src/vector/avx2/compress.rs index 88a4ad563..ed6a08718 100644 --- a/libcrux-ml-kem/src/vector/avx2/compress.rs +++ b/libcrux-ml-kem/src/vector/avx2/compress.rs 
@@ -23,26 +23,24 @@ fn mulhi_mm256_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 { } #[inline(always)] -pub(crate) fn compress_message_coefficient(vector: Vec256) -> Vec256 { +pub(crate) fn compress_message_coefficient(vector: &mut Vec256) { let field_modulus_halved = mm256_set1_epi16((FIELD_MODULUS - 1) / 2); let field_modulus_quartered = mm256_set1_epi16((FIELD_MODULUS - 1) / 4); - let shifted = mm256_sub_epi16(field_modulus_halved, vector); + let shifted = mm256_sub_epi16(field_modulus_halved, *vector); let mask = mm256_srai_epi16::<15>(shifted); let shifted_to_positive = mm256_xor_si256(mask, shifted); let shifted_to_positive_in_range = mm256_sub_epi16(shifted_to_positive, field_modulus_quartered); - mm256_srli_epi16::<15>(shifted_to_positive_in_range) + *vector = mm256_srli_epi16::<15>(shifted_to_positive_in_range); } #[inline(always)] #[hax_lib::requires(fstar!(r#"v $COEFFICIENT_BITS >= 0 /\ v $COEFFICIENT_BITS < bits i32_inttype /\ range (v ((mk_i32 1) <( - vector: Vec256, -) -> Vec256 { +pub(crate) fn compress_ciphertext_coefficient(vector: &mut Vec256) { let field_modulus_halved = mm256_set1_epi32(((FIELD_MODULUS as i32) - 1) / 2); let compression_factor = mm256_set1_epi32(10_321_340); let coefficient_bits_mask = mm256_set1_epi32((1 << COEFFICIENT_BITS) - 1); @@ -50,7 +48,7 @@ pub(crate) fn compress_ciphertext_coefficient( // ---- Compress the first 8 coefficients ---- // Take the bottom 128 bits, i.e. the first 8 16-bit coefficients - let coefficients_low = mm256_castsi256_si128(vector); + let coefficients_low = mm256_castsi256_si128(*vector); // If: // 
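Review bot: `compress_message_coefficient` is the one helper here with no `hax_lib::requires`/`ensures` at all, while the neighbouring `compress_ciphertext_coefficient` and the arithmetic helpers state their lane bounds; the `1664 - x` / `srai`-sign / `xor` absolute-value trick presumably assumes every lane already holds a canonical representative in `[0, 3328]`, but nothing in the hunk says so. I would put that assumption above the signature, hedged until confirmed, e.g. `// Assumes each lane is in [0, 3328] (output of to_unsigned_representative) — TODO confirm; yields 1 exactly for the middle band of the field, 0 otherwise.`, or better a `requires` in the style of the sibling functions. The rest of `compress_ciphertext_coefficient` continues in later hunks.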
@@ -80,7 +78,7 @@ pub(crate) fn compress_ciphertext_coefficient( // ---- Compress the next 8 coefficients ---- // Take the upper 128 bits, i.e. the next 8 16-bit coefficients - let coefficients_high = mm256_extracti128_si256::<1>(vector); + let coefficients_high = mm256_extracti128_si256::<1>(*vector); let coefficients_high = mm256_cvtepi16_epi32(coefficients_high); let compressed_high = mm256_slli_epi32::<{ COEFFICIENT_BITS }>(coefficients_high); @@ -101,14 +99,14 @@ pub(crate) fn compress_ciphertext_coefficient( // To be in the right order, we need to move the |low|s above in position 2 to // position 1 and the |high|s in position 1 to position 2, and leave the // rest unchanged. - mm256_permute4x64_epi64::<0b11_01_10_00>(compressed) + *vector = mm256_permute4x64_epi64::<0b11_01_10_00>(compressed); } #[inline(always)] #[hax_lib::requires(fstar!(r#"forall i. let x = Seq.index (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $a) i in (x == mk_i16 0 \/ x == mk_i16 1)"#))] -pub fn decompress_1(a: Vec256) -> Vec256 { - let z = mm256_setzero_si256(); +pub(crate) fn decompress_1(a: Vec256) -> Vec256 { + let mut z = mm256_setzero_si256(); hax_lib::fstar!( r#" 
@@ -122,26 +120,24 @@ pub fn decompress_1(a: Vec256) -> Vec256 { "# ); - let s = arithmetic::sub(z, a); + arithmetic::sub(&mut z, &a); hax_lib::fstar!( - r#"assert(forall i. Seq.index (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $s) i == mk_i16 0 \/ - Seq.index (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $s) i == mk_i16 (-1))"# + r#"assert(forall i. Seq.index (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $z) i == mk_i16 0 \/ + Seq.index (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $z) i == mk_i16 (-1))"# ); - arithmetic::bitwise_and_with_constant(s, 1665) + bitwise_and_with_constant(z, 1665) } #[inline(always)] #[hax_lib::requires(fstar!(r#"v $COEFFICIENT_BITS >= 0 /\ v $COEFFICIENT_BITS < bits i32_inttype"#))] -pub(crate) fn decompress_ciphertext_coefficient( - vector: Vec256, -) -> Vec256 { +pub(crate) fn decompress_ciphertext_coefficient(vector: &mut Vec256) { let field_modulus = mm256_set1_epi32(FIELD_MODULUS as i32); let two_pow_coefficient_bits = mm256_set1_epi32(1 << COEFFICIENT_BITS); // ---- Compress the first 8 coefficients ---- - let coefficients_low = mm256_castsi256_si128(vector); + let coefficients_low = mm256_castsi256_si128(*vector); let coefficients_low = mm256_cvtepi16_epi32(coefficients_low); let decompressed_low = mm256_mullo_epi32(coefficients_low, field_modulus); @@ -154,7 +150,7 @@ pub(crate) fn decompress_ciphertext_coefficient( let decompressed_low = mm256_srli_epi32::<1>(decompressed_low); // ---- Compress the next 8 coefficients ---- - let coefficients_high = mm256_extracti128_si256::<1>(vector); + let coefficients_high = mm256_extracti128_si256::<1>(*vector); let coefficients_high = mm256_cvtepi16_epi32(coefficients_high); let decompressed_high = mm256_mullo_epi32(coefficients_high, field_modulus); 
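Review bot: The last call in `decompress_1` dropped its module path and still passes `z` by value, `bitwise_and_with_constant(z, 1665)`, whereas `arithmetic::sub` on the line above was switched to `&mut z` and the NEON `Operations` impl in this same change declares `bitwise_and_with_constant(v: &mut Self, c: i16)`; if the AVX2 free function was moved to `&mut Vec256` as well (its definition is outside this diff), the tail should read `bitwise_and_with_constant(&mut z, 1665); z`. Independently, a short why-comment would help the next reader, since the sign trick is not obvious: `// z = 0 - a is 0 or -1 (all ones) per lane; AND with 1665 = (q+1)/2 decompresses the bit.`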
@@ -177,5 +173,5 @@ pub(crate) fn decompress_ciphertext_coefficient( // To be in the right order, we need to move the |low|s above in position 2 to // position 1 and the |high|s in position 1 to position 2, and leave the // rest unchanged. - mm256_permute4x64_epi64::<0b11_01_10_00>(compressed) + *vector = mm256_permute4x64_epi64::<0b11_01_10_00>(compressed); } diff --git a/libcrux-ml-kem/src/vector/avx2/ntt.rs b/libcrux-ml-kem/src/vector/avx2/ntt.rs index bb39a9ab9..446dc5114 100644 --- a/libcrux-ml-kem/src/vector/avx2/ntt.rs +++ b/libcrux-ml-kem/src/vector/avx2/ntt.rs 
@@ -3,56 +3,54 @@ use super::*; #[inline(always)] #[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3"#))] pub(crate) fn ntt_layer_1_step( - vector: Vec256, + vector: &mut Vec256, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16, -) -> Vec256 { +) { let zetas = mm256_set_epi16( -zeta3, -zeta3, zeta3, zeta3, -zeta2, -zeta2, zeta2, zeta2, -zeta1, -zeta1, zeta1, zeta1, -zeta0, -zeta0, zeta0, zeta0, ); - let rhs = mm256_shuffle_epi32::<0b11_11_01_01>(vector); + let rhs = mm256_shuffle_epi32::<0b11_11_01_01>(*vector); let rhs = arithmetic::montgomery_multiply_by_constants(rhs, zetas); - let lhs = mm256_shuffle_epi32::<0b10_10_00_00>(vector); + let lhs = mm256_shuffle_epi32::<0b10_10_00_00>(*vector); - mm256_add_epi16(lhs, rhs) + *vector = mm256_add_epi16(lhs, rhs); } #[inline(always)] #[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1"#))] -pub(crate) fn ntt_layer_2_step(vector: Vec256, zeta0: i16, zeta1: i16) -> Vec256 { +pub(crate) fn ntt_layer_2_step(vector: &mut Vec256, zeta0: i16, zeta1: i16) { let zetas = mm256_set_epi16( -zeta1, -zeta1, -zeta1, -zeta1, zeta1, zeta1, zeta1, zeta1, -zeta0, -zeta0, -zeta0, -zeta0, zeta0, zeta0, zeta0, zeta0, ); - let rhs = mm256_shuffle_epi32::<0b11_10_11_10>(vector); + let rhs = mm256_shuffle_epi32::<0b11_10_11_10>(*vector); let rhs = arithmetic::montgomery_multiply_by_constants(rhs, zetas); - let lhs = mm256_shuffle_epi32::<0b01_00_01_00>(vector); + let lhs = mm256_shuffle_epi32::<0b01_00_01_00>(*vector); - mm256_add_epi16(lhs, rhs) + *vector = mm256_add_epi16(lhs, rhs); } #[inline(always)] #[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta"#))] -pub(crate) fn ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 { - let rhs = mm256_extracti128_si256::<1>(vector); +pub(crate) fn ntt_layer_3_step(vector: &mut Vec256, zeta: i16) { + let rhs = mm256_extracti128_si256::<1>(*vector); 
let rhs = arithmetic::montgomery_multiply_m128i_by_constants(rhs, mm_set1_epi16(zeta)); - let lhs = mm256_castsi256_si128(vector); + let lhs = mm256_castsi256_si128(*vector); let lower_coefficients = mm_add_epi16(lhs, rhs); let upper_coefficients = mm_sub_epi16(lhs, rhs); - let combined = mm256_castsi128_si256(lower_coefficients); - let combined = mm256_inserti128_si256::<1>(combined, upper_coefficients); - - combined + *vector = mm256_castsi128_si256(lower_coefficients); + *vector = mm256_inserti128_si256::<1>(*vector, upper_coefficients); } #[inline(always)] @@ -61,21 +59,21 @@ pub(crate) fn ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 { Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ Spec.Utils.is_i16b_array (4*3328) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${vector})"#))] pub(crate) fn inv_ntt_layer_1_step( - vector: Vec256, + vector: &mut Vec256, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16, -) -> Vec256 { - let lhs = mm256_shuffle_epi32::<0b11_11_01_01>(vector); +) { + let lhs = mm256_shuffle_epi32::<0b11_11_01_01>(*vector); - let rhs = mm256_shuffle_epi32::<0b10_10_00_00>(vector); + let rhs = mm256_shuffle_epi32::<0b10_10_00_00>(*vector); let rhs = mm256_mullo_epi16( rhs, mm256_set_epi16(-1, -1, 1, 1, -1, -1, 1, 1, -1, -1, 1, 1, -1, -1, 1, 1), ); - let sum = mm256_add_epi16(lhs, rhs); + let mut sum = mm256_add_epi16(lhs, rhs); let sum_times_zetas = arithmetic::montgomery_multiply_by_constants( sum, mm256_set_epi16( 
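Review bot: `ntt_layer_3_step` now stores into `*vector` twice, first `mm256_castsi128_si256(lower_coefficients)` and then the `inserti128` result that immediately overwrites it; the intermediate store through the `&mut` buys nothing and, if I recall the Intel semantics of the cast correctly, briefly leaves the upper 128 bits of the caller's vector unspecified. Keeping a local and storing once reads cleaner and matches the other layers: `let combined = mm256_castsi128_si256(lower_coefficients);` `*vector = mm256_inserti128_si256::<1>(combined, upper_coefficients);`. The same two-store pattern reappears in `inv_ntt_layer_3_step` further down.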
@@ -83,17 +81,17 @@ pub(crate) fn inv_ntt_layer_1_step( ), ); - let sum = arithmetic::barrett_reduce(sum); + arithmetic::barrett_reduce(&mut sum); - mm256_blend_epi16::<0b1_1_0_0_1_1_0_0>(sum, sum_times_zetas) + *vector = mm256_blend_epi16::<0b1_1_0_0_1_1_0_0>(sum, sum_times_zetas); } #[inline(always)] #[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1"#))] -pub(crate) fn inv_ntt_layer_2_step(vector: Vec256, zeta0: i16, zeta1: i16) -> Vec256 { - let lhs = mm256_permute4x64_epi64::<0b11_11_01_01>(vector); +pub(crate) fn inv_ntt_layer_2_step(vector: &mut Vec256, zeta0: i16, zeta1: i16) { + let lhs = mm256_permute4x64_epi64::<0b11_11_01_01>(*vector); - let rhs = mm256_permute4x64_epi64::<0b10_10_00_00>(vector); + let rhs = mm256_permute4x64_epi64::<0b10_10_00_00>(*vector); let rhs = mm256_mullo_epi16( rhs, mm256_set_epi16(-1, -1, -1, -1, 1, 1, 1, 1, -1, -1, -1, -1, 1, 1, 1, 1), @@ -107,14 +105,14 @@ pub(crate) fn inv_ntt_layer_2_step(vector: Vec256, zeta0: i16, zeta1: i16) -> Ve ), ); - mm256_blend_epi16::<0b1_1_1_1_0_0_0_0>(sum, sum_times_zetas) + *vector = mm256_blend_epi16::<0b1_1_1_1_0_0_0_0>(sum, sum_times_zetas); } #[inline(always)] #[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta"#))] -pub(crate) fn inv_ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 { - let lhs = mm256_extracti128_si256::<1>(vector); - let rhs = mm256_castsi256_si128(vector); +pub(crate) fn inv_ntt_layer_3_step(vector: &mut Vec256, zeta: i16) { + let lhs = mm256_extracti128_si256::<1>(*vector); + let rhs = mm256_castsi256_si128(*vector); let lower_coefficients = mm_add_epi16(lhs, rhs); 
@@ -122,23 +120,22 @@ pub(crate) fn inv_ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 { let upper_coefficients = arithmetic::montgomery_multiply_m128i_by_constants(upper_coefficients, mm_set1_epi16(zeta)); - let combined = mm256_castsi128_si256(lower_coefficients); - let combined = mm256_inserti128_si256::<1>(combined, upper_coefficients); - - combined + *vector = mm256_castsi128_si256(lower_coefficients); + *vector = mm256_inserti128_si256::<1>(*vector, upper_coefficients); } #[inline(always)] #[hax_lib::fstar::verification_status(lax)] #[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3"#))] pub(crate) fn ntt_multiply( - lhs: Vec256, - rhs: Vec256, + lhs: &Vec256, + rhs: &Vec256, + out: &mut Vec256, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16, -) -> Vec256 { +) { // Compute the first term of the product let shuffle_with = mm256_set_epi8( 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, @@ -147,7 +144,7 @@ pub(crate) fn ntt_multiply( const PERMUTE_WITH: i32 = 0b11_01_10_00; // Prepare the left hand side - let lhs_shuffled = mm256_shuffle_epi8(lhs, shuffle_with); + let lhs_shuffled = mm256_shuffle_epi8(*lhs, shuffle_with); let lhs_shuffled = mm256_permute4x64_epi64::<{ PERMUTE_WITH }>(lhs_shuffled); let lhs_evens = mm256_castsi256_si128(lhs_shuffled); @@ -157,7 +154,7 @@ pub(crate) fn ntt_multiply( let lhs_odds = mm256_cvtepi16_epi32(lhs_odds); // Prepare the right hand side - let rhs_shuffled = mm256_shuffle_epi8(rhs, shuffle_with); + let rhs_shuffled = mm256_shuffle_epi8(*rhs, shuffle_with); let rhs_shuffled = mm256_permute4x64_epi64::<{ PERMUTE_WITH }>(rhs_shuffled); let rhs_evens = mm256_castsi256_si128(rhs_shuffled); 
@@ -190,16 +187,16 @@ pub(crate) fn ntt_multiply( // Compute the second term of the product let rhs_adjacent_swapped = mm256_shuffle_epi8( - rhs, + *rhs, mm256_set_epi8( 13, 12, 15, 14, 9, 8, 11, 10, 5, 4, 7, 6, 1, 0, 3, 2, 13, 12, 15, 14, 9, 8, 11, 10, 5, 4, 7, 6, 1, 0, 3, 2, ), ); - let products_right = mm256_madd_epi16(lhs, rhs_adjacent_swapped); + let products_right = mm256_madd_epi16(*lhs, rhs_adjacent_swapped); let products_right = arithmetic::montgomery_reduce_i32s(products_right); let products_right = mm256_slli_epi32::<16>(products_right); // Combine them into one vector - mm256_blend_epi16::<0b1_0_1_0_1_0_1_0>(products_left, products_right) + *out = mm256_blend_epi16::<0b1_0_1_0_1_0_1_0>(products_left, products_right); } diff --git a/libcrux-ml-kem/src/vector/avx2/sampling.rs b/libcrux-ml-kem/src/vector/avx2/sampling.rs index 61cdb21ed..2303c6d26 100644 --- a/libcrux-ml-kem/src/vector/avx2/sampling.rs +++ b/libcrux-ml-kem/src/vector/avx2/sampling.rs @@ -15,7 +15,8 @@ pub(crate) fn rejection_sample(input: &[u8], output: &mut [i16]) -> usize { // The input bytes can be interpreted as a sequence of serialized // 12-bit (i.e. uncompressed) coefficients. Not all coefficients may be // less than FIELD_MODULUS though. - let potential_coefficients = deserialize_12(input); + let mut potential_coefficients = mm256_setzero_si256(); + deserialize_12(input, &mut potential_coefficients); // Suppose we view |potential_coefficients| as follows (grouping 64-bit elements): // 
@@ -29,7 +30,8 @@ pub(crate) fn rejection_sample(input: &[u8], output: &mut [i16]) -> usize { // Since every bit in each lane is either 0 or 1, we only need one bit from // each lane in the register to tell us what coefficients to keep and what // to throw-away. Combine all the bits (there are 16) into two bytes. - let good = serialize_1(compare_with_field_modulus); + let mut good = [0u8; 2]; + serialize_1(&compare_with_field_modulus, &mut good); hax_lib::fstar!( r#"assert (v (cast (${good}.[ sz 0 ] <: u8) <: usize) < 256); assert (v (cast (${good}.[ sz 1 ] <: u8) <: usize) < 256); diff --git a/libcrux-ml-kem/src/vector/avx2/serialize.rs b/libcrux-ml-kem/src/vector/avx2/serialize.rs index a30936b88..bac28176e 100644 --- a/libcrux-ml-kem/src/vector/avx2/serialize.rs +++ b/libcrux-ml-kem/src/vector/avx2/serialize.rs @@ -4,9 +4,11 @@ use crate::vector::portable::PortableVector; #[inline(always)] #[hax_lib::fstar::verification_status(lax)] #[hax_lib::fstar::options("--ext context_pruning --compat_pre_core 0")] -#[hax_lib::requires(fstar!(r#"forall i. i % 16 >= 1 ==> vector i == 0"#))] -#[hax_lib::ensures(|result| fstar!(r#"forall i. bit_vec_of_int_t_array $result 8 i == $vector (i * 16)"#))] -pub(crate) fn serialize_1(vector: Vec256) -> [u8; 2] { +#[hax_lib::requires(fstar!(r#"forall i. i % 16 >= 1 ==> vector i == 0 /\ Seq.length $out == 2"#))] +#[hax_lib::ensures(|_| fstar!(r#"Seq.length ${out}_future == 2 /\ + (forall i. bit_vec_of_int_t_array (${out}_future <: t_Array _ (sz 2)) 8 i == + $vector (i * 16))"#))] +pub(crate) fn serialize_1(vector: &Vec256, out: &mut [u8]) { // Suppose |vector| is laid out as follows (superscript number indicates the // corresponding bit is duplicated that many times): // 
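Review bot: `serialize_1` now depends on `out` holding exactly two bytes, but that requirement lives only in the hax `requires` (`Seq.length $out == 2`): in a non-hax build a shorter slice panics at `out[1] = …` and a longer one silently keeps its tail, which the `ensures` clause `Seq.length ${out}_future == 2` does not describe. Unless the `Operations` trait pins the parameter to `&mut [u8]`, `out: &mut [u8; 2]` would restore the compile-time guarantee the old `[u8; 2]` return gave; failing that, a Rust-visible precondition such as `#[hax_lib::requires(out.len() == 2)]` (the form `deserialize_1` already uses for `bytes`) or a `debug_assert_eq!(out.len(), 2);` at the top of the body keeps callers honest. The body of `serialize_1` continues in later hunks.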
@@ -18,7 +20,7 @@ pub(crate) fn serialize_1(vector: Vec256) -> [u8; 2] { // // a₀0¹⁵ b₀0¹⁵ c₀0¹⁵ d₀0¹⁵ | e₀0¹⁵ f₀0¹⁵ g₀0¹⁵ h₀0¹⁵ | ↩ // i₀0¹⁵ j₀0¹⁵ k₀0¹⁵ l₀0¹⁵ | m₀0¹⁵ n₀0¹⁵ o₀0¹⁵ p₀0¹⁵ - let lsb_to_msb = mm256_slli_epi16::<15>(vector); + let lsb_to_msb = mm256_slli_epi16::<15>(*vector); // Get the first 8 16-bit elements ... let low_msbs = mm256_castsi256_si128(lsb_to_msb); @@ -64,29 +66,28 @@ let bits_packed' = BitVec.Intrinsics.mm_movemask_epi8_bv msbs in // significant bit from each element and collate them into two bytes. let bits_packed = mm_movemask_epi8(msbs); - let result = [bits_packed as u8, (bits_packed >> 8) as u8]; + out[0] = bits_packed as u8; + out[1] = (bits_packed >> 8) as u8; hax_lib::fstar!( r#" assert (forall (i: nat {i < 8}). get_bit ($bits_packed >>! (mk_i32 8) <: i32) (sz i) == get_bit $bits_packed (sz (i + 8))) "# ); - - result } #[inline(always)] #[hax_lib::requires(bytes.len() == 2)] -#[hax_lib::ensures(|coefficients| fstar!( +#[hax_lib::ensures(|_| fstar!( r#"forall (i:nat{i < 256}). - $coefficients i + ${out}_future i = ( if i % 16 >= 1 then 0 else let j = (i / 16) * 1 + i % 16 in bit_vec_of_int_t_array ($bytes <: t_Array _ (sz 2)) 8 j)) "# ))] #[hax_lib::fstar::before("#restart-solver")] -pub(crate) fn deserialize_1(bytes: &[u8]) -> Vec256 { +pub(crate) fn deserialize_1(bytes: &[u8], out: &mut Vec256) { #[hax_lib::ensures(|coefficients| fstar!( r#"forall (i:nat{i < 256}). $coefficients i @@ -157,7 +158,7 @@ pub(crate) fn deserialize_1(bytes: &[u8]) -> Vec256 { mm256_srli_epi16::<15>(coefficients_in_msb) } - deserialize_1_u8s(bytes[0], bytes[1]) + *out = deserialize_1_u8s(bytes[0], bytes[1]); } /// `mm256_concat_pairs_n(n, x)` is then a sequence of 32 bits packets 
@@ -177,12 +178,14 @@ fn mm256_concat_pairs_n(n: u8, x: Vec256) -> Vec256 { #[hax_lib::fstar::options("--ext context_pruning --split_queries always")] #[hax_lib::requires( fstar!( - r#"forall (i: nat{i < 256}). i % 16 < 4 || $vector i = 0"# + r#"(forall (i: nat{i < 256}). i % 16 < 4 || $vector i = 0) /\ Seq.length $out == 8"# ) )] -#[hax_lib::ensures(|r| fstar!(r#"forall (i: nat{i < 64}). bit_vec_of_int_t_array $r 8 i == $vector ((i/4) * 16 + i%4)"#))] +#[hax_lib::ensures(|_| fstar!(r#"Seq.length ${out}_future == 8 /\ + (forall (i: nat{i < 64}). bit_vec_of_int_t_array (${out}_future <: t_Array _ (sz 8)) 8 i == $vector ((i/4) * 16 + i%4)) + "#))] #[inline(always)] -pub(crate) fn serialize_4(vector: Vec256) -> [u8; 8] { +pub(crate) fn serialize_4(vector: &Vec256, out: &mut [u8]) { let mut serialized = [0u8; 16]; // If |vector| is laid out as follows: @@ -193,7 +196,7 @@ pub(crate) fn serialize_4(vector: Vec256) -> [u8; 8] { // as follows: // // 0x00_00_00_BA 0x00_00_00_DC | 0x00_00_00_FE 0x00_00_00_HG | ... - let adjacent_2_combined = mm256_concat_pairs_n(4, vector); + let adjacent_2_combined = mm256_concat_pairs_n(4, *vector); // Recall that |adjacent_2_combined| goes as follows: // 
@@ -230,17 +233,17 @@ assert (forall (i: nat{i < 64}). $combined i == bit_vec_of_int_t_array serialize "# ); - serialized[0..8].try_into().unwrap() + out.copy_from_slice(&serialized[0..8]); } #[inline(always)] #[hax_lib::requires(bytes.len() == 8)] -#[hax_lib::ensures(|result| fstar!(r#"forall (i: nat{i < 256}). - $result i = (if i % 16 >= 4 then 0 +#[hax_lib::ensures(|_| fstar!(r#"forall (i: nat{i < 256}). + ${out}_future i = (if i % 16 >= 4 then 0 else let j = (i / 16) * 4 + i % 16 in bit_vec_of_int_t_array ($bytes <: t_Array _ (sz 8)) 8 j)"#))] #[hax_lib::fstar::before("#restart-solver")] -pub(crate) fn deserialize_4(bytes: &[u8]) -> Vec256 { +pub(crate) fn deserialize_4(bytes: &[u8], out: &mut Vec256) { #[hax_lib::ensures(|coefficients| fstar!( r#"forall (i:nat{i < 256}). $coefficients i @@ -260,6 +263,7 @@ pub(crate) fn deserialize_4(bytes: &[u8]) -> Vec256 { ))] #[inline(always)] #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)] + #[allow(clippy::too_many_arguments)] fn deserialize_4_u8s(b0: u8, b1: u8, b2: u8, b3: u8, b4: u8, b5: u8, b6: u8, b7: u8) -> Vec256 { deserialize_4_i16s( b0 as i16, b1 as i16, b2 as i16, b3 as i16, b4 as i16, b5 as i16, b6 as i16, b7 as i16, @@ -285,6 +289,7 @@ pub(crate) fn deserialize_4(bytes: &[u8]) -> Vec256 { ))] #[inline(always)] #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)] + #[allow(clippy::too_many_arguments)] fn deserialize_4_i16s( b0: i16, b1: i16, @@ -343,13 +348,13 @@ pub(crate) fn deserialize_4(bytes: &[u8]) -> Vec256 { mm256_and_si256(coefficients_in_lsb, mm256_set1_epi16((1 << 4) - 1)) } - deserialize_4_u8s( + *out = deserialize_4_u8s( bytes[0], bytes[1], bytes[2], bytes[3], bytes[4], bytes[5], bytes[6], bytes[7], - ) + ); } #[inline(always)] -pub(crate) fn serialize_5(vector: Vec256) -> [u8; 10] { +pub(crate) fn serialize_5(vector: &Vec256, out: &mut [u8]) { let mut serialized = [0u8; 32]; // If |vector| is laid out as follows (superscript number indicates the 
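Review bot: `serialize_5` is the only `serialize_n` in this file whose new `out` parameter has no stated length: `serialize_4`, `serialize_10` and `serialize_12` all gained `Seq.length $out == N` in their `requires`/`ensures`, but `serialize_5` carries no hax contract, so its 10-byte requirement is enforced solely by the `copy_from_slice` panic at the end of the body (outside this hunk). I would add `#[hax_lib::requires(fstar!(r#"Seq.length $out == 10"#))]`, or the plain `#[hax_lib::requires(out.len() == 10)]` form used by `deserialize_4`, above the signature so the contract is visible to callers and to hax. The `#[allow(clippy::too_many_arguments)]` lines added on `deserialize_4_u8s`/`deserialize_4_i16s` would also read better with a one-line reason for keeping the flat eight-argument signature.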
@@ -365,7 +370,7 @@ pub(crate) fn serialize_5(vector: Vec256) -> [u8; 10] { // 0²²f₄f₃f₂f₁f₀e₄e₃e₂e₁e₀ 0²²h₄h₃h₂h₁h₀g₄g₃g₂g₁g₀ | ↩ // .... let adjacent_2_combined = mm256_madd_epi16( - vector, + *vector, mm256_set_epi16( 1 << 5, 1, @@ -442,7 +447,7 @@ pub(crate) fn serialize_5(vector: Vec256) -> [u8; 10] { let upper_8 = mm256_extracti128_si256::<1>(adjacent_8_combined); mm_storeu_bytes_si128(&mut serialized[5..21], upper_8); - serialized[0..10].try_into().unwrap() + out.copy_from_slice(&serialized[0..10]); } /// We cannot model `mm256_inserti128_si256` on its own: it produces a @@ -463,7 +468,7 @@ fn mm256_si256_from_two_si128(lower: Vec128, upper: Vec128) -> Vec256 { #[inline(always)] #[hax_lib::requires(fstar!(r#"Seq.length bytes == 10"#))] -pub(crate) fn deserialize_5(bytes: &[u8]) -> Vec256 { +pub(crate) fn deserialize_5(bytes: &[u8], out: &mut Vec256) { let coefficients = mm_set_epi8( bytes[9] as i8, bytes[8] as i8, 
@@ -514,14 +519,15 @@ pub(crate) fn deserialize_5(bytes: &[u8]) -> Vec256 { 1 << 11, ), ); - mm256_srli_epi16::<11>(coefficients) + *out = mm256_srli_epi16::<11>(coefficients); } #[inline(always)] #[hax_lib::fstar::options("--ext context_pruning --split_queries always")] -#[hax_lib::requires(fstar!(r#"forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0"#))] -#[hax_lib::ensures(|r| fstar!(r#"forall (i: nat{i < 160}). bit_vec_of_int_t_array r 8 i == vector ((i/10) * 16 + i%10)"#))] -pub(crate) fn serialize_10(vector: Vec256) -> [u8; 20] { +#[hax_lib::requires(fstar!(r#"(forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0) /\ Seq.length $out == 20"#))] +#[hax_lib::ensures(|_| fstar!(r#"Seq.length ${out}_future == 20 /\ + (forall (i: nat{i < 160}). bit_vec_of_int_t_array (${out}_future <: t_Array _ (sz 20)) 8 i == vector ((i/10) * 16 + i%10))"#))] +pub(crate) fn serialize_10(vector: &Vec256, out: &mut [u8]) { #[hax_lib::fstar::options("--ext context_pruning --split_queries always")] #[hax_lib::requires(fstar!(r#"forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0"#))] #[hax_lib::ensures(|(lower_8, upper_8)| fstar!( 
@@ -600,22 +606,22 @@ pub(crate) fn serialize_10(vector: Vec256) -> [u8; 20] { (lower_8, upper_8) } - let (lower_8, upper_8) = serialize_10_vec(vector); + let (lower_8, upper_8) = serialize_10_vec(*vector); let mut serialized = [0u8; 32]; mm_storeu_bytes_si128(&mut serialized[0..16], lower_8); mm_storeu_bytes_si128(&mut serialized[10..26], upper_8); - serialized[0..20].try_into().unwrap() + out.copy_from_slice(&serialized[0..20]); } #[inline(always)] #[hax_lib::requires(fstar!(r#"Seq.length bytes == 20"#))] -#[hax_lib::ensures(|result| fstar!(r#"forall (i: nat{i < 256}). - $result i = (if i % 16 >= 10 then 0 +#[hax_lib::ensures(|_| fstar!(r#"forall (i: nat{i < 256}). + ${out}_future i = (if i % 16 >= 10 then 0 else let j = (i / 16) * 10 + i % 16 in bit_vec_of_int_t_array ($bytes <: t_Array _ (sz 20)) 8 j)"#))] -pub(crate) fn deserialize_10(bytes: &[u8]) -> Vec256 { +pub(crate) fn deserialize_10(bytes: &[u8], out: &mut Vec256) { #[inline(always)] #[hax_lib::ensures(|coefficients| fstar!(r#" forall (i: nat {i < 256}). 
@@ -676,34 +682,42 @@ assert_norm(BitVec.Utils.forall256 (fun i -> let lower_coefficients = &bytes[0..16]; let upper_coefficients = &bytes[4..20]; - deserialize_10_vec( + *out = deserialize_10_vec( mm_loadu_si128(lower_coefficients), mm_loadu_si128(upper_coefficients), - ) + ); } #[inline(always)] #[hax_lib::fstar::verification_status(lax)] -pub(crate) fn serialize_11(vector: Vec256) -> [u8; 22] { +pub(crate) fn serialize_11(vector: &Vec256, out: &mut [u8]) { let mut array = [0i16; 16]; - mm256_storeu_si256_i16(&mut array, vector); - let input = PortableVector::from_i16_array(&array); - PortableVector::serialize_11(input) + mm256_storeu_si256_i16(&mut array, *vector); + + let mut tmp = PortableVector::ZERO(); + PortableVector::from_i16_array(&array, &mut tmp); + + PortableVector::serialize_11(&tmp, out); } #[inline(always)] #[hax_lib::fstar::verification_status(lax)] -pub(crate) fn deserialize_11(bytes: &[u8]) -> Vec256 { - let output = PortableVector::deserialize_11(bytes); - let array = PortableVector::to_i16_array(output); - mm256_loadu_si256_i16(&array) +pub(crate) fn deserialize_11(bytes: &[u8], out: &mut Vec256) { + let mut tmp = PortableVector::ZERO(); + PortableVector::deserialize_11(bytes, &mut tmp); + + let mut array = [0i16; 16]; + PortableVector::to_i16_array(&tmp, &mut array); + + *out = mm256_loadu_si256_i16(&array); } #[inline(always)] #[hax_lib::fstar::options("--ext context_pruning --split_queries always")] -#[hax_lib::requires(fstar!(r#"forall (i: nat{i < 256}). i % 16 < 12 || vector i = 0"#))] -#[hax_lib::ensures(|r| fstar!(r#"forall (i: nat{i < 192}). bit_vec_of_int_t_array r 8 i == vector ((i/12) * 16 + i%12)"#))] -pub(crate) fn serialize_12(vector: Vec256) -> [u8; 24] { +#[hax_lib::requires(fstar!(r#"(forall (i: nat{i < 256}). i % 16 < 12 || vector i = 0) /\ Seq.length $out == 24"#))] +#[hax_lib::ensures(|_| fstar!(r#"Seq.length ${out}_future == 24 /\ + (forall (i: nat{i < 192}). 
bit_vec_of_int_t_array (${out}_future <: t_Array _ (sz 24)) 8 i == vector ((i/12) * 16 + i%12))"#))] +pub(crate) fn serialize_12(vector: &Vec256, out: &mut [u8]) { #[inline(always)] #[hax_lib::fstar::options("--ext context_pruning --split_queries always")] #[hax_lib::requires(fstar!(r#"forall (i: nat{i < 256}). i % 16 < 12 || vector i = 0"#))] @@ -742,20 +756,20 @@ pub(crate) fn serialize_12(vector: Vec256) -> [u8; 24] { } let mut serialized = [0u8; 32]; - let (lower_8, upper_8) = serialize_12_vec(vector); + let (lower_8, upper_8) = serialize_12_vec(*vector); mm_storeu_bytes_si128(&mut serialized[0..16], lower_8); mm_storeu_bytes_si128(&mut serialized[12..28], upper_8); - serialized[0..24].try_into().unwrap() + out.copy_from_slice(&serialized[0..24]); } #[inline(always)] #[hax_lib::requires(fstar!(r#"Seq.length bytes == 24"#))] -#[hax_lib::ensures(|result| fstar!(r#"forall (i: nat{i < 256}). - $result i = (if i % 16 >= 12 then 0 +#[hax_lib::ensures(|_| fstar!(r#"forall (i: nat{i < 256}). + ${out}_future i = (if i % 16 >= 12 then 0 else let j = (i / 16) * 12 + i % 16 in bit_vec_of_int_t_array ($bytes <: t_Array _ (sz 24)) 8 j)"#))] -pub(crate) fn deserialize_12(bytes: &[u8]) -> Vec256 { +pub(crate) fn deserialize_12(bytes: &[u8], out: &mut Vec256) { #[inline(always)] #[hax_lib::ensures(|coefficients| fstar!(r#" forall (i: nat {i < 256}). @@ -814,5 +828,5 @@ assert_norm(BitVec.Utils.forall256 (fun i -> } let lower_coefficients = mm_loadu_si128(&bytes[0..16]); let upper_coefficients = mm_loadu_si128(&bytes[8..24]); - deserialize_12_vec(lower_coefficients, upper_coefficients) + *out = deserialize_12_vec(lower_coefficients, upper_coefficients); } diff --git a/libcrux-ml-kem/src/vector/neon.rs b/libcrux-ml-kem/src/vector/neon.rs index b264dee94..d885f08cc 100644 --- a/libcrux-ml-kem/src/vector/neon.rs +++ b/libcrux-ml-kem/src/vector/neon.rs 
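Review bot: `serialize_11` forwards `out` straight into `PortableVector::serialize_11(&tmp, out)` with no length check, and because the function is `verification_status(lax)` hax will not supply one either — the old `[u8; 22]` return type was the only thing guaranteeing 22 bytes. A `debug_assert_eq!(out.len(), 22);` before the call, or `#[hax_lib::requires(out.len() == 22)]` in line with the other `serialize_n` helpers, keeps that invariant visible; the same holds for `deserialize_11(bytes, &mut tmp)` and its input length. A brief comment on the detour through `PortableVector` (presumably there is no AVX2 path for 11-bit packing — worth stating, e.g. `// no AVX2 implementation of 11-bit packing; round-trip through the portable vector`) would also help.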
@@ -19,7 +19,9 @@ use vector_type::*; #[cfg(hax)] impl crate::vector::traits::Repr for SIMD128Vector { fn repr(&self) -> [i16; 16] { - to_i16_array(self.clone()) + let mut out = [0i16; 16]; + to_i16_array(self, &mut out); + out } } @@ -36,18 +38,18 @@ impl Operations for SIMD128Vector { #[requires(array.len() == 16)] #[ensures(|out| fstar!(r#"impl.f_repr out == $array"#))] - fn from_i16_array(array: &[i16]) -> Self { - from_i16_array(array) + fn from_i16_array(array: &[i16], out: &mut Self) { + from_i16_array(array, out) } #[ensures(|out| fstar!(r#"out == impl.f_repr $x"#))] - fn to_i16_array(x: Self) -> [i16; 16] { - to_i16_array(x) + fn to_i16_array(x: &Self, out: &mut [i16]) { + to_i16_array(x, out) } #[requires(array.len() >= 32)] - fn from_bytes(array: &[u8]) -> Self { - from_bytes(array) + fn from_bytes(array: &[u8], out: &mut Self) { + from_bytes(array, out) } #[requires(bytes.len() >= 32)] 
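Review bot: The `#[ensures(|out| fstar!(r#"impl.f_repr out == $array"#))]` on from_i16_array and `#[ensures(|out| fstar!(r#"out == impl.f_repr $x"#))]` on to_i16_array are unchanged context lines, but both methods now return `()` and write through an `out` parameter, so the closure binder `out` names the unit result rather than the buffer. The portable.rs hunk in this commit rewrites the same contracts as `#[ensures(|_| fstar!(r#"impl.f_repr ${out}_future == $array"#))]` and `#[requires(out.len() == 16)] #[ensures(|_| fstar!(r#"${out}_future == impl.f_repr $x"#))]`; if the NEON impl's annotations are ever extracted they should be updated the same way, and even if they are not, leaving stale contracts next to the portable ones invites confusion. The impl block continues past this hunk.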
@@ -55,39 +57,51 @@ impl Operations for SIMD128Vector { to_bytes(x, bytes) } - fn add(lhs: Self, rhs: &Self) -> Self { + fn add(lhs: &mut Self, rhs: &Self) { add(lhs, rhs) } - fn sub(lhs: Self, rhs: &Self) -> Self { + fn sub(lhs: &mut Self, rhs: &Self) { sub(lhs, rhs) } - fn multiply_by_constant(v: Self, c: i16) -> Self { + fn negate(vec: &mut Self) { + negate(vec) + } + + fn multiply_by_constant(v: &mut Self, c: i16) { multiply_by_constant(v, c) } + fn bitwise_and_with_constant(v: &mut Self, c: i16) { + bitwise_and_with_constant(v, c) + } + + fn shift_right(v: &mut Self) { + shift_right::<{ SHIFT_BY }>(v) + } + fn to_unsigned_representative(a: Self) -> Self { to_unsigned_representative(a) } - fn cond_subtract_3329(v: Self) -> Self { + fn cond_subtract_3329(v: &mut Self) { cond_subtract_3329(v) } - fn barrett_reduce(v: Self) -> Self { + fn barrett_reduce(v: &mut Self) { barrett_reduce(v) } - fn montgomery_multiply_by_constant(v: Self, c: i16) -> Self { + fn montgomery_multiply_by_constant(v: &mut Self, c: i16) { montgomery_multiply_by_constant(v, c) } - fn compress_1(v: Self) -> Self { + fn compress_1(v: &mut Self) { compress_1(v) } - fn compress(v: Self) -> Self { + fn compress(v: &mut Self) { compress::(v) } 
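Review bot: `to_unsigned_representative(a: Self) -> Self` is the one arithmetic method in this impl that keeps the by-value signature after every neighbour (`add`, `sub`, `negate`, `cond_subtract_3329`, `barrett_reduce`, `compress_1`, ...) moved to `&mut Self`; the matching free function in the neon/arithmetic.rs hunk pays for that with an explicit `a.clone()`, and `decompress_1(a: Self) -> Self` in the next hunk is in the same position. If the trait definition (not in this diff) deliberately leaves these two by value, a one-line comment here saying so would stop the next reader from "finishing" the migration; otherwise `fn to_unsigned_representative(a: &mut Self)` would complete it and remove the clone. The impl block continues past this hunk.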
@@ -95,91 +109,92 @@ impl Operations for SIMD128Vector { decompress_1(a) } - fn decompress_ciphertext_coefficient(v: Self) -> Self { + fn decompress_ciphertext_coefficient(v: &mut Self) { decompress_ciphertext_coefficient::(v) } - fn ntt_layer_1_step(a: Self, zeta1: i16, zeta2: i16, zeta3: i16, zeta4: i16) -> Self { + fn ntt_layer_1_step(a: &mut Self, zeta1: i16, zeta2: i16, zeta3: i16, zeta4: i16) { ntt_layer_1_step(a, zeta1, zeta2, zeta3, zeta4) } - fn ntt_layer_2_step(a: Self, zeta1: i16, zeta2: i16) -> Self { + fn ntt_layer_2_step(a: &mut Self, zeta1: i16, zeta2: i16) { ntt_layer_2_step(a, zeta1, zeta2) } - fn ntt_layer_3_step(a: Self, zeta: i16) -> Self { + fn ntt_layer_3_step(a: &mut Self, zeta: i16) { ntt_layer_3_step(a, zeta) } - fn inv_ntt_layer_1_step(a: Self, zeta1: i16, zeta2: i16, zeta3: i16, zeta4: i16) -> Self { + fn inv_ntt_layer_1_step(a: &mut Self, zeta1: i16, zeta2: i16, zeta3: i16, zeta4: i16) { inv_ntt_layer_1_step(a, zeta1, zeta2, zeta3, zeta4) } - fn inv_ntt_layer_2_step(a: Self, zeta1: i16, zeta2: i16) -> Self { + fn inv_ntt_layer_2_step(a: &mut Self, zeta1: i16, zeta2: i16) { inv_ntt_layer_2_step(a, zeta1, zeta2) } - fn inv_ntt_layer_3_step(a: Self, zeta: i16) -> Self { + fn inv_ntt_layer_3_step(a: &mut Self, zeta: i16) { inv_ntt_layer_3_step(a, zeta) } fn ntt_multiply( lhs: &Self, rhs: &Self, + out: &mut Self, zeta1: i16, zeta2: i16, zeta3: i16, zeta4: i16, - ) -> Self { - ntt_multiply(lhs, rhs, zeta1, zeta2, zeta3, zeta4) + ) { + ntt_multiply(lhs, rhs, out, zeta1, zeta2, zeta3, zeta4) } - fn serialize_1(a: Self) -> [u8; 2] { - serialize_1(a) + fn serialize_1(a: &Self, out: &mut [u8]) { + serialize_1(a, out) } - fn deserialize_1(a: &[u8]) -> Self { - deserialize_1(a) + fn deserialize_1(a: &[u8], out: &mut Self) { + deserialize_1(a, out) } - fn serialize_4(a: Self) -> [u8; 8] { - serialize_4(a) + fn serialize_4(a: &Self, out: &mut [u8]) { + serialize_4(a, out) } - fn deserialize_4(a: &[u8]) -> Self { - deserialize_4(a) + fn deserialize_4(a: 
&[u8], out: &mut Self) { + deserialize_4(a, out) } - fn serialize_5(a: Self) -> [u8; 10] { - serialize_5(a) + fn serialize_5(a: &Self, out: &mut [u8]) { + serialize_5(a, out) } - fn deserialize_5(a: &[u8]) -> Self { - deserialize_5(a) + fn deserialize_5(a: &[u8], out: &mut Self) { + deserialize_5(a, out) } - fn serialize_10(a: Self) -> [u8; 20] { - serialize_10(a) + fn serialize_10(a: &Self, out: &mut [u8]) { + serialize_10(a, out) } - fn deserialize_10(a: &[u8]) -> Self { - deserialize_10(a) + fn deserialize_10(a: &[u8], out: &mut Self) { + deserialize_10(a, out) } - fn serialize_11(a: Self) -> [u8; 22] { - serialize_11(a) + fn serialize_11(a: &Self, out: &mut [u8]) { + serialize_11(a, out) } - fn deserialize_11(a: &[u8]) -> Self { - deserialize_11(a) + fn deserialize_11(a: &[u8], out: &mut Self) { + deserialize_11(a, out) } - fn serialize_12(a: Self) -> [u8; 24] { - serialize_12(a) + fn serialize_12(a: &Self, out: &mut [u8]) { + serialize_12(a, out) } - fn deserialize_12(a: &[u8]) -> Self { - deserialize_12(a) + fn deserialize_12(a: &[u8], out: &mut Self) { + deserialize_12(a, out) } fn rej_sample(a: &[u8], out: &mut [i16]) -> usize { diff --git a/libcrux-ml-kem/src/vector/neon/arithmetic.rs b/libcrux-ml-kem/src/vector/neon/arithmetic.rs index be4db2c19..be5915a9f 100644 --- a/libcrux-ml-kem/src/vector/neon/arithmetic.rs +++ b/libcrux-ml-kem/src/vector/neon/arithmetic.rs 
@@ -3,41 +3,42 @@ use crate::vector::{traits::INVERSE_OF_MODULUS_MOD_MONTGOMERY_R, FIELD_MODULUS}; use libcrux_intrinsics::arm64::*; #[inline(always)] -pub(crate) fn add(mut lhs: SIMD128Vector, rhs: &SIMD128Vector) -> SIMD128Vector { +pub(crate) fn add(lhs: &mut SIMD128Vector, rhs: &SIMD128Vector) { lhs.low = _vaddq_s16(lhs.low, rhs.low); lhs.high = _vaddq_s16(lhs.high, rhs.high); - lhs } #[inline(always)] -pub(crate) fn sub(mut lhs: SIMD128Vector, rhs: &SIMD128Vector) -> SIMD128Vector { +pub(crate) fn sub(lhs: &mut SIMD128Vector, rhs: &SIMD128Vector) { lhs.low = _vsubq_s16(lhs.low, rhs.low); lhs.high = _vsubq_s16(lhs.high, rhs.high); - lhs } #[inline(always)] -pub(crate) fn multiply_by_constant(mut v: SIMD128Vector, c: i16) -> SIMD128Vector { +pub(crate) fn negate(vec: &mut SIMD128Vector) { + vec.low = _vnegq_s16(vec.low); + vec.high = _vnegq_s16(vec.high); +} + +#[inline(always)] +pub(crate) fn multiply_by_constant(v: &mut SIMD128Vector, c: i16) { v.low = _vmulq_n_s16(v.low, c); v.high = _vmulq_n_s16(v.high, c); - v } #[inline(always)] -pub(crate) fn bitwise_and_with_constant(mut v: SIMD128Vector, c: i16) -> SIMD128Vector { +pub(crate) fn bitwise_and_with_constant(v: &mut SIMD128Vector, c: i16) { let c = _vdupq_n_s16(c); v.low = _vandq_s16(v.low, c); v.high = _vandq_s16(v.high, c); - v } #[inline(always)] -pub(crate) fn shift_right(mut v: SIMD128Vector) -> SIMD128Vector { +pub(crate) fn shift_right(v: &mut SIMD128Vector) { // Should find special cases of this // e.g when doing a right shift just to propagate signed bits, use vclezq_s32 instead v.low = _vshrq_n_s16::(v.low); v.high = _vshrq_n_s16::(v.high); - v } // #[inline(always)] @@ -48,7 +49,7 @@ pub(crate) fn shift_right(mut v: SIMD128Vector) -> SIMD128V // } #[inline(always)] -pub(crate) fn cond_subtract_3329(mut v: SIMD128Vector) -> SIMD128Vector { +pub(crate) fn cond_subtract_3329(v: &mut SIMD128Vector) { let c = _vdupq_n_s16(3329); let m0 = _vcgeq_s16(v.low, c); let m1 = _vcgeq_s16(v.high, c); 
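Review bot: The new `negate` carries no documented precondition, yet `_vnegq_s16` is the wrapping NEON negate (negating `i16::MIN` yields `i16::MIN`), and the portable trait impl in this commit guards its `negate` with `is_intb (pow2 15 - 1)` on every element. A comment on the function such as `// Wrapping negation: -i16::MIN == i16::MIN, so callers must keep inputs within (-2^15, 2^15), as the portable spec requires.` records the same contract on the NEON path, where no hax precondition is visible. `multiply_by_constant` and `shift_right` below it have similarly unstated range assumptions, but those predate this change.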
@@ -56,7 +57,6 @@ pub(crate) fn cond_subtract_3329(mut v: SIMD128Vector) -> SIMD128Vector { let c1 = _vandq_s16(c, _vreinterpretq_s16_u16(m1)); v.low = _vsubq_s16(v.low, c0); v.high = _vsubq_s16(v.high, c1); - v } const BARRETT_MULTIPLIER: i16 = 20159; @@ -77,7 +77,7 @@ pub(crate) fn barrett_reduce_int16x8_t(v: _int16x8_t) -> _int16x8_t { } #[inline(always)] -pub(crate) fn barrett_reduce(mut v: SIMD128Vector) -> SIMD128Vector { +pub(crate) fn barrett_reduce(v: &mut SIMD128Vector) { //let pv = crate::simd::portable::from_i16_array(to_i16_array(v)); //from_i16_array(crate::simd::portable::to_i16_array(crate::simd::portable::barrett_reduce(pv))) @@ -88,7 +88,6 @@ pub(crate) fn barrett_reduce(mut v: SIMD128Vector) -> SIMD128Vector { v.low = barrett_reduce_int16x8_t(v.low); v.high = barrett_reduce_int16x8_t(v.high); - v } #[inline(always)] @@ -138,15 +137,16 @@ pub(crate) fn montgomery_multiply_int16x8_t(v: _int16x8_t, c: _int16x8_t) -> _in } #[inline(always)] -pub(crate) fn montgomery_multiply_by_constant(mut v: SIMD128Vector, c: i16) -> SIMD128Vector { +pub(crate) fn montgomery_multiply_by_constant(v: &mut SIMD128Vector, c: i16) { v.low = montgomery_multiply_by_constant_int16x8_t(v.low, c); v.high = montgomery_multiply_by_constant_int16x8_t(v.high, c); - v } #[inline(always)] -pub(crate) fn to_unsigned_representative(a: SIMD128Vector) -> SIMD128Vector { - let t = shift_right::<15>(a); - let fm = bitwise_and_with_constant(t, FIELD_MODULUS); - add(a, &fm) +pub(crate) fn to_unsigned_representative(mut a: SIMD128Vector) -> SIMD128Vector { + let mut t = a.clone(); + shift_right::<15>(&mut t); + bitwise_and_with_constant(&mut t, FIELD_MODULUS); + add(&mut a, &t); + a } diff --git a/libcrux-ml-kem/src/vector/neon/compress.rs b/libcrux-ml-kem/src/vector/neon/compress.rs index cf8ba8955..8d5fe7eae 100644 --- a/libcrux-ml-kem/src/vector/neon/compress.rs +++ b/libcrux-ml-kem/src/vector/neon/compress.rs 
@@ -3,7 +3,7 @@ use crate::vector::FIELD_MODULUS; use libcrux_intrinsics::arm64::*; #[inline(always)] -pub(crate) fn compress_1(mut v: SIMD128Vector) -> SIMD128Vector { +pub(crate) fn compress_1(v: &mut SIMD128Vector) { // This is what we are trying to do in portable: // let shifted: i16 = 1664 - (fe as i16); // let mask = shifted >> 15; @@ -29,8 +29,6 @@ pub(crate) fn compress_1(mut v: SIMD128Vector) -> SIMD128Vector { v.high = _vreinterpretq_s16_u16(_vshrq_n_u16::<15>(_vreinterpretq_u16_s16( shifted_positive_in_range, ))); - - v } #[inline(always)] @@ -64,7 +62,7 @@ fn compress_int32x4_t(v: _uint32x4_t) -> _uint32x4_ } #[inline(always)] -pub(crate) fn compress(mut v: SIMD128Vector) -> SIMD128Vector { +pub(crate) fn compress(v: &mut SIMD128Vector) { // This is what we are trying to do in portable: // let mut compressed = (fe as u64) << coefficient_bits; // compressed += 1664 as u64; @@ -90,7 +88,6 @@ pub(crate) fn compress(mut v: SIMD128Vector) -> SIM v.low = _vandq_s16(low, mask); v.high = _vandq_s16(high, mask); - v } #[inline(always)] @@ -104,16 +101,17 @@ fn decompress_uint32x4_t(v: _uint32x4_t) -> _uint32 } #[inline(always)] -pub fn decompress_1(a: SIMD128Vector) -> SIMD128Vector { - let z = ZERO(); - let s = super::arithmetic::sub(z, &a); - super::arithmetic::bitwise_and_with_constant(s, 1665) +pub(crate) fn decompress_1(a: SIMD128Vector) -> SIMD128Vector { + let mut z = ZERO(); + super::arithmetic::sub(&mut z, &a); + super::arithmetic::bitwise_and_with_constant(&mut z, 1665); + z } #[inline(always)] pub(crate) fn decompress_ciphertext_coefficient( - mut v: SIMD128Vector, -) -> SIMD128Vector { + v: &mut SIMD128Vector, +) { let mask16 = _vdupq_n_u32(0xffff); let low0 = _vandq_u32(_vreinterpretq_u32_s16(v.low), mask16); let low1 = _vshrq_n_u32::<16>(_vreinterpretq_u32_s16(v.low)); 
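Review bot: decompress_1 still takes `a: SIMD128Vector` by value but only ever borrows it (`super::arithmetic::sub(&mut z, &a)`), so `pub(crate) fn decompress_1(a: &SIMD128Vector) -> SIMD128Vector` would express the actual usage; the trait wrapper in neon.rs presumably can pass `&a` without changing the trait. The visibility change from `pub` to `pub(crate)` looks correct but is the kind of API change worth a word in the commit description. The remaining hunks in this file are straight removals of the trailing `v` return.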
@@ -127,5 +125,4 @@ pub(crate) fn decompress_ciphertext_coefficient( v.low = _vtrn1q_s16(_vreinterpretq_s16_u32(low0), _vreinterpretq_s16_u32(low1)); v.high = _vtrn1q_s16(_vreinterpretq_s16_u32(high0), _vreinterpretq_s16_u32(high1)); - v } diff --git a/libcrux-ml-kem/src/vector/neon/ntt.rs b/libcrux-ml-kem/src/vector/neon/ntt.rs index 9919965ab..d0d8353a1 100644 --- a/libcrux-ml-kem/src/vector/neon/ntt.rs +++ b/libcrux-ml-kem/src/vector/neon/ntt.rs @@ -4,12 +4,12 @@ use libcrux_intrinsics::arm64::*; #[inline(always)] pub(crate) fn ntt_layer_1_step( - mut v: SIMD128Vector, + v: &mut SIMD128Vector, zeta1: i16, zeta2: i16, zeta3: i16, zeta4: i16, -) -> SIMD128Vector { +) { // This is what we are trying to do, pointwise for every pair of elements: // let t = simd::Vector::montgomery_multiply_fe_by_fer(b, zeta_r); // b = simd::Vector::sub(a, &t); @@ -37,11 +37,10 @@ pub(crate) fn ntt_layer_1_step( _vreinterpretq_s32_s16(a), _vreinterpretq_s32_s16(b), )); - v } #[inline(always)] -pub(crate) fn ntt_layer_2_step(mut v: SIMD128Vector, zeta1: i16, zeta2: i16) -> SIMD128Vector { +pub(crate) fn ntt_layer_2_step(v: &mut SIMD128Vector, zeta1: i16, zeta2: i16) { // This is what we are trying to do for every four elements: // let t = simd::Vector::montgomery_multiply_fe_by_fer(b, zeta_r); // b = simd::Vector::sub(a, &t); @@ -69,11 +68,10 @@ pub(crate) fn ntt_layer_2_step(mut v: SIMD128Vector, zeta1: i16, zeta2: i16) -> _vreinterpretq_s64_s16(a), _vreinterpretq_s64_s16(b), )); - v } #[inline(always)] -pub(crate) fn ntt_layer_3_step(mut v: SIMD128Vector, zeta: i16) -> SIMD128Vector { +pub(crate) fn ntt_layer_3_step(v: &mut SIMD128Vector, zeta: i16) { // This is what we are trying to do for every four elements: // let t = simd::Vector::montgomery_multiply_fe_by_fer(b, zeta_r); // b = simd::Vector::sub(a, &t); 
@@ -83,17 +81,16 @@ pub(crate) fn ntt_layer_3_step(mut v: SIMD128Vector, zeta: i16) -> SIMD128Vector let t = montgomery_multiply_int16x8_t(v.high, zeta); v.high = _vsubq_s16(v.low, t); v.low = _vaddq_s16(v.low, t); - v } #[inline(always)] pub(crate) fn inv_ntt_layer_1_step( - mut v: SIMD128Vector, + v: &mut SIMD128Vector, zeta1: i16, zeta2: i16, zeta3: i16, zeta4: i16, -) -> SIMD128Vector { +) { // This is what we are trying to do for every two elements: //let a_minus_b = simd::Vector::sub(b, &a); //a = simd::Vector::add(a, &b); @@ -125,11 +122,10 @@ pub(crate) fn inv_ntt_layer_1_step( _vreinterpretq_s32_s16(a), _vreinterpretq_s32_s16(b), )); - v } #[inline(always)] -pub(crate) fn inv_ntt_layer_2_step(mut v: SIMD128Vector, zeta1: i16, zeta2: i16) -> SIMD128Vector { +pub(crate) fn inv_ntt_layer_2_step(v: &mut SIMD128Vector, zeta1: i16, zeta2: i16) { // This is what we are trying to do for every four elements: //let a_minus_b = simd::Vector::sub(b, &a); //a = simd::Vector::add(a, &b); @@ -160,11 +156,10 @@ pub(crate) fn inv_ntt_layer_2_step(mut v: SIMD128Vector, zeta1: i16, zeta2: i16) _vreinterpretq_s64_s16(a), _vreinterpretq_s64_s16(b), )); - v } #[inline(always)] -pub(crate) fn inv_ntt_layer_3_step(mut v: SIMD128Vector, zeta: i16) -> SIMD128Vector { +pub(crate) fn inv_ntt_layer_3_step(v: &mut SIMD128Vector, zeta: i16) { // This is what we are trying to do for every four elements: //let a_minus_b = simd::Vector::sub(b, &a); //a = simd::Vector::add(a, &b); 
@@ -173,20 +168,21 @@ pub(crate) fn inv_ntt_layer_3_step(mut v: SIMD128Vector, zeta: i16) -> SIMD128Ve let zeta = _vdupq_n_s16(zeta); let b_minus_a = _vsubq_s16(v.high, v.low); + v.low = _vaddq_s16(v.low, v.high); v.high = montgomery_multiply_int16x8_t(b_minus_a, zeta); - v } #[inline(always)] pub(crate) fn ntt_multiply( lhs: &SIMD128Vector, rhs: &SIMD128Vector, + out: &mut SIMD128Vector, zeta1: i16, zeta2: i16, zeta3: i16, zeta4: i16, -) -> SIMD128Vector { +) { // This is what we are trying to do for pairs of two elements: // montgomery_reduce(a0 * b0 + montgomery_reduce(a1 * b1) * zeta), // montgomery_reduce(a0 * b1 + a1 * b0) @@ -234,11 +230,6 @@ pub(crate) fn ntt_multiply( let indexes: [u8; 16] = [0, 1, 2, 3, 8, 9, 10, 11, 4, 5, 6, 7, 12, 13, 14, 15]; let index = _vld1q_u8(&indexes); - let low2 = _vreinterpretq_s16_u8(_vqtbl1q_u8(_vreinterpretq_u8_s16(low1), index)); - let high2 = _vreinterpretq_s16_u8(_vqtbl1q_u8(_vreinterpretq_u8_s16(high1), index)); - - SIMD128Vector { - low: low2, - high: high2, - } + out.low = _vreinterpretq_s16_u8(_vqtbl1q_u8(_vreinterpretq_u8_s16(low1), index)); + out.high = _vreinterpretq_s16_u8(_vqtbl1q_u8(_vreinterpretq_u8_s16(high1), index)); } diff --git a/libcrux-ml-kem/src/vector/neon/serialize.rs b/libcrux-ml-kem/src/vector/neon/serialize.rs index 231215b30..32006c602 100644 --- a/libcrux-ml-kem/src/vector/neon/serialize.rs +++ b/libcrux-ml-kem/src/vector/neon/serialize.rs 
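Review bot: The added `v.low = _vaddq_s16(v.low, v.high);` in inv_ntt_layer_3_step is a semantic change inside a commit that is otherwise a mechanical move to in-place outputs, and nothing in the hunk shows where the old function computed that sum. If the old code did so on a line outside this hunk's context this is a pure move and a short comment would help; if it was missing, this is a bug fix that deserves a sentence in the description and a known-answer test covering the inverse NTT on this backend. The statement order is correct as written, since `b_minus_a` is taken before `v.low` is overwritten.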
@@ -3,18 +3,19 @@ use crate::vector::portable::PortableVector; use libcrux_intrinsics::arm64::*; #[inline(always)] -pub(crate) fn serialize_1(v: SIMD128Vector) -> [u8; 2] { +pub(crate) fn serialize_1(v: &SIMD128Vector, out: &mut [u8]) { + debug_assert!(out.len() == 2); + let shifter: [i16; 8] = [0, 1, 2, 3, 4, 5, 6, 7]; let shift = _vld1q_s16(&shifter); let low = _vshlq_s16(v.low, shift); let high = _vshlq_s16(v.high, shift); - let low = _vaddvq_s16(low); - let high = _vaddvq_s16(high); - [low as u8, high as u8] + out[0] = _vaddvq_s16(low) as u8; + out[1] = _vaddvq_s16(high) as u8; } #[inline(always)] -pub(crate) fn deserialize_1(a: &[u8]) -> SIMD128Vector { +pub(crate) fn deserialize_1(a: &[u8], out: &mut SIMD128Vector) { let one = _vdupq_n_s16(1); let low = _vdupq_n_s16(a[0] as i16); let high = _vdupq_n_s16(a[1] as i16); @@ -22,14 +23,15 @@ pub(crate) fn deserialize_1(a: &[u8]) -> SIMD128Vector { let shift = _vld1q_s16(&shifter); let low = _vshlq_s16(low, shift); let high = _vshlq_s16(high, shift); - SIMD128Vector { - low: _vandq_s16(low, one), - high: _vandq_s16(high, one), - } + + out.low = _vandq_s16(low, one); + out.high = _vandq_s16(high, one); } #[inline(always)] -pub(crate) fn serialize_4(v: SIMD128Vector) -> [u8; 8] { +pub(crate) fn serialize_4(v: &SIMD128Vector, out: &mut [u8]) { + debug_assert!(out.len() == 8); + let shifter: [i16; 8] = [0, 4, 8, 12, 0, 4, 8, 12]; let shift = _vld1q_s16(&shifter); let lowt = _vshlq_u16(_vreinterpretq_u16_s16(v.low), shift); 
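Review bot: serialize_1 gains `debug_assert!(out.len() == 2);` but deserialize_1 directly below it indexes `a[0]` and `a[1]` with no corresponding `debug_assert!(a.len() == 2);`, and deserialize_12 later in this file, which as far as its hunk shows also reads its input directly, has no length assertion either while serialize_12 asserts `out.len() == 24`. The portable layer states `#[hax_lib::requires(a.len() == N)]` on its deserializers, so mirroring that as a debug assertion on each NEON deserializer that reads its input itself keeps the two backends aligned; the ones that delegate to PortableVector already inherit the check there.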
@@ -39,38 +41,51 @@ pub(crate) fn serialize_4(v: SIMD128Vector) -> [u8; 8] { let sum2 = _vaddv_u16(_vget_low_u16(hight)) as u64; let sum3 = _vaddv_u16(_vget_high_u16(hight)) as u64; let sum = sum0 | (sum1 << 16) | (sum2 << 32) | (sum3 << 48); - sum.to_le_bytes() + + out.copy_from_slice(&sum.to_le_bytes()); } #[inline(always)] -pub(crate) fn deserialize_4(v: &[u8]) -> SIMD128Vector { - let input = PortableVector::deserialize_4(v); - let input_i16s = PortableVector::to_i16_array(input); - SIMD128Vector { - low: _vld1q_s16(&input_i16s[0..8]), - high: _vld1q_s16(&input_i16s[8..16]), - } +pub(crate) fn deserialize_4(v: &[u8], out: &mut SIMD128Vector) { + let mut tmp = PortableVector::ZERO(); + PortableVector::deserialize_4(v, &mut tmp); + + let mut input_i16s = [0i16; 16]; + PortableVector::to_i16_array(&tmp, &mut input_i16s); + + out.low = _vld1q_s16(&input_i16s[0..8]); + out.high = _vld1q_s16(&input_i16s[8..16]); } #[inline(always)] -pub(crate) fn serialize_5(v: SIMD128Vector) -> [u8; 10] { - let out_i16s = to_i16_array(v); - let out = PortableVector::from_i16_array(&out_i16s); - PortableVector::serialize_5(out) +pub(crate) fn serialize_5(v: &SIMD128Vector, out: &mut [u8]) { + debug_assert!(out.len() == 10); + + let mut out_i16s = [0i16; 16]; + to_i16_array(&v, &mut out_i16s); + + let mut tmp = PortableVector::ZERO(); + PortableVector::from_i16_array(&out_i16s, &mut tmp); + + PortableVector::serialize_5(&tmp, out); } #[inline(always)] -pub(crate) fn deserialize_5(v: &[u8]) -> SIMD128Vector { - let output = PortableVector::deserialize_5(v); - let array = PortableVector::to_i16_array(output); - SIMD128Vector { - low: _vld1q_s16(&array[0..8]), - high: _vld1q_s16(&array[8..16]), - } +pub(crate) fn deserialize_5(v: &[u8], out: &mut SIMD128Vector) { + let mut tmp = PortableVector::ZERO(); + PortableVector::deserialize_5(v, &mut tmp); + + let mut input_i16s = [0i16; 16]; + PortableVector::to_i16_array(&tmp, &mut input_i16s); + + out.low = _vld1q_s16(&input_i16s[0..8]); + 
out.high = _vld1q_s16(&input_i16s[8..16]); } #[inline(always)] -pub(crate) fn serialize_10(v: SIMD128Vector) -> [u8; 20] { +pub(crate) fn serialize_10(v: &SIMD128Vector, out: &mut [u8]) { + debug_assert!(out.len() == 20); + let low0 = _vreinterpretq_s32_s16(_vtrn1q_s16(v.low, v.low)); // a0, a0, a2, a2, a4, a4, a6, a6 let low1 = _vreinterpretq_s32_s16(_vtrn2q_s16(v.low, v.low)); // a1, a1, a3, a3, a5, a5, a7, a7 let mixt = _vsliq_n_s32::<10>(low0, low1); // a1a0, a3a2, a5a4, a7a6 
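Review bot: `to_i16_array(&v, &mut out_i16s)` in serialize_5 borrows a value that is already a reference (`v: &SIMD128Vector`), producing `&&SIMD128Vector` that only compiles through auto-deref; clippy's needless_borrow flags it, and serialize_11 in the next hunk has the identical `to_i16_array(&v, &mut out_i16s)`. Both should read `to_i16_array(v, &mut out_i16s);`. The deserialize_4 and deserialize_5 bodies in this hunk are otherwise line-for-line identical apart from the portable call and could share a small helper, but that is a judgement call.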
@@ -90,43 +105,54 @@ pub(crate) fn serialize_10(v: SIMD128Vector) -> [u8; 20] { let mut result32 = [0u8; 32]; _vst1q_u8(&mut result32[0..16], _vreinterpretq_u8_s64(low_mix)); _vst1q_u8(&mut result32[16..32], _vreinterpretq_u8_s64(high_mix)); - let mut result = [0u8; 20]; - result[0..5].copy_from_slice(&result32[0..5]); - result[5..10].copy_from_slice(&result32[8..13]); - result[10..15].copy_from_slice(&result32[16..21]); - result[15..20].copy_from_slice(&result32[24..29]); - result + + out[0..5].copy_from_slice(&result32[0..5]); + out[5..10].copy_from_slice(&result32[8..13]); + out[10..15].copy_from_slice(&result32[16..21]); + out[15..20].copy_from_slice(&result32[24..29]); } #[inline(always)] -pub(crate) fn deserialize_10(v: &[u8]) -> SIMD128Vector { - let output = PortableVector::deserialize_10(v); - let array = PortableVector::to_i16_array(output); - SIMD128Vector { - low: _vld1q_s16(&array[0..8]), - high: _vld1q_s16(&array[8..16]), - } +pub(crate) fn deserialize_10(v: &[u8], out: &mut SIMD128Vector) { + let mut tmp = PortableVector::ZERO(); + PortableVector::deserialize_10(v, &mut tmp); + + let mut input_i16s = [0i16; 16]; + PortableVector::to_i16_array(&tmp, &mut input_i16s); + + out.low = _vld1q_s16(&input_i16s[0..8]); + out.high = _vld1q_s16(&input_i16s[8..16]); } #[inline(always)] -pub(crate) fn serialize_11(v: SIMD128Vector) -> [u8; 22] { - let out_i16s = to_i16_array(v); - let out = PortableVector::from_i16_array(&out_i16s); - PortableVector::serialize_11(out) +pub(crate) fn serialize_11(v: &SIMD128Vector, out: &mut [u8]) { + debug_assert!(out.len() == 22); + + let mut out_i16s = [0i16; 16]; + to_i16_array(&v, &mut out_i16s); + + let mut tmp = PortableVector::ZERO(); + PortableVector::from_i16_array(&out_i16s, &mut tmp); + + PortableVector::serialize_11(&tmp, out); } #[inline(always)] -pub(crate) fn deserialize_11(v: &[u8]) -> SIMD128Vector { - let output = PortableVector::deserialize_11(v); - let array = PortableVector::to_i16_array(output); - 
SIMD128Vector { - low: _vld1q_s16(&array[0..8]), - high: _vld1q_s16(&array[8..16]), - } +pub(crate) fn deserialize_11(v: &[u8], out: &mut SIMD128Vector) { + let mut tmp = PortableVector::ZERO(); + PortableVector::deserialize_11(v, &mut tmp); + + let mut input_i16s = [0i16; 16]; + PortableVector::to_i16_array(&tmp, &mut input_i16s); + + out.low = _vld1q_s16(&input_i16s[0..8]); + out.high = _vld1q_s16(&input_i16s[8..16]); } #[inline(always)] -pub(crate) fn serialize_12(v: SIMD128Vector) -> [u8; 24] { +pub(crate) fn serialize_12(v: &SIMD128Vector, out: &mut [u8]) { + debug_assert!(out.len() == 24); + let low0 = _vreinterpretq_s32_s16(_vtrn1q_s16(v.low, v.low)); // a0, a0, a2, a2, a4, a4, a6, a6 let low1 = _vreinterpretq_s32_s16(_vtrn2q_s16(v.low, v.low)); // a1, a1, a3, a3, a5, a5, a7, a7 let mixt = _vsliq_n_s32::<12>(low0, low1); // a1a0, a3a2, a5a4, a7a6 @@ -146,16 +172,15 @@ pub(crate) fn serialize_12(v: SIMD128Vector) -> [u8; 24] { let mut result32 = [0u8; 32]; _vst1q_u8(&mut result32[0..16], _vreinterpretq_u8_s64(low_mix)); _vst1q_u8(&mut result32[16..32], _vreinterpretq_u8_s64(high_mix)); - let mut result = [0u8; 24]; - result[0..6].copy_from_slice(&result32[0..6]); - result[6..12].copy_from_slice(&result32[8..14]); - result[12..18].copy_from_slice(&result32[16..22]); - result[18..24].copy_from_slice(&result32[24..30]); - result + + out[0..6].copy_from_slice(&result32[0..6]); + out[6..12].copy_from_slice(&result32[8..14]); + out[12..18].copy_from_slice(&result32[16..22]); + out[18..24].copy_from_slice(&result32[24..30]); } #[inline(always)] -pub(crate) fn deserialize_12(v: &[u8]) -> SIMD128Vector { +pub(crate) fn deserialize_12(v: &[u8], out: &mut SIMD128Vector) { let indexes: [u8; 16] = [0, 1, 1, 2, 3, 4, 4, 5, 6, 7, 7, 8, 9, 10, 10, 11]; let index_vec = _vld1q_u8(&indexes); let shifts: [i16; 8] = [0, -4, 0, -4, 0, -4, 0, -4]; 
@@ -172,11 +197,9 @@ pub(crate) fn deserialize_12(v: &[u8]) -> SIMD128Vector { let moved0 = _vreinterpretq_u16_u8(_vqtbl1q_u8(input_vec0, index_vec)); let shifted0 = _vshlq_u16(moved0, shift_vec); - let low = _vreinterpretq_s16_u16(_vandq_u16(shifted0, mask12)); + out.low = _vreinterpretq_s16_u16(_vandq_u16(shifted0, mask12)); let moved1 = _vreinterpretq_u16_u8(_vqtbl1q_u8(input_vec1, index_vec)); let shifted1 = _vshlq_u16(moved1, shift_vec); - let high = _vreinterpretq_s16_u16(_vandq_u16(shifted1, mask12)); - - SIMD128Vector { low, high } + out.high = _vreinterpretq_s16_u16(_vandq_u16(shifted1, mask12)); } diff --git a/libcrux-ml-kem/src/vector/neon/vector_type.rs b/libcrux-ml-kem/src/vector/neon/vector_type.rs index 085aaca6f..a5c408b8a 100644 --- a/libcrux-ml-kem/src/vector/neon/vector_type.rs +++ b/libcrux-ml-kem/src/vector/neon/vector_type.rs @@ -8,21 +8,19 @@ pub struct SIMD128Vector { } #[inline(always)] -#[hax_lib::ensures(|result| fstar!("${result} == repr ${v}"))] -pub(crate) fn to_i16_array(v: SIMD128Vector) -> [i16; 16] { - let mut out = [0i16; 16]; +#[hax_lib::ensures(|_| fstar!("${out}_future == repr ${v}"))] +pub(crate) fn to_i16_array(v: &SIMD128Vector, out: &mut [i16]) { + debug_assert!(out.len() >= 16); + _vst1q_s16(&mut out[0..8], v.low); _vst1q_s16(&mut out[8..16], v.high); - out } #[inline(always)] -#[hax_lib::ensures(|result| fstar!("repr ${result} == $array"))] -pub(crate) fn from_i16_array(array: &[i16]) -> SIMD128Vector { - SIMD128Vector { - low: _vld1q_s16(&array[0..8]), - high: _vld1q_s16(&array[8..16]), - } +#[hax_lib::ensures(|_| fstar!("repr ${out}_future == $array"))] +pub(crate) fn from_i16_array(array: &[i16], out: &mut SIMD128Vector) { + out.low = _vld1q_s16(&array[0..8]); + out.high = _vld1q_s16(&array[8..16]); } #[inline(always)] 
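Review bot: `debug_assert!(out.len() >= 16)` in to_i16_array admits slices longer than 16, but the new `#[hax_lib::ensures(|_| fstar!("${out}_future == repr ${v}"))]` asserts equality with a 16-element `repr`, which cannot hold for a longer `out`, and the portable trait impl in this commit pins the same method with `#[requires(out.len() == 16)]`. Either tighten the assertion to `debug_assert!(out.len() == 16);` or add a matching hax precondition so the spec and the runtime check agree. from_i16_array directly below slices `array[0..8]` and `array[8..16]` with no assertion at all, so `debug_assert!(array.len() >= 16);` there would complete the symmetry.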
@@ -32,11 +30,9 @@ pub(crate) fn to_bytes(v: SIMD128Vector, bytes: &mut [u8]) { } #[inline(always)] -pub(crate) fn from_bytes(array: &[u8]) -> SIMD128Vector { - SIMD128Vector { - low: _vld1q_bytes(&array[0..16]), - high: _vld1q_bytes(&array[16..32]), - } +pub(crate) fn from_bytes(array: &[u8], out: &mut SIMD128Vector) { + out.low = _vld1q_bytes(&array[0..16]); + out.high = _vld1q_bytes(&array[16..32]); } #[allow(non_snake_case)] diff --git a/libcrux-ml-kem/src/vector/portable.rs b/libcrux-ml-kem/src/vector/portable.rs index 5e8d6fd6d..d0ffaa701 100644 --- a/libcrux-ml-kem/src/vector/portable.rs +++ b/libcrux-ml-kem/src/vector/portable.rs 
@@ -19,92 +19,105 @@ pub(crate) use vector_type::PortableVector; #[cfg(hax)] impl crate::vector::traits::Repr for PortableVector { fn repr(&self) -> [i16; 16] { - to_i16_array(self.clone()) + let mut out = [0i16; 16]; + to_i16_array(self, &mut out); + out } } #[cfg(any(eurydice, not(hax)))] impl crate::vector::traits::Repr for PortableVector {} -#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 1 (impl.f_repr $a)"#))] -#[hax_lib::ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 1 (impl.f_repr $a) ==> - Spec.MLKEM.serialize_post 1 (impl.f_repr $a) $out"#))] -fn serialize_1(a: PortableVector) -> [u8; 2] { +#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 1 (impl.f_repr $a) /\ Seq.length $out == 2"#))] +#[hax_lib::ensures(|out| fstar!(r#"Seq.length ${out}_future == 2 /\ + (Spec.MLKEM.serialize_pre 1 (impl.f_repr $a) ==> + Spec.MLKEM.serialize_post 1 (impl.f_repr $a) ${out}_future)"#))] +fn serialize_1(a: &PortableVector, out: &mut [u8]) { hax_lib::fstar!( r#"assert (forall i. Rust_primitives.bounded (Seq.index ${a}.f_elements i) 1)"# ); - hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.serialize_1_lemma $a"#); - serialize::serialize_1(a).declassify() + hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.serialize_1_lemma $a $out"#); + serialize::serialize_1(a, out) } #[hax_lib::requires(a.len() == 2)] -#[hax_lib::ensures(|out| fstar!(r#"sz (Seq.length $a) =. 
sz 2 ==> Spec.MLKEM.deserialize_post 1 $a (impl.f_repr $out)"#))] -fn deserialize_1(a: &[u8]) -> PortableVector { - hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_lemma $a"#); - serialize::deserialize_1(a.classify_ref()) +#[hax_lib::ensures(|_| fstar!(r#"Seq.length $a == 2 ==> + Spec.MLKEM.deserialize_post 1 $a (impl.f_repr ${out}_future)"#))] +fn deserialize_1(a: &[u8], out: &mut PortableVector) { + hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_lemma $a $out"#); + serialize::deserialize_1(a.classify_ref(), out) } -#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 4 (impl.f_repr $a)"#))] -#[hax_lib::ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 4 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 4 (impl.f_repr $a) $out"#))] -fn serialize_4(a: PortableVector) -> [u8; 8] { +#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 4 (impl.f_repr $a) /\ Seq.length $out == 8"#))] +#[hax_lib::ensures(|_| fstar!(r#"Seq.length ${out}_future == 8 /\ + (Spec.MLKEM.serialize_pre 4 (impl.f_repr $a) ==> + Spec.MLKEM.serialize_post 4 (impl.f_repr $a) ${out}_future)"#))] +fn serialize_4(a: &PortableVector, out: &mut [u8]) { hax_lib::fstar!( r#"assert (forall i. Rust_primitives.bounded (Seq.index ${a}.f_elements i) 4)"# ); - hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.serialize_4_lemma $a"#); - serialize::serialize_4(a).declassify() + hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.serialize_4_lemma $a $out"#); + serialize::serialize_4(a, out) } #[hax_lib::requires(a.len() == 8)] -#[hax_lib::ensures(|out| fstar!(r#"sz (Seq.length $a) =. 
sz 8 ==> Spec.MLKEM.deserialize_post 4 $a (impl.f_repr $out)"#))] -fn deserialize_4(a: &[u8]) -> PortableVector { - hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_lemma $a"#); - serialize::deserialize_4(a.classify_ref()) +#[hax_lib::ensures(|out| fstar!(r#"Seq.length $a == 8 ==> + Spec.MLKEM.deserialize_post 4 $a (impl.f_repr ${out}_future)"#))] +fn deserialize_4(a: &[u8], out: &mut PortableVector) { + hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_lemma $a $out"#); + serialize::deserialize_4(a.classify_ref(), out) } -fn serialize_5(a: PortableVector) -> [u8; 10] { - serialize::serialize_5(a).declassify() +fn serialize_5(a: &PortableVector, out: &mut [u8]) { + serialize::serialize_5(a, out) } #[hax_lib::requires(a.len() == 10)] -fn deserialize_5(a: &[u8]) -> PortableVector { - serialize::deserialize_5(a.classify_ref()) +fn deserialize_5(a: &[u8], out: &mut PortableVector) { + serialize::deserialize_5(a.classify_ref(), out) } -#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 10 (impl.f_repr $a)"#))] -#[hax_lib::ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 10 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 10 (impl.f_repr $a) $out"#))] -fn serialize_10(a: PortableVector) -> [u8; 20] { - hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.serialize_10_lemma $a"#); - serialize::serialize_10(a).declassify() +#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 10 (impl.f_repr $a) /\ Seq.length $out == 20"#))] +#[hax_lib::ensures(|_| fstar!(r#"Seq.length ${out}_future == 20 /\ + (Spec.MLKEM.serialize_pre 10 (impl.f_repr $a) ==> + Spec.MLKEM.serialize_post 10 (impl.f_repr $a) ${out}_future)"#))] +fn serialize_10(a: &PortableVector, out: &mut [u8]) { + hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.serialize_10_lemma $a $out"#); + serialize::serialize_10(a, out) } #[hax_lib::requires(a.len() == 20)] -#[hax_lib::ensures(|out| fstar!(r#"sz (Seq.length $a) =. 
sz 20 ==> Spec.MLKEM.deserialize_post 10 $a (impl.f_repr $out)"#))] -fn deserialize_10(a: &[u8]) -> PortableVector { - hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_lemma $a"#); - serialize::deserialize_10(a.classify_ref()) +#[hax_lib::ensures(|_| fstar!(r#"Seq.length $a == 20 ==> + Spec.MLKEM.deserialize_post 10 $a (impl.f_repr ${out}_future)"#))] +fn deserialize_10(a: &[u8], out: &mut PortableVector) { + hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_lemma $a $out"#); + serialize::deserialize_10(a.classify_ref(), out) } -fn serialize_11(a: PortableVector) -> [u8; 22] { - serialize::serialize_11(a).declassify() +fn serialize_11(a: &PortableVector, out: &mut [u8]) { + serialize::serialize_11(a, out) } #[hax_lib::requires(a.len() == 22)] -fn deserialize_11(a: &[u8]) -> PortableVector { - serialize::deserialize_11(a.classify_ref()) +fn deserialize_11(a: &[u8], out: &mut PortableVector) { + serialize::deserialize_11(a.classify_ref(), out) } -#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 12 (impl.f_repr $a)"#))] -#[hax_lib::ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 12 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 12 (impl.f_repr $a) $out"#))] -fn serialize_12(a: PortableVector) -> [u8; 24] { - hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.serialize_12_lemma $a"#); - serialize::serialize_12(a).declassify() +#[hax_lib::requires(fstar!(r#"Spec.MLKEM.serialize_pre 12 (impl.f_repr $a) /\ Seq.length $out == 24"#))] +#[hax_lib::ensures(|out| fstar!(r#"Seq.length ${out}_future == 24 /\ + (Spec.MLKEM.serialize_pre 12 (impl.f_repr $a) ==> + Spec.MLKEM.serialize_post 12 (impl.f_repr $a) ${out}_future)"#))] +fn serialize_12(a: &PortableVector, out: &mut [u8]) { + hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.serialize_12_lemma $a $out"#); + serialize::serialize_12(a, out) } #[hax_lib::requires(a.len() == 24)] -#[hax_lib::ensures(|out| fstar!(r#"sz (Seq.length $a) =. 
sz 24 ==> Spec.MLKEM.deserialize_post 12 $a (impl.f_repr $out)"#))] -fn deserialize_12(a: &[u8]) -> PortableVector { - hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_lemma $a"#); - serialize::deserialize_12(a.classify_ref()) +#[hax_lib::ensures(|out| fstar!(r#"Seq.length $a == 24 ==> + Spec.MLKEM.deserialize_post 12 $a (impl.f_repr ${out}_future)"#))] +fn deserialize_12(a: &[u8], out: &mut PortableVector) { + hax_lib::fstar!(r#"Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_lemma $a $out"#); + serialize::deserialize_12(a.classify_ref(), out) } #[hax_lib::fstar::before(r#"#push-options "--z3rlimit 400 --split_queries always""#)] @@ -117,19 +130,20 @@ impl Operations for PortableVector { } #[requires(array.len() == 16)] - #[ensures(|out| fstar!(r#"impl.f_repr out == $array"#))] - fn from_i16_array(array: &[i16]) -> Self { - from_i16_array(array.classify_ref()) + #[ensures(|_| fstar!(r#"impl.f_repr ${out}_future == $array"#))] + fn from_i16_array(array: &[i16], out: &mut Self) { + from_i16_array(array.classify_ref(), out) } - #[ensures(|out| fstar!(r#"out == impl.f_repr $x"#))] - fn to_i16_array(x: Self) -> [i16; 16] { - to_i16_array(x).declassify() + #[requires(out.len() == 16)] + #[ensures(|_| fstar!(r#"${out}_future == impl.f_repr $x"#))] + fn to_i16_array(x: &Self, out: &mut [i16]) { + to_i16_array(x, out) } #[requires(array.len() >= 32)] - fn from_bytes(array: &[u8]) -> Self { - from_bytes(array.classify_ref()) + fn from_bytes(array: &[u8], out: &mut Self) { + from_bytes(array.classify_ref(), out) } #[requires(bytes.len() >= 32)] 
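Review bot: Every serialize_* in this hunk drops the `.declassify()` that previously marked where secret-integer output became public bytes and instead writes straight into the caller's `out: &mut [u8]`, while the deserializers still `classify_ref()` their inputs, so the declassification point has moved into `serialize::serialize_*`, which is not part of this diff. Please confirm that move is intentional and that the secret-independence (constant-time) review of the portable serializers was repeated against the new in-place signatures, since the declassify boundary is what that analysis keys on. Separately, the ensures closures are bound inconsistently: serialize_1, deserialize_4, serialize_12 and deserialize_12 use `|out|` while serialize_4, deserialize_1, serialize_10 and deserialize_10 use `|_|`, even though all of them refer to `${out}_future`; with a unit return value the `|out|` binder shadows the parameter, so `|_|` throughout is the safer form.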
@@ -145,51 +159,75 @@ impl Operations for PortableVector { #[requires(fstar!(r#"forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"#))] - #[ensures(|result| fstar!(r#"forall i. i < 16 ==> - (v (Seq.index ${result}.f_elements i) == + #[ensures(|_| fstar!(r#"forall i. i < 16 ==> + (v (Seq.index ${lhs}_future.f_elements i) == v (Seq.index ${lhs}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"#))] - fn add(lhs: Self, rhs: &Self) -> Self { + fn add(lhs: &mut Self, rhs: &Self) { + hax_lib::fstar!( + r#"reveal_opaque (`%Libcrux_ml_kem.Vector.Traits.Spec.add_post) (Libcrux_ml_kem.Vector.Traits.Spec.add_post)"# + ); add(lhs, rhs) } #[requires(fstar!(r#"forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"#))] - #[ensures(|result| fstar!(r#"forall i. i < 16 ==> - (v (Seq.index ${result}.f_elements i) == + #[ensures(|_| fstar!(r#"forall i. i < 16 ==> + (v (Seq.index ${lhs}_future.f_elements i) == v (Seq.index ${lhs}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"#))] - fn sub(lhs: Self, rhs: &Self) -> Self { + fn sub(lhs: &mut Self, rhs: &Self) { sub(lhs, rhs) } + #[requires(fstar!(r#"forall i. i < 16 ==> + Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${vec}.f_elements i))"#))] + #[ensures(|_| fstar!(r#"forall i. i < 16 ==> + v (Seq.index ${vec}_future.f_elements i) == + - (v (Seq.index ${vec}.f_elements i))"#))] + fn negate(vec: &mut Self) { + negate(vec) + } + #[requires(fstar!(r#"forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${vec}.f_elements i) * v c)"#))] - #[ensures(|result| fstar!(r#"forall i. i < 16 ==> - (v (Seq.index ${result}.f_elements i) == + #[ensures(|_| fstar!(r#"forall i. 
i < 16 ==> + (v (Seq.index ${vec}_future.f_elements i) == v (Seq.index ${vec}.f_elements i) * v c)"#))] - fn multiply_by_constant(vec: Self, c: i16) -> Self { + fn multiply_by_constant(vec: &mut Self, c: i16) { multiply_by_constant(vec, c) } - #[requires(fstar!(r#"Spec.Utils.is_i16b_array (pow2 12 - 1) (impl.f_repr $v)"#))] - #[ensures(|out| fstar!(r#"impl.f_repr out == Spec.Utils.map_array (fun x -> if x >=. (mk_i16 3329) then x -! (mk_i16 3329) else x) (impl.f_repr $v)"#))] - fn cond_subtract_3329(v: Self) -> Self { - cond_subtract_3329(v) + #[ensures(|_| fstar!(r#"impl.f_repr ${vec}_future == Spec.Utils.map_array (fun x -> x &. c) (impl.f_repr $vec)"#))] + fn bitwise_and_with_constant(vec: &mut Self, c: i16) { + bitwise_and_with_constant(vec, c) + } + + #[requires(SHIFT_BY >= 0 && SHIFT_BY < 16)] + #[ensures(|_| fstar!(r#"(v_SHIFT_BY >=. (mk_i32 0) /\ v_SHIFT_BY <. (mk_i32 16)) ==> impl.f_repr ${vec}_future == Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (impl.f_repr $vec)"#))] + fn shift_right(vec: &mut Self) { + shift_right::<{ SHIFT_BY }>(vec) + } + + #[requires(fstar!(r#"Spec.Utils.is_i16b_array (pow2 12 - 1) (impl.f_repr $vec)"#))] + #[ensures(|_| fstar!(r#"impl.f_repr ${vec}_future == Spec.Utils.map_array (fun x -> if x >=. (mk_i16 3329) then x -! (mk_i16 3329) else x) (impl.f_repr $vec)"#))] + fn cond_subtract_3329(vec: &mut Self) { + cond_subtract_3329(vec) } - #[requires(fstar!(r#"Spec.Utils.is_i16b_array 28296 (impl.f_repr ${vector})"#))] - #[ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr ${result}) /\ - (forall i. (v (Seq.index (impl.f_repr ${result}) i) % 3329) == - (v (Seq.index (impl.f_repr ${vector})i) % 3329))"#))] - fn barrett_reduce(vector: Self) -> Self { - barrett_reduce(vector) + #[requires(fstar!(r#"Spec.Utils.is_i16b_array 28296 (impl.f_repr ${vec})"#))] + #[ensures(|_| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr ${vec}_future) /\ + (forall i. 
(v (Seq.index (impl.f_repr ${vec}_future) i) % 3329) == + (v (Seq.index (impl.f_repr ${vec})i) % 3329))"#))] + + fn barrett_reduce(vec: &mut Self) { + barrett_reduce(vec) } - #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 $constant"#))] - #[ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr ${result}) /\ - (forall i. i < 16 ==> ((v (Seq.index (impl.f_repr ${result}) i) % 3329)== - (v (Seq.index (impl.f_repr ${vector}) i) * v ${constant} * 169) % 3329))"#))] - fn montgomery_multiply_by_constant(vector: Self, constant: i16) -> Self { - montgomery_multiply_by_constant(vector, constant.classify()) + #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 $r"#))] + #[ensures(|_| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr ${vec}_future) /\ + (forall i. i < 16 ==> ((v (Seq.index (impl.f_repr ${vec}_future) i) % 3329)== + (v (Seq.index (impl.f_repr $vec) i) * v $r * 169) % 3329))"#))] + fn montgomery_multiply_by_constant(vec: &mut Self, r: i16) { + montgomery_multiply_by_constant(vec, r.classify()) } #[requires(fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $a)"#))] @@ -203,8 +241,8 @@ impl Operations for PortableVector { #[requires(fstar!(r#"forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $a) i) >= 0 /\ v (Seq.index (impl.f_repr $a) i) < 3329"#))] - #[ensures(|out| fstar!(r#"forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) 1"#))] - fn compress_1(a: Self) -> Self { + #[ensures(|_| fstar!(r#"forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr ${a}_future) i) 1"#))] + fn compress_1(a: &mut Self) { compress_1(a) } 
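Review bot: There is a stray blank line between the `#[ensures(...)]` attribute and `fn barrett_reduce(vec: &mut Self) {` in this hunk; it visually detaches the contract from the function it annotates and should be dropped so the attribute sits directly on the signature like every other entry in the impl. The new `negate` entry would also read better with a one-line comment on why its precondition is `is_intb (pow2 15 - 1)`: it excludes the single 16-bit value whose negation does not fit, which is the only way `negate` can leave range. The `reveal_opaque` call added to `add` has no counterpart in `sub`; if it is needed for the proof of `add` alone, a short comment saying so would keep the next reader from copying it blindly.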
@@ -214,12 +252,12 @@ impl Operations for PortableVector { v $COEFFICIENT_BITS == 11) /\ (forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $a) i) >= 0 /\ v (Seq.index (impl.f_repr $a) i) < 3329)"#))] - #[ensures(|out| fstar!(r#"(v $COEFFICIENT_BITS == 4 \/ + #[ensures(|_| fstar!(r#"(v $COEFFICIENT_BITS == 4 \/ v $COEFFICIENT_BITS == 5 \/ v $COEFFICIENT_BITS == 10 \/ v $COEFFICIENT_BITS == 11) ==> - (forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) (v $COEFFICIENT_BITS))"#))] - fn compress(a: Self) -> Self { + (forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr ${a}_future) i) (v $COEFFICIENT_BITS))"#))] + fn compress(a: &mut Self) { compress::(a) } 
@@ -236,51 +274,51 @@ impl Operations for PortableVector { v $COEFFICIENT_BITS == 11) /\ (forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $a) i) >= 0 /\ v (Seq.index (impl.f_repr $a) i) < pow2 (v $COEFFICIENT_BITS))"#))] - fn decompress_ciphertext_coefficient(a: Self) -> Self { + fn decompress_ciphertext_coefficient(a: &mut Self) { decompress_ciphertext_coefficient::(a) } #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr ${a})"#))] - #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+6*3328) (impl.f_repr $out)"#))] - fn ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self { + #[ensures(|_| fstar!(r#"Spec.Utils.is_i16b_array (11207+6*3328) (impl.f_repr ${a}_future)"#))] + fn ntt_layer_1_step(a: &mut Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) { ntt_layer_1_step(a, zeta0, zeta1, zeta2, zeta3) } #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr ${a})"#))] - #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr $out)"#))] - fn ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self { + #[ensures(|_| fstar!(r#"Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr ${a}_future)"#))] + fn ntt_layer_2_step(a: &mut Self, zeta0: i16, zeta1: i16) { ntt_layer_2_step(a, zeta0, zeta1) } #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array (11207+3*3328) (impl.f_repr ${a})"#))] - #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr $out)"#))] - fn ntt_layer_3_step(a: Self, zeta: i16) -> Self { + #[ensures(|_| fstar!(r#"Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr ${a}_future)"#))] + fn ntt_layer_3_step(a: &mut Self, zeta: i16) { ntt_layer_3_step(a, zeta) } #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 
/\ Spec.Utils.is_i16b 1664 zeta1 /\ Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ Spec.Utils.is_i16b_array (4*3328) (impl.f_repr ${a})"#))] - #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"#))] - fn inv_ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self { + #[ensures(|_| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr ${a}_future)"#))] + fn inv_ntt_layer_1_step(a: &mut Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) { inv_ntt_layer_1_step(a, zeta0, zeta1, zeta2, zeta3) } #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ Spec.Utils.is_i16b_array 3328 (impl.f_repr ${a})"#))] - #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"#))] - fn inv_ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self { + #[ensures(|_| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr ${a}_future)"#))] + fn inv_ntt_layer_2_step(a: &mut Self, zeta0: i16, zeta1: i16) { inv_ntt_layer_2_step(a, zeta0, zeta1) } #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array 3328 (impl.f_repr ${a})"#))] - #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"#))] - fn inv_ntt_layer_3_step(a: Self, zeta: i16) -> Self { + #[ensures(|_| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr ${a}_future)"#))] + fn inv_ntt_layer_3_step(a: &mut Self, zeta: i16) { inv_ntt_layer_3_step(a, zeta) } 
@@ -288,88 +326,103 @@ impl Operations for PortableVector { Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ Spec.Utils.is_i16b_array 3328 (impl.f_repr ${lhs}) /\ Spec.Utils.is_i16b_array 3328 (impl.f_repr ${rhs})"#))] - #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"#))] + #[ensures(|_| fstar!(r#"Spec.Utils.is_i16b_array 3328 (impl.f_repr ${out}_future)"#))] fn ntt_multiply( lhs: &Self, rhs: &Self, + out: &mut Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16, - ) -> Self { - ntt_multiply(lhs, rhs, zeta0, zeta1, zeta2, zeta3) + ) { + ntt_multiply(lhs, rhs, out, zeta0, zeta1, zeta2, zeta3) } - #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 1 (impl.f_repr $a)"#))] - #[ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 1 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 1 (impl.f_repr $a) $out"#))] - fn serialize_1(a: Self) -> [u8; 2] { - serialize_1(a) + #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 1 (impl.f_repr $a) /\ Seq.length $out == 2"#))] + #[ensures(|_| fstar!(r#"Seq.length ${out}_future == 2 /\ + (Spec.MLKEM.serialize_pre 1 (impl.f_repr $a) ==> + Spec.MLKEM.serialize_post 1 (impl.f_repr $a) ${out}_future) + "#))] + fn serialize_1(a: &Self, out: &mut [u8]) { + serialize_1(a, out) } #[requires(a.len() == 2)] - #[ensures(|out| fstar!(r#"sz (Seq.length $a) =. 
sz 2 ==> Spec.MLKEM.deserialize_post 1 $a (impl.f_repr $out)"#))] - fn deserialize_1(a: &[u8]) -> Self { - deserialize_1(a) + #[ensures(|_| fstar!(r#"Seq.length $a == 2 ==> + Spec.MLKEM.deserialize_post 1 $a (impl.f_repr ${out}_future)"#))] + fn deserialize_1(a: &[u8], out: &mut Self) { + deserialize_1(a, out) } - #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 4 (impl.f_repr $a)"#))] - #[ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 4 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 4 (impl.f_repr $a) $out"#))] - fn serialize_4(a: Self) -> [u8; 8] { - serialize_4(a) + #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 4 (impl.f_repr $a) /\ Seq.length $out == 8"#))] + #[ensures(|_| fstar!(r#"Seq.length ${out}_future == 8 /\ + (Spec.MLKEM.serialize_pre 4 (impl.f_repr $a) ==> + Spec.MLKEM.serialize_post 4 (impl.f_repr $a) ${out}_future) + "#))] + fn serialize_4(a: &Self, out: &mut [u8]) { + serialize_4(a, out) } #[requires(a.len() == 8)] - #[ensures(|out| fstar!(r#"sz (Seq.length $a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $a (impl.f_repr $out)"#))] - fn deserialize_4(a: &[u8]) -> Self { - deserialize_4(a) + #[ensures(|_| fstar!(r#"Seq.length $a == 8 ==> + Spec.MLKEM.deserialize_post 4 $a (impl.f_repr ${out}_future)"#))] + fn deserialize_4(a: &[u8], out: &mut Self) { + deserialize_4(a, out) } - fn serialize_5(a: Self) -> [u8; 10] { - serialize_5(a) + fn serialize_5(a: &Self, out: &mut [u8]) { + serialize_5(a, out) } #[requires(a.len() == 10)] - fn deserialize_5(a: &[u8]) -> Self { - deserialize_5(a) + fn deserialize_5(a: &[u8], out: &mut Self) { + deserialize_5(a, out) } - #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 10 (impl.f_repr $a)"#))] - #[ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 10 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 10 (impl.f_repr $a) $out"#))] - fn serialize_10(a: Self) -> [u8; 20] { - serialize_10(a) + #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 10 (impl.f_repr $a) /\ Seq.length $out == 20"#))] + #[ensures(|_| fstar!(r#"Seq.length 
${out}_future == 20 /\ + (Spec.MLKEM.serialize_pre 10 (impl.f_repr $a) ==> + Spec.MLKEM.serialize_post 10 (impl.f_repr $a) ${out}_future) + "#))] + fn serialize_10(a: &Self, out: &mut [u8]) { + serialize_10(a, out) } #[requires(a.len() == 20)] - #[ensures(|out| fstar!(r#"sz (Seq.length $a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 $a (impl.f_repr $out)"#))] - fn deserialize_10(a: &[u8]) -> Self { - deserialize_10(a) + #[ensures(|_| fstar!(r#"Seq.length $a == 20 ==> + Spec.MLKEM.deserialize_post 10 $a (impl.f_repr ${out}_future)"#))] + fn deserialize_10(a: &[u8], out: &mut Self) { + deserialize_10(a, out) } - fn serialize_11(a: Self) -> [u8; 22] { - serialize_11(a) + fn serialize_11(a: &Self, out: &mut [u8]) { + serialize_11(a, out) } #[requires(a.len() == 22)] - fn deserialize_11(a: &[u8]) -> Self { - deserialize_11(a) + fn deserialize_11(a: &[u8], out: &mut Self) { + deserialize_11(a, out) } - #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 12 (impl.f_repr $a)"#))] - #[ensures(|out| fstar!(r#"Spec.MLKEM.serialize_pre 12 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 12 (impl.f_repr $a) $out"#))] - fn serialize_12(a: Self) -> [u8; 24] { - serialize_12(a) + #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 12 (impl.f_repr $a) /\ Seq.length $out == 24"#))] + #[ensures(|_| fstar!(r#"Seq.length ${out}_future == 24 /\ + (Spec.MLKEM.serialize_pre 12 (impl.f_repr $a) ==> + Spec.MLKEM.serialize_post 12 (impl.f_repr $a) ${out}_future) + "#))] + fn serialize_12(a: &Self, out: &mut [u8]) { + serialize_12(a, out) } #[requires(a.len() == 24)] - #[ensures(|out| fstar!(r#"sz (Seq.length $a) =. 
sz 24 ==> Spec.MLKEM.deserialize_post 12 $a (impl.f_repr $out)"#))] - fn deserialize_12(a: &[u8]) -> Self { - deserialize_12(a) + #[ensures(|_| fstar!(r#"Seq.length $a == 24 ==> + Spec.MLKEM.deserialize_post 12 $a (impl.f_repr ${out}_future)"#))] + fn deserialize_12(a: &[u8], out: &mut Self) { + deserialize_12(a, out) } #[requires(a.len() == 24 && out.len() == 16)] - #[ensures(|result| - fstar!(r#"Seq.length $out_future == Seq.length $out /\ v $result <= 16"#) - )] + #[ensures(|result| result <= 16 && future(out).len() == 16)] fn rej_sample(a: &[u8], out: &mut [i16]) -> usize { rej_sample(a, out) } diff --git a/libcrux-ml-kem/src/vector/portable/arithmetic.rs b/libcrux-ml-kem/src/vector/portable/arithmetic.rs index 9abef3cd2..cb326b802 100644 --- a/libcrux-ml-kem/src/vector/portable/arithmetic.rs +++ b/libcrux-ml-kem/src/vector/portable/arithmetic.rs 
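Review bot: `serialize_5(a: &Self, out: &mut [u8])` and `serialize_11(a: &Self, out: &mut [u8])` in this hunk carry no precondition on `out.len()`, whereas serialize_1/4/10/12 gained `Seq.length $out == N` together with the move to an out-parameter, and the deserialize counterparts keep `a.len() == 10` / `a.len() == 22`. The removed signatures fix the expected sizes (`[u8; 10]` and `[u8; 22]`), so `#[requires(out.len() == 10)]` and `#[requires(out.len() == 22)]` would close the gap and let the verifier reject a caller passing a short buffer instead of relying on whatever bounds handling the underlying serializer does. The free-function wrappers `serialize_5`/`serialize_11` in this file's earlier hunk (which begins before the visible part of the diff) have the same omission.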
@@ -35,7 +35,7 @@ pub(crate) fn get_n_least_significant_bits(n: u8, value: U32) -> U32 { v res; (==) { } v (logand value (((mk_u32 1) < U32 { #[inline(always)] #[hax_lib::fstar::options("--z3rlimit 150")] -#[hax_lib::requires(fstar!(r#"forall i. i < 16 ==> +#[hax_lib::requires(fstar!(r#"forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"#))] -#[hax_lib::ensures(|result| fstar!(r#"forall i. i < 16 ==> - (v (Seq.index ${result}.f_elements i) == +#[hax_lib::ensures(|_| fstar!(r#"forall i. i < 16 ==> + (v (Seq.index ${lhs}_future.f_elements i) == v (Seq.index ${lhs}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"#))] -pub fn add(mut lhs: PortableVector, rhs: &PortableVector) -> PortableVector { +pub(crate) fn add(lhs: &mut PortableVector, rhs: &PortableVector) { #[cfg(hax)] - let _lhs0 = lhs; - + let _lhs0 = (*lhs).clone(); for i in 0..FIELD_ELEMENTS_IN_VECTOR { hax_lib::loop_invariant!(|i: usize| { fstar!( r#" - (forall j. j < v i ==> (Seq.index ${lhs}.f_elements j) == + (forall j. j < v i ==> (Seq.index ${lhs}.f_elements j) == (Seq.index ${_lhs0}.f_elements j) +! (Seq.index ${rhs}.f_elements j)) /\ (forall j. j >= v i ==> (Seq.index ${lhs}.f_elements j) == (Seq.index ${_lhs0}.f_elements j))"# ) 
@@ -77,25 +76,22 @@ pub fn add(mut lhs: PortableVector, rhs: &PortableVector) -> PortableVector { "assert (forall i. v (Seq.index ${lhs}.f_elements i) == v (Seq.index ${_lhs0}.f_elements i) + v (Seq.index ${rhs}.f_elements i))" ); - - lhs } #[inline(always)] -#[hax_lib::requires(fstar!(r#"forall i. i < 16 ==> +#[hax_lib::requires(fstar!(r#"forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"#))] -#[hax_lib::ensures(|result| fstar!(r#"forall i. i < 16 ==> - (v (Seq.index ${result}.f_elements i) == +#[hax_lib::ensures(|_| fstar!(r#"forall i. i < 16 ==> + (v (Seq.index ${lhs}_future.f_elements i) == v (Seq.index ${lhs}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"#))] -pub fn sub(mut lhs: PortableVector, rhs: &PortableVector) -> PortableVector { +pub(crate) fn sub(lhs: &mut PortableVector, rhs: &PortableVector) { #[cfg(hax)] - let _lhs0 = lhs; - + let _lhs0 = (*lhs).clone(); for i in 0..FIELD_ELEMENTS_IN_VECTOR { hax_lib::loop_invariant!(|i: usize| { fstar!( r#" - (forall j. j < v i ==> (Seq.index ${lhs}.f_elements j) == + (forall j. j < v i ==> (Seq.index ${lhs}.f_elements j) == (Seq.index ${_lhs0}.f_elements j) -! (Seq.index ${rhs}.f_elements j)) /\ (forall j. j >= v i ==> (Seq.index ${lhs}.f_elements j) == (Seq.index ${_lhs0}.f_elements j))"# ) 
@@ -108,25 +104,51 @@ pub fn sub(mut lhs: PortableVector, rhs: &PortableVector) -> PortableVector { "assert (forall i. v (Seq.index ${lhs}.f_elements i) == v (Seq.index ${_lhs0}.f_elements i) - v (Seq.index ${rhs}.f_elements i))" ); - - lhs } #[inline(always)] #[hax_lib::requires(fstar!(r#"forall i. i < 16 ==> + Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${vec}.f_elements i))"#))] +#[hax_lib::ensures(|_| fstar!(r#"forall i. i < 16 ==> + (v (Seq.index ${vec}_future.f_elements i) == + - v (Seq.index ${vec}.f_elements i))"#))] +pub(crate) fn negate(vec: &mut PortableVector) { + #[cfg(hax)] + let _vec0 = (*vec).clone(); + + for i in 0..FIELD_ELEMENTS_IN_VECTOR { + hax_lib::loop_invariant!(|i: usize| { + fstar!( + r#" + (forall j. j < v i ==> v (Seq.index ${vec}.f_elements j) == + - v (Seq.index ${_vec0}.f_elements j)) /\ + (forall j. j >= v i ==> (Seq.index ${vec}.f_elements j) == + (Seq.index ${_vec0}.f_elements j))"# + ) + }); + + vec.elements[i] = -vec.elements[i]; + } + hax_lib::fstar!( + "assert (forall i. v (Seq.index ${vec}.f_elements i) == + - v (Seq.index ${_vec0}.f_elements i))" + ); +} + +#[inline(always)] +#[hax_lib::requires(fstar!(r#"forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${vec}.f_elements i) * v c)"#))] -#[hax_lib::ensures(|result| fstar!(r#"forall i. i < 16 ==> - (v (Seq.index ${result}.f_elements i) == +#[hax_lib::ensures(|_| fstar!(r#"forall i. i < 16 ==> + (v (Seq.index ${vec}_future.f_elements i) == v (Seq.index ${vec}.f_elements i) * v c)"#))] -pub fn multiply_by_constant(mut vec: PortableVector, c: i16) -> PortableVector { +pub(crate) fn multiply_by_constant(vec: &mut PortableVector, c: i16) { #[cfg(hax)] - let _vec0 = vec; - + let _vec0 = (*vec).clone(); for i in 0..FIELD_ELEMENTS_IN_VECTOR { hax_lib::loop_invariant!(|i: usize| { fstar!( r#" - (forall j. j < v i ==> (Seq.index ${vec}.f_elements j) == + (forall j. j < v i ==> (Seq.index ${vec}.f_elements j) == (Seq.index ${_vec0}.f_elements j) *! c) /\ (forall j. 
j >= v i ==> (Seq.index ${vec}.f_elements j) == (Seq.index ${_vec0}.f_elements j))"# ) @@ -139,21 +161,18 @@ pub fn multiply_by_constant(mut vec: PortableVector, c: i16) -> PortableVector { "assert (forall i. v (Seq.index ${vec}.f_elements i) == v (Seq.index ${_vec0}.f_elements i) * v c)" ); - - vec } #[inline(always)] -#[hax_lib::ensures(|result| fstar!(r#"${result}.f_elements == Spec.Utils.map_array (fun x -> x &. c) (${vec}.f_elements)"#))] -pub fn bitwise_and_with_constant(mut vec: PortableVector, c: i16) -> PortableVector { +#[hax_lib::ensures(|_| fstar!(r#"${vec}_future.f_elements == Spec.Utils.map_array (fun x -> x &. c) (${vec}.f_elements)"#))] +pub(crate) fn bitwise_and_with_constant(vec: &mut PortableVector, c: i16) { #[cfg(hax)] - let _vec0 = vec; - + let _vec0 = (*vec).clone(); for i in 0..FIELD_ELEMENTS_IN_VECTOR { hax_lib::loop_invariant!(|i: usize| { fstar!( r#" - (forall j. j < v i ==> Seq.index ${vec}.f_elements j == + (forall j. j < v i ==> Seq.index ${vec}.f_elements j == (Seq.index ${_vec0}.f_elements j &. c)) /\ (forall j. j >= v i ==> Seq.index ${vec}.f_elements j == Seq.index ${_vec0}.f_elements j)"# ) 
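Review bot: `vec.elements[i] = -vec.elements[i];` in the new `negate` relies entirely on the `#[hax_lib::requires]` bound `is_intb (pow2 15 - 1)` to stay in range: assuming `elements` holds 16-bit signed values as that bound suggests, the one value it excludes is exactly the one whose negation does not fit, and an out-of-contract caller would get a debug-build overflow panic or a silent wrap in release builds. A comment on the loop body making that link explicit would help, e.g. `// Precondition excludes the minimum i16, so negation cannot overflow.` The `negate` function starts and ends inside this hunk.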
@@ -165,36 +184,31 @@ pub fn bitwise_and_with_constant(mut vec: PortableVector, c: i16) -> PortableVec hax_lib::fstar!( r#"Seq.lemma_eq_intro ${vec}.f_elements (Spec.Utils.map_array (fun x -> x &. c) ${_vec0}.f_elements)"# ); - - vec } #[inline(always)] #[hax_lib::requires(SHIFT_BY >= 0 && SHIFT_BY < 16)] -#[hax_lib::ensures(|result| fstar!(r#"(v_SHIFT_BY >=. (mk_i32 0) /\ v_SHIFT_BY <. (mk_i32 16)) ==> - ${result}.f_elements == Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (${vec}.f_elements)"#))] -pub fn shift_right(mut vec: PortableVector) -> PortableVector { +#[hax_lib::ensures(|_| fstar!(r#"(v_SHIFT_BY >=. (mk_i32 0) /\ v_SHIFT_BY <. (mk_i32 16)) ==> + ${vec}_future.f_elements == Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (${vec}.f_elements)"#))] +pub(crate) fn shift_right(vec: &mut PortableVector) { #[cfg(hax)] - let _vec0 = vec; - + let _vec0 = (*vec).clone(); for i in 0..FIELD_ELEMENTS_IN_VECTOR { hax_lib::loop_invariant!(|i: usize| { fstar!( r#" - (forall j. j < v i ==> Seq.index ${vec}.f_elements j == + (forall j. j < v i ==> Seq.index ${vec}.f_elements j == (Seq.index ${_vec0}.f_elements j >>! ${SHIFT_BY})) /\ (forall j. j >= v i ==> Seq.index ${vec}.f_elements j == Seq.index ${_vec0}.f_elements j)"# ) }); - vec.elements[i] = vec.elements[i] >> SHIFT_BY; + vec.elements[i] >>= SHIFT_BY; } hax_lib::fstar!( r#"Seq.lemma_eq_intro ${vec}.f_elements (Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) ${_vec0}.f_elements)"# ); - - vec } /// Note: This function is not secret independent 
@@ -202,17 +216,16 @@ pub fn shift_right(mut vec: PortableVector) -> PortableVect #[inline(always)] #[hax_lib::fstar::options("--z3rlimit 300")] #[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b_array (pow2 12 - 1) ${vec}.f_elements"#))] -#[hax_lib::ensures(|result| fstar!(r#"${result}.f_elements == Spec.Utils.map_array +#[hax_lib::ensures(|_| fstar!(r#"${vec}_future.f_elements == Spec.Utils.map_array (fun x -> if x >=. (mk_i16 3329) then x -! (mk_i16 3329) else x) (${vec}.f_elements)"#))] -pub fn cond_subtract_3329(mut vec: PortableVector) -> PortableVector { +pub(crate) fn cond_subtract_3329(vec: &mut PortableVector) { #[cfg(hax)] - let _vec0 = vec; - + let _vec0 = vec.clone(); for i in 0..FIELD_ELEMENTS_IN_VECTOR { hax_lib::loop_invariant!(|i: usize| { fstar!( r#" - (forall j. j < v i ==> Seq.index ${vec}.f_elements j == + (forall j. j < v i ==> Seq.index ${vec}.f_elements j == (let x = Seq.index ${_vec0}.f_elements j in if x >=. (mk_i16 3329) then x -! (mk_i16 3329) else x)) /\ (forall j. j >= v i ==> Seq.index ${vec}.f_elements j == Seq.index ${_vec0}.f_elements j)"# @@ -224,11 +237,9 @@ pub fn cond_subtract_3329(mut vec: PortableVector) -> PortableVector { } hax_lib::fstar!( - r#"Seq.lemma_eq_intro ${vec}.f_elements (Spec.Utils.map_array + r#"Seq.lemma_eq_intro ${vec}.f_elements (Spec.Utils.map_array (fun x -> if x >=. (mk_i16 3329) then x -! (mk_i16 3329) else x) ${_vec0}.f_elements)"# ); - - vec } /// Signed Barrett Reduction @@ -274,9 +285,9 @@ pub(crate) fn barrett_reduce_element(value: FieldElement) -> FieldElement { (==) {Math.Lemmas.lemma_mod_sub_distr (v value) (v quotient * 3329) 3329} (v value - (v quotient * 3329) % 3329) % 3329; (==) {Math.Lemmas.cancel_mul_mod (v quotient) 3329} - (v value - 0) % 3329; + (v value - 0) % 3329; (==) {} - (v value) % 3329; + (v value) % 3329; }" ); 
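Review bot: `let _vec0 = vec.clone();` in `cond_subtract_3329` (and likewise in `barrett_reduce` in the next hunk) differs in form from the `let _vec0 = (*vec).clone();` used by `add`, `sub`, `negate`, `multiply_by_constant`, `bitwise_and_with_constant`, `shift_right` and `montgomery_multiply_by_constant` in the same file. Since `&mut PortableVector` is not `Clone`, method resolution auto-derefs and both spellings clone the vector, so behaviour is the same, but the explicit `(*vec).clone()` states the intent and should be used consistently across the file.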
@@ -286,13 +297,12 @@ pub(crate) fn barrett_reduce_element(value: FieldElement) -> FieldElement { #[inline(always)] #[hax_lib::fstar::options("--z3rlimit 150")] #[cfg_attr(hax, hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b_array 28296 ${vec}.f_elements"#)))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 ${result}.f_elements /\ - (forall i. (v (Seq.index ${result}.f_elements i) % 3329) == +#[cfg_attr(hax, hax_lib::ensures(|_| fstar!(r#"Spec.Utils.is_i16b_array 3328 ${vec}_future.f_elements /\ + (forall i. (v (Seq.index ${vec}_future.f_elements i) % 3329) == (v (Seq.index ${vec}.f_elements i) % 3329))"#)))] -pub(crate) fn barrett_reduce(mut vec: PortableVector) -> PortableVector { +pub(crate) fn barrett_reduce(vec: &mut PortableVector) { #[cfg(hax)] - let _vec0 = vec; - + let _vec0 = vec.clone(); for i in 0..FIELD_ELEMENTS_IN_VECTOR { hax_lib::loop_invariant!(|i: usize| { fstar!( @@ -315,7 +325,6 @@ pub(crate) fn barrett_reduce(mut vec: PortableVector) -> PortableVector { assert (forall j. j < v i + 1 ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j))"# ); } - vec } /// Signed Montgomery Reduction @@ -368,7 +377,7 @@ pub(crate) fn montgomery_reduce_element(value: I32) -> MontgomeryFieldElement { "assert (v k_times_modulus < pow2 31); assert (v k_times_modulus / pow2 16 < pow2 15); assert (v c == (v k_times_modulus / pow2 16) @% pow2 16); - assert(v c == v k_times_modulus / pow2 16); + assert(v c == v k_times_modulus / pow2 16); assert(Spec.Utils.is_i16b 1665 c)" ); 
@@ -379,7 +388,7 @@ pub(crate) fn montgomery_reduce_element(value: I32) -> MontgomeryFieldElement { assert (v value / pow2 16 < pow2 15); assert (v value_high == (v value / pow2 16) @% pow2 16); Spec.Utils.lemma_div_at_percent (v value) (pow2 16); - assert (v value_high == (v value / pow2 16)); + assert (v value_high == (v value / pow2 16)); assert(Spec.Utils.is_i32b (3328 * 3328) value ==> Spec.Utils.is_i16b 169 value_high); assert(Spec.Utils.is_i16b 3328 value_high)"# ); @@ -429,9 +438,9 @@ pub(crate) fn montgomery_reduce_element(value: I32) -> MontgomeryFieldElement { ( == ) { Math.Lemmas.lemma_div_exact (v value - v k_times_modulus) (pow2 16)} ((v value - v k_times_modulus) * 169) % 3329; ( == ) { assert (v k_times_modulus == (v k @% pow2 16) * 3329) } - ((v value * 169) - ((v k @% pow2 16) * 3329 * 169)) % 3329; + ((v value * 169) - ((v k @% pow2 16) * 3329 * 169)) % 3329; ( == ) { Math.Lemmas.lemma_mod_sub (v value * 169) 3329 ((v k @% pow2 16) * 169)} - (v value * 169) % 3329; + (v value * 169) % 3329; }"# ); @@ -464,14 +473,14 @@ pub(crate) fn montgomery_multiply_fe_by_fer( #[inline(always)] #[hax_lib::fstar::options("--z3rlimit 150")] #[cfg_attr(hax, hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 c"#)))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(r#" -Spec.Utils.is_i16b_array 3328 ${result}.f_elements /\ -(forall i. i < 16 ==> - (v (Seq.index ${result}.f_elements i) % 3329 == +#[cfg_attr(hax, hax_lib::ensures(|_| fstar!(r#" +Spec.Utils.is_i16b_array 3328 ${vec}_future.f_elements /\ +(forall i. i < 16 ==> + (v (Seq.index ${vec}_future.f_elements i) % 3329 == (v (Seq.index ${vec}.f_elements i) * v c * 169) %3329))"#)))] -pub(crate) fn montgomery_multiply_by_constant(mut vec: PortableVector, c: I16) -> PortableVector { - let _vec0 = vec; - +pub(crate) fn montgomery_multiply_by_constant(vec: &mut PortableVector, c: I16) { + #[cfg(hax)] + let _vec0 = (*vec).clone(); for i in 0..FIELD_ELEMENTS_IN_VECTOR { hax_lib::loop_invariant!(|i: usize| { fstar!( 
@@ -486,7 +495,6 @@ pub(crate) fn montgomery_multiply_by_constant(mut vec: PortableVector, c: I16) - vec.elements[i] = montgomery_multiply_fe_by_fer(vec.elements[i], c) } - vec } #[hax_lib::fstar::options("--z3rlimit 300")] @@ -496,8 +504,10 @@ pub(crate) fn montgomery_multiply_by_constant(mut vec: PortableVector, c: I16) - let y = Seq.index ${result}.f_elements i in (v y >= 0 /\ v y <= 3328 /\ (v y % 3329 == v x % 3329)))"#))] #[inline(always)] -pub(crate) fn to_unsigned_representative(a: PortableVector) -> PortableVector { - let t = shift_right::<15>(a); +pub(crate) fn to_unsigned_representative(mut a: PortableVector) -> PortableVector { + // XXX: Making the clone explicit, since we would like to drop `Vector: Copy` in the future. + let mut t = a.clone(); + shift_right::<15>(&mut t); hax_lib::fstar!( r#" @@ -507,15 +517,17 @@ pub(crate) fn to_unsigned_representative(a: PortableVector) -> PortableVector { "# ); - let fm = bitwise_and_with_constant(t, FIELD_MODULUS); + bitwise_and_with_constant(&mut t, FIELD_MODULUS); - hax_lib::fstar!( - r#" - assert (forall i. Seq.index ${fm}.f_elements i == (Seq.index ${t}.f_elements i &. Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS)); - assert (forall i. Seq.index ${a}.f_elements i >=. mk_i16 0 ==> Seq.index ${fm}.f_elements i == mk_i16 0); - assert (forall i. Seq.index ${a}.f_elements i <. mk_i16 0 ==> Seq.index ${fm}.f_elements i == mk_i16 3329) - "# - ); + // XXX: The temporary variable `fm` does not exist anymore. + // hax_lib::fstar!( + // r#" + // assert (forall i. Seq.index ${fm}.f_elements i == (Seq.index ${t}.f_elements i &. Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS)); + // assert (forall i. Seq.index ${a}.f_elements i >=. mk_i16 0 ==> Seq.index ${fm}.f_elements i == mk_i16 0); + // assert (forall i. Seq.index ${a}.f_elements i <. mk_i16 0 ==> Seq.index ${fm}.f_elements i == mk_i16 3329) + // "# + // ); - add(a, &fm) + add(&mut a, &t); + a } 
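Review bot: The `to_unsigned_representative` hunk commits a commented-out `hax_lib::fstar!` block under `// XXX: The temporary variable fm does not exist anymore.`, which is dead code in the tree. After `bitwise_and_with_constant(&mut t, FIELD_MODULUS);`, `t` holds what `fm` held before, so the second and third assertions can be restated with `${t}` in place of `${fm}`; the first compared `fm` with the pre-AND value of `t`, which no longer exists as a separate binding, so it would need a `cfg(hax)` copy taken before the AND, the way the arithmetic functions keep `_vec0`. If the assertions are not needed for the proof, the block should be deleted rather than left commented out. `to_unsigned_representative` begins in the preceding hunk.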
diff --git a/libcrux-ml-kem/src/vector/portable/compress.rs b/libcrux-ml-kem/src/vector/portable/compress.rs index c4be0130b..828e4ba8b 100644 --- a/libcrux-ml-kem/src/vector/portable/compress.rs +++ b/libcrux-ml-kem/src/vector/portable/compress.rs @@ -117,7 +117,7 @@ pub(crate) fn compress_ciphertext_coefficient(coefficient_bits: u8, fe: U16) -> // This has to be constant time due to: // https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/ldX0ThYJuBo/m/ovODsdY7AwAJ let mut compressed = (fe.as_u64()) << coefficient_bits; - compressed += 1664 as u64; + compressed += 1664; compressed *= 10_321_340; compressed >>= 35; @@ -142,10 +142,10 @@ let compress_message_coefficient_range_helper (fe: u16) : Lemma #[hax_lib::fstar::options("--fuel 0 --ifuel 0 --z3rlimit 200")] #[hax_lib::requires(fstar!(r#"forall (i:nat). i < 16 ==> v (Seq.index ${a}.f_elements i) >= 0 /\ v (Seq.index ${a}.f_elements i) < 3329"#))] -#[hax_lib::ensures(|result| fstar!(r#"forall (i:nat). i < 16 ==> - v (${result}.f_elements.[ sz i ] <: i16) >= 0 /\ - v (${result}.f_elements.[ sz i ] <: i16) < 2"#))] -pub(crate) fn compress_1(mut a: PortableVector) -> PortableVector { +#[hax_lib::ensures(|_| fstar!(r#"forall (i:nat). i < 16 ==> + v (${a}_future.f_elements.[ sz i ] <: i16) >= 0 /\ + v (${a}_future.f_elements.[ sz i ] <: i16) < 2"#))] +pub(crate) fn compress_1(a: &mut PortableVector) { hax_lib::fstar!( "assert (forall (i:nat). i < 16 ==> (cast (${a}.f_elements.[ sz i ]) <: u16) <. (cast ($FIELD_MODULUS) <: u16))" @@ -177,8 +177,6 @@ pub(crate) fn compress_1(mut a: PortableVector) -> PortableVector { r#"assert (forall (i:nat). i < 16 ==> v (${a}.f_elements.[ sz i ] <: i16) >= 0 /\ v (${a}.f_elements.[ sz i ] <: i16) < 2)"# ); - - a } #[inline(always)] 
@@ -187,13 +185,13 @@ pub(crate) fn compress_1(mut a: PortableVector) -> PortableVector { v $COEFFICIENT_BITS == 5 \/ v $COEFFICIENT_BITS == 10 \/ v $COEFFICIENT_BITS == 11) /\ - (forall (i:nat). i < 16 ==> - (v (Seq.index ${a}.f_elements i) >= 0 /\ - v (Seq.index ${a}.f_elements i) < 3329))"#))] -#[hax_lib::ensures(|result| fstar!(r#"forall (i:nat). i < 16 ==> - (v (${result}.f_elements.[ sz i ] <: i16) >= 0 /\ - v (${result}.f_elements.[ sz i ] <: i16) < pow2 (v $COEFFICIENT_BITS)))"#))] -pub(crate) fn compress(mut a: PortableVector) -> PortableVector { + (forall (i:nat). i < 16 ==> + v (Seq.index ${a}.f_elements i) >= 0 /\ + v (Seq.index ${a}.f_elements i) < 3329)"#))] +#[hax_lib::ensures(|_| fstar!(r#"forall (i:nat). i < 16 ==> + v (${a}_future.f_elements.[ sz i ] <: i16) >= 0 /\ + v (${a}_future.f_elements.[ sz i ] <: i16) < pow2 (v $COEFFICIENT_BITS))"#))] +pub(crate) fn compress(a: &mut PortableVector) { hax_lib::fstar!( "assert (v (cast ($COEFFICIENT_BITS) <: u8) == v $COEFFICIENT_BITS); assert (v (cast ($COEFFICIENT_BITS) <: u32) == v $COEFFICIENT_BITS); @@ -229,8 +227,6 @@ pub(crate) fn compress(mut a: PortableVector) -> Po (v (${a}.f_elements.[ sz i ] <: i16) >= 0 /\ v (${a}.f_elements.[ sz i ] <: i16) < pow2 (v $COEFFICIENT_BITS)))"# ); - - a } #[hax_lib::fstar::options("--z3rlimit 200 --split_queries always")] @@ -240,10 +236,7 @@ pub(crate) fn compress(mut a: PortableVector) -> Po (let res_i = v (Seq.index ${result}.f_elements i) in res_i == 0 \/ res_i == 1665)"#))] #[inline(always)] -pub(crate) fn decompress_1(a: PortableVector) -> PortableVector { - let z = zero(); - - hax_lib::fstar!("assert(forall i. Seq.index ${z}.f_elements i == mk_i16 0)"); +pub(crate) fn decompress_1(mut a: PortableVector) -> PortableVector { hax_lib::fstar!( r#"assert(forall i. let x = Seq.index ${a}.f_elements i in ((0 - v x) == 0 \/ (0 - v x) == -1))"# 
@@ -254,21 +247,21 @@ pub(crate) fn decompress_1(a: PortableVector) -> PortableVector { (0 - v (Seq.index ${a}.f_elements i)))"# ); - let s = sub(z, &a); + negate(&mut a); hax_lib::fstar!( - r#"assert(forall i. Seq.index ${s}.f_elements i == mk_i16 0 \/ - Seq.index ${s}.f_elements i == mk_i16 (-1))"# + r#"assert(forall i. Seq.index ${a}.f_elements i == mk_i16 0 \/ + Seq.index ${a}.f_elements i == mk_i16 (-1))"# ); - let res = bitwise_and_with_constant(s, 1665); + bitwise_and_with_constant(&mut a, 1665); hax_lib::fstar!( - r#"assert(forall i. Seq.index ${res}.f_elements i == mk_i16 0 \/ - Seq.index ${res}.f_elements i == mk_i16 1665)"# + r#"assert(forall i. Seq.index ${a}.f_elements i == mk_i16 0 \/ + Seq.index ${a}.f_elements i == mk_i16 1665)"# ); - res + a } #[inline(always)] @@ -279,12 +272,12 @@ pub(crate) fn decompress_1(a: PortableVector) -> PortableVector { v $COEFFICIENT_BITS == 11) /\ (forall (i:nat). i < 16 ==> v (Seq.index ${a}.f_elements i) >= 0 /\ v (Seq.index ${a}.f_elements i) < pow2 (v $COEFFICIENT_BITS))"#))] -#[hax_lib::ensures(|result| fstar!(r#"forall (i:nat). i < 16 ==> - (let res_i = v (Seq.index ${result}.f_elements i) in +#[hax_lib::ensures(|_| fstar!(r#"forall (i:nat). i < 16 ==> + (let res_i = v (Seq.index ${a}_future.f_elements i) in res_i >= 0 /\ res_i < v $FIELD_MODULUS)"#))] pub(crate) fn decompress_ciphertext_coefficient( - mut a: PortableVector, -) -> PortableVector { + a: &mut PortableVector, +) { hax_lib::fstar!( "assert_norm (pow2 1 == 2); assert_norm (pow2 4 == 16); @@ -331,7 +324,7 @@ pub(crate) fn decompress_ciphertext_coefficient( v $decompressed / pow2 (v $COEFFICIENT_BITS + 1))" ); - decompressed = decompressed >> (COEFFICIENT_BITS + 1); + decompressed >>= COEFFICIENT_BITS + 1; hax_lib::fstar!( "assert (v $decompressed < v $FIELD_MODULUS); @@ -340,6 +333,4 @@ pub(crate) fn decompress_ciphertext_coefficient( a.elements[i] = decompressed.as_i16(); } - - a } 
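Review bot: The switch from `sub(z, &a)` to `negate(&mut a)` relies on every element of `a` being 0 or 1 so that negation stays inside i16, but nothing in the Rust code records that; `negate`'s own contract is not visible here and `-i16::MIN` would overflow (panic in debug, wrap in release) if the range were ever wider. The F* assertion in the preceding hunk does establish `(0 - v x) == 0 \/ (0 - v x) == -1`, and the assertions here pin {0,-1} and {0,1665}, so a one-line source comment would make the reasoning visible to readers of the Rust code: `// a[i] ∈ {0,1} (see assertion above), so -a[i] ∈ {0,-1}; & 1665 then selects 0 or 1665 without a branch.` Both steps are data-independent, so the constant-time property of the old `sub` formulation is preserved as far as the visible code shows.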
diff --git a/libcrux-ml-kem/src/vector/portable/ntt.rs b/libcrux-ml-kem/src/vector/portable/ntt.rs index 43765462b..dd535d0f1 100644 --- a/libcrux-ml-kem/src/vector/portable/ntt.rs +++ b/libcrux-ml-kem/src/vector/portable/ntt.rs @@ -9,7 +9,7 @@ use libcrux_secrets::*; Spec.Utils.is_i16b_array (11207 + 6 * 3328) vec.f_elements /\ Spec.Utils.is_i16b (11207 + 5*3328) vec.f_elements.[i] /\ Spec.Utils.is_i16b (11207 + 5*3328) vec.f_elements.[j]"#))] -#[hax_lib::ensures(|result| fstar!(r#"(forall k. (k <> v i /\ k <> v j) ==> +#[hax_lib::ensures(|_| fstar!(r#"(forall k. (k <> v i /\ k <> v j) ==> Seq.index ${vec}_future.f_elements k == Seq.index ${vec}.f_elements k) /\ (forall b. (Spec.Utils.is_i16b b ${vec}.f_elements.[i] /\ Spec.Utils.is_i16b b ${vec}.f_elements.[j]) ==> 
@@ -64,57 +64,54 @@ pub(crate) fn ntt_step(vec: &mut PortableVector, zeta: i16, i: usize, j: usize) #[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ Spec.Utils.is_i16b_array (11207+5*3328) ${vec}.f_elements"#))] -#[hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array (11207+6*3328) ${result}.f_elements"#))] +#[hax_lib::ensures(|_| fstar!(r#"Spec.Utils.is_i16b_array (11207+6*3328) ${vec}_future.f_elements"#))] pub(crate) fn ntt_layer_1_step( - mut vec: PortableVector, + vec: &mut PortableVector, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16, -) -> PortableVector { - ntt_step(&mut vec, zeta0, 0, 2); - ntt_step(&mut vec, zeta0, 1, 3); - ntt_step(&mut vec, zeta1, 4, 6); - ntt_step(&mut vec, zeta1, 5, 7); - ntt_step(&mut vec, zeta2, 8, 10); - ntt_step(&mut vec, zeta2, 9, 11); - ntt_step(&mut vec, zeta3, 12, 14); - ntt_step(&mut vec, zeta3, 13, 15); - vec +) { + ntt_step(vec, zeta0, 0, 2); + ntt_step(vec, zeta0, 1, 3); + ntt_step(vec, zeta1, 4, 6); + ntt_step(vec, zeta1, 5, 7); + ntt_step(vec, zeta2, 8, 10); + ntt_step(vec, zeta2, 9, 11); + ntt_step(vec, zeta3, 12, 14); + ntt_step(vec, zeta3, 13, 15); } #[inline(always)] #[hax_lib::fstar::options("--z3rlimit 100")] #[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ Spec.Utils.is_i16b_array (11207+4*3328) ${vec}.f_elements"#))] -#[hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array (11207+5*3328) ${result}.f_elements"#))] -pub(crate) fn ntt_layer_2_step(mut vec: PortableVector, zeta0: i16, zeta1: i16) -> PortableVector { - ntt_step(&mut vec, zeta0, 0, 4); - ntt_step(&mut vec, zeta0, 1, 5); - ntt_step(&mut vec, zeta0, 2, 6); - ntt_step(&mut vec, zeta0, 3, 7); - ntt_step(&mut vec, zeta1, 8, 12); - ntt_step(&mut vec, zeta1, 9, 13); - ntt_step(&mut vec, zeta1, 10, 14); - ntt_step(&mut vec, zeta1, 11, 15); - vec +#[hax_lib::ensures(|_| 
fstar!(r#"Spec.Utils.is_i16b_array (11207+5*3328) ${vec}_future.f_elements"#))] +pub(crate) fn ntt_layer_2_step(vec: &mut PortableVector, zeta0: i16, zeta1: i16) { + ntt_step(vec, zeta0, 0, 4); + ntt_step(vec, zeta0, 1, 5); + ntt_step(vec, zeta0, 2, 6); + ntt_step(vec, zeta0, 3, 7); + ntt_step(vec, zeta1, 8, 12); + ntt_step(vec, zeta1, 9, 13); + ntt_step(vec, zeta1, 10, 14); + ntt_step(vec, zeta1, 11, 15); } #[inline(always)] #[hax_lib::fstar::options("--z3rlimit 100")] #[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array (11207+3*3328) ${vec}.f_elements"#))] -#[hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array (11207+4*3328) ${result}.f_elements"#))] -pub(crate) fn ntt_layer_3_step(mut vec: PortableVector, zeta: i16) -> PortableVector { - ntt_step(&mut vec, zeta, 0, 8); - ntt_step(&mut vec, zeta, 1, 9); - ntt_step(&mut vec, zeta, 2, 10); - ntt_step(&mut vec, zeta, 3, 11); - ntt_step(&mut vec, zeta, 4, 12); - ntt_step(&mut vec, zeta, 5, 13); - ntt_step(&mut vec, zeta, 6, 14); - ntt_step(&mut vec, zeta, 7, 15); - vec +#[hax_lib::ensures(|_| fstar!(r#"Spec.Utils.is_i16b_array (11207+4*3328) ${vec}_future.f_elements"#))] +pub(crate) fn ntt_layer_3_step(vec: &mut PortableVector, zeta: i16) { + ntt_step(vec, zeta, 0, 8); + ntt_step(vec, zeta, 1, 9); + ntt_step(vec, zeta, 2, 10); + ntt_step(vec, zeta, 3, 11); + ntt_step(vec, zeta, 4, 12); + ntt_step(vec, zeta, 5, 13); + ntt_step(vec, zeta, 6, 14); + ntt_step(vec, zeta, 7, 15); } #[inline(always)] 
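Review bot: The three layer functions still carry no doc comment after becoming in-place, and their contract — which index pairs share a zeta, and that the coefficient bound grows by one 3328 step per layer, as the requires/ensures pairs (11207+5*3328)→(11207+6*3328), (+4)→(+5) and (+3)→(+4) show — is only readable from the F* attributes. A short `///` on each, e.g. `/// In-place NTT layer-1 butterflies on `vec`: pairs (0,2),(1,3) use zeta0, (4,6),(5,7) zeta1, (8,10),(9,11) zeta2, (12,14),(13,15) zeta3; each element bound grows by 3328.` for ntt_layer_1_step, would help callers now that nothing is returned. The same applies to ntt_layer_2_step and ntt_layer_3_step in this hunk.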
@@ -122,7 +119,7 @@ pub(crate) fn ntt_layer_3_step(mut vec: PortableVector, zeta: i16) -> PortableVe #[hax_lib::requires(fstar!(r#"v i < 16 /\ v j < 16 /\ v i <> v j /\ Spec.Utils.is_i16b 1664 $zeta /\ Spec.Utils.is_i16b_array (4*3328) ${vec}.f_elements"#))] -#[hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array (4*3328) ${vec}_future.f_elements /\ +#[hax_lib::ensures(|_| fstar!(r#"Spec.Utils.is_i16b_array (4*3328) ${vec}_future.f_elements /\ (forall k. (k <> v i /\ k <> v j) ==> Seq.index ${vec}_future.f_elements k == Seq.index ${vec}.f_elements k) /\ Spec.Utils.is_i16b 3328 (Seq.index ${vec}_future.f_elements (v i)) /\ 
@@ -167,22 +164,22 @@ pub(crate) fn inv_ntt_step(vec: &mut PortableVector, zeta: i16, i: usize, j: usi #[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ Spec.Utils.is_i16b_array (4*3328) ${vec}.f_elements"#))] -#[hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 ${result}.f_elements"#))] +#[hax_lib::ensures(|_| fstar!(r#"Spec.Utils.is_i16b_array 3328 ${vec}_future.f_elements"#))] pub(crate) fn inv_ntt_layer_1_step( - mut vec: PortableVector, + vec: &mut PortableVector, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16, -) -> PortableVector { - inv_ntt_step(&mut vec, zeta0, 0, 2); - inv_ntt_step(&mut vec, zeta0, 1, 3); - inv_ntt_step(&mut vec, zeta1, 4, 6); - inv_ntt_step(&mut vec, zeta1, 5, 7); - inv_ntt_step(&mut vec, zeta2, 8, 10); - inv_ntt_step(&mut vec, zeta2, 9, 11); - inv_ntt_step(&mut vec, zeta3, 12, 14); - inv_ntt_step(&mut vec, zeta3, 13, 15); +) { + inv_ntt_step(vec, zeta0, 0, 2); + inv_ntt_step(vec, zeta0, 1, 3); + inv_ntt_step(vec, zeta1, 4, 6); + inv_ntt_step(vec, zeta1, 5, 7); + inv_ntt_step(vec, zeta2, 8, 10); + inv_ntt_step(vec, zeta2, 9, 11); + inv_ntt_step(vec, zeta3, 12, 14); + inv_ntt_step(vec, zeta3, 13, 15); hax_lib::fstar!( r#"assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 13)); assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 15)); 
@@ -202,45 +199,38 @@ pub(crate) fn inv_ntt_layer_1_step( assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 2)); assert (forall (i:nat). i < 16 ==> Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements i))"# ); - vec } #[inline(always)] #[hax_lib::fstar::options("--z3rlimit 100")] #[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ Spec.Utils.is_i16b_array 3328 ${vec}.f_elements"#))] -#[hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 ${result}.f_elements"#))] -pub(crate) fn inv_ntt_layer_2_step( - mut vec: PortableVector, - zeta0: i16, - zeta1: i16, -) -> PortableVector { - inv_ntt_step(&mut vec, zeta0, 0, 4); - inv_ntt_step(&mut vec, zeta0, 1, 5); - inv_ntt_step(&mut vec, zeta0, 2, 6); - inv_ntt_step(&mut vec, zeta0, 3, 7); - inv_ntt_step(&mut vec, zeta1, 8, 12); - inv_ntt_step(&mut vec, zeta1, 9, 13); - inv_ntt_step(&mut vec, zeta1, 10, 14); - inv_ntt_step(&mut vec, zeta1, 11, 15); - vec +#[hax_lib::ensures(|_| fstar!(r#"Spec.Utils.is_i16b_array 3328 ${vec}_future.f_elements"#))] +pub(crate) fn inv_ntt_layer_2_step(vec: &mut PortableVector, zeta0: i16, zeta1: i16) { + inv_ntt_step(vec, zeta0, 0, 4); + inv_ntt_step(vec, zeta0, 1, 5); + inv_ntt_step(vec, zeta0, 2, 6); + inv_ntt_step(vec, zeta0, 3, 7); + inv_ntt_step(vec, zeta1, 8, 12); + inv_ntt_step(vec, zeta1, 9, 13); + inv_ntt_step(vec, zeta1, 10, 14); + inv_ntt_step(vec, zeta1, 11, 15); } #[inline(always)] #[hax_lib::fstar::options("--z3rlimit 100")] #[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array 3328 ${vec}.f_elements"#))] -#[hax_lib::ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 ${result}.f_elements"#))] -pub(crate) fn inv_ntt_layer_3_step(mut vec: PortableVector, zeta: i16) -> PortableVector { - inv_ntt_step(&mut vec, zeta, 0, 8); - inv_ntt_step(&mut vec, zeta, 1, 9); - inv_ntt_step(&mut vec, zeta, 2, 10); - inv_ntt_step(&mut vec, zeta, 3, 11); - inv_ntt_step(&mut vec, zeta, 4, 12); - 
inv_ntt_step(&mut vec, zeta, 5, 13); - inv_ntt_step(&mut vec, zeta, 6, 14); - inv_ntt_step(&mut vec, zeta, 7, 15); - vec +#[hax_lib::ensures(|_| fstar!(r#"Spec.Utils.is_i16b_array 3328 ${vec}_future.f_elements"#))] +pub(crate) fn inv_ntt_layer_3_step(vec: &mut PortableVector, zeta: i16) { + inv_ntt_step(vec, zeta, 0, 8); + inv_ntt_step(vec, zeta, 1, 9); + inv_ntt_step(vec, zeta, 2, 10); + inv_ntt_step(vec, zeta, 3, 11); + inv_ntt_step(vec, zeta, 4, 12); + inv_ntt_step(vec, zeta, 5, 13); + inv_ntt_step(vec, zeta, 6, 14); + inv_ntt_step(vec, zeta, 7, 15); } /// Compute the product of two Kyber binomials with respect to the @@ -281,6 +271,8 @@ pub(crate) fn inv_ntt_layer_3_step(mut vec: PortableVector, zeta: i16) -> Portab let bj = Seq.index b.f_elements (2 * v i + 1) in let oi = Seq.index out_future.f_elements (2 * v i) in let oj = Seq.index out_future.f_elements (2 * v i + 1) in + Spec.Utils.is_i16b 3328 oi /\ + Spec.Utils.is_i16b 3328 oj /\ ((v oi % 3329) == (((v ai * v bi + (v aj * v bj * v zeta * 169)) * 169) % 3329)) /\ ((v oj % 3329) == (((v ai * v bj + v aj * v bi) * 169) % 3329)) "# @@ -288,10 +280,8 @@ pub(crate) fn inv_ntt_layer_3_step(mut vec: PortableVector, zeta: i16) -> Portab #[hax_lib::fstar::before("[@@ \"opaque_to_smt\"]")] #[hax_lib::requires(fstar!(r#"v i < 8 /\ Spec.Utils.is_i16b 1664 $zeta /\ Spec.Utils.is_i16b_array 3328 ${a}.f_elements /\ - Spec.Utils.is_i16b_array 3328 ${b}.f_elements /\ - Spec.Utils.is_i16b_array 3328 ${out}.f_elements "#))] -#[hax_lib::ensures(|()| fstar!(r#" - Spec.Utils.is_i16b_array 3328 ${out}_future.f_elements /\ + Spec.Utils.is_i16b_array 3328 ${b}.f_elements"#))] +#[hax_lib::ensures(|_| fstar!(r#" Spec.Utils.modifies2_16 ${out}.f_elements ${out}_future.f_elements (sz 2 *! $i) ((sz 2 *! $i) +! sz 1) /\ ntt_multiply_binomials_post ${a} ${b} ${zeta} ${i} ${out}_future"#))] pub(crate) fn ntt_multiply_binomials( 
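Review bot: With `Spec.Utils.is_i16b_array 3328 ${out}.f_elements` removed from the requires and the array-level bound dropped from the ensures, ntt_multiply_binomials now accepts an `out` with arbitrary prior contents and only constrains indices 2i and 2i+1 (via `modifies2_16` plus the new `is_i16b 3328 oi /\ is_i16b 3328 oj` conjuncts added to ntt_multiply_binomials_post in the previous hunk). That is a reasonable contract, but the `/// Compute the product of two Kyber binomials` doc comment above the attribute block says nothing about `out`; adding `/// Writes only out[2*i] and out[2*i+1]; the rest of `out` is left untouched and need not be bounded or initialised.` would stop a caller from assuming the whole vector is bounded after one call. The function body starts after this hunk.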
@@ -402,7 +392,8 @@ pub(crate) fn ntt_multiply_binomials( hax_lib::fstar!( r#"assert (Seq.index out.f_elements (2 * v i) == o0); assert (Seq.index out.f_elements (2 * v i + 1) == o1); - assert (Spec.Utils.is_i16b_array 3328 out.f_elements); + assert (Spec.Utils.is_i16b 3328 o0); + assert (Spec.Utils.is_i16b 3328 o1); assert (forall k. (k <> 2 * v i /\ k <> 2 * v i + 1) ==> Seq.index out.f_elements k == Seq.index ${_out0} k)"# 
@@ -410,41 +401,31 @@ pub(crate) fn ntt_multiply_binomials( } #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 800 --split_queries always")] +#[hax_lib::fstar::options("--z3rlimit 400 --split_queries always")] #[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 $zeta0 /\ Spec.Utils.is_i16b 1664 $zeta1 /\ Spec.Utils.is_i16b 1664 $zeta2 /\ Spec.Utils.is_i16b 1664 $zeta3 /\ Spec.Utils.is_i16b_array 3328 ${lhs}.f_elements /\ Spec.Utils.is_i16b_array 3328 ${rhs}.f_elements "#))] -#[hax_lib::ensures(|result| fstar!(r#" - Spec.Utils.is_i16b_array 3328 ${result}.f_elements /\ - (let nzeta0:i16 = Core.Ops.Arith.f_neg zeta0 in - let nzeta1:i16 = Core.Ops.Arith.f_neg zeta1 in - let nzeta2:i16 = Core.Ops.Arith.f_neg zeta2 in - let nzeta3:i16 = Core.Ops.Arith.f_neg zeta3 in - let zetas = - Seq.seq_of_list [ - zeta0; - nzeta0; - zeta1; - nzeta1; - zeta2; - nzeta2; - zeta3; - nzeta3 - ] - in - Spec.Utils.forall8 (fun i -> ntt_multiply_binomials_post ${lhs} ${rhs} (Seq.index zetas i) (sz i) $result)) -"#))] +#[hax_lib::ensures(|_| fstar!(r#" + Spec.Utils.is_i16b_array 3328 ${out}_future.f_elements /\ + (let zetas = Seq.seq_of_list + [$zeta0; neg $zeta0; + $zeta1; neg $zeta1; + $zeta2; neg $zeta2; + $zeta3; neg zeta3] in + (forall (i:nat). i < 8 ==> + ntt_multiply_binomials_post ${lhs} ${rhs} (Seq.index zetas i) (sz i) ${out}_future))"#))] pub(crate) fn ntt_multiply( lhs: &PortableVector, rhs: &PortableVector, + out: &mut PortableVector, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16, -) -> PortableVector { +) { let nzeta0 = -zeta0; let nzeta1 = -zeta1; let nzeta2 = -zeta2; 
@@ -453,23 +434,32 @@ pub(crate) fn ntt_multiply( hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b 1664 nzeta1)"#); hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b 1664 nzeta2)"#); hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b 1664 nzeta3)"#); - let mut out = zero(); - hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"#); - ntt_multiply_binomials(lhs, rhs, zeta0.classify(), 0, &mut out); - hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"#); - ntt_multiply_binomials(lhs, rhs, nzeta0.classify(), 1, &mut out); - hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"#); - ntt_multiply_binomials(lhs, rhs, zeta1.classify(), 2, &mut out); - hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"#); - ntt_multiply_binomials(lhs, rhs, nzeta1.classify(), 3, &mut out); - hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"#); - ntt_multiply_binomials(lhs, rhs, zeta2.classify(), 4, &mut out); - hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"#); - ntt_multiply_binomials(lhs, rhs, nzeta2.classify(), 5, &mut out); - hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"#); - ntt_multiply_binomials(lhs, rhs, zeta3.classify(), 6, &mut out); - hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"#); - ntt_multiply_binomials(lhs, rhs, nzeta3.classify(), 7, &mut out); - hax_lib::fstar!(r#"assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"#); - out + ntt_multiply_binomials(lhs, rhs, zeta0.classify(), 0, out); + ntt_multiply_binomials(lhs, rhs, nzeta0.classify(), 1, out); + ntt_multiply_binomials(lhs, rhs, zeta1.classify(), 2, out); + ntt_multiply_binomials(lhs, rhs, nzeta1.classify(), 3, out); + ntt_multiply_binomials(lhs, rhs, zeta2.classify(), 4, out); + ntt_multiply_binomials(lhs, rhs, nzeta2.classify(), 5, out); + ntt_multiply_binomials(lhs, rhs, zeta3.classify(), 6, out); + ntt_multiply_binomials(lhs, rhs, 
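Review bot: In the new ensures of ntt_multiply the zeta list reads `$zeta3; neg zeta3]` while every other entry uses the interpolated form (`neg $zeta0`, `neg $zeta1`, `neg $zeta2`); the bare `zeta3` presumably resolves to the same F* binder, but it is the only unescaped name in the list and will be the first thing to break if the parameter is ever renamed. Please make it `$zeta3; neg $zeta3] in`. The rest of the function (the nzeta* definitions and the binomial calls) continues in the next hunk.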
nzeta3.classify(), 7, out); + hax_lib::fstar!( + r#" + assert (let zetas = + Seq.seq_of_list [ + $zeta0; + $nzeta0; + $zeta1; + $nzeta1; + $zeta2; + $nzeta2; + $zeta3; + $nzeta3 + ] in + Spec.Utils.forall8 (fun i -> + ntt_multiply_binomials_post $lhs $rhs (Seq.index zetas i) (sz i) $out)); + assert (Spec.Utils.forall16 (fun i -> + Spec.Utils.is_i16b 3328 (Seq.index ${out}.f_elements i))) + + "# + ) } diff --git a/libcrux-ml-kem/src/vector/portable/sampling.rs b/libcrux-ml-kem/src/vector/portable/sampling.rs index 8ca4b6885..6bc76caef 100644 --- a/libcrux-ml-kem/src/vector/portable/sampling.rs +++ b/libcrux-ml-kem/src/vector/portable/sampling.rs @@ -12,7 +12,7 @@ pub(crate) fn rej_sample(a: &[u8], result: &mut [i16]) -> usize { fstar!(r#"Seq.length result == 16 /\ v $sampled <= v $i * 2"#) }); - let b1 = a[i * 3 + 0] as i16; + let b1 = a[i * 3] as i16; let b2 = a[i * 3 + 1] as i16; let b3 = a[i * 3 + 2] as i16; diff --git a/libcrux-ml-kem/src/vector/portable/serialize.rs b/libcrux-ml-kem/src/vector/portable/serialize.rs index 49915349f..8f597a502 100644 --- a/libcrux-ml-kem/src/vector/portable/serialize.rs +++ b/libcrux-ml-kem/src/vector/portable/serialize.rs @@ -39,11 +39,11 @@ let lemma_get_bit_bounded' #t (x:int_t t) (d:num_bits t): " #push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" -let serialize_1_bit_vec_lemma (v: t_Array i16 (sz 16)) +let serialize_1_bit_vec_lemma (v: t_Array i16 (sz 16)) (out: t_Array u8 (sz 2)) (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 1)) : squash ( let inputs = bit_vec_of_int_t_array v 1 in - let outputs = bit_vec_of_int_t_array (${serialize_1} ({ f_elements = v })) 8 in + let outputs = bit_vec_of_int_t_array (serialize_1_ ({ f_elements = v }) out <: t_Array _ (sz 24)) 8 in (forall (i: nat {i < 16}). inputs i == outputs i) ) = _ by (Tactics.GetBit.prove_bit_vector_equality' ()) 
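Review bot: ntt_multiply now writes into a caller-supplied `out` instead of a local `zero()`, and its ensures only speaks about `${out}_future` through the eight ntt_multiply_binomials_post instances, so the fact that no element of the incoming `out` survives is implicit: `modifies2_16` for i in 0..8 covers indices 0..15. A doc comment on ntt_multiply (its signature is in the previous hunk) such as `/// Overwrites all 16 coefficients of `out`; its previous contents are never read.` would make that explicit for callers who reuse a buffer. The closing `forall16` assertion in this hunk is what now discharges the array-level bound that the removed per-call `is_i16b_array` asserts used to carry.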
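Review bot: In serialize_1_bit_vec_lemma the new ascription reads `serialize_1_ ({ f_elements = v }) out <: t_Array _ (sz 24)`, but `out` is declared as `t_Array u8 (sz 2)` on the same line, and both the `val serialize_1_lemma` interface and the `serialize_1_lemma` body in the following hunks ascribe `t_Array u8 (sz 2)`; serialize_1 packs 16 one-bit coefficients into 2 bytes, so `sz 24` looks like a copy-paste from the 12-bit serializer. Unless the refinement is silently discharged by the tactic, this will not typecheck; it should read `<: t_Array u8 (sz 2)` like its siblings.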
@@ -58,9 +58,9 @@ let serialize_1_bit_vec_lemma (v: t_Array i16 (sz 16)) " #push-options \"--z3rlimit 300\" -let serialize_1_lemma inputs = - serialize_1_bit_vec_lemma inputs.f_elements (); - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_1} inputs) 8) +let serialize_1_lemma inputs (out: t_Array u8 (sz 2)) = + serialize_1_bit_vec_lemma inputs.f_elements out (); + BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (serialize_1_ inputs out <: t_Array u8 (sz 2)) 8) (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 1)) #pop-options 
@@ -68,29 +68,34 @@ let serialize_1_lemma inputs = ) )] #[cfg_attr(hax, hax_lib::fstar::after(interface, " -val serialize_1_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma +val serialize_1_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: t_Array u8 (sz 2)): Lemma (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 1)) - (ensures bit_vec_of_int_t_array (${serialize_1} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 1) + (ensures (bit_vec_of_int_t_array (serialize_1_ inputs out <: t_Array u8 (sz 2)) 8 == bit_vec_of_int_t_array inputs.f_elements 1)) "))] +#[hax_lib::requires(out.len() == 2)] +#[hax_lib::ensures(|_| future(out).len() == 2)] #[inline(always)] -pub(crate) fn serialize_1(v: PortableVector) -> [U8; 2] { - let result0 = (v.elements[0].as_u8()) +pub(crate) fn serialize_1(v: &PortableVector, out: &mut [u8]) { + debug_assert!(out.len() == 2); + + out[0] = ((v.elements[0].as_u8()) | ((v.elements[1].as_u8()) << 1) | ((v.elements[2].as_u8()) << 2) | ((v.elements[3].as_u8()) << 3) | ((v.elements[4].as_u8()) << 4) | ((v.elements[5].as_u8()) << 5) | ((v.elements[6].as_u8()) << 6) - | ((v.elements[7].as_u8()) << 7); - let result1 = (v.elements[8].as_u8()) + | ((v.elements[7].as_u8()) << 7)) + .declassify(); + out[1] = ((v.elements[8].as_u8()) | ((v.elements[9].as_u8()) << 1) | ((v.elements[10].as_u8()) << 2) | ((v.elements[11].as_u8()) << 3) | ((v.elements[12].as_u8()) << 4) | ((v.elements[13].as_u8()) << 5) | ((v.elements[14].as_u8()) << 6) - | ((v.elements[15].as_u8()) << 7); - [result0, result1] + | ((v.elements[15].as_u8()) << 7)) + .declassify(); } //deserialize_1_bit_vec_lemma 
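Review bot: The two `.declassify()` calls in serialize_1 are where the secret typing on the coefficient bits ends — the output moves from `[U8; 2]` to a public `&mut [u8]` — and nothing in the hunk says why that is safe. It is fine for bytes that become ciphertext, but if serialize_1 is also reached from the decryption path on the recovered message (not visible here), those bits derive from the secret key and the declassification should be justified or moved to the caller. A comment at the first call, `// declassify: packed bits leave the secret-typed vector; callers treat the bytes as public output — confirm for the decrypt message path`, would record the decision; the same question applies to the `.declassify()` calls in serialize_4_int, serialize_5_int and serialize_10_int later in this diff.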
@@ -100,10 +105,10 @@ pub(crate) fn serialize_1(v: PortableVector) -> [U8; 2] { r#" #push-options "--compat_pre_core 2 --z3rlimit 300 --z3refresh" -let deserialize_1_bit_vec_lemma (inp: t_Array u8 (sz 2)) +let deserialize_1_bit_vec_lemma (inp: t_Array u8 (sz 2)) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : squash ( let inputs = bit_vec_of_int_t_array inp 8 in - let out_arr = (deserialize_1_ inp).f_elements in + let out_arr = (deserialize_1_ inp out).f_elements in let outputs = bit_vec_of_int_t_array out_arr 1 in (forall (i: nat {i < 16}). inputs i == outputs i /\ Rust_primitives.bounded (Seq.index out_arr i) 1) ) = @@ -119,8 +124,9 @@ let deserialize_1_bit_vec_lemma (inp: t_Array u8 (sz 2)) hax_lib::fstar::after( interface, r#" -val deserialize_1_lemma (inputs: t_Array u8 (sz 2)) : Lemma - (ensures (let result = ${deserialize_1} inputs in +val deserialize_1_lemma (inputs: t_Array u8 (sz 2)) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Lemma + (ensures (let result = deserialize_1_ inputs out in bit_vec_of_int_t_array result.f_elements 1 == bit_vec_of_int_t_array inputs 8 /\ (forall i. Rust_primitives.bounded (Seq.index result.f_elements i) 1))) "# @@ -132,9 +138,9 @@ val deserialize_1_lemma (inputs: t_Array u8 (sz 2)) : Lemma " #push-options \"--z3rlimit 300\" -let deserialize_1_lemma inputs = - deserialize_1_bit_vec_lemma inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_1} inputs).f_elements 1) +let deserialize_1_lemma inputs out = + deserialize_1_bit_vec_lemma inputs out; + BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (deserialize_1_ inputs out).f_elements 1) (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) #pop-options 
@@ -145,41 +151,40 @@ let deserialize_1_lemma inputs = ${v.len() == 2} "#))] #[inline(always)] -pub(crate) fn deserialize_1(v: &[U8]) -> PortableVector { - let result0 = (v[0] & 0x1).as_i16(); - let result1 = ((v[0] >> 1) & 0x1).as_i16(); - let result2 = ((v[0] >> 2) & 0x1).as_i16(); - let result3 = ((v[0] >> 3) & 0x1).as_i16(); - let result4 = ((v[0] >> 4) & 0x1).as_i16(); - let result5 = ((v[0] >> 5) & 0x1).as_i16(); - let result6 = ((v[0] >> 6) & 0x1).as_i16(); - let result7 = ((v[0] >> 7) & 0x1).as_i16(); - let result8 = (v[1] & 0x1).as_i16(); - let result9 = ((v[1] >> 1) & 0x1).as_i16(); - let result10 = ((v[1] >> 2) & 0x1).as_i16(); - let result11 = ((v[1] >> 3) & 0x1).as_i16(); - let result12 = ((v[1] >> 4) & 0x1).as_i16(); - let result13 = ((v[1] >> 5) & 0x1).as_i16(); - let result14 = ((v[1] >> 6) & 0x1).as_i16(); - let result15 = ((v[1] >> 7) & 0x1).as_i16(); - PortableVector { - elements: [ - result0, result1, result2, result3, result4, result5, result6, result7, result8, - result9, result10, result11, result12, result13, result14, result15, - ], - } +pub(crate) fn deserialize_1(v: &[U8], out: &mut PortableVector) { + out.elements[0] = (v[0] & 0x1).as_i16(); + out.elements[1] = ((v[0] >> 1) & 0x1).as_i16(); + out.elements[2] = ((v[0] >> 2) & 0x1).as_i16(); + out.elements[3] = ((v[0] >> 3) & 0x1).as_i16(); + out.elements[4] = ((v[0] >> 4) & 0x1).as_i16(); + out.elements[5] = ((v[0] >> 5) & 0x1).as_i16(); + out.elements[6] = ((v[0] >> 6) & 0x1).as_i16(); + out.elements[7] = ((v[0] >> 7) & 0x1).as_i16(); + out.elements[8] = (v[1] & 0x1).as_i16(); + out.elements[9] = ((v[1] >> 1) & 0x1).as_i16(); + out.elements[10] = ((v[1] >> 2) & 0x1).as_i16(); + out.elements[11] = ((v[1] >> 3) & 0x1).as_i16(); + out.elements[12] = ((v[1] >> 4) & 0x1).as_i16(); + out.elements[13] = ((v[1] >> 5) & 0x1).as_i16(); + out.elements[14] = ((v[1] >> 6) & 0x1).as_i16(); + out.elements[15] = ((v[1] >> 7) & 0x1).as_i16(); } #[inline(always)] #[hax_lib::requires(fstar!(r#" ${v.len() 
== 8} "#))] -pub(crate) fn serialize_4_int(v: &[I16]) -> (U8, U8, U8, U8) { +pub(crate) fn serialize_4_int(v: &[I16]) -> (u8, u8, u8, u8) { let result0 = ((v[1].as_u8()) << 4) | (v[0].as_u8()); let result1 = ((v[3].as_u8()) << 4) | (v[2].as_u8()); let result2 = ((v[5].as_u8()) << 4) | (v[4].as_u8()); let result3 = ((v[7].as_u8()) << 4) | (v[6].as_u8()); - (result0, result1, result2, result3) + ( + result0.declassify(), + result1.declassify(), + result2.declassify(), + result3.declassify(), + ) } #[cfg_attr( @@ -188,11 +193,11 @@ pub(crate) fn serialize_4_int(v: &[I16]) -> (U8, U8, U8, U8) { " #push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" -let serialize_4_bit_vec_lemma (v: t_Array i16 (sz 16)) +let serialize_4_bit_vec_lemma (v: t_Array i16 (sz 16)) (out: t_Array u8 (sz 8)) (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 4)) : squash ( let inputs = bit_vec_of_int_t_array v 4 in - let outputs = bit_vec_of_int_t_array (${serialize_4} ({ f_elements = v })) 8 in + let outputs = bit_vec_of_int_t_array (serialize_4_ ({ f_elements = v }) out <: t_Array u8 (sz 8)) 8 in (forall (i: nat {i < 64}). inputs i == outputs i) ) = _ by (Tactics.GetBit.prove_bit_vector_equality' ()) @@ -207,9 +212,9 @@ let serialize_4_bit_vec_lemma (v: t_Array i16 (sz 16)) " #push-options \"--z3rlimit 300\" -let serialize_4_lemma inputs = - serialize_4_bit_vec_lemma inputs.f_elements (); - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_4} inputs) 8) +let serialize_4_lemma inputs out = + serialize_4_bit_vec_lemma inputs.f_elements out (); + BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (serialize_4_ inputs out <: t_Array u8 (sz 8)) 8) (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 4)) #pop-options 
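Review bot: serialize_4_int's only hax precondition is `${v.len() == 8}`, yet the packing `(v[1].as_u8()) << 4 | (v[0].as_u8())` is correct only when every element is below 16 — a larger value would spill into the neighbouring nibble after the i16→u8 truncation of `as_u8()`. That bound lives only in serialize_4_lemma's `bounded ... 4` requires in the next hunk, so a reader of the Rust function has no local statement of it; a doc comment `/// Packs 8 coefficients, each expected in 0..16, into 4 bytes (low nibble first).` or an explicit requires on the element range would close the gap. serialize_5_int further down relies on 5-bit inputs in the same unmasked way.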
@@ -217,24 +222,17 @@ let serialize_4_lemma inputs = ) )] #[cfg_attr(hax, hax_lib::fstar::after(interface, " -val serialize_4_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma +val serialize_4_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: t_Array u8 (sz 8)): Lemma (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 4)) - (ensures bit_vec_of_int_t_array (${serialize_4} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 4) + (ensures bit_vec_of_int_t_array (serialize_4_ inputs out <: t_Array u8 (sz 8)) 8 == bit_vec_of_int_t_array inputs.f_elements 4) "))] +#[hax_lib::requires(out.len() == 8)] +#[hax_lib::ensures(|_| future(out).len() == 8)] #[inline(always)] -pub(crate) fn serialize_4(v: PortableVector) -> [U8; 8] { - let result0_3 = serialize_4_int(&v.elements[0..8]); - let result4_7 = serialize_4_int(&v.elements[8..16]); - [ - result0_3.0, - result0_3.1, - result0_3.2, - result0_3.3, - result4_7.0, - result4_7.1, - result4_7.2, - result4_7.3, - ] +pub(crate) fn serialize_4(v: &PortableVector, out: &mut [u8]) { + debug_assert!(out.len() == 8); + (out[0], out[1], out[2], out[3]) = serialize_4_int(&v.elements[0..8]); + (out[4], out[5], out[6], out[7]) = serialize_4_int(&v.elements[8..16]); } #[inline(always)] 
@@ -260,17 +258,17 @@ pub(crate) fn deserialize_4_int(bytes: &[U8]) -> (I16, I16, I16, I16, I16, I16, " #push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" -let deserialize_4_bit_vec_lemma (v: t_Array u8 (sz 8)) +let deserialize_4_bit_vec_lemma (v: t_Array u8 (sz 8)) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : squash ( let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (${deserialize_4} v).f_elements 4 in + let outputs = bit_vec_of_int_t_array (deserialize_4_ v out).f_elements 4 in (forall (i: nat {i < 64}). inputs i == outputs i) ) = _ by (Tactics.GetBit.prove_bit_vector_equality' ()) -let deserialize_4_bit_vec_lemma_bounded (v: t_Array u8 (sz 8)) +let deserialize_4_bit_vec_lemma_bounded (v: t_Array u8 (sz 8)) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : squash ( - let result = ${deserialize_4} v in + let result = deserialize_4_ v out in (forall (i: nat {i < 16}). Rust_primitives.bounded (Seq.index result.f_elements i) 4) ) = _ by (Tactics.GetBit.prove_bit_vector_equality' ()) @@ -285,8 +283,9 @@ let deserialize_4_bit_vec_lemma_bounded (v: t_Array u8 (sz 8)) hax_lib::fstar::after( interface, r#" -val deserialize_4_lemma (inputs: t_Array u8 (sz 8)) : Lemma - (ensures (let result = ${deserialize_4} inputs in +val deserialize_4_lemma (inputs: t_Array u8 (sz 8)) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Lemma + (ensures (let result = deserialize_4_ inputs out in bit_vec_of_int_t_array result.f_elements 4 == bit_vec_of_int_t_array inputs 8 /\ (forall i. Rust_primitives.bounded (Seq.index result.f_elements i) 4))) "# 
@@ -298,10 +297,10 @@ val deserialize_4_lemma (inputs: t_Array u8 (sz 8)) : Lemma " #push-options \"--z3rlimit 300\" -let deserialize_4_lemma inputs = - deserialize_4_bit_vec_lemma inputs; - deserialize_4_bit_vec_lemma_bounded inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_4} inputs).f_elements 4) +let deserialize_4_lemma inputs out = + deserialize_4_bit_vec_lemma inputs out; + deserialize_4_bit_vec_lemma_bounded inputs out; + BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (deserialize_4_ inputs out).f_elements 4) (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) #pop-options 
@@ -312,37 +311,53 @@ let deserialize_4_lemma inputs = ${bytes.len() == 8} "#))] #[inline(always)] -pub(crate) fn deserialize_4(bytes: &[U8]) -> PortableVector { - let v0_7 = deserialize_4_int(&bytes[0..4]); - let v8_15 = deserialize_4_int(&bytes[4..8]); - PortableVector { - elements: [ - v0_7.0, v0_7.1, v0_7.2, v0_7.3, v0_7.4, v0_7.5, v0_7.6, v0_7.7, v8_15.0, v8_15.1, - v8_15.2, v8_15.3, v8_15.4, v8_15.5, v8_15.6, v8_15.7, - ], - } +pub(crate) fn deserialize_4(bytes: &[U8], out: &mut PortableVector) { + ( + out.elements[0], + out.elements[1], + out.elements[2], + out.elements[3], + out.elements[4], + out.elements[5], + out.elements[6], + out.elements[7], + ) = deserialize_4_int(&bytes[0..4]); + ( + out.elements[8], + out.elements[9], + out.elements[10], + out.elements[11], + out.elements[12], + out.elements[13], + out.elements[14], + out.elements[15], + ) = deserialize_4_int(&bytes[4..8]); } #[inline(always)] #[hax_lib::requires(fstar!(r#" ${v.len() == 8} "#))] -pub(crate) fn serialize_5_int(v: &[I16]) -> (U8, U8, U8, U8, U8) { +pub(crate) fn serialize_5_int(v: &[I16]) -> (u8, u8, u8, u8, u8) { let r0 = (v[0] | v[1] << 5).as_u8(); let r1 = (v[1] >> 3 | v[2] << 2 | v[3] << 7).as_u8(); let r2 = (v[3] >> 1 | v[4] << 4).as_u8(); let r3 = (v[4] >> 4 | v[5] << 1 | v[6] << 6).as_u8(); let r4 = (v[6] >> 2 | v[7] << 3).as_u8(); - (r0, r1, r2, r3, r4) + ( + r0.declassify(), + r1.declassify(), + r2.declassify(), + r3.declassify(), + r4.declassify(), + ) } #[inline(always)] -pub(crate) fn serialize_5(v: PortableVector) -> [U8; 10] { - let r0_4 = serialize_5_int(&v.elements[0..8]); - let r5_9 = serialize_5_int(&v.elements[8..16]); - [ - r0_4.0, r0_4.1, r0_4.2, r0_4.3, r0_4.4, r5_9.0, r5_9.1, r5_9.2, r5_9.3, r5_9.4, - ] +pub(crate) fn serialize_5(v: &PortableVector, out: &mut [u8]) { + debug_assert!(out.len() == 10); + (out[0], out[1], out[2], out[3], out[4]) = serialize_5_int(&v.elements[0..8]); + (out[5], out[6], out[7], out[8], out[9]) = serialize_5_int(&v.elements[8..16]); 
} #[inline(always)] @@ -365,28 +380,46 @@ pub(crate) fn deserialize_5_int(bytes: &[U8]) -> (I16, I16, I16, I16, I16, I16, ${bytes.len() == 10} "#))] #[inline(always)] -pub(crate) fn deserialize_5(bytes: &[U8]) -> PortableVector { - let v0_7 = deserialize_5_int(&bytes[0..5]); - let v8_15 = deserialize_5_int(&bytes[5..10]); - PortableVector { - elements: [ - v0_7.0, v0_7.1, v0_7.2, v0_7.3, v0_7.4, v0_7.5, v0_7.6, v0_7.7, v8_15.0, v8_15.1, - v8_15.2, v8_15.3, v8_15.4, v8_15.5, v8_15.6, v8_15.7, - ], - } +pub(crate) fn deserialize_5(bytes: &[U8], out: &mut PortableVector) { + ( + out.elements[0], + out.elements[1], + out.elements[2], + out.elements[3], + out.elements[4], + out.elements[5], + out.elements[6], + out.elements[7], + ) = deserialize_5_int(&bytes[0..5]); + ( + out.elements[8], + out.elements[9], + out.elements[10], + out.elements[11], + out.elements[12], + out.elements[13], + out.elements[14], + out.elements[15], + ) = deserialize_5_int(&bytes[5..10]); } #[inline(always)] #[hax_lib::requires(fstar!(r#" ${v.len() == 4} "#))] -pub(crate) fn serialize_10_int(v: &[I16]) -> (U8, U8, U8, U8, U8) { +pub(crate) fn serialize_10_int(v: &[I16]) -> (u8, u8, u8, u8, u8) { let r0 = (v[0] & 0xFF).as_u8(); let r1 = ((v[1] & 0x3F).as_u8()) << 2 | ((v[0] >> 8) & 0x03).as_u8(); let r2 = ((v[2] & 0x0F).as_u8()) << 4 | ((v[1] >> 6) & 0x0F).as_u8(); let r3 = ((v[3] & 0x03).as_u8()) << 6 | ((v[2] >> 4) & 0x3F).as_u8(); let r4 = ((v[3] >> 2) & 0xFF).as_u8(); - (r0, r1, r2, r3, r4) + ( + r0.declassify(), + r1.declassify(), + r2.declassify(), + r3.declassify(), + r4.declassify(), + ) } #[cfg_attr( 
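Review bot: serialize_5 only gets a `debug_assert!(out.len() == 10)`, whereas the sibling conversions in this diff (serialize_1, serialize_4, serialize_10) pair the debug assertion with `#[hax_lib::requires(out.len() == N)]` and `#[hax_lib::ensures(|_| future(out).len() == N)]`; without the requires the F* extraction has no length fact for `out`, and in release builds a short buffer fails only with a generic index panic inside the destructuring assignment. Adding `#[hax_lib::requires(out.len() == 10)]` and `#[hax_lib::ensures(|_| future(out).len() == 10)]` above its `#[inline(always)]` keeps the serializers consistent. The deserialize_4 part of this hunk writes all 16 elements via destructuring, so `out` there needs no prior initialisation.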
@@ -395,11 +428,11 @@ pub(crate) fn serialize_10_int(v: &[I16]) -> (U8, U8, U8, U8, U8) { " #push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" -let serialize_10_bit_vec_lemma (v: t_Array i16 (sz 16)) +let serialize_10_bit_vec_lemma (v: t_Array i16 (sz 16)) (out: t_Array u8 (sz 20)) (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 10)) : squash ( let inputs = bit_vec_of_int_t_array v 10 in - let outputs = bit_vec_of_int_t_array (${serialize_10} ({ f_elements = v })) 8 in + let outputs = bit_vec_of_int_t_array (serialize_10_ ({ f_elements = v }) out <: t_Array u8 (sz 20)) 8 in (forall (i: nat {i < 160}). inputs i == outputs i) ) = _ by (Tactics.GetBit.prove_bit_vector_equality' ()) @@ -409,9 +442,9 @@ let serialize_10_bit_vec_lemma (v: t_Array i16 (sz 16)) ) )] #[cfg_attr(hax, hax_lib::fstar::after(interface, " -val serialize_10_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma +val serialize_10_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: t_Array u8 (sz 20)) : Lemma (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 10)) - (ensures bit_vec_of_int_t_array (${serialize_10} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 10) + (ensures bit_vec_of_int_t_array (serialize_10_ inputs out <: t_Array u8 (sz 20)) 8 == bit_vec_of_int_t_array inputs.f_elements 10) "))] #[cfg_attr( hax, 
@@ -419,25 +452,24 @@ val serialize_10_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_Por r#" #push-options "--z3rlimit 300" -let serialize_10_lemma inputs = - serialize_10_bit_vec_lemma inputs.f_elements (); - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_10} inputs) 8) +let serialize_10_lemma inputs out = + serialize_10_bit_vec_lemma inputs.f_elements out (); + BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (serialize_10_ inputs out <: t_Array u8 (sz 20)) 8) (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 10)) #pop-options "# ) )] +#[hax_lib::requires(out.len() == 20)] +#[hax_lib::ensures(|_| future(out).len() == 20)] #[inline(always)] -pub(crate) fn serialize_10(v: PortableVector) -> [U8; 20] { - let r0_4 = serialize_10_int(&v.elements[0..4]); - let r5_9 = serialize_10_int(&v.elements[4..8]); - let r10_14 = serialize_10_int(&v.elements[8..12]); - let r15_19 = serialize_10_int(&v.elements[12..16]); - [ - r0_4.0, r0_4.1, r0_4.2, r0_4.3, r0_4.4, r5_9.0, r5_9.1, r5_9.2, r5_9.3, r5_9.4, r10_14.0, - r10_14.1, r10_14.2, r10_14.3, r10_14.4, r15_19.0, r15_19.1, r15_19.2, r15_19.3, r15_19.4, - ] +pub(crate) fn serialize_10(v: &PortableVector, out: &mut [u8]) { + debug_assert!(out.len() == 20); + (out[0], out[1], out[2], out[3], out[4]) = serialize_10_int(&v.elements[0..4]); + (out[5], out[6], out[7], out[8], out[9]) = serialize_10_int(&v.elements[4..8]); + (out[10], out[11], out[12], out[13], out[14]) = serialize_10_int(&v.elements[8..12]); + (out[15], out[16], out[17], out[18], out[19]) = serialize_10_int(&v.elements[12..16]); } #[inline(always)] 
@@ -463,18 +495,18 @@ pub(crate) fn deserialize_10_int(bytes: &[U8]) -> (I16, I16, I16, I16, I16, I16, r#" #push-options "--compat_pre_core 2 --z3rlimit 300 --z3refresh" -let deserialize_10_bit_vec_lemma (v: t_Array u8 (sz 20)) +let deserialize_10_bit_vec_lemma (v: t_Array u8 (sz 20)) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : squash ( let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (${deserialize_10} v).f_elements 10 in + let outputs = bit_vec_of_int_t_array (deserialize_10_ v out).f_elements 10 in (forall (i: nat {i < 160}). inputs i == outputs i) ) = _ by (Tactics.GetBit.prove_bit_vector_equality' ()) -let deserialize_10_bit_vec_lemma_bounded (v: t_Array u8 (sz 20)) +let deserialize_10_bit_vec_lemma_bounded (v: t_Array u8 (sz 20)) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : squash ( - let result = ${deserialize_10} v in + let result = deserialize_10_ v out in (forall (i: nat {i < 16}). Rust_primitives.bounded (Seq.index result.f_elements i) 10) ) = _ by (Tactics.GetBit.prove_bit_vector_equality' ()) @@ -489,8 +521,9 @@ let deserialize_10_bit_vec_lemma_bounded (v: t_Array u8 (sz 20)) hax_lib::fstar::after( interface, r#" -val deserialize_10_lemma (inputs: t_Array u8 (sz 20)) : Lemma - (ensures (let result = ${deserialize_10} inputs in +val deserialize_10_lemma (inputs: t_Array u8 (sz 20)) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Lemma + (ensures (let result = deserialize_10_ inputs out in bit_vec_of_int_t_array result.f_elements 10 == bit_vec_of_int_t_array inputs 8 /\ (forall i. Rust_primitives.bounded (Seq.index result.f_elements i) 10))) "# 
@@ -502,10 +535,10 @@ val deserialize_10_lemma (inputs: t_Array u8 (sz 20)) : Lemma r#" #push-options "--z3rlimit 300" -let deserialize_10_lemma inputs = - deserialize_10_bit_vec_lemma inputs; - deserialize_10_bit_vec_lemma_bounded inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_10} inputs).f_elements 10) +let deserialize_10_lemma inputs out = + deserialize_10_bit_vec_lemma inputs out; + deserialize_10_bit_vec_lemma_bounded inputs out; + BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (deserialize_10_ inputs out).f_elements 10) (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) #pop-options @@ -516,22 +549,34 @@ let deserialize_10_lemma inputs = ${bytes.len() == 20} "#))] #[inline(always)] -pub(crate) fn deserialize_10(bytes: &[U8]) -> PortableVector { - let v0_7 = deserialize_10_int(&bytes[0..10]); - let v8_15 = deserialize_10_int(&bytes[10..20]); - PortableVector { - elements: [ - v0_7.0, v0_7.1, v0_7.2, v0_7.3, v0_7.4, v0_7.5, v0_7.6, v0_7.7, v8_15.0, v8_15.1, - v8_15.2, v8_15.3, v8_15.4, v8_15.5, v8_15.6, v8_15.7, - ], - } +pub(crate) fn deserialize_10(bytes: &[U8], out: &mut PortableVector) { + ( + out.elements[0], + out.elements[1], + out.elements[2], + out.elements[3], + out.elements[4], + out.elements[5], + out.elements[6], + out.elements[7], + ) = deserialize_10_int(&bytes[0..10]); + ( + out.elements[8], + out.elements[9], + out.elements[10], + out.elements[11], + out.elements[12], + out.elements[13], + out.elements[14], + out.elements[15], + ) = deserialize_10_int(&bytes[10..20]); } #[inline(always)] #[hax_lib::requires(fstar!(r#" ${v.len() == 8} "#))] -pub(crate) fn serialize_11_int(v: &[I16]) -> (U8, U8, U8, U8, U8, U8, U8, U8, U8, U8, U8) { +pub(crate) fn serialize_11_int(v: &[I16]) -> (u8, u8, u8, u8, u8, u8, u8, u8, u8, u8, u8) { let r0 = v[0].as_u8(); let r1 = ((v[1] & 0x1F).as_u8()) << 3 | ((v[0] >> 8).as_u8()); let r2 = ((v[2] & 0x3).as_u8()) << 6 | ((v[1] >> 5).as_u8()); 
@@ -543,18 +588,31 @@ pub(crate) fn serialize_11_int(v: &[I16]) -> (U8, U8, U8, U8, U8, U8, U8, U8, U8 let r8 = ((v[6] & 0x3F).as_u8()) << 2 | (v[5] >> 9).as_u8(); let r9 = ((v[7] & 0x7).as_u8()) << 5 | (v[6] >> 6).as_u8(); let r10 = (v[7] >> 3).as_u8(); - (r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10) + ( + r0.declassify(), + r1.declassify(), + r2.declassify(), + r3.declassify(), + r4.declassify(), + r5.declassify(), + r6.declassify(), + r7.declassify(), + r8.declassify(), + r9.declassify(), + r10.declassify(), + ) } #[inline(always)] -pub(crate) fn serialize_11(v: PortableVector) -> [U8; 22] { - let r0_10 = serialize_11_int(&v.elements[0..8]); - let r11_21 = serialize_11_int(&v.elements[8..16]); - [ - r0_10.0, r0_10.1, r0_10.2, r0_10.3, r0_10.4, r0_10.5, r0_10.6, r0_10.7, r0_10.8, r0_10.9, - r0_10.10, r11_21.0, r11_21.1, r11_21.2, r11_21.3, r11_21.4, r11_21.5, r11_21.6, r11_21.7, - r11_21.8, r11_21.9, r11_21.10, - ] +pub(crate) fn serialize_11(v: &PortableVector, out: &mut [u8]) { + debug_assert!(out.len() == 22); + ( + out[0], out[1], out[2], out[3], out[4], out[5], out[6], out[7], out[8], out[9], out[10], + ) = serialize_11_int(&v.elements[0..8]); + ( + out[11], out[12], out[13], out[14], out[15], out[16], out[17], out[18], out[19], out[20], + out[21], + ) = serialize_11_int(&v.elements[8..16]); } #[inline(always)] 
@@ -579,26 +637,38 @@ pub(crate) fn deserialize_11_int(bytes: &[U8]) -> (I16, I16, I16, I16, I16, I16, ${bytes.len() == 22} "#))] #[inline(always)] -pub(crate) fn deserialize_11(bytes: &[U8]) -> PortableVector { - let v0_7 = deserialize_11_int(&bytes[0..11]); - let v8_15 = deserialize_11_int(&bytes[11..22]); - PortableVector { - elements: [ - v0_7.0, v0_7.1, v0_7.2, v0_7.3, v0_7.4, v0_7.5, v0_7.6, v0_7.7, v8_15.0, v8_15.1, - v8_15.2, v8_15.3, v8_15.4, v8_15.5, v8_15.6, v8_15.7, - ], - } +pub(crate) fn deserialize_11(bytes: &[U8], out: &mut PortableVector) { + ( + out.elements[0], + out.elements[1], + out.elements[2], + out.elements[3], + out.elements[4], + out.elements[5], + out.elements[6], + out.elements[7], + ) = deserialize_11_int(&bytes[0..11]); + ( + out.elements[8], + out.elements[9], + out.elements[10], + out.elements[11], + out.elements[12], + out.elements[13], + out.elements[14], + out.elements[15], + ) = deserialize_11_int(&bytes[11..22]); } #[inline(always)] #[hax_lib::requires(fstar!(r#" ${v.len() == 2} "#))] -pub(crate) fn serialize_12_int(v: &[I16]) -> (U8, U8, U8) { +pub(crate) fn serialize_12_int(v: &[I16]) -> (u8, u8, u8) { let r0 = (v[0] & 0xFF).as_u8(); let r1 = ((v[0] >> 8) | ((v[1] & 0x0F) << 4)).as_u8(); let r2 = ((v[1] >> 4) & 0xFF).as_u8(); - (r0, r1, r2) + (r0.declassify(), r1.declassify(), r2.declassify()) } #[cfg_attr( 
@@ -607,11 +677,11 @@ pub(crate) fn serialize_12_int(v: &[I16]) -> (U8, U8, U8) { r#" #push-options "--compat_pre_core 2 --z3rlimit 300 --z3refresh" -let serialize_12_bit_vec_lemma (v: t_Array i16 (sz 16)) +let serialize_12_bit_vec_lemma (v: t_Array i16 (sz 16)) (out: t_Array u8 (sz 24)) (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 12)) : squash ( let inputs = bit_vec_of_int_t_array v 12 in - let outputs = bit_vec_of_int_t_array (${serialize_12} ({ f_elements = v })) 8 in + let outputs = bit_vec_of_int_t_array (serialize_12_ ({ f_elements = v }) out <: t_Array _ (sz 24)) 8 in (forall (i: nat {i < 192}). inputs i == outputs i) ) = _ by (Tactics.GetBit.prove_bit_vector_equality' ()) @@ -621,9 +691,9 @@ let serialize_12_bit_vec_lemma (v: t_Array i16 (sz 16)) ) )] #[cfg_attr(hax, hax_lib::fstar::after(interface, " -val serialize_12_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma +val serialize_12_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: t_Array u8 (sz 24)) : Lemma (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 12)) - (ensures bit_vec_of_int_t_array (${serialize_12} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 12) + (ensures bit_vec_of_int_t_array (serialize_12_ inputs out <: t_Array u8 (sz 24)) 8 == bit_vec_of_int_t_array inputs.f_elements 12) "))] #[cfg_attr( hax, 
@@ -631,30 +701,28 @@ val serialize_12_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_Por " #push-options \"--z3rlimit 300\" -let serialize_12_lemma inputs = - serialize_12_bit_vec_lemma inputs.f_elements (); - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_12} inputs) 8) +let serialize_12_lemma inputs out = + serialize_12_bit_vec_lemma inputs.f_elements out (); + BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (serialize_12_ inputs out <: t_Array u8 (sz 24)) 8) (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 12)) #pop-options " ) )] +#[hax_lib::requires(out.len() == 24)] +#[hax_lib::ensures(|_| future(out).len() == 24)] #[inline(always)] -pub(crate) fn serialize_12(v: PortableVector) -> [U8; 24] { - let r0_2 = serialize_12_int(&v.elements[0..2]); - let r3_5 = serialize_12_int(&v.elements[2..4]); - let r6_8 = serialize_12_int(&v.elements[4..6]); - let r9_11 = serialize_12_int(&v.elements[6..8]); - let r12_14 = serialize_12_int(&v.elements[8..10]); - let r15_17 = serialize_12_int(&v.elements[10..12]); - let r18_20 = serialize_12_int(&v.elements[12..14]); - let r21_23 = serialize_12_int(&v.elements[14..16]); - [ - r0_2.0, r0_2.1, r0_2.2, r3_5.0, r3_5.1, r3_5.2, r6_8.0, r6_8.1, r6_8.2, r9_11.0, r9_11.1, - r9_11.2, r12_14.0, r12_14.1, r12_14.2, r15_17.0, r15_17.1, r15_17.2, r18_20.0, r18_20.1, - r18_20.2, r21_23.0, r21_23.1, r21_23.2, - ] +pub(crate) fn serialize_12(v: &PortableVector, out: &mut [u8]) { + debug_assert!(out.len() == 24); + (out[0], out[1], out[2]) = serialize_12_int(&v.elements[0..2]); + (out[3], out[4], out[5]) = serialize_12_int(&v.elements[2..4]); + (out[6], out[7], out[8]) = serialize_12_int(&v.elements[4..6]); + (out[9], out[10], out[11]) = serialize_12_int(&v.elements[6..8]); + (out[12], out[13], out[14]) = serialize_12_int(&v.elements[8..10]); + (out[15], out[16], out[17]) = serialize_12_int(&v.elements[10..12]); + (out[18], out[19], out[20]) = serialize_12_int(&v.elements[12..14]); + (out[21], 
out[22], out[23]) = serialize_12_int(&v.elements[14..16]); } #[inline(always)] @@ -677,17 +745,17 @@ pub(crate) fn deserialize_12_int(bytes: &[U8]) -> (I16, I16) { " #push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" -let deserialize_12_bit_vec_lemma (v: t_Array u8 (sz 24)) +let deserialize_12_bit_vec_lemma (v: t_Array u8 (sz 24)) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : squash ( let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (${deserialize_12} v).f_elements 12 in + let outputs = bit_vec_of_int_t_array (deserialize_12_ v out).f_elements 12 in (forall (i: nat {i < 192}). inputs i == outputs i) ) = _ by (Tactics.GetBit.prove_bit_vector_equality' ()) -let deserialize_12_bit_vec_lemma_bounded (v: t_Array u8 (sz 24)) +let deserialize_12_bit_vec_lemma_bounded (v: t_Array u8 (sz 24)) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : squash ( - let result = ${deserialize_12} v in + let result = deserialize_12_ v out in (forall (i: nat {i < 16}). Rust_primitives.bounded (Seq.index result.f_elements i) 1) ) = _ by (Tactics.GetBit.prove_bit_vector_equality' ()) @@ -703,8 +771,8 @@ let deserialize_12_bit_vec_lemma_bounded (v: t_Array u8 (sz 24)) hax_lib::fstar::after( interface, r#" -val deserialize_12_lemma (inputs: t_Array u8 (sz 24)) : Lemma - (ensures (let result = ${deserialize_12} inputs in +val deserialize_12_lemma (inputs: t_Array u8 (sz 24)) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma + (ensures (let result = deserialize_12_ inputs out in bit_vec_of_int_t_array result.f_elements 12 == bit_vec_of_int_t_array inputs 8 /\ (forall i. Rust_primitives.bounded (Seq.index result.f_elements i) 12))) "# 
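Review bot: The bound in the context line of `deserialize_12_bit_vec_lemma_bounded` reads `Rust_primitives.bounded (Seq.index result.f_elements i) 1`, whereas the `deserialize_12_lemma` interface in the following hunk states `bounded (Seq.index result.f_elements i) 12`; unless this is an artefact of how the page was extracted, the bit-vector lemma should say `12` so the two statements agree. This is pre-existing rather than introduced by the commit, but the commit rewrites the surrounding lines, so it is cheap to fold in; the `deserialize_10` counterpart in the `@@ -463,18 +495,18 @@` hunk uses `10` consistently in both places.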
@@ -716,10 +784,10 @@ val deserialize_12_lemma (inputs: t_Array u8 (sz 24)) : Lemma " #push-options \"--z3rlimit 300\" -let deserialize_12_lemma inputs = - deserialize_12_bit_vec_lemma inputs; - deserialize_12_bit_vec_lemma_bounded inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_12} inputs).f_elements 12) +let deserialize_12_lemma inputs out = + deserialize_12_bit_vec_lemma inputs out; + deserialize_12_bit_vec_lemma_bounded inputs out; + BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (deserialize_12_ inputs out).f_elements 12) (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) #pop-options 
@@ -730,19 +798,13 @@ let deserialize_12_lemma inputs = ${bytes.len() == 24} "#))] #[inline(always)] -pub(crate) fn deserialize_12(bytes: &[U8]) -> PortableVector { - let v0_1 = deserialize_12_int(&bytes[0..3]); - let v2_3 = deserialize_12_int(&bytes[3..6]); - let v4_5 = deserialize_12_int(&bytes[6..9]); - let v6_7 = deserialize_12_int(&bytes[9..12]); - let v8_9 = deserialize_12_int(&bytes[12..15]); - let v10_11 = deserialize_12_int(&bytes[15..18]); - let v12_13 = deserialize_12_int(&bytes[18..21]); - let v14_15 = deserialize_12_int(&bytes[21..24]); - PortableVector { - elements: [ - v0_1.0, v0_1.1, v2_3.0, v2_3.1, v4_5.0, v4_5.1, v6_7.0, v6_7.1, v8_9.0, v8_9.1, - v10_11.0, v10_11.1, v12_13.0, v12_13.1, v14_15.0, v14_15.1, - ], - } +pub(crate) fn deserialize_12(bytes: &[U8], out: &mut PortableVector) { + (out.elements[0], out.elements[1]) = deserialize_12_int(&bytes[0..3]); + (out.elements[2], out.elements[3]) = deserialize_12_int(&bytes[3..6]); + (out.elements[4], out.elements[5]) = deserialize_12_int(&bytes[6..9]); + (out.elements[6], out.elements[7]) = deserialize_12_int(&bytes[9..12]); + (out.elements[8], out.elements[9]) = deserialize_12_int(&bytes[12..15]); + (out.elements[10], out.elements[11]) = deserialize_12_int(&bytes[15..18]); + (out.elements[12], out.elements[13]) = deserialize_12_int(&bytes[18..21]); + (out.elements[14], out.elements[15]) = deserialize_12_int(&bytes[21..24]); } diff --git a/libcrux-ml-kem/src/vector/portable/vector_type.rs b/libcrux-ml-kem/src/vector/portable/vector_type.rs index 300eba2cf..f7cbfb6e7 100644 --- a/libcrux-ml-kem/src/vector/portable/vector_type.rs +++ b/libcrux-ml-kem/src/vector/portable/vector_type.rs 
@@ -19,28 +19,27 @@ pub fn zero() -> PortableVector { } #[inline(always)] -#[hax_lib::ensures(|result| fstar!(r#"${result} == ${x}.f_elements"#))] -pub fn to_i16_array(x: PortableVector) -> [I16; 16] { - x.elements +#[hax_lib::requires(fstar!(r#"Seq.length ${out} == 16"#))] +#[hax_lib::ensures(|_| fstar!(r#"${out}_future == ${x}.f_elements"#))] +pub fn to_i16_array(x: &PortableVector, out: &mut [i16]) { + debug_assert!(out.len() >= 16); + + out[0..16].copy_from_slice(&x.elements.declassify()); } #[inline(always)] #[hax_lib::requires(array.len() == 16)] -#[hax_lib::ensures(|result| fstar!(r#"${result}.f_elements == $array"#))] -pub fn from_i16_array(array: &[I16]) -> PortableVector { - PortableVector { - elements: array[0..16].try_into().unwrap(), - } +#[hax_lib::ensures(|_| fstar!(r#"${out}_future.f_elements == $array"#))] +pub fn from_i16_array(array: &[I16], out: &mut PortableVector) { + out.elements.copy_from_slice(&array[0..16]); } #[inline(always)] #[hax_lib::requires(array.len() >= 32)] -pub(super) fn from_bytes(array: &[U8]) -> PortableVector { - let mut elements = [I16(0); FIELD_ELEMENTS_IN_VECTOR]; +pub(super) fn from_bytes(array: &[U8], out: &mut PortableVector) { for i in 0..FIELD_ELEMENTS_IN_VECTOR { - elements[i] = (array[2 * i].as_i16()) << 8 | array[2 * i + 1].as_i16(); + out.elements[i] = (array[2 * i].as_i16()) << 8 | array[2 * i + 1].as_i16(); } - PortableVector { elements } } #[inline(always)] diff --git a/libcrux-ml-kem/src/vector/traits.rs b/libcrux-ml-kem/src/vector/traits.rs index 06d023bfe..cb526951a 100644 --- a/libcrux-ml-kem/src/vector/traits.rs +++ b/libcrux-ml-kem/src/vector/traits.rs 
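Review bot: `to_i16_array` checks `debug_assert!(out.len() >= 16)` while its own `#[hax_lib::requires(fstar!(r#"Seq.length ${out} == 16"#))]` and the trait's `#[requires(out.len() == 16)]` demand exactly 16; change the runtime check to `debug_assert!(out.len() == 16);` so the debug build enforces the same contract the proofs assume, or relax the `requires` to `>= 16` if longer buffers are intended. The `x.elements.declassify()` call also turns the whole secret vector into public `i16`s in one step; a short comment stating why that declassification is acceptable at this boundary (presumably because callers only use it for public data or for test comparison — I cannot confirm that from this hunk) would help the next reader, since after this point the type checker no longer flags secret-dependent use of `out`.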
@@ -20,41 +20,513 @@ pub trait Repr: Copy + Clone { pub trait Repr {} #[cfg(hax)] -mod spec { +pub(crate) mod spec { pub(crate) fn add_pre(lhs: &[i16; 16], rhs: &[i16; 16]) -> hax_lib::Prop { hax_lib::fstar_prop_expr!( - r#"forall i. i < 16 ==> + r#"forall i. Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs} i) + v (Seq.index ${rhs} i))"# ) } + #[hax_lib::fstar::before(r#"[@@ "opaque_to_smt"]"#)] pub(crate) fn add_post(lhs: &[i16; 16], rhs: &[i16; 16], result: &[i16; 16]) -> hax_lib::Prop { hax_lib::fstar_prop_expr!( - r#"forall i. i < 16 ==> - (v (Seq.index ${result} i) == - v (Seq.index ${lhs} i) + v (Seq.index ${rhs} i))"# + r#"forall i. + v (Seq.index ${result} i) == + v (Seq.index ${lhs} i) + v (Seq.index ${rhs} i)"# + ) + } + + pub(crate) fn sub_pre(lhs: &[i16; 16], rhs: &[i16; 16]) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#"forall i. + Spec.Utils.is_intb (pow2 15 - 1) + (v (Seq.index ${lhs} i) - v (Seq.index ${rhs} i))"# + ) + } + + pub(crate) fn sub_post(lhs: &[i16; 16], rhs: &[i16; 16], result: &[i16; 16]) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#"forall i. + v (Seq.index ${result} i) == + v (Seq.index ${lhs} i) - v (Seq.index ${rhs} i)"# + ) + } + + pub(crate) fn negate_pre(vec: &[i16; 16]) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#"forall i. + Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${vec} i))"# + ) + } + + pub(crate) fn negate_post(vec: &[i16; 16], result: &[i16; 16]) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#"forall i. + v (Seq.index ${result} i) == + - (v (Seq.index ${vec} i))"# + ) + } + + pub(crate) fn multiply_by_constant_pre(vec: &[i16; 16], c: i16) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#"forall i. + Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${vec} i) * v $c)"# + ) + } + + pub(crate) fn multiply_by_constant_post( + vec: &[i16; 16], + c: i16, + result: &[i16; 16], + ) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#"forall i. 
+ v (Seq.index ${result} i) == + v (Seq.index ${vec} i) * v $c"# + ) + } + + pub(crate) fn bitwise_and_with_constant_constant_post( + vec: &[i16; 16], + c: i16, + result: &[i16; 16], + ) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#"$result == + Spec.Utils.map_array (fun x -> x &. $c) $vec"# + ) + } + + pub(crate) fn shift_right_post( + vec: &[i16; 16], + shift_by: i32, + result: &[i16; 16], + ) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#"(v $shift_by >= 0 /\ v $shift_by < 16) ==> + $result == + Spec.Utils.map_array (fun x -> x >>! ${shift_by}) $vec"# + ) + } + + pub(crate) fn cond_subtract_3329_pre(vec: &[i16; 16]) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!(r#"Spec.Utils.is_i16b_array (pow2 12 - 1) $vec"#) + } + + pub(crate) fn cond_subtract_3329_post(vec: &[i16; 16], result: &[i16; 16]) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#"$result == + Spec.Utils.map_array (fun x -> + if x >=. (mk_i16 3329) then + x -! (mk_i16 3329) + else x) $vec"# + ) + } + + pub(crate) fn barrett_reduce_pre(vec: &[i16; 16]) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!(r#"Spec.Utils.is_i16b_array 28296 $vec"#) + } + + pub(crate) fn barrett_reduce_post(vec: &[i16; 16], result: &[i16; 16]) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#"Spec.Utils.is_i16b_array 3328 ${result} /\ + (forall i. (v (Seq.index ${result} i) % 3329) == + (v (Seq.index ${vec} i) % 3329))"# + ) + } + + pub(crate) fn montgomery_multiply_by_constant_pre(vec: &[i16; 16], c: i16) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!(r#"Spec.Utils.is_i16b 1664 c"#) + } + + pub(crate) fn montgomery_multiply_by_constant_post( + vec: &[i16; 16], + c: i16, + result: &[i16; 16], + ) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#"Spec.Utils.is_i16b_array 3328 ${result} /\ + (forall i. 
((v (Seq.index ${result} i) % 3329)== + (v (Seq.index ${vec} i) * v ${c} * 169) % 3329))"# + ) + } + + pub(crate) fn to_unsigned_representative_pre(vec: &[i16; 16]) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!(r#"Spec.Utils.is_i16b_array 3328 ${vec}"#) + } + + pub(crate) fn to_unsigned_representative_post( + vec: &[i16; 16], + result: &[i16; 16], + ) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#"forall i. + let x = Seq.index ${vec} i in + let y = Seq.index ${result} i in + (v y >= 0 /\ v y <= 3328 /\ (v y % 3329 == v x % 3329))"# + ) + } + + pub(crate) fn compress_1_pre(vec: &[i16; 16]) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#"forall i. + v (Seq.index ${vec} i) >= 0 /\ + v (Seq.index ${vec} i) < 3329"# + ) + } + + pub(crate) fn compress_1_post(vec: &[i16; 16], result: &[i16; 16]) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!(r#"forall i. bounded (Seq.index ${result} i) 1"#) + } + + pub(crate) fn compress_pre(vec: &[i16; 16], coefficient_bits: i32) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#"(v $coefficient_bits == 4 \/ + v $coefficient_bits == 5 \/ + v $coefficient_bits == 10 \/ + v $coefficient_bits == 11) /\ + (forall i. + v (Seq.index $vec i) >= 0 /\ + v (Seq.index $vec i) < 3329)"# + ) + } + + pub(crate) fn compress_post( + vec: &[i16; 16], + coefficient_bits: i32, + result: &[i16; 16], + ) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#"(v $coefficient_bits == 4 \/ + v $coefficient_bits == 5 \/ + v $coefficient_bits == 10 \/ + v $coefficient_bits == 11) ==> + (forall i. bounded (Seq.index ${result} i) (v $coefficient_bits))"# + ) + } + + pub(crate) fn decompress_1_pre(vec: &[i16; 16]) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#"forall i. 
+ let x = Seq.index ${vec} i in + (x == mk_i16 0 \/ x == mk_i16 1)"# + ) + } + + pub(crate) fn decompress_ciphertext_coefficient_pre( + vec: &[i16; 16], + coefficient_bits: i32, + ) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#"(v $coefficient_bits == 4 \/ + v $coefficient_bits == 5 \/ + v $coefficient_bits == 10 \/ + v $coefficient_bits == 11) /\ + (forall i. + v (Seq.index $vec i) >= 0 /\ + v (Seq.index $vec i) < pow2 (v $coefficient_bits))"# + ) + } + + pub(crate) fn ntt_layer_1_step_pre( + vec: &[i16; 16], + zeta0: i16, + zeta1: i16, + zeta2: i16, + zeta3: i16, + ) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#" Spec.Utils.is_i16b 1664 $zeta0 /\ Spec.Utils.is_i16b 1664 $zeta1 /\ + Spec.Utils.is_i16b 1664 $zeta2 /\ Spec.Utils.is_i16b 1664 $zeta3 /\ + Spec.Utils.is_i16b_array (11207+5*3328) ${vec}"# + ) + } + + pub(crate) fn ntt_layer_1_step_post( + vec: &[i16; 16], + zeta0: i16, + zeta1: i16, + zeta2: i16, + zeta3: i16, + result: &[i16; 16], + ) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!(r#"Spec.Utils.is_i16b_array (11207+6*3328) ${result}"#) + } + + pub(crate) fn ntt_layer_2_step_pre(vec: &[i16; 16], zeta0: i16, zeta1: i16) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#" Spec.Utils.is_i16b 1664 $zeta0 /\ Spec.Utils.is_i16b 1664 $zeta1 /\ + Spec.Utils.is_i16b_array (11207+4*3328) ${vec}"# + ) + } + + pub(crate) fn ntt_layer_2_step_post( + vec: &[i16; 16], + zeta0: i16, + zeta1: i16, + result: &[i16; 16], + ) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!(r#"Spec.Utils.is_i16b_array (11207+5*3328) ${result}"#) + } + + pub(crate) fn ntt_layer_3_step_pre(vec: &[i16; 16], zeta0: i16) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#" Spec.Utils.is_i16b 1664 $zeta0 /\ + Spec.Utils.is_i16b_array (11207+3*3328) ${vec}"# + ) + } + + pub(crate) fn ntt_layer_3_step_post( + vec: &[i16; 16], + zeta0: i16, + result: &[i16; 16], + ) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!(r#"Spec.Utils.is_i16b_array (11207+4*3328) ${result}"#) + } + + 
pub(crate) fn inv_ntt_layer_1_step_pre( + vec: &[i16; 16], + zeta0: i16, + zeta1: i16, + zeta2: i16, + zeta3: i16, + ) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#" Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ + Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ + Spec.Utils.is_i16b_array (4*3328) ${vec}"# + ) + } + + pub(crate) fn inv_ntt_layer_1_step_post( + vec: &[i16; 16], + zeta0: i16, + zeta1: i16, + zeta2: i16, + zeta3: i16, + result: &[i16; 16], + ) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!(r#"Spec.Utils.is_i16b_array 3328 ${result}"#) + } + + pub(crate) fn inv_ntt_layer_2_step_pre( + vec: &[i16; 16], + zeta0: i16, + zeta1: i16, + ) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#" Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ + Spec.Utils.is_i16b_array 3328 ${vec}"# + ) + } + + pub(crate) fn inv_ntt_layer_2_step_post( + vec: &[i16; 16], + zeta0: i16, + zeta1: i16, + result: &[i16; 16], + ) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!(r#"Spec.Utils.is_i16b_array 3328 ${result}"#) + } + + pub(crate) fn inv_ntt_layer_3_step_pre(vec: &[i16; 16], zeta0: i16) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#" Spec.Utils.is_i16b 1664 $zeta0 /\ + Spec.Utils.is_i16b_array 3328 ${vec}"# + ) + } + + pub(crate) fn inv_ntt_layer_3_step_post( + vec: &[i16; 16], + zeta0: i16, + result: &[i16; 16], + ) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!(r#"Spec.Utils.is_i16b_array 3328 ${result}"#) + } + + pub(crate) fn ntt_multiply_pre( + lhs: &[i16; 16], + rhs: &[i16; 16], + out: &[i16; 16], + zeta0: i16, + zeta1: i16, + zeta2: i16, + zeta3: i16, + ) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#" Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ + Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ + Spec.Utils.is_i16b_array 3328 ${lhs} /\ + Spec.Utils.is_i16b_array 3328 ${rhs} "# + ) + } + + pub(crate) fn ntt_multiply_post( + lhs: &[i16; 16], + rhs: &[i16; 16], 
+ out: &[i16; 16], + zeta0: i16, + zeta1: i16, + zeta2: i16, + zeta3: i16, + result: &[i16; 16], + ) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!(r#"Spec.Utils.is_i16b_array 3328 ${result}"#) + } + + pub(crate) fn serialize_1_pre(vec: &[i16; 16], out: &[u8]) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#" + Seq.length ${out} == 2 /\ + Spec.MLKEM.serialize_pre 1 $vec"# + ) + } + + pub(crate) fn serialize_1_post(vec: &[i16; 16], out: &[u8], result: &[u8]) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#" + Seq.length ${result} == 2 /\ + (Spec.MLKEM.serialize_pre 1 $vec ==> + Spec.MLKEM.serialize_post 1 ${vec} ${result})"# + ) + } + + pub(crate) fn deserialize_1_pre(input: &[u8], out: &[i16; 16]) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!(r#"Seq.length ${input} == 2"#) + } + + pub(crate) fn deserialize_1_post( + input: &[u8], + out: &[i16; 16], + result: &[i16; 16], + ) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#" + Seq.length ${input} == 2 ==> + Spec.MLKEM.deserialize_post 1 ${input} ${result}"# + ) + } + + pub(crate) fn serialize_4_pre(vec: &[i16; 16], out: &[u8]) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#" + Seq.length ${out} == 8 /\ + Spec.MLKEM.serialize_pre 4 $vec"# + ) + } + + pub(crate) fn serialize_4_post(vec: &[i16; 16], out: &[u8], result: &[u8]) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#" + Seq.length ${result} == 8 /\ + (Spec.MLKEM.serialize_pre 4 $vec ==> + Spec.MLKEM.serialize_post 4 ${vec} ${result})"# + ) + } + + pub(crate) fn deserialize_4_pre(input: &[u8], out: &[i16; 16]) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!(r#"Seq.length ${input} == 8"#) + } + + pub(crate) fn deserialize_4_post( + input: &[u8], + out: &[i16; 16], + result: &[i16; 16], + ) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#" + Seq.length ${input} == 8 ==> + Spec.MLKEM.deserialize_post 4 ${input} ${result}"# + ) + } + + pub(crate) fn serialize_10_pre(vec: &[i16; 16], out: &[u8]) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + 
r#" + Seq.length ${out} == 20 /\ + Spec.MLKEM.serialize_pre 10 $vec"# + ) + } + + pub(crate) fn serialize_10_post(vec: &[i16; 16], out: &[u8], result: &[u8]) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#" + Seq.length ${result} == 20 /\ + (Spec.MLKEM.serialize_pre 10 $vec ==> + Spec.MLKEM.serialize_post 10 ${vec} ${result})"# + ) + } + + pub(crate) fn deserialize_10_pre(input: &[u8], out: &[i16; 16]) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!(r#"Seq.length ${input} == 20"#) + } + + pub(crate) fn deserialize_10_post( + input: &[u8], + out: &[i16; 16], + result: &[i16; 16], + ) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#" + Seq.length ${input} == 20 ==> + Spec.MLKEM.deserialize_post 10 ${input} ${result}"# + ) + } + + pub(crate) fn serialize_12_pre(vec: &[i16; 16], out: &[u8]) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#" + Seq.length ${out} == 24 /\ + Spec.MLKEM.serialize_pre 12 $vec"# + ) + } + + pub(crate) fn serialize_12_post(vec: &[i16; 16], out: &[u8], result: &[u8]) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#" + Seq.length ${result} == 24 /\ + (Spec.MLKEM.serialize_pre 12 $vec ==> + Spec.MLKEM.serialize_post 12 ${vec} ${result})"# + ) + } + + pub(crate) fn deserialize_12_pre(input: &[u8], out: &[i16; 16]) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!(r#"Seq.length ${input} == 24"#) + } + + pub(crate) fn deserialize_12_post( + input: &[u8], + out: &[i16; 16], + result: &[i16; 16], + ) -> hax_lib::Prop { + hax_lib::fstar_prop_expr!( + r#" + Seq.length ${input} == 24 ==> + Spec.MLKEM.deserialize_post 12 ${input} ${result}"# ) } } #[hax_lib::attributes] +// XXX: Want to drop `Copy` bound here, but can't, because of Eurydice issue. 
pub trait Operations: Copy + Clone + Repr { #[allow(non_snake_case)] #[requires(true)] - #[ensures(|result| fstar!(r#"f_repr $result == Seq.create 16 (mk_i16 0)"#))] + #[ensures(|result| result.repr() == [0i16; 16])] fn ZERO() -> Self; #[requires(array.len() == 16)] - #[ensures(|result| fstar!(r#"f_repr $result == $array"#))] - fn from_i16_array(array: &[i16]) -> Self; + #[ensures(|_| future(out).repr() == array)] + fn from_i16_array(array: &[i16], out: &mut Self); - #[requires(true)] - #[ensures(|result| fstar!(r#"f_repr $x == $result"#))] - fn to_i16_array(x: Self) -> [i16; 16]; + #[requires(out.len() == 16)] + #[ensures(|_| future(out) == x.repr())] + fn to_i16_array(x: &Self, out: &mut [i16]); #[requires(array.len() >= 32)] - fn from_bytes(array: &[u8]) -> Self; + fn from_bytes(array: &[u8], out: &mut Self); #[requires(bytes.len() >= 32)] #[ensures(|_| future(bytes).len() == bytes.len())] 
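Review bot: Several of the new spec predicates reference parameters without hax interpolation: `montgomery_multiply_by_constant_pre` writes `is_i16b 1664 c`, and `inv_ntt_layer_1_step_pre`, `inv_ntt_layer_2_step_pre` and `ntt_multiply_pre` write bare `zeta0` … `zeta3`, whereas the sibling predicates (`multiply_by_constant_pre`, `ntt_layer_1_step_pre`, `ntt_layer_2_step_pre`) use `$c` / `$zeta0`. If these verify today it is presumably only because the extracted F* binder happens to keep the Rust name; they should be made uniform, e.g. `r#"Spec.Utils.is_i16b 1664 $c"#` and `Spec.Utils.is_i16b 1664 $zeta0 /\ Spec.Utils.is_i16b 1664 $zeta1 /\ ...`. `bitwise_and_with_constant_constant_post` also has a doubled `constant` in its name (mirrored in the trait's `ensures`). Finally, the now-`pub(crate)` `spec` module would benefit from a `//!` line stating that it holds only the hax-facing pre/postconditions for `Operations` and is compiled under `#[cfg(hax)]`, so readers do not look for it in a normal build.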
@@ -62,155 +534,174 @@ pub trait Operations: Copy + Clone + Repr { // Basic arithmetic #[requires(spec::add_pre(&lhs.repr(), &rhs.repr()))] - #[ensures(|result| spec::add_post(&lhs.repr(), &rhs.repr(), &result.repr()))] - fn add(lhs: Self, rhs: &Self) -> Self; - - #[requires(fstar!(r#"forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (f_repr ${lhs}) i) - v (Seq.index (f_repr ${rhs}) i))"#))] - #[ensures(|result| fstar!(r#"forall i. i < 16 ==> - (v (Seq.index (f_repr ${result}) i) == - v (Seq.index (f_repr ${lhs}) i) - v (Seq.index (f_repr ${rhs}) i))"#))] - fn sub(lhs: Self, rhs: &Self) -> Self; - - #[requires(fstar!(r#"forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (f_repr ${vec}) i) * v c)"#))] - #[ensures(|result| fstar!(r#"forall i. i < 16 ==> - (v (Seq.index (f_repr ${result}) i) == - v (Seq.index (f_repr ${vec}) i) * v c)"#))] - fn multiply_by_constant(vec: Self, c: i16) -> Self; + #[ensures(|_| spec::add_post(&lhs.repr(), &rhs.repr(), &future(lhs).repr()))] + fn add(lhs: &mut Self, rhs: &Self); + + #[requires(spec::sub_pre(&lhs.repr(), &rhs.repr()))] + #[ensures(|_| spec::sub_post(&lhs.repr(), &rhs.repr(), &future(lhs).repr()))] + fn sub(lhs: &mut Self, rhs: &Self); + + #[requires(spec::negate_pre(&vec.repr()))] + #[ensures(|_| spec::negate_post(&vec.repr(), &future(vec).repr()))] + fn negate(vec: &mut Self); + + #[requires(spec::multiply_by_constant_pre(&vec.repr(), c))] + #[ensures(|_| spec::multiply_by_constant_post(&vec.repr(), c, &future(vec).repr()))] + fn multiply_by_constant(vec: &mut Self, c: i16); + + // Bitwise operations + #[requires(true)] + #[ensures(|_| spec::bitwise_and_with_constant_constant_post(&vec.repr(), c, &future(vec).repr()))] + fn bitwise_and_with_constant(vec: &mut Self, c: i16); + + #[requires(SHIFT_BY >= 0 && SHIFT_BY < 16)] + #[ensures(|_| spec::shift_right_post(&vec.repr(), SHIFT_BY, &future(vec).repr()))] + fn shift_right(vec: &mut Self); // Modular operations - 
#[requires(fstar!(r#"Spec.Utils.is_i16b_array (pow2 12 - 1) (f_repr $v)"#))] - #[ensures(|result| fstar!(r#"f_repr $result == Spec.Utils.map_array (fun x -> if x >=. (mk_i16 3329) then x -! (mk_i16 3329) else x) (f_repr $v)"#))] - fn cond_subtract_3329(v: Self) -> Self; - - #[requires(fstar!(r#"Spec.Utils.is_i16b_array 28296 (f_repr $vector)"#))] - #[ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 (f_repr ${result}) /\ - (forall i. (v (Seq.index (f_repr ${result}) i) % 3329) == - (v (Seq.index (f_repr ${vector})i) % 3329))"#))] - fn barrett_reduce(vector: Self) -> Self; - - #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 constant"#))] - #[ensures(|result| fstar!(r#"Spec.Utils.is_i16b_array 3328 (f_repr ${result}) /\ - (forall i. i < 16 ==> ((v (Seq.index (f_repr ${result}) i) % 3329)== - (v (Seq.index (f_repr ${vector}) i) * v ${constant} * 169) % 3329))"#))] - fn montgomery_multiply_by_constant(vector: Self, constant: i16) -> Self; - - #[requires(fstar!(r#"Spec.Utils.is_i16b_array 3328 (f_repr a)"#))] - #[ensures(|result| fstar!(r#"forall (i:nat). 
i < 16 ==> - (let x = Seq.index (f_repr ${a}) i in - let y = Seq.index (f_repr ${result}) i in - (v y >= 0 /\ v y <= 3328 /\ (v y % 3329 == v x % 3329)))"#))] - fn to_unsigned_representative(a: Self) -> Self; + #[requires(spec::cond_subtract_3329_pre(&vec.repr()))] + #[ensures(|_| spec::cond_subtract_3329_post(&vec.repr(), &future(vec).repr()))] + fn cond_subtract_3329(vec: &mut Self); + + #[requires(spec::barrett_reduce_pre(&vec.repr()))] + #[ensures(|_| spec::barrett_reduce_post(&vec.repr(), &future(vec).repr()))] + fn barrett_reduce(vec: &mut Self); + + #[requires(spec::montgomery_multiply_by_constant_pre(&vec.repr(), c))] + #[ensures(|_| spec::montgomery_multiply_by_constant_post(&vec.repr(), c, &future(vec).repr()))] + fn montgomery_multiply_by_constant(vec: &mut Self, c: i16); + + #[requires(spec::to_unsigned_representative_pre(&vec.repr()))] + #[ensures(|result| spec::to_unsigned_representative_post(&vec.repr(), &result.repr()))] + fn to_unsigned_representative(vec: Self) -> Self; // Compression - #[requires(fstar!(r#"forall (i:nat). i < 16 ==> v (Seq.index (f_repr $a) i) >= 0 /\ - v (Seq.index (f_repr $a) i) < 3329"#))] - #[ensures(|result| fstar!(r#"forall (i:nat). i < 16 ==> bounded (Seq.index (f_repr $result) i) 1"#))] - fn compress_1(a: Self) -> Self; - #[requires(fstar!(r#"(v $COEFFICIENT_BITS == 4 \/ - v $COEFFICIENT_BITS == 5 \/ - v $COEFFICIENT_BITS == 10 \/ - v $COEFFICIENT_BITS == 11) /\ - (forall (i:nat). i < 16 ==> v (Seq.index (f_repr $a) i) >= 0 /\ - v (Seq.index (f_repr $a) i) < 3329)"#))] - #[ensures(|result| fstar!(r#"(v $COEFFICIENT_BITS == 4 \/ - v $COEFFICIENT_BITS == 5 \/ - v $COEFFICIENT_BITS == 10 \/ - v $COEFFICIENT_BITS == 11) ==> - (forall (i:nat). i < 16 ==> bounded (Seq.index (f_repr $result) i) (v $COEFFICIENT_BITS))"#))] - fn compress(a: Self) -> Self; - - #[hax_lib::requires(fstar!(r#"forall (i:nat). 
i < 16 ==> - (let x = Seq.index (f_repr ${a}) i in - (x == mk_i16 0 \/ x == mk_i16 1))"#))] - fn decompress_1(a: Self) -> Self; - - #[requires(fstar!(r#"(v $COEFFICIENT_BITS == 4 \/ - v $COEFFICIENT_BITS == 5 \/ - v $COEFFICIENT_BITS == 10 \/ - v $COEFFICIENT_BITS == 11) /\ - (forall (i:nat). i < 16 ==> v (Seq.index (f_repr $a) i) >= 0 /\ - v (Seq.index (f_repr $a) i) < pow2 (v $COEFFICIENT_BITS))"#))] - fn decompress_ciphertext_coefficient(a: Self) -> Self; + #[requires(spec::compress_1_pre(&vec.repr()))] + #[ensures(|_| spec::compress_1_post(&vec.repr(), &future(vec).repr()))] + fn compress_1(vec: &mut Self); + + #[requires(spec::compress_pre(&vec.repr(), COEFFICIENT_BITS))] + #[ensures(|_| spec::compress_post(&vec.repr(), COEFFICIENT_BITS, &future(vec).repr()))] + fn compress(vec: &mut Self); + + #[hax_lib::requires(spec::decompress_1_pre(&vec.repr()))] + fn decompress_1(vec: Self) -> Self; + + #[requires(spec::decompress_ciphertext_coefficient_pre(&vec.repr(), COEFFICIENT_BITS))] + fn decompress_ciphertext_coefficient(vec: &mut Self); // NTT - #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array (11207+5*3328) (f_repr ${a})"#))] - #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+6*3328) (f_repr $out)"#))] - fn ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self; - #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b_array (11207+4*3328) (f_repr ${a})"#))] - #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+5*3328) (f_repr $out)"#))] - fn ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self; - #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta /\ - Spec.Utils.is_i16b_array (11207+3*3328) (f_repr ${a})"#))] - #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array (11207+4*3328) (f_repr $out)"#))] - fn ntt_layer_3_step(a: Self, zeta: 
i16) -> Self; - - #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array (4 * 3328) (f_repr ${a})"#))] - #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (f_repr $out)"#))] - fn inv_ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self; - #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b_array 3328 (f_repr ${a})"#))] - #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (f_repr $out)"#))] - fn inv_ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self; - #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta/\ - Spec.Utils.is_i16b_array 3328 (f_repr ${a})"#))] - #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (f_repr $out)"#))] - fn inv_ntt_layer_3_step(a: Self, zeta: i16) -> Self; - - #[requires(fstar!(r#"Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array 3328 (f_repr ${lhs}) /\ - Spec.Utils.is_i16b_array 3328 (f_repr ${rhs}) "#))] - #[ensures(|out| fstar!(r#"Spec.Utils.is_i16b_array 3328 (f_repr $out)"#))] - fn ntt_multiply(lhs: &Self, rhs: &Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) - -> Self; + #[requires(spec::ntt_layer_1_step_pre(&vec.repr(), zeta0, zeta1, zeta2, zeta3))] + #[ensures(|_| spec::ntt_layer_1_step_post(&vec.repr(), zeta0, zeta1, zeta2, zeta3, &future(vec).repr()))] + fn ntt_layer_1_step(vec: &mut Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16); + + #[requires(spec::ntt_layer_2_step_pre(&vec.repr(), zeta0, zeta1))] + #[ensures(|_| spec::ntt_layer_2_step_post(&vec.repr(), zeta0, zeta1, &future(vec).repr()))] + fn ntt_layer_2_step(vec: &mut Self, zeta0: i16, zeta1: i16); + + #[requires(spec::ntt_layer_3_step_pre(&vec.repr(), zeta0))] + #[ensures(|_| spec::ntt_layer_3_step_post(&vec.repr(), zeta0, 
&future(vec).repr()))] + fn ntt_layer_3_step(vec: &mut Self, zeta0: i16); + + #[requires(spec::inv_ntt_layer_1_step_pre(&vec.repr(), zeta0, zeta1, zeta2, zeta3))] + #[ensures(|_| spec::inv_ntt_layer_1_step_post(&vec.repr(), zeta0, zeta1, zeta2, zeta3, &future(vec).repr()))] + fn inv_ntt_layer_1_step(vec: &mut Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16); + + #[requires(spec::inv_ntt_layer_2_step_pre(&vec.repr(), zeta0, zeta1))] + #[ensures(|_| spec::inv_ntt_layer_2_step_post(&vec.repr(), zeta0, zeta1, &future(vec).repr()))] + fn inv_ntt_layer_2_step(vec: &mut Self, zeta0: i16, zeta1: i16); + + #[requires(spec::inv_ntt_layer_3_step_pre(&vec.repr(), zeta0))] + #[ensures(|_| spec::inv_ntt_layer_3_step_post(&vec.repr(), zeta0, &future(vec).repr()))] + fn inv_ntt_layer_3_step(vec: &mut Self, zeta0: i16); + + #[requires(spec::ntt_multiply_pre(&lhs.repr(), &rhs.repr(), &out.repr(),zeta0, zeta1, zeta2, zeta3))] + #[ensures(|_| spec::ntt_multiply_post(&lhs.repr(), &rhs.repr(), &out.repr(),zeta0, zeta1, zeta2, zeta3, &future(out).repr()))] + fn ntt_multiply( + lhs: &Self, + rhs: &Self, + out: &mut Self, + zeta0: i16, + zeta1: i16, + zeta2: i16, + zeta3: i16, + ); // Serialization and deserialization - #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 1 (f_repr $a)"#))] - #[ensures(|result| fstar!(r#"Spec.MLKEM.serialize_pre 1 (f_repr $a) ==> Spec.MLKEM.serialize_post 1 (f_repr $a) $result"#))] - fn serialize_1(a: Self) -> [u8; 2]; - #[requires(a.len() == 2)] - #[ensures(|result| fstar!(r#"sz (Seq.length $a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $a (f_repr $result)"#))] - fn deserialize_1(a: &[u8]) -> Self; - - #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 4 (f_repr $a)"#))] - #[ensures(|result| fstar!(r#"Spec.MLKEM.serialize_pre 4 (f_repr $a) ==> Spec.MLKEM.serialize_post 4 (f_repr $a) $result"#))] - fn serialize_4(a: Self) -> [u8; 8]; - #[requires(a.len() == 8)] - #[ensures(|result| fstar!(r#"sz (Seq.length $a) =. 
sz 8 ==> Spec.MLKEM.deserialize_post 4 $a (f_repr $result)"#))] - fn deserialize_4(a: &[u8]) -> Self; - - fn serialize_5(a: Self) -> [u8; 10]; - #[requires(a.len() == 10)] - fn deserialize_5(a: &[u8]) -> Self; - - #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 10 (f_repr $a)"#))] - #[ensures(|result| fstar!(r#"Spec.MLKEM.serialize_pre 10 (f_repr $a) ==> Spec.MLKEM.serialize_post 10 (f_repr $a) $result"#))] - fn serialize_10(a: Self) -> [u8; 20]; - #[requires(a.len() == 20)] - #[ensures(|result| fstar!(r#"sz (Seq.length $a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 $a (f_repr $result)"#))] - fn deserialize_10(a: &[u8]) -> Self; - - fn serialize_11(a: Self) -> [u8; 22]; - #[requires(a.len() == 22)] - fn deserialize_11(a: &[u8]) -> Self; - - #[requires(fstar!(r#"Spec.MLKEM.serialize_pre 12 (f_repr $a)"#))] - #[ensures(|result| fstar!(r#"Spec.MLKEM.serialize_pre 12 (f_repr $a) ==> Spec.MLKEM.serialize_post 12 (f_repr $a) $result"#))] - fn serialize_12(a: Self) -> [u8; 24]; - #[requires(a.len() == 24)] - #[ensures(|result| fstar!(r#"sz (Seq.length $a) =. 
sz 24 ==> Spec.MLKEM.deserialize_post 12 $a (f_repr $result)"#))] - fn deserialize_12(a: &[u8]) -> Self; + #[requires(spec::serialize_1_pre(&vec.repr(), &out))] + #[ensures(|_| spec::serialize_1_post(&vec.repr(), &out, &future(out)))] + fn serialize_1(vec: &Self, out: &mut [u8]); + + #[requires(spec::deserialize_1_pre(&input, &out.repr()))] + #[ensures(|_| spec::deserialize_1_post(&input, &out.repr(), &future(out).repr()))] + fn deserialize_1(input: &[u8], out: &mut Self); + + #[requires(spec::serialize_4_pre(&vec.repr(), &out))] + #[ensures(|_| spec::serialize_4_post(&vec.repr(), &out, &future(out)))] + fn serialize_4(vec: &Self, out: &mut [u8]); + + #[requires(spec::deserialize_4_pre(&input, &out.repr()))] + #[ensures(|_| spec::deserialize_4_post(&input, &out.repr(), &future(out).repr()))] + fn deserialize_4(input: &[u8], out: &mut Self); + + fn serialize_5(vec: &Self, out: &mut [u8]); + + #[requires(input.len() == 10)] + fn deserialize_5(input: &[u8], out: &mut Self); + + #[requires(spec::serialize_10_pre(&vec.repr(), &out))] + #[ensures(|_| spec::serialize_10_post(&vec.repr(), &out, &future(out)))] + fn serialize_10(vec: &Self, out: &mut [u8]); + + #[requires(spec::deserialize_10_pre(&input, &out.repr()))] + #[ensures(|_| spec::deserialize_10_post(&input, &out.repr(), &future(out).repr()))] + fn deserialize_10(input: &[u8], out: &mut Self); + + fn serialize_11(vec: &Self, out: &mut [u8]); + + #[requires(input.len() == 22)] + fn deserialize_11(input: &[u8], out: &mut Self); + + #[requires(spec::serialize_12_pre(&vec.repr(), &out))] + #[ensures(|_| spec::serialize_12_post(&vec.repr(), &out, &future(out)))] + fn serialize_12(vec: &Self, out: &mut [u8]); + + #[requires(spec::deserialize_12_pre(&input, &out.repr()))] + #[ensures(|_| spec::deserialize_12_post(&input, &out.repr(), &future(out).repr()))] + fn deserialize_12(input: &[u8], out: &mut Self); #[requires(a.len() == 24 && out.len() == 16)] - #[ensures(|result| - fstar!(r#"Seq.length $out_future == Seq.length 
$out /\ v $result <= 16"#) - )] + #[ensures(|result| result <= 16 && future(out).len() == 16)] fn rej_sample(a: &[u8], out: &mut [i16]) -> usize; } + +// hax does not support trait with default implementations, so we use the following pattern +#[hax_lib::requires(fstar!(r#"Spec.Utils.is_i16b 1664 $fer"#))] +#[inline(always)] +pub fn montgomery_multiply_fe(v: &mut T, fer: i16) { + T::montgomery_multiply_by_constant(v, fer) +} + +#[hax_lib::fstar::options("--z3rlimit 200 --split_queries always")] +#[hax_lib::requires(fstar!(r#"forall i. let x = Seq.index (i0._super_6081346371236564305.f_repr ${vec}) i in + (x == mk_i16 0 \/ x == mk_i16 1)"#))] +#[inline(always)] +pub fn decompress_1(vec: &mut T) { + hax_lib::fstar!( + r#"assert(forall i. let x = Seq.index (i0._super_6081346371236564305.f_repr ${vec}) i in + ((0 - v x) == 0 \/ (0 - v x) == -1))"# + ); + hax_lib::fstar!( + r#"assert(forall i. i < 16 ==> + Spec.Utils.is_intb (pow2 15 - 1) + (0 - v (Seq.index (i0._super_6081346371236564305.f_repr ${vec}) i)))"# + ); + + T::negate(vec); + hax_lib::fstar!( + r#"assert(forall i. Seq.index (i0._super_6081346371236564305.f_repr ${vec}) i == mk_i16 0 \/ + Seq.index (i0._super_6081346371236564305.f_repr ${vec}) i == mk_i16 (-1))"# + ); + hax_lib::fstar!(r#"assert (i0.f_bitwise_and_with_constant_pre ${vec} (mk_i16 1665))"#); + T::bitwise_and_with_constant(vec, 1665); +} diff --git a/libcrux-ml-kem/tests/self.rs b/libcrux-ml-kem/tests/self.rs index 48136f844..68e29f070 100644 --- a/libcrux-ml-kem/tests/self.rs +++ b/libcrux-ml-kem/tests/self.rs 
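Review bot: `serialize_5` and `serialize_11` are the only serializers in this hunk with no length precondition on `out`, while `serialize_1`/`_4`/`_10`/`_12` get one through their `spec::serialize_*_pre` (the `serialize_10_pre`/`serialize_12_pre` added earlier in this diff require `Seq.length out == 20`/`24`) and the matching `deserialize_5`/`deserialize_11` do bound `input.len()`; an implementation writing 10 or 22 bytes into a shorter `out` therefore has no trait-level contract to violate, so add `#[requires(out.len() == 10)]` above `fn serialize_5(vec: &Self, out: &mut [u8]);` and `#[requires(out.len() == 22)]` above `fn serialize_11(vec: &Self, out: &mut [u8]);`. `spec::bitwise_and_with_constant_constant_post` in the `bitwise_and_with_constant` ensures clause looks like a doubled `_constant` and should be checked against the name the spec module actually defines. `to_unsigned_representative` and `decompress_1` keep the by-value `vec: Self -> Self` shape while every other arithmetic method moved to `vec: &mut Self`, and the free `decompress_1` function added at the end of the hunk performs the same operation in place via `negate` and `bitwise_and_with_constant`, so the trait method may now be redundant — worth confirming before both are kept. The F* assertions in that free function hard-code the hax-generated identifier `i0._super_6081346371236564305.f_repr`, which will stop matching without warning if the supertrait hashing changes; a one-line comment naming the trait and method that identifier stands for would help the next maintainer.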
@@ -108,14 +108,14 @@ macro_rules! impl_consistency_unpacked {
 let shared_secret_decapsulated = p::unpacked::decapsulate(&key_pair_unpacked, &ciphertext);
 let shared_secret = p::decapsulate(key_pair.private_key(), &ciphertext);
- assert_eq!(
- shared_secret_unpacked, shared_secret_decapsulated,
- "lhs: shared_secret_unpacked, rhs: shared_secret_decapsulated"
- );
 assert_eq!(
 shared_secret, shared_secret_decapsulated,
 "lhs: shared_secret, rhs: shared_secret_decapsulated"
 );
+ assert_eq!(
+ shared_secret_unpacked, shared_secret_decapsulated,
+ "lhs: shared_secret_unpacked, rhs: shared_secret_decapsulated"
+ );
 // Check with re-assembled new_kp
 let shared_secret_decapsulated = p::unpacked::decapsulate(&new_kp, &ciphertext);
@@ -422,11 +422,11 @@ impl_consistency_unpacked!(
 libcrux_ml_kem::mlkem512::neon
 );
-#[cfg(all(feature = "mlkem512", feature = "simd256",))]
-impl_consistency_unpacked!(
- consistency_unpacked_512_avx2,
- libcrux_ml_kem::mlkem512::avx2
-);
+// #[cfg(all(feature = "mlkem512", feature = "simd256",))]
+// impl_consistency_unpacked!(
+// consistency_unpacked_512_avx2,
+// libcrux_ml_kem::mlkem512::avx2
+// );
 #[cfg(all(feature = "mlkem1024"))]
 impl_consistency_unpacked!(
@@ -440,11 +440,11 @@ impl_consistency_unpacked!(
 libcrux_ml_kem::mlkem1024::neon
 );
-#[cfg(all(feature = "mlkem1024", feature = "simd256",))]
-impl_consistency_unpacked!(
- consistency_unpacked_1024_avx2,
- libcrux_ml_kem::mlkem1024::avx2
-);
+// #[cfg(all(feature = "mlkem1024", feature = "simd256",))]
+// impl_consistency_unpacked!(
+// consistency_unpacked_1024_avx2,
+// libcrux_ml_kem::mlkem1024::avx2
+// );
 #[cfg(all(feature = "mlkem768",))]
 impl_consistency_unpacked!(
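Review bot: The AVX2 `impl_consistency_unpacked!` instantiation in the `@@ -422` hunk is disabled by commenting it out rather than removed or gated, with no note on why or when it returns, and the `@@ -440` and `@@ -458` hunks do the same for the 1024 and 768 parameter sets, so what appear to be the only consistency tests of the `simd256` unpacked API go dark for all three sizes at once. Commented-out code is never compiled, so these blocks will silently rot as the unpacked API keeps changing, and nothing in CI will flag that AVX2 coverage is missing. If the AVX2 backend is temporarily broken by the `&mut`-style `Operations` refactor in this change, put the reason and a tracking reference above each block, e.g. `// TODO: re-enable once the avx2 backend supports the unpacked API again (<TRACKING-ISSUE placeholder>)`, or better keep them compiled and feature-gated so the breakage stays visible in the test run.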
@@ -458,11 +458,11 @@ impl_consistency_unpacked!(
 libcrux_ml_kem::mlkem768::neon
 );
-#[cfg(all(feature = "mlkem768", feature = "simd256",))]
-impl_consistency_unpacked!(
- consistency_unpacked_768_avx2,
- libcrux_ml_kem::mlkem768::avx2
-);
+// #[cfg(all(feature = "mlkem768", feature = "simd256",))]
+// impl_consistency_unpacked!(
+// consistency_unpacked_768_avx2,
+// libcrux_ml_kem::mlkem768::avx2
+// );
 #[cfg(feature = "mlkem512")]
 impl_modified_ciphertext!(
diff --git a/libcrux-sha3/src/generic_keccak/simd256.rs b/libcrux-sha3/src/generic_keccak/simd256.rs
index b0c767935..86e42f27e 100644
--- a/libcrux-sha3/src/generic_keccak/simd256.rs
+++ b/libcrux-sha3/src/generic_keccak/simd256.rs
@@ -10,7 +10,9 @@ pub(crate) fn keccak4(
 out2: &mut [u8],
 out3: &mut [u8],
 ) {
- debug_assert!(out0.len() == out1.len() && out0.len() == out2.len() && out0.len() == out3.len());
+ debug_assert_eq!(out0.len(), out1.len());
+ debug_assert_eq!(out0.len(), out2.len());
+ debug_assert_eq!(out0.len(), out3.len());
 debug_assert!(
 data[0].len() == data[1].len()
 && data[0].len() == data[2].len()
diff --git a/libcrux-sha3/src/simd/arm64.rs b/libcrux-sha3/src/simd/arm64.rs
index c4cde8921..6ce3832c4 100644
--- a/libcrux-sha3/src/simd/arm64.rs
+++ b/libcrux-sha3/src/simd/arm64.rs
@@ -106,7 +106,8 @@ pub(crate) fn store_block(
 start: usize,
 len: usize,
 ) {
- debug_assert!(len <= RATE && start + len <= out0.len() && out0.len() == out1.len());
+ debug_assert_eq!(out0.len(), out1.len());
+ debug_assert!(len <= RATE && start + len <= out0.len());
 for i in 0..len / 16 {
 let i0 = (2 * i) / 5;
 let j0 = (2 * i) % 5;
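Review bot: The split into per-pair `debug_assert_eq!` calls in `keccak4` is applied only to the `out*` lengths; the `data` length check directly below keeps the conjunction form (`data[0].len() == data[1].len() && data[0].len() == data[2].len() …`), so a mismatch there still reports a bare `assertion failed` without the two lengths, and the same holds for `len <= RATE && start + len <= out0.len()` in the `store_block` hunk of `libcrux-sha3/src/simd/arm64.rs`. For consistency split those too, e.g. `debug_assert_eq!(data[0].len(), data[1].len()); debug_assert_eq!(data[0].len(), data[2].len());` and `debug_assert!(len <= RATE); debug_assert!(start + len <= out0.len());`. The `data` assertion continues past the end of the hunk, and both function bodies run past their hunks. These are `debug_assert`s, so nothing in either hunk validates lengths in release builds — fine for internal callers, but worth saying in a comment if `keccak4` or `store_block` can be reached with caller-supplied slices.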