From c04abb695d0a73b86ee4c5f46c95694ffdd0734c Mon Sep 17 00:00:00 2001 From: Maxime Buyse Date: Tue, 3 Sep 2024 10:05:15 +0200 Subject: [PATCH 01/19] Remove unsafe code from include to avoid being rejected by hax. --- libcrux-ml-kem/hax.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libcrux-ml-kem/hax.py b/libcrux-ml-kem/hax.py index 534d921cc..b95b864ab 100755 --- a/libcrux-ml-kem/hax.py +++ b/libcrux-ml-kem/hax.py @@ -31,7 +31,7 @@ class extractAction(argparse.Action): def __call__(self, parser, args, values, option_string=None) -> None: # Extract platform interfaces - include_str = "+:**" + include_str = "+:** -**::x86::init::cpuid -**::x86::init::cpuid_count" interface_include = "+**" cargo_hax_into = [ "cargo", From 705320f047f84bd4b4c65a3fe503bbde182cd950 Mon Sep 17 00:00:00 2001 From: Lucas Franceschino Date: Tue, 3 Sep 2024 21:36:06 +0200 Subject: [PATCH 02/19] wip --- .../fstar-bitvec/BitVec.Equality.fst | 11 +- .../fstar-bitvec/BitVec.Equality.fsti | 8 + .../fstar-bitvec/BitVec.Intrinsics.fsti | 148 +++++++++++---- fstar-helpers/fstar-bitvec/Tactics.Utils.fst | 68 ++++++- .../Libcrux_intrinsics.Avx2_extract.fsti | 22 +-- libcrux-intrinsics/src/avx2_extract.rs | 20 ++- .../Libcrux_ml_kem.Vector.Avx2.Serialize.fst | 168 ++++++++++++++++-- libcrux-ml-kem/src/vector/avx2/serialize.rs | 81 +++++---- .../extraction/Libcrux_platform.X86.fsti | 6 - 9 files changed, 409 insertions(+), 123 deletions(-) diff --git a/fstar-helpers/fstar-bitvec/BitVec.Equality.fst b/fstar-helpers/fstar-bitvec/BitVec.Equality.fst index afbc5a4fa..5e21832c7 100644 --- a/fstar-helpers/fstar-bitvec/BitVec.Equality.fst +++ b/fstar-helpers/fstar-bitvec/BitVec.Equality.fst @@ -33,7 +33,16 @@ let bv_equality' #n (bv1 bv2: bit_vec n) let bv_equality #n (bv1 bv2: bit_vec n) = bv_equality' bv1 bv2 - + +let bv_equality_elim #n (bv1 bv2: bit_vec n) + : Lemma (requires bv_equality bv1 bv2) + (ensures bv1 == bv2) + = () +let bv_equality_intro #n (bv1 bv2: bit_vec n) + : Lemma (requires bv1 == bv2) + (ensures bv_equality bv1 bv2) + = () + let rewrite n (bv1: bit_vec n) : Lemma (bv_equality #n bv1 bv1 == true) = () diff --git a/fstar-helpers/fstar-bitvec/BitVec.Equality.fsti b/fstar-helpers/fstar-bitvec/BitVec.Equality.fsti index 184202a61..5340903b4 100644 --- a/fstar-helpers/fstar-bitvec/BitVec.Equality.fsti +++ b/fstar-helpers/fstar-bitvec/BitVec.Equality.fsti @@ -6,4 +6,12 @@ open FStar.Mul open FStar.FunctionalExtensionality val bv_equality #n (bv1 bv2: bit_vec n): bool +val bv_equality_elim #n (bv1 bv2: bit_vec n) + : Lemma (requires bv_equality bv1 bv2) + (ensures bv1 == bv2) +val bv_equality_intro #n (bv1 bv2: bit_vec n) + : Lemma (requires bv1 == bv2) + (ensures bv_equality bv1 bv2) val rewrite n (bv1: bit_vec n): Lemma (bv_equality #n bv1 bv1 == true) + + diff --git a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti index a246794d6..1a2043013 100644 --- a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti +++ b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti @@ -3,13 +3,9 @@ module BitVec.Intrinsics open Core open Rust_primitives open FStar.Mul - -(*** BitVec related utils *) -open FStar.FunctionalExtensionality +open BitVec.Utils open BitVec.Equality -open Rust_primitives.BitVectors - -let mk_bv #len (f: (i:nat{i < len}) -> bit) = on (i:nat {i < len}) f +open Tactics.Utils (*** The intrinsics *) @@ -28,6 +24,46 @@ let mm256_castsi256_si128 (vec: bit_vec 256): bit_vec 128 let mm256_extracti128_si256 (control: i32{control == 1l}) (vec: bit_vec 256): bit_vec 128 = mk_bv (fun i -> vec (i + 128)) +let mm256_set_epi16 (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: i16) + : bit_vec 256 + = mk_bv (fun i -> + let offset = i % 16 in + match i / 16 with + | 0 -> get_bit x15 (sz offset) + | 1 -> get_bit x14 (sz offset) + | 2 -> get_bit x13 (sz offset) + | 3 -> get_bit x12 (sz offset) + | 4 -> get_bit x11 (sz offset) + | 5 -> get_bit x10 (sz offset) + | 6 -> get_bit x9 (sz offset) + | 7 -> get_bit x8 (sz offset) + | 8 -> get_bit x7 (sz offset) + | 9 -> get_bit x6 (sz offset) + | 10 -> get_bit x5 (sz offset) + | 11 -> get_bit x4 (sz offset) + | 12 -> get_bit x3 (sz offset) + | 13 -> get_bit x2 (sz offset) + | 14 -> get_bit x1 (sz offset) + | 15 -> get_bit x0 (sz offset) + ) + +val mm256_set1_epi16_no_semantics: i16 -> bit_vec 256 +let mm256_set1_epi16_pow2_minus_one (n: nat): bit_vec 256 + = mk_bv (fun i -> if i <= n then 1 else 0) + +let mm256_and_si256 (x y: bit_vec 256): bit_vec 256 + = mk_bv (fun i -> if y i = 0 + then 0 + else x i + ) + +let mm256_set1_epi16 (constant: i16) + (#[Tactics.exact (match unify_app (quote constant) (quote (fun n -> ((1s < `(mm256_set1_epi16_pow2_minus_one (`#x)) + | _ -> (quote (mm256_set1_epi16_no_semantics constant)) + )]result: bit_vec 256) + : bit_vec 256 = result + private let saturate8 (v: bit_vec 16): bit_vec 8 = let on_upper_bits (+) (f: (n:nat{n >= 8 && n <= 15}) -> _) = f 8 + f 9 + f 10 + f 11 + f 12 + f 13 + f 14 + f 15 @@ -60,29 +96,6 @@ let mm_movemask_epi8_bv (a: bit_vec 128): bit_vec 128 let mm_movemask_epi8 (a: bit_vec 128): i32 = bit_vec_to_int_t 32 (mk_bv (fun i -> mm_movemask_epi8_bv a i)) -let mm256_set_epi16 (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: i16) - : bit_vec 256 - = mk_bv (fun i -> - let offset = i % 16 in - match i / 16 with - | 0 -> get_bit x15 (sz offset) - | 1 -> get_bit x14 (sz offset) - | 2 -> get_bit x13 (sz offset) - | 3 -> get_bit x12 (sz offset) - | 4 -> get_bit x11 (sz offset) - | 5 -> get_bit x10 (sz offset) - | 6 -> get_bit x9 (sz offset) - | 7 -> get_bit x8 (sz offset) - | 8 -> get_bit x7 (sz offset) - | 9 -> get_bit x6 (sz offset) - | 10 -> get_bit x5 (sz offset) - | 11 -> get_bit x4 (sz offset) - | 12 -> get_bit x3 (sz offset) - | 13 -> get_bit x2 (sz offset) - | 14 -> get_bit x1 (sz offset) - | 15 -> get_bit x0 (sz offset) - ) - let mm_packs_epi16 (a b: bit_vec 128): bit_vec 128 = mk_bv (fun i -> let nth_block = i / 8 in @@ -96,24 +109,85 @@ let mm_packs_epi16 (a b: bit_vec 128): bit_vec 128 // This is a very specialized version of mm256_mullo_epi16 -let specialized_mm256_mullo_epi16 (a: bit_vec 256): bit_vec 256 = +let mm256_mullo_epi16_specialized1 (a: bit_vec 256): bit_vec 256 = mk_bv (fun i -> let nth_bit = i % 16 in let nth_i16 = i / 16 in let shift = if nth_i16 >= 8 then 23 - nth_i16 else 15 - nth_i16 in if nth_bit >= shift then a (i - shift) else 0 ) + +// This is a very specialized version of mm256_mullo_epi16 +let mm256_mullo_epi16_specialized2 (a: bit_vec 256): bit_vec 256 = + mk_bv (fun i -> + let nth_bit = i % 16 in + let nth_i16 = i / 16 in + let shift = if nth_i16 % 2 = 0 then 4 else 0 in + if nth_bit >= shift then a (i - shift) else 0 + ) // This term will be stuck, we don't know anything about it val mm256_mullo_epi16_no_semantics (a count: bit_vec 256): bit_vec 256 -let mm256_mullo_epi16 (a count: bit_vec 256): bit_vec 256 = - if count `bv_equality` mm256_set_epi16 (1s < mm256_set_epi16 (1s < unquote x = 1s + | _ -> false + then Tactics.exact (quote (mm256_mullo_epi16_specialized1 a)) + else if match unify_app (quote count) (quote (fun x -> mm256_set_epi16 (1s < unquote x = 1s + | _ -> false + then Tactics.exact (quote (mm256_mullo_epi16_specialized2 a)) + else + Tactics.exact (quote (mm256_mullo_epi16_no_semantics a count)) + )]result: bit_vec 256): bit_vec 256 = result + +let madd_rhs (n: nat {n < 16}) = + mm256_set_epi16 + (1s < bit_vec 256 -> bit_vec 256 + +let mm256_madd_epi16_specialized (x: bit_vec 256) (n: nat {n < 16}) = + x + +let mm256_madd_epi16 + (x y: bit_vec 256) + (#[( + let t = match unify_app (quote y) (quote (fun n -> madd_rhs n)) [delta_only [`%madd_rhs]] with + | Some [n] -> `(mm256_madd_epi16_specialized (`@x) (`#n)) + | _ -> quote (mm256_madd_epi16_no_semantic x y) in + exact t + )]result: bit_vec 256) + : bit_vec 256 + = result open FStar.Stubs.Tactics.V2.Builtins open FStar.Stubs.Tactics.V2 diff --git a/fstar-helpers/fstar-bitvec/Tactics.Utils.fst b/fstar-helpers/fstar-bitvec/Tactics.Utils.fst index 46f9f507f..44e4fbab6 100644 --- a/fstar-helpers/fstar-bitvec/Tactics.Utils.fst +++ b/fstar-helpers/fstar-bitvec/Tactics.Utils.fst @@ -1,12 +1,12 @@ module Tactics.Utils open Core +open FStar.Option module L = FStar.List.Tot open FStar.Tactics.V2 open FStar.Tactics.V2.SyntaxHelpers open FStar.Class.Printable open FStar.Mul -open FStar.Option (*** Let operators *) let (let?#) (x: option 'a) (f: 'a -> Tac (option 'b)): Tac (option 'b) @@ -204,6 +204,56 @@ let rewrite_rhs (): Tac _ = let uvar = fresh_uvar (Some (tc (cur_env ()) rhs)) in tcut (`squash (`#rhs == `#uvar)) +open FStar.Tactics +(*** Unification *) +(** Unifies `t` with `fn x1 ... xN`, where `x1` and `xN` are +unification variables. This returns a list of terms to substitute `x1` +... `xN` with. You probably want `norm_steps` to be `[delta_only +[`%the_name_of_function_fn]]` *) +exception UnifyAppReturn of (option (list term)) +let unify_app (t fn: term) norm_steps: Tac (option (list term)) + = let (* Tactic types are confusing, seems like we need V1 here *) + open FStar.Tactics.V1 in + let bds = fst (collect_arr_bs (tc (cur_env ()) fn)) in + try + let _fake_goal = + (* create a goal `b1 -> ... -> bn -> squash True` *) + let trivial = `squash True in + let trivial_comp = pack_comp (C_Total trivial) in + unshelve (fresh_uvar (Some (match bds with | [] -> trivial | _ -> mk_arr bds trivial_comp))) + in + (* get back the binders `b1`, ..., `bn` *) + let bds = intros () in + let args = FStar.Tactics.Util.map (fun (b: binder) -> b <: term) bds in + let norm_term = norm_term (hnf::norm_steps) in + let fn, t = norm_term (mk_e_app fn args), norm_term t in + let fn = `(((`#fn), ())) in + let dummy_var = fresh_namedv_named "dummy_var" in + let t = `(((`#t), (`#dummy_var))) in + let vars = map (fun b -> + let b = inspect_binder b in + let {bv_index = uniq; bv_ppname = ppname} = inspect_bv b.binder_bv in + let sort = b.binder_sort in + let nv: namedv_view = {uniq; ppname; sort = seal sort} in + (FStar.Reflection.V2.pack_namedv nv, sort) + ) bds in + let vars = + List.Tot.append + vars + [(FStar.Reflection.V2.pack_namedv dummy_var, `())] + in + let?# substs = fst (try_unify (cur_env ()) vars fn t) in + raise (UnifyAppReturn ( + if List.Tot.length substs <> List.Tot.length bds + 1 + then (print "unify_app: WARNING: inconsistent lengths"; None) + else ( + match substs with + | [] -> None + | _::substs -> Some (List.Tot.rev (map (fun (_, t) -> t) substs)) + ))) + with | UnifyAppReturn result -> result + | e -> raise e + (*** Logging and time *) let time_tactic_ms (t: 'a -> Tac 'b) (x: 'a): Tac ('b & int) = let time0 = curms () in @@ -246,14 +296,14 @@ let focus_first_forall_goal (t : unit -> Tac unit) : Tac unit = /// Proves `forall (i:nat{i < bound})` for `bound` being a concrete int let rec prove_forall_nat_pointwise (tactic: unit -> Tac unit): Tac unit - = let _ = - (* hacky way of printing the progress *) - let goal = term_to_string (cur_goal ()) in - let goal = match String.split ['\n'] goal with - | s::_ -> s | _ -> "" in - print ("prove_forall_pointwise: " ^ goal ^ "...") - in - focus_first_forall_goal (fun _ -> + = focus_first_forall_goal (fun _ -> + let _ = + (* hacky way of printing the progress *) + let goal = term_to_string (cur_goal ()) in + let goal = match String.split ['\n'] goal with + | s::_ -> s | _ -> "" in + print ("prove_forall_pointwise: " ^ goal ^ "...") + in apply_lemma (`_split_forall_nat); trivial `or_else` (fun _ -> if try norm [primops]; diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti index 8d68fd457..2d6e7c8ec 100644 --- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti +++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti @@ -13,7 +13,8 @@ val mm256_add_epi16 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun val mm256_add_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -val mm256_and_si256 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +include BitVec.Intrinsics {mm256_and_si256 as mm256_and_si256} +// val mm256_and_si256 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val mm256_andnot_si256 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) @@ -23,14 +24,14 @@ val mm256_blend_epi16 (v_CONTROL: i32) (lhs rhs: t_Vec256) val mm256_castsi128_si256 (vector: t_Vec128) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -unfold let mm256_castsi256_si128 = BitVec.Intrinsics.mm256_castsi256_si128 +include BitVec.Intrinsics {mm256_castsi256_si128 as mm256_castsi256_si128} val mm256_cmpgt_epi16 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val mm256_cvtepi16_epi32 (vector: t_Vec128) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -unfold let mm256_extracti128_si256 = BitVec.Intrinsics.mm256_extracti128_si256 +include BitVec.Intrinsics {mm256_extracti128_si256 as mm256_extracti128_si256} val mm256_inserti128_si256 (v_CONTROL: i32) (vector: t_Vec256) (vector_i128: t_Vec128) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) @@ -47,7 +48,7 @@ val mm256_mul_epu32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun val mm256_mulhi_epi16 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -unfold let mm256_mullo_epi16 = BitVec.Intrinsics.mm256_mullo_epi16 +include BitVec.Intrinsics {mm256_mullo_epi16 as mm256_mullo_epi16} val mm256_mullo_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) @@ -62,13 +63,14 @@ val mm256_permute4x64_epi64 (v_CONTROL: i32) (vector: t_Vec256) val mm256_permutevar8x32_epi32 (vector control: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -val mm256_set1_epi16 (constant: i16) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +include BitVec.Intrinsics {mm256_set1_epi16 as mm256_set1_epi16} +// val mm256_set1_epi16 (constant: i16) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val mm256_set1_epi32 (constant: i32) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val mm256_set1_epi64x (a: i64) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -unfold let mm256_set_epi16 = BitVec.Intrinsics.mm256_set_epi16 +include BitVec.Intrinsics {mm256_set_epi16 as mm256_set_epi16} val mm256_set_epi32 (input7 input6 input5 input4 input3 input2 input1 input0: i32) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) @@ -86,7 +88,7 @@ val mm256_shuffle_epi32 (v_CONTROL: i32) (vector: t_Vec256) val mm256_shuffle_epi8 (vector control: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -unfold let mm256_slli_epi16 = BitVec.Intrinsics.mm256_slli_epi16 +include BitVec.Intrinsics {mm256_slli_epi16 as mm256_slli_epi16} val mm256_slli_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) @@ -103,7 +105,7 @@ val mm256_srai_epi16 (v_SHIFT_BY: i32) (vector: t_Vec256) val mm256_srai_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -unfold let mm256_srli_epi16 = BitVec.Intrinsics.mm256_srli_epi16 +include BitVec.Intrinsics {mm256_srli_epi16 as mm256_srli_epi16} val mm256_srli_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) @@ -136,13 +138,13 @@ val mm_add_epi16 (lhs rhs: t_Vec128) : Prims.Pure t_Vec128 Prims.l_True (fun _ - val mm_loadu_si128 (input: t_Slice u8) : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) -unfold let mm_movemask_epi8 = BitVec.Intrinsics.mm_movemask_epi8 +include BitVec.Intrinsics {mm_movemask_epi8 as mm_movemask_epi8} val mm_mulhi_epi16 (lhs rhs: t_Vec128) : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) val mm_mullo_epi16 (lhs rhs: t_Vec128) : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) -unfold let mm_packs_epi16 = BitVec.Intrinsics.mm_packs_epi16 +include BitVec.Intrinsics {mm_packs_epi16 as mm_packs_epi16} val mm_set1_epi16 (constant: i16) : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-intrinsics/src/avx2_extract.rs b/libcrux-intrinsics/src/avx2_extract.rs index 6215c7de7..365dd8137 100644 --- a/libcrux-intrinsics/src/avx2_extract.rs +++ b/libcrux-intrinsics/src/avx2_extract.rs @@ -122,13 +122,17 @@ pub fn mm256_set_epi8( unimplemented!() } +#[hax_lib::fstar::replace( + interface, + "include BitVec.Intrinsics {mm256_set1_epi16 as ${mm256_set1_epi16}}" +)] pub fn mm256_set1_epi16(constant: i16) -> Vec256 { unimplemented!() } #[hax_lib::fstar::replace( interface, - "unfold let ${mm256_set_epi16} = BitVec.Intrinsics.mm256_set_epi16" + "include BitVec.Intrinsics {mm256_set_epi16 as ${mm256_set_epi16}}" )] pub fn mm256_set_epi16( input15: i16, @@ -193,7 +197,7 @@ pub fn mm_sub_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 { #[hax_lib::fstar::replace( interface, - "unfold let ${mm256_mullo_epi16} = BitVec.Intrinsics.mm256_mullo_epi16" + "include BitVec.Intrinsics {mm256_mullo_epi16 as ${mm256_mullo_epi16}}" )] pub fn mm256_mullo_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() @@ -242,7 +246,7 @@ pub fn mm256_srai_epi32(vector: Vec256) -> Vec256 { #[hax_lib::fstar::replace( interface, - "unfold let ${mm256_srli_epi16::<0>} = BitVec.Intrinsics.mm256_srli_epi16" + "include BitVec.Intrinsics {mm256_srli_epi16 as ${mm256_srli_epi16::<0>}}" )] pub fn mm256_srli_epi16(vector: Vec256) -> Vec256 { debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 16); @@ -260,7 +264,7 @@ pub fn mm256_srli_epi64(vector: Vec256) -> Vec256 { #[hax_lib::fstar::replace( interface, - "unfold let ${mm256_slli_epi16::<0>} = BitVec.Intrinsics.mm256_slli_epi16" + "include BitVec.Intrinsics {mm256_slli_epi16 as ${mm256_slli_epi16::<0>}}" )] pub fn mm256_slli_epi16(vector: Vec256) -> Vec256 { debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 16); @@ -302,7 +306,7 @@ pub fn mm256_unpackhi_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 { #[hax_lib::fstar::replace( interface, - "unfold let ${mm256_castsi256_si128} = BitVec.Intrinsics.mm256_castsi256_si128" + "include BitVec.Intrinsics {mm256_castsi256_si128 as ${mm256_castsi256_si128}}" )] pub fn mm256_castsi256_si128(vector: Vec256) -> Vec128 { unimplemented!() @@ -317,7 +321,7 @@ pub fn mm256_cvtepi16_epi32(vector: Vec128) -> Vec256 { #[hax_lib::fstar::replace( interface, - "unfold let ${mm_packs_epi16} = BitVec.Intrinsics.mm_packs_epi16" + "include BitVec.Intrinsics {mm_packs_epi16 as ${mm_packs_epi16}}" )] pub fn mm_packs_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 { unimplemented!() @@ -328,7 +332,7 @@ pub fn mm256_packs_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 { #[hax_lib::fstar::replace( interface, - "unfold let ${mm256_extracti128_si256::<0>} = BitVec.Intrinsics.mm256_extracti128_si256" + "include BitVec.Intrinsics {mm256_extracti128_si256 as ${mm256_extracti128_si256::<0>}}" )] pub fn mm256_extracti128_si256(vector: Vec256) -> Vec128 { debug_assert!(CONTROL == 0 || CONTROL == 1); @@ -347,7 +351,7 @@ pub fn mm256_blend_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 #[hax_lib::fstar::replace( interface, - "unfold let ${mm_movemask_epi8} = BitVec.Intrinsics.mm_movemask_epi8" + "include BitVec.Intrinsics {mm_movemask_epi8 as ${mm_movemask_epi8}}" )] pub fn mm_movemask_epi8(vector: Vec128) -> i32 { unimplemented!() diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst index f10ac8ca3..9d394b3da 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst @@ -9,7 +9,30 @@ let _ = let open Libcrux_ml_kem.Vector.Portable in () -let deserialize_1_ (bytes: t_Slice u8) = +open FStar.Tactics + +open Tactics.Utils + +let rw_get_bit_cast #t #u + (x: int_t t) (nth: usize) + : Lemma (requires v nth < bits u /\ v nth < bits u) + (ensures eq2 #bit (get_bit (cast_mod #t #u x) nth) (if v nth < bits t then get_bit x nth else 0)) + [SMTPat (get_bit (cast_mod #t #u x) nth)] + = () + +let rw_get_bit_shr #t #u (x: int_t t) (y: int_t u) (i: usize {v i < bits t}) + : Lemma (requires v y >= 0 /\ v y < bits t) + (ensures eq2 #bit (get_bit (x >>! y) i ) + (if v i < bits t - v y + then get_bit x (mk_int (v i + v y)) + else if signed t + then get_bit x (mk_int (bits t - 1)) + else 0)) + = () + +#push-options "--compat_pre_core 2" +// [@@Tactics.postprocess_with (fun _ -> norm [delta_only [`%Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16]]; fail "x")] +let deserialize_1_ (bytes: t_Slice u8 {Seq.length bytes == 2}) = let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 1 ] <: u8) <: i16) @@ -28,9 +51,50 @@ let deserialize_1_ (bytes: t_Slice u8) = (1s < + light_norm (); + // norm index rewrites `Seq.index (Seq.seq_of_list ...) N` or + // `List.Tot.index ... N` when we have list literals + Tactics.Seq.norm_index (); + // Reduce more aggressively + norm [iota; primops; zeta_full; + delta_namespace [ + "FStar"; + "BitVec"; + ]; unascribe + ]; + // Rewrite and normalize machine integers, hopefully in ints + Tactics.MachineInts.(transform norm_machine_int_term); + // norm: primops to get rid of >=, <=, +, *, -, etc. + // zeta delta iota: normalize bitvectors + norm [iota; primops; zeta; delta]; + dump' "Goal:"; + // ask the smt to solve now + smt_sync () + )) + ); + result let deserialize_10_ (bytes: t_Slice u8) = let shift_lsbs_to_msbs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = @@ -149,6 +213,7 @@ let deserialize_12_ (bytes: t_Slice u8) = Libcrux_intrinsics.Avx2_extract.t_Vec256) let deserialize_4_ (bytes: t_Slice u8) = + assume (Seq.length bytes == 8); let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (cast (bytes.[ sz 7 ] <: u8) <: i16) (cast (bytes.[ sz 7 ] <: u8) <: i16) (cast (bytes.[ sz 6 ] <: u8) <: i16) @@ -160,22 +225,53 @@ let deserialize_4_ (bytes: t_Slice u8) = (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16) in - let shift_lsbs_to_msbs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < + light_norm (); + Tactics.Seq.norm_index (); + norm [iota; primops; zeta_full; + delta_namespace [ + "FStar"; + "BitVec"; + ]; unascribe + ]; + Tactics.MachineInts.(transform norm_machine_int_term); + norm [iota; primops; zeta_full; + delta_namespace [ + "FStar"; + "BitVec"; + ]; unascribe + ]; + dump' "Goal:"; + smt_sync () + )) + ); + result let deserialize_5_ (bytes: t_Slice u8) = let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = @@ -210,6 +306,9 @@ let deserialize_5_ (bytes: t_Slice u8) = in Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 11l coefficients +open Tactics.Utils + + let serialize_1_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let lsb_to_msb:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_slli_epi16 15l vector @@ -226,7 +325,50 @@ let serialize_1_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let bits_packed:i32 = Libcrux_intrinsics.Avx2_extract.mm_movemask_epi8 msbs in let list = [cast (bits_packed <: i32) <: u8; cast (bits_packed >>! 8l <: i32) <: u8] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); - Rust_primitives.Hax.array_of_list 2 list + let result: t_Array u8 (sz 2) = Rust_primitives.Hax.array_of_list 2 list in + let bv = bit_vec_of_int_t_array result 8 in + assert (forall (i: nat {i < 16}). bv i == vector (i * 16)) by ( + Tactics.Utils.prove_forall_nat_pointwise (Tactics.Utils.print_time "SMT query succeeded in " (fun _ -> + let light_norm () = + // get rid of indirections (array_of_list, funext, casts, etc.) + norm [ iota; primops + ; delta_only [ + `%cast; `%cast_tc_integers + ; `%bit_vec_of_int_t_array + ; `%Rust_primitives.Hax.array_of_list + ; `%FunctionalExtensionality.on + ; `%bits;`%Lib.IntTypes.bits + ] + ] in + light_norm (); + // normalize List.index / Seq.index when we have literals + Tactics.Seq.norm_index (); + // here, we need to take care of (1) the cast and (2) the shift + // (introduced in `list`) and (3) bv<->i16 indirection + // introduced by `bit_vec_to_int_t`. Thus, we repeat the tactic + // three times. It's basically the same thing. + let _ = repeatn 3 (fun _ -> + // Try to rewrite any subterm using the following three lemmas (corresponding to (1) (3) and (2)) + l_to_r[`rw_get_bit_cast; `bit_vec_to_int_t_lemma; `rw_get_bit_shr]; + // get rid of useless indirections + light_norm (); + // after using those lemmas, more mk_int and v appears, let's get rid of those + Tactics.MachineInts.(transform norm_machine_int_term); + // Special treatment for case (3) + norm [primops; iota; zeta_full; delta_only [ + `%BitVec.Intrinsics.mm_movemask_epi8; + ]] + ) in + // Now we normalize away all the FunExt / mk_bv terms + norm [primops; iota; zeta_full; delta_namespace ["BitVec"; "FStar"]]; + // Ask the SMT to solve now + // dump' "Goal:"; + smt_sync (); + // dump' "Success"; + smt () + )) + ); + result let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in diff --git a/libcrux-ml-kem/src/vector/avx2/serialize.rs b/libcrux-ml-kem/src/vector/avx2/serialize.rs index 69da39197..9d389017a 100644 --- a/libcrux-ml-kem/src/vector/avx2/serialize.rs +++ b/libcrux-ml-kem/src/vector/avx2/serialize.rs @@ -87,25 +87,27 @@ pub(crate) fn deserialize_1(bytes: &[u8]) -> Vec256 { // And this vector, when multiplied with the previous one, ensures that the // bit we'd like to keep in each lane becomes the most significant bit upon // multiplication. - let shift_lsb_to_msb = mm256_set_epi16( - 1 << 8, - 1 << 9, - 1 << 10, - 1 << 11, - 1 << 12, - 1 << 13, - 1 << 14, - -32768, - 1 << 8, - 1 << 9, - 1 << 10, - 1 << 11, - 1 << 12, - 1 << 13, - 1 << 14, - -32768, + let coefficients_in_msb = mm256_mullo_epi16( + coefficients, + mm256_set_epi16( + 1 << 8, + 1 << 9, + 1 << 10, + 1 << 11, + 1 << 12, + 1 << 13, + 1 << 14, + -32768, + 1 << 8, + 1 << 9, + 1 << 10, + 1 << 11, + 1 << 12, + 1 << 13, + 1 << 14, + -32768, + ), ); - let coefficients_in_msb = mm256_mullo_epi16(coefficients, shift_lsb_to_msb); // Now that they're all in the most significant bit position, shift them // down to the least significant bit. @@ -208,29 +210,30 @@ pub(crate) fn deserialize_4(bytes: &[u8]) -> Vec256 { bytes[0] as i16, ); - let shift_lsbs_to_msbs = mm256_set_epi16( - // These constants are chosen to shift the bits of the values - // that we loaded into |coefficients|. - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, + let coefficients_in_msb = mm256_mullo_epi16( + coefficients, + mm256_set_epi16( + // These constants are chosen to shift the bits of the values + // that we loaded into |coefficients|. + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + ), ); - let coefficients_in_msb = mm256_mullo_epi16(coefficients, shift_lsbs_to_msbs); - // Once the 4-bit coefficients are in the most significant positions (of // an 8-bit value), shift them all down by 4. let coefficients_in_lsb = mm256_srli_epi16::<4>(coefficients_in_msb); diff --git a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti index 35516c01f..0b77def1e 100644 --- a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti +++ b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti @@ -41,11 +41,5 @@ val t_Feature_cast_to_repr (x: t_Feature) : Prims.Pure isize Prims.l_True (fun _ /// Initialize CPU detection. val init: Prims.unit -> Prims.Pure Prims.unit Prims.l_True (fun _ -> Prims.l_True) -val init__cpuid (leaf: u32) - : Prims.Pure Core.Core_arch.X86.Cpuid.t_CpuidResult Prims.l_True (fun _ -> Prims.l_True) - -val init__cpuid_count (leaf sub_leaf: u32) - : Prims.Pure Core.Core_arch.X86.Cpuid.t_CpuidResult Prims.l_True (fun _ -> Prims.l_True) - /// Check hardware [`Feature`] support. val supported (feature: t_Feature) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) From 574a60b5afd515ef8ac7249727b85d8f396cb8a2 Mon Sep 17 00:00:00 2001 From: Lucas Franceschino Date: Tue, 3 Sep 2024 21:45:19 +0200 Subject: [PATCH 03/19] feat: tactic: do nothing if smt queries are admitted --- fstar-helpers/fstar-bitvec/Tactics.GetBit.fst | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fstar-helpers/fstar-bitvec/Tactics.GetBit.fst b/fstar-helpers/fstar-bitvec/Tactics.GetBit.fst index e79d70661..5e6b563ba 100644 --- a/fstar-helpers/fstar-bitvec/Tactics.GetBit.fst +++ b/fstar-helpers/fstar-bitvec/Tactics.GetBit.fst @@ -39,7 +39,7 @@ let compute_one_round (): Tac _ = let compute': unit -> Tac unit = goal_fixpoint compute_one_round /// Proves a goal of the shape `forall (i:nat{i < N}). get_bit ... i == get_bit ... i` (`N` is expected to be a literal) -let prove_bit_vector_equality' (): Tac unit = +let prove_bit_vector_equality'' (): Tac unit = norm [ iota; primops; @@ -58,6 +58,10 @@ let prove_bit_vector_equality' (): Tac unit = print ("Ask SMT: " ^ term_to_string (cur_goal ())); focus smt_sync )) +let prove_bit_vector_equality' (): Tac unit = + if lax_on () + then iterAll tadmit + else prove_bit_vector_equality'' () let prove_bit_vector_equality (): Tac unit = set_rlimit 100; with_compat_pre_core 0 prove_bit_vector_equality' From c44ad6b1db43b97d621bfd70cedc01d4982f7e41 Mon Sep 17 00:00:00 2001 From: Lucas Franceschino Date: Mon, 16 Sep 2024 17:02:05 +0200 Subject: [PATCH 04/19] wip: more intrinsics --- .../fstar-bitvec/BitVec.Intrinsics.fsti | 104 ++++++++++++++---- fstar-helpers/fstar-bitvec/Tactics.Utils.fst | 2 +- .../Libcrux_intrinsics.Avx2_extract.fsti | 2 +- libcrux-intrinsics/src/avx2_extract.rs | 4 + .../Libcrux_ml_kem.Vector.Avx2.Serialize.fst | 2 + 5 files changed, 93 insertions(+), 21 deletions(-) diff --git a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti index 1a2043013..c12348e75 100644 --- a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti +++ b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti @@ -27,24 +27,28 @@ let mm256_extracti128_si256 (control: i32{control == 1l}) (vec: bit_vec 256): bi let mm256_set_epi16 (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: i16) : bit_vec 256 = mk_bv (fun i -> - let offset = i % 16 in + let h (x: i16) = get_bit x (sz (i % 16)) in match i / 16 with - | 0 -> get_bit x15 (sz offset) - | 1 -> get_bit x14 (sz offset) - | 2 -> get_bit x13 (sz offset) - | 3 -> get_bit x12 (sz offset) - | 4 -> get_bit x11 (sz offset) - | 5 -> get_bit x10 (sz offset) - | 6 -> get_bit x9 (sz offset) - | 7 -> get_bit x8 (sz offset) - | 8 -> get_bit x7 (sz offset) - | 9 -> get_bit x6 (sz offset) - | 10 -> get_bit x5 (sz offset) - | 11 -> get_bit x4 (sz offset) - | 12 -> get_bit x3 (sz offset) - | 13 -> get_bit x2 (sz offset) - | 14 -> get_bit x1 (sz offset) - | 15 -> get_bit x0 (sz offset) + | 0 -> h x15 | 1 -> h x14 | 2 -> h x13 | 3 -> h x12 + | 4 -> h x11 | 5 -> h x10 | 6 -> h x9 | 7 -> h x8 + | 8 -> h x7 | 9 -> h x6 | 10 -> h x5 | 11 -> h x4 + | 12 -> h x3 | 13 -> h x2 | 14 -> h x1 | 15 -> h x0 + ) + +let mm256_set_epi8 + (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18 x19 x20 x21 x22 x23 x24 x25 x26 x27 x28 x29 x30 x31: i8) + : bit_vec 256 + = mk_bv (fun i -> + let h (x: i8) = get_bit x (sz (i % 8)) in + match i / 8 with + | 0 -> h x31 | 1 -> h x30 | 2 -> h x29 | 3 -> h x28 + | 4 -> h x27 | 5 -> h x26 | 6 -> h x25 | 7 -> h x24 + | 8 -> h x23 | 9 -> h x22 | 10 -> h x21 | 11 -> h x20 + | 12 -> h x19 | 13 -> h x18 | 14 -> h x17 | 15 -> h x16 + | 16 -> h x15 | 17 -> h x14 | 18 -> h x13 | 19 -> h x12 + | 20 -> h x11 | 21 -> h x10 | 22 -> h x9 | 23 -> h x8 + | 24 -> h x7 | 25 -> h x6 | 26 -> h x5 | 27 -> h x4 + | 28 -> h x3 | 29 -> h x2 | 30 -> h x1 | 31 -> h x0 ) val mm256_set1_epi16_no_semantics: i16 -> bit_vec 256 @@ -175,8 +179,70 @@ let madd_rhs (n: nat {n < 16}) = val mm256_madd_epi16_no_semantic: bit_vec 256 -> bit_vec 256 -> bit_vec 256 +let forall_bool (#max: pos) (f: (n: nat {n < max}) -> bool) + : r:bool {r <==> (forall i. f i)} + = let rec h (n: nat {n <= max}): r:bool {r <==> (forall i. i < n ==> f i)} = + n = 0 || f (n - 1) && h (n - 1) + in h max + +let mm256_madd_epi16_specialized' (x: bit_vec 256) (n: nat {n < 16}): bit_vec 256 = + mk_bv (fun i -> let local_i = i % 32 in + if local_i > 8 then 0 + else if i >= 4 then x (i - 4) + else x (i + 16)) + let mm256_madd_epi16_specialized (x: bit_vec 256) (n: nat {n < 16}) = - x + if forall_bool (fun (i: nat {i < 256}) -> i % 16 < 4 || x i = 0) + then mm256_madd_epi16_no_semantic x (madd_rhs n) + else mm256_madd_epi16_specialized' x n + +let mm256_shuffle_epi8_no_semantics (a b: bit_vec 256): bit_vec 256 = + mk_bv (fun i -> + 0 + ) + +let mm256_shuffle_epi8_i8 a (b: list _ {List.Tot.length b == 32}): bit_vec 256 = + mk_bv (fun i -> + let nth = i / 8 in + let index = List.Tot.index b nth in + if index < 0 + then 0 + else + let index = index % 16 in + a (index + i % 8) + ) + +let mk_list_32 #a (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18 x19 x20 x21 x22 x23 x24 x25 x26 x27 x28 x29 x30 x31: a) + : (l:list a {List.Tot.length l == 32}) + = let l = [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15;x16;x17;x18;x19;x20;x21;x22;x23;x24;x25;x26;x27;x28;x29;x30;x31] in + assert_norm (List.Tot.length l == 32); + l + +let mm256_shuffle_epi8 + (x y: bit_vec 256) + (#[( + let t = match unify_app (quote y) + (quote (fun x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18 x19 x20 x21 x22 x23 x24 x25 x26 x27 x28 x29 x30 x31 -> + mm256_set_epi8 + (Int8.int_to_t x0 ) (Int8.int_to_t x1 ) (Int8.int_to_t x2 ) (Int8.int_to_t x3 ) (Int8.int_to_t x4 ) (Int8.int_to_t x5 ) (Int8.int_to_t x6 ) (Int8.int_to_t x7 ) + (Int8.int_to_t x8 ) (Int8.int_to_t x9 ) (Int8.int_to_t x10) (Int8.int_to_t x11) (Int8.int_to_t x12) (Int8.int_to_t x13) (Int8.int_to_t x14) (Int8.int_to_t x15) + (Int8.int_to_t x16) (Int8.int_to_t x17) (Int8.int_to_t x18) (Int8.int_to_t x19) (Int8.int_to_t x20) (Int8.int_to_t x21) (Int8.int_to_t x22) (Int8.int_to_t x23) + (Int8.int_to_t x24) (Int8.int_to_t x25) (Int8.int_to_t x26) (Int8.int_to_t x27) (Int8.int_to_t x28) (Int8.int_to_t x29) (Int8.int_to_t x30) (Int8.int_to_t x31))) [] with + | Some [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15;x16;x17;x18;x19;x20;x21;x22;x23;x24;x25;x26;x27;x28;x29;x30;x31] -> + `(mm256_shuffle_epi8_i8 (`@x) + (mk_list_32 + (`#x0 ) (`#x1 ) (`#x2 ) (`#x3 ) (`#x4 ) (`#x5 ) (`#x6 ) (`#x7 ) + (`#x8 ) (`#x9 ) (`#x10) (`#x11) (`#x12) (`#x13) (`#x14) (`#x15) + (`#x16) (`#x17) (`#x18) (`#x19) (`#x20) (`#x21) (`#x22) (`#x23) + (`#x24) (`#x25) (`#x26) (`#x27) (`#x28) (`#x29) (`#x30) (`#x31))) + | _ -> quote (mm256_shuffle_epi8_no_semantics x y) in + exact t + )]result: bit_vec 256) + : bit_vec 256 + = result + +let asdsad x = + mm256_shuffle_epi8 x (mm256_set_epi8 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y) let mm256_madd_epi16 (x y: bit_vec 256) @@ -186,7 +252,7 @@ let mm256_madd_epi16 | _ -> quote (mm256_madd_epi16_no_semantic x y) in exact t )]result: bit_vec 256) - : bit_vec 256 + : bit_vec 256 = result open FStar.Stubs.Tactics.V2.Builtins diff --git a/fstar-helpers/fstar-bitvec/Tactics.Utils.fst b/fstar-helpers/fstar-bitvec/Tactics.Utils.fst index 44e4fbab6..18030a682 100644 --- a/fstar-helpers/fstar-bitvec/Tactics.Utils.fst +++ b/fstar-helpers/fstar-bitvec/Tactics.Utils.fst @@ -245,7 +245,7 @@ let unify_app (t fn: term) norm_steps: Tac (option (list term)) let?# substs = fst (try_unify (cur_env ()) vars fn t) in raise (UnifyAppReturn ( if List.Tot.length substs <> List.Tot.length bds + 1 - then (print "unify_app: WARNING: inconsistent lengths"; None) + then (print ("unify_app: WARNING: inconsistent lengths: " ^ string_of_int (List.Tot.length substs) ^ " - 1 VS " ^ string_of_int (List.Tot.length bds + 1)); None) else ( match substs with | [] -> None diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti index 2d6e7c8ec..94916f178 100644 --- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti +++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti @@ -42,7 +42,7 @@ val mm256_loadu_si256_i16 (input: t_Slice i16) val mm256_loadu_si256_u8 (input: t_Slice u8) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -val mm256_madd_epi16 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +include BitVec.Intrinsics {mm256_madd_epi16 as mm256_madd_epi16} val mm256_mul_epu32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-intrinsics/src/avx2_extract.rs b/libcrux-intrinsics/src/avx2_extract.rs index 365dd8137..d654ae571 100644 --- a/libcrux-intrinsics/src/avx2_extract.rs +++ b/libcrux-intrinsics/src/avx2_extract.rs @@ -181,6 +181,10 @@ pub fn mm_add_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 { pub fn mm256_add_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } +#[hax_lib::fstar::replace( + interface, + "include BitVec.Intrinsics {mm256_madd_epi16 as ${mm256_madd_epi16}}" +)] pub fn mm256_madd_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst index 9d394b3da..104ef8384 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst @@ -2,6 +2,7 @@ module Libcrux_ml_kem.Vector.Avx2.Serialize #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul +#push-options "--ext context_pruning" let _ = (* This module has implicit dependencies, here we make them explicit. *) @@ -370,6 +371,7 @@ let serialize_1_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = ); result + let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = From 774431cd06edafed3c95a8953af7a87bdf042521 Mon Sep 17 00:00:00 2001 From: Lucas Franceschino Date: Wed, 18 Sep 2024 11:50:12 +0200 Subject: [PATCH 05/19] fstar: avx2: serialize_4 basically works --- .../fstar-bitvec/BitVec.Intrinsics.fsti | 99 ++++++++++++------- fstar-helpers/fstar-bitvec/BitVec.Utils.fst | 21 ++++ .../Libcrux_intrinsics.Avx2_extract.fsti | 14 +-- libcrux-intrinsics/src/avx2_extract.rs | 4 + .../Libcrux_ml_kem.Vector.Avx2.Serialize.fst | 89 ++++++++++++++++- 5 files changed, 182 insertions(+), 45 deletions(-) create mode 100644 fstar-helpers/fstar-bitvec/BitVec.Utils.fst diff --git a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti index c12348e75..07ddb8f04 100644 --- a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti +++ b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti @@ -24,6 +24,14 @@ let mm256_castsi256_si128 (vec: bit_vec 256): bit_vec 128 let mm256_extracti128_si256 (control: i32{control == 1l}) (vec: bit_vec 256): bit_vec 128 = mk_bv (fun i -> vec (i + 128)) +let mm256_set_epi32 (x0 x1 x2 x3 x4 x5 x6 x7: i32) + : bit_vec 256 + = mk_bv (fun i -> + let h (x: i32) = get_bit x (sz (i % 32)) in + match i / 32 with + | 0 -> h x7 | 1 -> h x6 | 2 -> h x5 | 3 -> h x4 + | 4 -> h x3 | 5 -> h x2 | 6 -> h x1 | 7 -> h x0) + let mm256_set_epi16 (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: i16) : bit_vec 256 = mk_bv (fun i -> @@ -56,10 +64,7 @@ let mm256_set1_epi16_pow2_minus_one (n: nat): bit_vec 256 = mk_bv (fun i -> if i <= n then 1 else 0) let mm256_and_si256 (x y: bit_vec 256): bit_vec 256 - = mk_bv (fun i -> if y i = 0 - then 0 - else x i - ) + = mk_bv (fun i -> if y i = 0 then 0 else x i) let mm256_set1_epi16 (constant: i16) (#[Tactics.exact (match unify_app (quote constant) (quote (fun n -> ((1s < bit_vec 256 -> bit_vec 256 let forall_bool (#max: pos) (f: (n: nat {n < max}) -> bool) : r:bool {r <==> (forall i. f i)} = let rec h (n: nat {n <= max}): r:bool {r <==> (forall i. i < n ==> f i)} = - n = 0 || f (n - 1) && h (n - 1) + match n with + | 0 -> true + | _ -> f (n - 1) && h (n - 1) in h max +/// We view `x` as a sequence of pairs of 16 bits, of the shape +/// `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)`: only the last `n` bits are non-zero. +/// We output a sequence of 32 bits `0b0…0b₁…bₙa₁…aₙ`. let mm256_madd_epi16_specialized' (x: bit_vec 256) (n: nat {n < 16}): bit_vec 256 = - mk_bv (fun i -> let local_i = i % 32 in - if local_i > 8 then 0 - else if i >= 4 then x (i - 4) - else x (i + 16)) + mk_bv (fun i -> let j = i % 32 in + // `x i` is the `j`th bit in the `i/32`th pair of 16 bits `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` + // we want to construct the `j`th bit of `0b0…0b₁…bₙa₁…aₙ` + let is_zero = + // `|b₁…bₙa₁…aₙ| = n * 2`: if we're above that, we want to produce the bit `0` + j >= n * 2 + in + if is_zero + then 0 + else if j < n + then x i // we want to produce the bit `aⱼ` + else + // the bit from `b` is in the second item of the pair `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` + x (i - n + 16) + ) let mm256_madd_epi16_specialized (x: bit_vec 256) (n: nat {n < 16}) = - if forall_bool (fun (i: nat {i < 256}) -> i % 16 < 4 || x i = 0) - then mm256_madd_epi16_no_semantic x (madd_rhs n) - else mm256_madd_epi16_specialized' x n + if forall_bool (fun (i: nat {i < 256}) -> i % 16 < n || x i = 0) + then mm256_madd_epi16_specialized' x n + else mm256_madd_epi16_no_semantic x (madd_rhs n) -let mm256_shuffle_epi8_no_semantics (a b: bit_vec 256): bit_vec 256 = - mk_bv (fun i -> - 0 - ) - -let mm256_shuffle_epi8_i8 a (b: list _ {List.Tot.length b == 32}): bit_vec 256 = +val mm256_shuffle_epi8_no_semantics (a b: bit_vec 256): bit_vec 256 +let mm256_shuffle_epi8_i8 (a: bit_vec 256) (b: list _ {List.Tot.length b == 32}): bit_vec 256 = mk_bv (fun i -> let nth = i / 8 in - let index = List.Tot.index b nth in - if index < 0 - then 0 - else - let index = index % 16 in - a (index + i % 8) - ) - -let mk_list_32 #a (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18 x19 x20 x21 x22 x23 x24 x25 x26 x27 x28 x29 x30 x31: a) - : (l:list a {List.Tot.length l == 32}) - = let l = [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15;x16;x17;x18;x19;x20;x21;x22;x23;x24;x25;x26;x27;x28;x29;x30;x31] in - assert_norm (List.Tot.length l == 32); - l + let index = List.Tot.index b (31 - nth) in + if index < 0 then 0 + else let index = index % 16 in + a (index * 8 + i % 8 + i / 128 * 128)) let mm256_shuffle_epi8 (x y: bit_vec 256) @@ -241,11 +249,32 @@ let mm256_shuffle_epi8 : bit_vec 256 = result -let asdsad x = - mm256_shuffle_epi8 x (mm256_set_epi8 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y 1y) +val mm256_permutevar8x32_epi32_no_semantics (a b: bit_vec 256): bit_vec 256 +let mm256_permutevar8x32_epi32_i32 (a: bit_vec 256) (b: list _ {List.Tot.length b == 8}): bit_vec 256 = + mk_bv (fun i -> + let j = i / 32 in + let index = (List.Tot.index b (7 - j) % 8) * 32 in + a (index + i % 32)) -let mm256_madd_epi16 +let mm256_permutevar8x32_epi32 (x y: bit_vec 256) + (#[( + let t = match unify_app (quote y) + (quote (fun x0 x1 x2 x3 x4 x5 x6 x7 -> + mm256_set_epi32 + (Int32.int_to_t x0) (Int32.int_to_t x1) (Int32.int_to_t x2) (Int32.int_to_t x3) + (Int32.int_to_t x4) (Int32.int_to_t x5) (Int32.int_to_t x6) (Int32.int_to_t x7))) [] with + | Some [x0;x1;x2;x3;x4;x5;x6;x7] -> + `(mm256_permutevar8x32_epi32_i32 (`@x) + (mk_list_8 (`#x0 ) (`#x1 ) (`#x2 ) (`#x3 ) (`#x4 ) (`#x5 ) (`#x6 ) (`#x7 ))) + | _ -> quote (mm256_permutevar8x32_epi32_no_semantics x y) in + exact t + )]result: bit_vec 256) + : bit_vec 256 + = result + +let mm256_madd_epi16 + (x y: bit_vec 256) (#[( let t = match unify_app (quote y) (quote (fun n -> madd_rhs n)) [delta_only [`%madd_rhs]] with | Some [n] -> `(mm256_madd_epi16_specialized (`@x) (`#n)) @@ -255,6 +284,8 @@ let mm256_madd_epi16 : bit_vec 256 = result +val mm_storeu_bytes_si128 (_output vec: bit_vec 128): t_Slice u8 + open FStar.Stubs.Tactics.V2.Builtins open FStar.Stubs.Tactics.V2 open FStar.Tactics.V2.Derived diff --git a/fstar-helpers/fstar-bitvec/BitVec.Utils.fst b/fstar-helpers/fstar-bitvec/BitVec.Utils.fst new file mode 100644 index 000000000..8cedb60aa --- /dev/null +++ b/fstar-helpers/fstar-bitvec/BitVec.Utils.fst @@ -0,0 +1,21 @@ +module BitVec.Utils + +open Core +open FStar.FunctionalExtensionality +open BitVec.Equality +open Rust_primitives.BitVectors + +let mk_bv #len (f: (i:nat{i < len}) -> bit) = on (i:nat {i < len}) f + +let mk_list_32 #a (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18 x19 x20 x21 x22 x23 x24 x25 x26 x27 x28 x29 x30 x31: a) + : (l:list a {List.Tot.length l == 32}) + = let l = [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15;x16;x17;x18;x19;x20;x21;x22;x23;x24;x25;x26;x27;x28;x29;x30;x31] in + assert_norm (List.Tot.length l == 32); + l + +let mk_list_8 #a (x0 x1 x2 x3 x4 x5 x6 x7: a) + : (l:list a {List.Tot.length l == 8}) + = let l = [x0;x1;x2;x3;x4;x5;x6;x7] in + assert_norm (List.Tot.length l == 8); + l + diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti index 94916f178..828f0006f 100644 --- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti +++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti @@ -60,8 +60,7 @@ val mm256_permute2x128_si256 (v_IMM8: i32) (a b: t_Vec256) val mm256_permute4x64_epi64 (v_CONTROL: i32) (vector: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -val mm256_permutevar8x32_epi32 (vector control: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +include BitVec.Intrinsics {mm256_permutevar8x32_epi32} include BitVec.Intrinsics {mm256_set1_epi16 as mm256_set1_epi16} // val mm256_set1_epi16 (constant: i16) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) @@ -72,21 +71,16 @@ val mm256_set1_epi64x (a: i64) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prim include BitVec.Intrinsics {mm256_set_epi16 as mm256_set_epi16} -val mm256_set_epi32 (input7 input6 input5 input4 input3 input2 input1 input0: i32) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +include BitVec.Intrinsics {mm256_set_epi32} -val mm256_set_epi8 - (byte31 byte30 byte29 byte28 byte27 byte26 byte25 byte24 byte23 byte22 byte21 byte20 byte19 byte18 byte17 byte16 byte15 byte14 byte13 byte12 byte11 byte10 byte9 byte8 byte7 byte6 byte5 byte4 byte3 byte2 byte1 byte0: - i8) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +include BitVec.Intrinsics {mm256_set_epi8} val mm256_setzero_si256: Prims.unit -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val mm256_shuffle_epi32 (v_CONTROL: i32) (vector: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -val mm256_shuffle_epi8 (vector control: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +include BitVec.Intrinsics {mm256_shuffle_epi8} include BitVec.Intrinsics {mm256_slli_epi16 as mm256_slli_epi16} diff --git a/libcrux-intrinsics/src/avx2_extract.rs b/libcrux-intrinsics/src/avx2_extract.rs index d654ae571..c370ac59b 100644 --- a/libcrux-intrinsics/src/avx2_extract.rs +++ b/libcrux-intrinsics/src/avx2_extract.rs @@ -40,6 +40,10 @@ pub fn mm_storeu_si128(output: &mut [i16], vector: Vec128) { unimplemented!() } +#[hax_lib::fstar::replace( + interface, + "include BitVec.Intrinsics {mm_storeu_bytes_si128 as ${mm_storeu_bytes_si128}}" +)] pub fn mm_storeu_bytes_si128(output: &mut [u8], vector: Vec128) { debug_assert_eq!(output.len(), 16); unimplemented!() diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst index 104ef8384..d952d213b 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst @@ -371,7 +371,6 @@ let serialize_1_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = ); result - let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = @@ -615,6 +614,94 @@ let serialize_5_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: Core.Result.t_Result (t_Array u8 (sz 10)) Core.Array.t_TryFromSliceError) +let dummy_lemma n f: Lemma (BitVec.Intrinsics.forall_bool #n f == true) = admit () + +let suppose_false (scrut: bool) (arm_true arm_false: bit) + : Lemma + (requires not scrut) + (ensures (match scrut with true -> arm_true | false -> arm_false) == arm_false) + = () + +#push-options "--print_implicits" +let serialize_4__ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in + let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 vector + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < i % 16 < 4 || vector i = 0)); + assert (forall (i: nat {i < 64}). + // let local_i = i / 4 in + combined i == vector ((i / 4) * 16 + i % 4) + ) by ( + // unfold wrappers + norm [primops; iota; zeta; delta_namespace [ + `%BitVec.Intrinsics.mm256_shuffle_epi8; + `%BitVec.Intrinsics.mm256_permutevar8x32_epi32; + `%BitVec.Intrinsics.mm256_madd_epi16; + `%BitVec.Intrinsics.mm256_castsi256_si128; + "BitVec.Utils"; + ]]; + Tactics.Utils.prove_forall_nat_pointwise (Tactics.Utils.print_time "SMT query succeeded in " (fun _ -> + let reduce t = + norm [primops; iota; zeta_full; delta_namespace [ + "FStar.FunctionalExtensionality"; + t; + `%BitVec.Utils.mk_bv; + `%( + ); `%op_Subtraction; `%( / ); `%( * ); `%( % ) + ]]; + norm [primops; iota; zeta_full; delta_namespace [ + "FStar.List.Tot"; `%( + ); `%op_Subtraction; `%( / ); `%( * ); `%( % ) + ]] + in + reduce (`%BitVec.Intrinsics.mm256_permutevar8x32_epi32_i32); + reduce (`%BitVec.Intrinsics.mm256_shuffle_epi8_i8); + reduce (`%BitVec.Intrinsics.mm256_madd_epi16_specialized); + grewrite (quote (forall_bool #256 (fun i -> i % 16 < 4 || op_Equality #int (vector i) 0))) (`true); + flip (); smt (); + reduce (`%BitVec.Intrinsics.mm256_madd_epi16_specialized'); + trivial () + )) + ); + combined + // let serialized:t_Array u8 (sz 16) = + // Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 serialized combined + // in + // Core.Result.impl__unwrap #(t_Array u8 (sz 8)) + // #Core.Array.t_TryFromSliceError + // (Core.Convert.f_try_into #(t_Slice u8) + // #(t_Array u8 (sz 8)) + // #FStar.Tactics.Typeclasses.solve + // (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 8 } + // <: + // Core.Ops.Range.t_Range usize ] + // <: + // t_Slice u8) + // <: + // Core.Result.t_Result (t_Array u8 (sz 8)) Core.Array.t_TryFromSliceError) + + let serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = From 645c2294f7f1d68c82cf184aa599d99714a15c71 Mon Sep 17 00:00:00 2001 From: Lucas Franceschino Date: Thu, 19 Sep 2024 08:50:57 +0200 Subject: [PATCH 06/19] wip --- .../BitVec.Intrinsics.Constants.fst | 264 ++ .../BitVec.Intrinsics.TestShuffle.fst | 203 ++ fstar-helpers/fstar-bitvec/BitVec.Utils.fst | 16 + fstar-helpers/fstar-bitvec/dep.graph | 2316 +++++++++++++++++ .../Libcrux_ml_kem.Vector.Avx2.Serialize.fst | 47 +- libcrux-ml-kem/src/vector/avx2/serialize.rs | 184 +- .../fstar/extraction/Libcrux_platform.X86.fst | 69 + 7 files changed, 3066 insertions(+), 33 deletions(-) create mode 100644 fstar-helpers/fstar-bitvec/BitVec.Intrinsics.Constants.fst create mode 100644 fstar-helpers/fstar-bitvec/BitVec.Intrinsics.TestShuffle.fst create mode 100644 fstar-helpers/fstar-bitvec/dep.graph create mode 100644 sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst diff --git a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.Constants.fst b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.Constants.fst new file mode 100644 index 000000000..9d2614842 --- /dev/null +++ b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.Constants.fst @@ -0,0 +1,264 @@ +module BitVec.Intrinsics.Constants + +open Core +open Rust_primitives +open FStar.Mul +open FStar.FunctionalExtensionality +open BitVec.Utils +open BitVec.Equality + +let mm256_set_epi16 (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: i16) + : bit_vec 256 + = mk_bv (fun i -> + let offset = i % 16 in + match i / 16 with + | 0 -> get_bit x15 (sz offset) + | 1 -> get_bit x14 (sz offset) + | 2 -> get_bit x13 (sz offset) + | 3 -> get_bit x12 (sz offset) + | 4 -> get_bit x11 (sz offset) + | 5 -> get_bit x10 (sz offset) + | 6 -> get_bit x9 (sz offset) + | 7 -> get_bit x8 (sz offset) + | 8 -> get_bit x7 (sz offset) + | 9 -> get_bit x6 (sz offset) + | 10 -> get_bit x5 (sz offset) + | 11 -> get_bit x4 (sz offset) + | 12 -> get_bit x3 (sz offset) + | 13 -> get_bit x2 (sz offset) + | 14 -> get_bit x1 (sz offset) + | 15 -> get_bit x0 (sz offset) + ) + +let madd_rhs (n: nat {n < 16}) = + mm256_set_epi16 + (1s < bit_vec 256 = admit () + +open Tactics.Utils + +open FStar.Tactics + +(** Unifies `t` with `fn x1 ... xN`, where `x1` and `xN` are +unification variables. This returns a list of terms to substitute `x1` +... `xN` with. *) +let unify_app (t fn: term) norm_steps: Tac (option (list term)) + = let bds = fst (collect_arr_bs (tc (cur_env ()) fn)) in + let _fake_goal = + (* create a goal `b1 -> ... -> bn -> squash True` *) + let trivial = pack_comp (C_Total (`squash True)) in + unshelve (fresh_uvar (Some (mk_arr bds trivial))) + in + (* get back the binders `b1`, ..., `bn` *) + let bds = intros () in + let args = map (fun (b: binder) -> b <: term) bds in + let norm_term = norm_term (hnf::norm_steps) in + let fn, t = norm_term (mk_e_app fn args), norm_term t in + let vars = map (fun b -> + let b = inspect_binder b in + let {bv_index = uniq; bv_ppname = ppname} = inspect_bv b.binder_bv in + let nv: namedv_view = {uniq; ppname; sort = seal (`_)} in + (FStar.Reflection.V2.pack_namedv nv, b.binder_sort) + ) bds in + let?# substs = fst (try_unify (cur_env ()) vars fn t) in + if List.Tot.length substs <> List.Tot.length bds + then fail "unify_app: inconsistent lengths"; + (* solve the trivial goal introduced at the begining *) + trivial (); + Some (List.Tot.rev (map (fun (_, t) -> t) substs)) + +irreducible let add (x y: int): int = x + y + +let f (a b c d: int): int = add (add (add a b) c) d + +// #push-options "--print_full_names --print_implicits --print_bound_var_types" +let _ = assert true by ( + let r = + unify_app + (quote (f 1 2 3 4)) + (quote f) + [delta_only [`%f]] + in + let s = term_to_string (quote r) + in + print s + ) + +let test x y (#[( + let n = fresh_namedv () in + let y = quote y in + let y' = `(madd_rhs (`#n)) in + let n = FStar.Reflection.V2.pack_namedv n in + let t = match try_unify (cur_env ()) [(n,`(n: nat {n < 16}))] y y' with + | (Some [v, t'], _) -> + `(stupid (`#t')) + | _ -> `(stupid (`#y)) in + exact t +)]f: bit_vec 256 -> bit_vec 256) = f x + +let xx = fun x -> test x (madd_rhs 12) + +irreducible let vec256_to_i16s (bv: bit_vec 256) + : (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) + & (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) + = admit () + +irreducible let rw_vec256_to_i16_ints + (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: i16) + : Lemma ( + vec256_to_i16s (mm256_set_epi16 x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15) + == ((x0, x1, x2, x3, x4, x5, x6, x7), (x8, x9, x10, x11, x12, x13, x14, x15)) + ) = admit () + +let madd_rhs (n: nat {n < 16}) = + mm256_set_epi16 + (1s <= 1 + && v x0 = v x2 && v x0 = v x4 && v x0 = v x6 && v x0 = v x8 + && v x0 = v x10 && v x0 = v x12 && v x0 = v x14 + && v x1 = 1 && v x3 = 1 && v x5 = 1 && v x7 = 1 + && v x9 = 1 && v x11= 1 && v x13= 1 && v x15= 1 + then match Tactics.Pow2.log2 (v x0 <: nat) with + | Some coef -> + if coef < 16 + then ( + assert (v ((1s < None + else None +#pop-options + +open FStar.Tactics.V2 +[@@FStar.Tactics.V2.postprocess_with (fun _ -> + compute (); + Tactics.Seq.norm_index (); + compute (); + fail "x" +)] +let aa = + let n = 12 in + let tuple = ( + ( (1s < n | None -> 0 in + x + +open Tactics.Utils +open FStar.Tactics.V2 +module Visit = FStar.Tactics.Visit + +let rec any (f: 'a -> bool) (l: list 'a): bool + = match l with + | [] -> false + | hd::tl -> if f hd + then true + else any f tl + +exception FoundFreeLocalVar +let is_closed_term (x: term): Tac bool + = try + let _ = FStar.Tactics.Visit.visit_tm ( + function + | Tv_Var _ | Tv_BVar _ -> raise FoundFreeLocalVar + | x -> x + ) x + in true + with | FoundFreeLocalVar -> false + | e -> raise e + +let rw_mm256_set_epi16 t = + let?# (f, [arg,_]) = expect_app_n t 1 in + let?# _ = expect_free_var f (`%vec256_to_i16_ints) in + let?? _ = is_closed_term arg in + let?# (f, args) = expect_app_n arg 16 in + let?# _ = expect_free_var f (`%mm256_set_epi16) in + pointwise' (fun _ -> + let _ = let?# (lhs, _, _) = expect_lhs_eq_rhs () in + Some (if any (fun (arg, _) -> term_eq lhs arg) args + then norm [primops; iota; delta; zeta_full] + else ()) + in trefl () + ); + Some () + +let rec expect_madd_rhs' (bv: bit_vec 256) (n:nat {n < 16}) + : result: option (n: nat {n < 16}) { match result with + | Some n -> bv == madd_rhs n + | _ -> True + } + = if bv_equality bv (madd_rhs n) + then ( bv_equality_elim bv (madd_rhs n); + Some n ) + else if n = 0 then None + else expect_madd_rhs' bv (n - 1) + +irreducible let expect_madd_rhs (bv: bit_vec 256): option (n: nat {n < 16}) + = expect_madd_rhs' bv 15 + +// let rewrite_expect_madd_rhs +// (bv: bit_vec 256) (n: nat {n < 16}) +// : Lemma (requires bv == madd_rhs n) +// (ensures ) +// = () + diff --git a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.TestShuffle.fst b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.TestShuffle.fst new file mode 100644 index 000000000..0c60d6587 --- /dev/null +++ b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.TestShuffle.fst @@ -0,0 +1,203 @@ +module BitVec.Intrinsics.TestShuffle + +open Rust_primitives +open FStar.Mul +open BitVec.Utils +open BitVec.Intrinsics + +assume val stuck: #a:Type -> #b:Type -> a -> b + +let index64 l (i: nat {i < List.Tot.length l}) = + match l with + | [x0;x1;x2;x3] -> + (match i with + | 0 -> x0 | 1 -> x1 | 2 -> x2 | 3 -> x3) + | [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15;x16;x17;x18;x19;x20;x21;x22;x23;x24;x25;x26;x27;x28;x29;x30;x31;x32;x33;x34;x35;x36;x37;x38;x39;x40;x41;x42;x43;x44;x45;x46;x47;x48;x49;x50;x51;x52;x53;x54;x55;x56;x57;x58;x59;x60;x61;x62;x63] -> + (match i with + | 0 -> x0 | 1 -> x1 | 2 -> x2 | 3 -> x3 | 4 -> x4 | 5 -> x5 | 6 -> x6 | 7 -> x7 | 8 -> x8 | 9 -> x9 | 10 -> x10 | 11 -> x11 | 12 -> x12 | 13 -> x13 | 14 -> x14 | 15 -> x15 + | 16 -> x16 | 17 -> x17 | 18 -> x18 | 19 -> x19 | 20 -> x20 | 21 -> x21 | 22 -> x22 | 23 -> x23 | 24 -> x24 | 25 -> x25 | 26 -> x26 | 27 -> x27 | 28 -> x28 | 29 -> x29 | 30 -> x30 | 31 -> x31 + | 32 -> x32 | 33 -> x33 | 34 -> x34 | 35 -> x35 | 36 -> x36 | 37 -> x37 | 38 -> x38 | 39 -> x39 | 40 -> x40 | 41 -> x41 | 42 -> x42 | 43 -> x43 | 44 -> x44 | 45 -> x45 | 46 -> x46 | 47 -> x47 + | 48 -> x48 | 49 -> x49 | 50 -> x50 | 51 -> x51 | 52 -> x52 | 53 -> x53 | 54 -> x54 | 55 -> x55 | 56 -> x56 | 57 -> x57 | 58 -> x58 | 59 -> x59 | 60 -> x60 | 61 -> x61 | 62 -> x62 | 63 -> x63) + | _ -> stuck "index" + +assume val nth: list bit -> nat -> bit + +let bv_of_list_list (n: pos) (l: list (l: list bit {List.Tot.length l == n})): bit_vec (List.Tot.length l * n) + = mk_bv (fun i -> nth (index64 l (i / n)) (i % n)) + +let z: l: list bit {List.Tot.length l == 4} = [0;0;0;0] + +type result #t0 #t1 #t2 #t3 #t4 = { + vector: t0; + adjacent_2_combined: t1; + adjacent_8_combined: t2; + combined': t3; + combined: t4; + } + +// /// We view `x` as a sequence of pairs of 16 bits, of the shape +// /// `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)`: only the last `n` bits are non-zero. +// /// We output a sequence of 32 bits `0b0…0b₁…bₙa₁…aₙ`. +// let mm256_madd_epi16_specialized' (x: bit_vec 256) (n: nat {n < 16}): bit_vec 256 = +// mk_bv (fun i -> let j = i % 32 in +// // `x i` is the `j`th bit in the `i/32`th pair of 16 bits `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` +// // we want to construct the `j`th bit of `0b0…0b₁…bₙa₁…aₙ` +// let is_zero = +// // `|b₁…bₙa₁…aₙ| = n * 2`: if we're above that, we want to produce the bit `0` +// j >= n * 2 +// in +// if is_zero +// then 0 +// else if j < n +// then x i // we want to produce the bit `aⱼ` +// else +// // the bit from `b` is in the second item of the pair `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` +// x (i - n + 16) +// ) + +// let mm256_permutevar8x32_epi32_i32 (a: bit_vec 256) (b: list _ {List.Tot.length b == 8}): bit_vec 256 = +// mk_bv (fun i -> +// let j = i / 32 in +// let index = (List.Tot.index b (7 - j) % 8) * 32 in +// a (index + i % 32)) + +let serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in + let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + mm256_madd_epi16_specialized' vector 4 + // Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 vector + // (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < bit) = [f 0;f 1;f 2;f 3;f 4;f 5;f 6;f 7;f 8;f 9;f 10;f 11;f 12;f 13;f 14;f 15;f 16;f 17;f 18;f 19;f 20;f 21;f 22;f 23;f 24;f 25;f 26;f 27;f 28;f 29;f 30;f 31;f 32;f 33;f 34;f 35;f 36;f 37;f 38;f 39;f 40;f 41;f 42;f 43;f 44;f 45;f 46;f 47;f 48;f 49;f 50;f 51;f 52;f 53;f 54;f 55;f 56;f 57;f 58;f 59;f 60;f 61;f 62;f 63;f 64;f 65;f 66;f 67;f 68;f 69;f 70;f 71;f 72;f 73;f 74;f 75;f 76;f 77;f 78;f 79;f 80;f 81;f 82;f 83;f 84;f 85;f 86;f 87;f 88;f 89;f 90;f 91;f 92;f 93;f 94;f 95;f 96;f 97;f 98;f 99;f 100;f 101;f 102;f 103;f 104;f 105;f 106;f 107;f 108;f 109;f 110;f 111;f 112;f 113;f 114;f 115;f 116;f 117;f 118;f 119;f 120;f 121;f 122;f 123;f 124;f 125;f 126;f 127;f 128;f 129;f 130;f 131;f 132;f 133;f 134;f 135;f 136;f 137;f 138;f 139;f 140;f 141;f 142;f 143;f 144;f 145;f 146;f 147;f 148;f 149;f 150;f 151;f 152;f 153;f 154;f 155;f 156;f 157;f 158;f 159;f 160;f 161;f 162;f 163;f 164;f 165;f 166;f 167;f 168;f 169;f 170;f 171;f 172;f 173;f 174;f 175;f 176;f 177;f 178;f 179;f 180;f 181;f 182;f 183;f 184;f 185;f 186;f 187;f 188;f 189;f 190;f 191;f 192;f 193;f 194;f 195;f 196;f 197;f 198;f 199;f 200;f 201;f 202;f 203;f 204;f 205;f 206;f 207;f 208;f 209;f 210;f 211;f 212;f 213;f 214;f 215;f 216;f 217;f 218;f 219;f 220;f 221;f 222;f 223;f 224;f 225;f 226;f 227;f 228;f 229;f 230;f 231;f 232;f 233;f 234;f 235;f 236;f 237;f 238;f 239;f 240;f 241;f 242;f 243;f 244;f 245;f 246;f 247;f 248;f 249;f 250;f 251;f 252;f 253;f 254;f 255] +let map128 (f: (i: nat {i < 128}) -> bit) = [f 0;f 1;f 2;f 3;f 4;f 5;f 6;f 7;f 8;f 9;f 10;f 11;f 12;f 13;f 14;f 15;f 16;f 17;f 18;f 19;f 20;f 21;f 22;f 23;f 24;f 25;f 26;f 27;f 28;f 29;f 30;f 31;f 32;f 33;f 34;f 35;f 36;f 37;f 38;f 39;f 40;f 41;f 42;f 43;f 44;f 45;f 46;f 47;f 48;f 49;f 50;f 51;f 52;f 53;f 54;f 55;f 56;f 57;f 58;f 59;f 60;f 61;f 62;f 63;f 64;f 65;f 66;f 67;f 68;f 69;f 70;f 71;f 72;f 73;f 74;f 75;f 76;f 77;f 78;f 79;f 80;f 81;f 82;f 83;f 84;f 85;f 86;f 87;f 88;f 89;f 90;f 91;f 92;f 93;f 94;f 95;f 96;f 97;f 98;f 99;f 100;f 101;f 102;f 103;f 104;f 105;f 106;f 107;f 108;f 109;f 110;f 111;f 112;f 113;f 114;f 115;f 116;f 117;f 118;f 119;f 120;f 121;f 122;f 123;f 124;f 125;f 126;f 127] + +let test (a b c d e f g h i j k l m n o p: (l: list bit {List.Tot.length l == 4})) = + let input = bv_of_list_list 4 [ + a;z;z;z; b;z;z;z; c;z;z;z; d;z;z;z; + e;z;z;z; f;z;z;z; g;z;z;z; h;z;z;z; + i;z;z;z; j;z;z;z; k;z;z;z; l;z;z;z; + m;z;z;z; n;z;z;z; o;z;z;z; p;z;z;z; + + // z;z;z;a; z;z;z;b; z;z;z;c; z;z;z;d; + // z;z;z;e; z;z;z;f; z;z;z;g; z;z;z;h; + // z;z;z;i; z;z;z;j; z;z;z;k; z;z;z;l; + // z;z;z;m; z;z;z;n; z;z;z;o; z;z;z;p; + ] in + serialize_4_ input + + +// let xx a b c d e f g h i j k l m n o p = +// Pervasives.norm [iota; primops; zeta_full; delta] ( +// Pervasives.norm [iota; primops; zeta; delta] ( +// let {vector; adjacent_2_combined; adjacent_8_combined; combined'; combined} = test a b c d e f g h i j k l m n o p in +// let vector = map256 (fun (idx: nat{idx < 256}) -> vector idx) in +// let adjacent_2_combined = map256 (fun (idx: nat{idx < 256}) -> adjacent_2_combined idx) in +// let adjacent_8_combined = map256 (fun (idx: nat{idx < 256}) -> adjacent_8_combined idx) in +// let combined' = map256 (fun (idx: nat{idx < 256}) -> combined' idx) in +// let combined = map128 (fun (idx: nat{idx < 128}) -> combined idx) in +// // map128 (fun (idx: nat {idx < 128}) -> test a b c d e f g h i j k l m n o p idx) +// {vector; adjacent_2_combined; adjacent_8_combined; combined'; combined} +// // (vector, adjacent_2_combined) +// ) +// ) + + + +open FStar.Tactics.V2 +open Tactics.Utils + + +open Libcrux_intrinsics.Avx2_extract {t_Vec256, t_Vec128} +// open BitVec.Intrinsics { + +// } + +#push-options "--compat_pre_core 0" +let serialize_4__ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in + let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + BitVec.Intrinsics.mm256_madd_epi16 vector + (BitVec.Intrinsics.mm256_set_epi16 (1s < i % 16 < 4 || vector i = 0)); + assert (forall (i: nat {i < 64}). + // let local_i = i / 4 in + combined i == vector ((i / 4) * 16 + i % 4) + ) by ( + // unfold wrappers + norm [primops; iota; zeta; delta_namespace [ + `%BitVec.Intrinsics.mm256_shuffle_epi8; + `%BitVec.Intrinsics.mm256_permutevar8x32_epi32; + `%BitVec.Intrinsics.mm256_madd_epi16; + `%BitVec.Intrinsics.mm256_castsi256_si128; + "BitVec.Utils"; + ]]; + Tactics.Utils.prove_forall_nat_pointwise (Tactics.Utils.print_time "SMT query succeeded in " (fun _ -> + let reduce t = + norm [primops; iota; zeta_full; delta_namespace [ + "FStar.FunctionalExtensionality"; + t; + `%BitVec.Utils.mk_bv; + `%( + ); `%op_Subtraction; `%( / ); `%( * ); `%( % ) + ]]; + norm [primops; iota; zeta_full; delta_namespace [ + "FStar.List.Tot"; `%( + ); `%op_Subtraction; `%( / ); `%( * ); `%( % ) + ]] + in + reduce (`%BitVec.Intrinsics.mm256_permutevar8x32_epi32_i32); + reduce (`%BitVec.Intrinsics.mm256_shuffle_epi8_i8); + reduce (`%BitVec.Intrinsics.mm256_madd_epi16_specialized); + grewrite (quote (forall_bool #256 (fun i -> i % 16 < 4 || op_Equality #int (vector i) 0))) (`true); + flip (); smt (); + reduce (`%BitVec.Intrinsics.mm256_madd_epi16_specialized'); + // focus (fun _ -> dump' "Goal!!"); + trivial () + )) + ); + combined diff --git a/fstar-helpers/fstar-bitvec/BitVec.Utils.fst b/fstar-helpers/fstar-bitvec/BitVec.Utils.fst index 8cedb60aa..360b2424e 100644 --- a/fstar-helpers/fstar-bitvec/BitVec.Utils.fst +++ b/fstar-helpers/fstar-bitvec/BitVec.Utils.fst @@ -19,3 +19,19 @@ let mk_list_8 #a (x0 x1 x2 x3 x4 x5 x6 x7: a) assert_norm (List.Tot.length l == 8); l +let rw_get_bit_cast #t #u + (x: int_t t) (nth: usize) + : Lemma (requires v nth < bits u /\ v nth < bits u) + (ensures eq2 #bit (get_bit (cast_mod #t #u x) nth) (if v nth < bits t then get_bit x nth else 0)) + [SMTPat (get_bit (cast_mod #t #u x) nth)] + = () + +let rw_get_bit_shr #t #u (x: int_t t) (y: int_t u) (i: usize {v i < bits t}) + : Lemma (requires v y >= 0 /\ v y < bits t) + (ensures eq2 #bit (get_bit (x >>! y) i ) + (if v i < bits t - v y + then get_bit x (mk_int (v i + v y)) + else if signed t + then get_bit x (mk_int (bits t - 1)) + else 0)) + = () diff --git a/fstar-helpers/fstar-bitvec/dep.graph b/fstar-helpers/fstar-bitvec/dep.graph new file mode 100644 index 000000000..58c54a479 --- /dev/null +++ b/fstar-helpers/fstar-bitvec/dep.graph @@ -0,0 +1,2316 @@ +digraph { + "fstar_int32" -> "fstar_uint" + "fstar_int32" -> "fstar_uint" + "fstar_int32" -> "fstar_uint32" + "fstar_int32" -> "fstar_uint32" + "fstar_int32" -> "fstar_mul" + "fstar_int32" -> "fstar_mul" + "fstar_int32" -> "fstar_int" + "fstar_int32" -> "fstar_int" + "fstar_int32" -> "fstar_pervasives" + "fstar_int32" -> "fstar_pervasives" + "fstar_int32" -> "prims" + "fstar_int32" -> "prims" + "fstar_pervasives" -> "fstar_pervasives_native" + "fstar_pervasives" -> "fstar_pervasives_native" + "fstar_pervasives" -> "prims" + "fstar_pervasives" -> "prims" + "fstar_seq" -> "fstar_seq_properties" + "fstar_seq" -> "fstar_seq_properties" + "fstar_seq" -> "fstar_seq_base" + "fstar_seq" -> "fstar_seq_base" + "fstar_seq" -> "fstar_pervasives" + "fstar_seq" -> "fstar_pervasives" + "fstar_seq" -> "prims" + "fstar_seq" -> "prims" + "fstar_int32" -> "fstar_uint32" + "fstar_int32" -> "fstar_uint32" + "fstar_int32" -> "fstar_math_lemmas" + "fstar_int32" -> "fstar_math_lemmas" + "fstar_int32" -> "fstar_mul" + "fstar_int32" -> "fstar_mul" + "fstar_int32" -> "fstar_int" + "fstar_int32" -> "fstar_int" + "fstar_int32" -> "fstar_pervasives" + "fstar_int32" -> "fstar_pervasives" + "fstar_int32" -> "prims" + "fstar_int32" -> "prims" + "fstar_int32" -> "fstar_int32" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_list_tot_base" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_list_tot_base" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives_native" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives_native" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_stubs_tactics_v1_builtins" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_stubs_tactics_types" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_tactics_effect" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_tactics_effect" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_reflection_v1" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_reflection_v1" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives" + "fstar_tactics_v1_syntaxhelpers" -> "prims" + "fstar_tactics_v1_syntaxhelpers" -> "prims" + "core_option" -> "fstar_pervasives" + "core_option" -> "fstar_pervasives" + "core_option" -> "prims" + "core_option" -> "prims" + "fstar_seq_properties" -> "fstar_list_tot_properties" + "fstar_seq_properties" -> "fstar_list_tot_properties" + "fstar_seq_properties" -> "fstar_list_tot_base" + "fstar_seq_properties" -> "fstar_list_tot_base" + "fstar_seq_properties" -> "fstar_list_tot" + "fstar_seq_properties" -> "fstar_list_tot" + "fstar_seq_properties" -> "fstar_pervasives_native" + "fstar_seq_properties" -> "fstar_pervasives_native" + "fstar_seq_properties" -> "fstar_seq_base" + "fstar_seq_properties" -> "fstar_seq_base" + "fstar_seq_properties" -> "fstar_pervasives" + "fstar_seq_properties" -> "fstar_pervasives" + "fstar_seq_properties" -> "prims" + "fstar_seq_properties" -> "prims" + "fstar_squash" -> "fstar_pervasives" + "fstar_squash" -> "fstar_pervasives" + "fstar_squash" -> "prims" + "fstar_squash" -> "prims" + "fstar_squash" -> "fstar_squash" + "fstar_stubs_tactics_v1_builtins" -> "fstar_tactics_unseal" + "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_tactics_types" + "fstar_stubs_tactics_v1_builtins" -> "fstar_tactics_effect" + "fstar_stubs_tactics_v1_builtins" -> "fstar_tactics_effect" + "fstar_stubs_tactics_v1_builtins" -> "fstar_reflection_const" + "fstar_stubs_tactics_v1_builtins" -> "fstar_reflection_const" + "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_reflection_v1_data" + "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_reflection_types" + "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_reflection_v1_builtins" + "fstar_stubs_tactics_v1_builtins" -> "fstar_vconfig" + "fstar_stubs_tactics_v1_builtins" -> "fstar_pervasives" + "fstar_stubs_tactics_v1_builtins" -> "fstar_pervasives" + "fstar_stubs_tactics_v1_builtins" -> "prims" + "fstar_stubs_tactics_v1_builtins" -> "prims" + "fstar_tactics_print" -> "fstar_tactics_namedview" + "fstar_tactics_print" -> "fstar_tactics_namedview" + "fstar_tactics_print" -> "fstar_tactics_v2_derived" + "fstar_tactics_print" -> "fstar_tactics_v2_derived" + "fstar_tactics_print" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_print" -> "fstar_tactics_effect" + "fstar_tactics_print" -> "fstar_tactics_effect" + "fstar_tactics_print" -> "fstar_reflection_v2" + "fstar_tactics_print" -> "fstar_reflection_v2" + "fstar_tactics_print" -> "fstar_pervasives" + "fstar_tactics_print" -> "fstar_pervasives" + "fstar_tactics_print" -> "prims" + "fstar_tactics_print" -> "prims" + "lib_inttypes" -> "fstar_uint" + "lib_inttypes" -> "fstar_uint" + "lib_inttypes" -> "fstar_int" + "lib_inttypes" -> "fstar_int" + "lib_inttypes" -> "fstar_int128" + "lib_inttypes" -> "fstar_int128" + "lib_inttypes" -> "fstar_int64" + "lib_inttypes" -> "fstar_int64" + "lib_inttypes" -> "fstar_int32" + "lib_inttypes" -> "fstar_int32" + "lib_inttypes" -> "fstar_int16" + "lib_inttypes" -> "fstar_int16" + "lib_inttypes" -> "fstar_int8" + "lib_inttypes" -> "fstar_int8" + "lib_inttypes" -> "fstar_uint128" + "lib_inttypes" -> "fstar_uint128" + "lib_inttypes" -> "fstar_uint64" + "lib_inttypes" -> "fstar_uint64" + "lib_inttypes" -> "fstar_uint32" + "lib_inttypes" -> "fstar_uint32" + "lib_inttypes" -> "fstar_uint16" + "lib_inttypes" -> "fstar_uint16" + "lib_inttypes" -> "fstar_uint8" + "lib_inttypes" -> "fstar_uint8" + "lib_inttypes" -> "fstar_mul" + "lib_inttypes" -> "fstar_mul" + "lib_inttypes" -> "fstar_pervasives" + "lib_inttypes" -> "fstar_pervasives" + "lib_inttypes" -> "prims" + "lib_inttypes" -> "prims" + "fstar_reflection_v1_compare" -> "fstar_reflection_v2_compare" + "fstar_reflection_v1_compare" -> "fstar_reflection_v2_compare" + "fstar_reflection_v1_compare" -> "fstar_pervasives" + "fstar_reflection_v1_compare" -> "fstar_pervasives" + "fstar_reflection_v1_compare" -> "prims" + "fstar_reflection_v1_compare" -> "prims" + "fstar_classical" -> "fstar_squash" + "fstar_classical" -> "fstar_squash" + "fstar_classical" -> "fstar_pervasives" + "fstar_classical" -> "fstar_pervasives" + "fstar_classical" -> "prims" + "fstar_classical" -> "prims" + "fstar_classical" -> "fstar_classical" + "fstar_seq_base" -> "fstar_list_tot" + "fstar_seq_base" -> "fstar_list_tot" + "fstar_seq_base" -> "fstar_pervasives" + "fstar_seq_base" -> "fstar_pervasives" + "fstar_seq_base" -> "prims" + "fstar_seq_base" -> "prims" + "fstar_seq_properties" -> "fstar_list_tot_properties" + "fstar_seq_properties" -> "fstar_list_tot_properties" + "fstar_seq_properties" -> "fstar_list_tot_base" + "fstar_seq_properties" -> "fstar_list_tot_base" + "fstar_seq_properties" -> "fstar_squash" + "fstar_seq_properties" -> "fstar_squash" + "fstar_seq_properties" -> "fstar_list_tot" + "fstar_seq_properties" -> "fstar_list_tot" + "fstar_seq_properties" -> "fstar_pervasives_native" + "fstar_seq_properties" -> "fstar_pervasives_native" + "fstar_seq_properties" -> "fstar_classical" + "fstar_seq_properties" -> "fstar_classical" + "fstar_seq_properties" -> "fstar_seq_base" + "fstar_seq_properties" -> "fstar_seq_base" + "fstar_seq_properties" -> "fstar_pervasives" + "fstar_seq_properties" -> "fstar_pervasives" + "fstar_seq_properties" -> "prims" + "fstar_seq_properties" -> "prims" + "fstar_seq_properties" -> "fstar_seq_properties" + "fstar_calc" -> "fstar_classical" + "fstar_calc" -> "fstar_classical" + "fstar_calc" -> "fstar_preorder" + "fstar_calc" -> "fstar_preorder" + "fstar_calc" -> "fstar_squash" + "fstar_calc" -> "fstar_squash" + "fstar_calc" -> "fstar_pervasives" + "fstar_calc" -> "fstar_pervasives" + "fstar_calc" -> "prims" + "fstar_calc" -> "prims" + "fstar_calc" -> "fstar_calc" + "fstar_reflection_termeq" -> "fstar_list_tot" + "fstar_reflection_termeq" -> "fstar_list_tot" + "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_termeq" -> "fstar_stubs_reflection_types" + "fstar_reflection_termeq" -> "fstar_pervasives" + "fstar_reflection_termeq" -> "fstar_pervasives" + "fstar_reflection_termeq" -> "prims" + "fstar_reflection_termeq" -> "prims" + "tactics_pow2" -> "fstar_tactics_effect" + "tactics_pow2" -> "fstar_tactics_effect" + "tactics_pow2" -> "fstar_tactics_v2" + "tactics_pow2" -> "fstar_tactics_v2" + "tactics_pow2" -> "tactics_utils" + "tactics_pow2" -> "tactics_utils" + "tactics_pow2" -> "core" + "tactics_pow2" -> "core" + "tactics_pow2" -> "fstar_pervasives" + "tactics_pow2" -> "fstar_pervasives" + "tactics_pow2" -> "prims" + "tactics_pow2" -> "prims" + "fstar_classical" -> "fstar_pervasives" + "fstar_classical" -> "fstar_pervasives" + "fstar_classical" -> "prims" + "fstar_classical" -> "prims" + "fstar_stubs_reflection_v2_builtins" -> "fstar_stubs_reflection_v2_data" + "fstar_stubs_reflection_v2_builtins" -> "fstar_stubs_reflection_types" + "fstar_stubs_reflection_v2_builtins" -> "fstar_vconfig" + "fstar_stubs_reflection_v2_builtins" -> "fstar_stubs_syntax_syntax" + "fstar_stubs_reflection_v2_builtins" -> "fstar_order" + "fstar_stubs_reflection_v2_builtins" -> "fstar_order" + "fstar_stubs_reflection_v2_builtins" -> "fstar_pervasives" + "fstar_stubs_reflection_v2_builtins" -> "fstar_pervasives" + "fstar_stubs_reflection_v2_builtins" -> "prims" + "fstar_stubs_reflection_v2_builtins" -> "prims" + "rust_primitives_bitvectors" -> "fstar_math_lemmas" + "rust_primitives_bitvectors" -> "fstar_math_lemmas" + "rust_primitives_bitvectors" -> "rust_primitives_integers" + "rust_primitives_bitvectors" -> "rust_primitives_integers" + "rust_primitives_bitvectors" -> "rust_primitives_arrays" + "rust_primitives_bitvectors" -> "rust_primitives_arrays" + "rust_primitives_bitvectors" -> "fstar_mul" + "rust_primitives_bitvectors" -> "fstar_mul" + "rust_primitives_bitvectors" -> "fstar_pervasives" + "rust_primitives_bitvectors" -> "fstar_pervasives" + "rust_primitives_bitvectors" -> "prims" + "rust_primitives_bitvectors" -> "prims" + "rust_primitives_bitvectors" -> "rust_primitives_bitvectors" + "fstar_option" -> "fstar_pervasives_native" + "fstar_option" -> "fstar_pervasives_native" + "fstar_option" -> "fstar_all" + "fstar_option" -> "fstar_all" + "fstar_option" -> "fstar_pervasives" + "fstar_option" -> "fstar_pervasives" + "fstar_option" -> "prims" + "fstar_option" -> "prims" + "fstar_propositionalextensionality" -> "fstar_pervasives" + "fstar_propositionalextensionality" -> "fstar_pervasives" + "fstar_propositionalextensionality" -> "prims" + "fstar_propositionalextensionality" -> "prims" + "fstar_erasedlogic" -> "fstar_ghost" + "fstar_erasedlogic" -> "fstar_ghost" + "fstar_erasedlogic" -> "fstar_pervasives" + "fstar_erasedlogic" -> "fstar_pervasives" + "fstar_erasedlogic" -> "prims" + "fstar_erasedlogic" -> "prims" + "bitveceq" -> "fstar_functionalextensionality" + "bitveceq" -> "fstar_functionalextensionality" + "bitveceq" -> "fstar_mul" + "bitveceq" -> "fstar_mul" + "bitveceq" -> "core" + "bitveceq" -> "core" + "bitveceq" -> "fstar_pervasives" + "bitveceq" -> "fstar_pervasives" + "bitveceq" -> "prims" + "bitveceq" -> "prims" + "bitveceq" -> "bitveceq" + "fstar_issue" -> "fstar_stubs_pprint" + "fstar_issue" -> "fstar_range" + "fstar_issue" -> "fstar_pervasives" + "fstar_issue" -> "fstar_pervasives" + "fstar_issue" -> "prims" + "fstar_issue" -> "prims" + "fstar_mul" -> "fstar_pervasives" + "fstar_mul" -> "fstar_pervasives" + "fstar_mul" -> "prims" + "fstar_mul" -> "prims" + "tactics_utils" -> "fstar_tactics_effect" + "tactics_utils" -> "fstar_tactics_effect" + "tactics_utils" -> "fstar_char" + "tactics_utils" -> "fstar_string" + "tactics_utils" -> "fstar_reflection_v2" + "tactics_utils" -> "fstar_reflection_v2" + "tactics_utils" -> "fstar_tactics_util" + "tactics_utils" -> "fstar_tactics_util" + "tactics_utils" -> "fstar_tactics_v1" + "tactics_utils" -> "fstar_tactics_v1" + "tactics_utils" -> "fstar_tactics" + "tactics_utils" -> "fstar_tactics" + "tactics_utils" -> "fstar_pervasives_native" + "tactics_utils" -> "fstar_pervasives_native" + "tactics_utils" -> "fstar_mul" + "tactics_utils" -> "fstar_mul" + "tactics_utils" -> "fstar_class_printable" + "tactics_utils" -> "fstar_class_printable" + "tactics_utils" -> "fstar_tactics_v2_syntaxhelpers" + "tactics_utils" -> "fstar_tactics_v2_syntaxhelpers" + "tactics_utils" -> "fstar_tactics_v2" + "tactics_utils" -> "fstar_tactics_v2" + "tactics_utils" -> "fstar_list_tot" + "tactics_utils" -> "fstar_list_tot" + "tactics_utils" -> "fstar_option" + "tactics_utils" -> "fstar_option" + "tactics_utils" -> "core" + "tactics_utils" -> "core" + "tactics_utils" -> "fstar_pervasives" + "tactics_utils" -> "fstar_pervasives" + "tactics_utils" -> "prims" + "tactics_utils" -> "prims" + "libcrux_intrinsics_avx2_extract" -> "bitvec_intrinsics" + "libcrux_intrinsics_avx2_extract" -> "fstar_mul" + "libcrux_intrinsics_avx2_extract" -> "fstar_mul" + "libcrux_intrinsics_avx2_extract" -> "core" + "libcrux_intrinsics_avx2_extract" -> "core" + "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" + "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" + "libcrux_intrinsics_avx2_extract" -> "prims" + "libcrux_intrinsics_avx2_extract" -> "prims" + "fstar_stubs_tactics_types" -> "fstar_issue" + "fstar_stubs_tactics_types" -> "fstar_range" + "fstar_stubs_tactics_types" -> "fstar_stubs_typechecker_core" + "fstar_stubs_tactics_types" -> "fstar_stubs_tactics_common" + "fstar_stubs_tactics_types" -> "fstar_stubs_reflection_types" + "fstar_stubs_tactics_types" -> "fstar_pervasives" + "fstar_stubs_tactics_types" -> "fstar_pervasives" + "fstar_stubs_tactics_types" -> "prims" + "fstar_stubs_tactics_types" -> "prims" + "fstar_exn" -> "fstar_pervasives" + "fstar_exn" -> "fstar_pervasives" + "fstar_exn" -> "prims" + "fstar_exn" -> "prims" + "core_iter" -> "rust_primitives_arrays" + "core_iter" -> "rust_primitives_arrays" + "core_iter" -> "core_ops_range" + "core_iter" -> "core_iter_adapters_step_by" + "core_iter" -> "core_iter_adapters_step_by" + "core_iter" -> "fstar_pervasives_native" + "core_iter" -> "fstar_pervasives_native" + "core_iter" -> "core_ops" + "core_iter" -> "core_ops" + "core_iter" -> "fstar_tactics_typeclasses" + "core_iter" -> "fstar_tactics_typeclasses" + "core_iter" -> "core_iter_adapters_enumerate" + "core_iter" -> "core_iter_adapters_enumerate" + "core_iter" -> "core_iter_traits_iterator" + "core_iter" -> "core_iter_traits_iterator" + "core_iter" -> "rust_primitives" + "core_iter" -> "rust_primitives" + "core_iter" -> "fstar_pervasives" + "core_iter" -> "fstar_pervasives" + "core_iter" -> "prims" + "core_iter" -> "prims" + "fstar_functionalextensionality" -> "fstar_pervasives_native" + "fstar_functionalextensionality" -> "fstar_pervasives_native" + "fstar_functionalextensionality" -> "fstar_tactics_effect" + "fstar_functionalextensionality" -> "fstar_tactics_effect" + "fstar_functionalextensionality" -> "fstar_stubs_tactics_types" + "fstar_functionalextensionality" -> "fstar_stubs_reflection_types" + "fstar_functionalextensionality" -> "fstar_stubs_tactics_v2_builtins" + "fstar_functionalextensionality" -> "fstar_pervasives" + "fstar_functionalextensionality" -> "fstar_pervasives" + "fstar_functionalextensionality" -> "prims" + "fstar_functionalextensionality" -> "prims" + "fstar_functionalextensionality" -> "fstar_functionalextensionality" + "core_iter_adapters_step_by" -> "rust_primitives" + "core_iter_adapters_step_by" -> "rust_primitives" + "core_iter_adapters_step_by" -> "fstar_pervasives" + "core_iter_adapters_step_by" -> "fstar_pervasives" + "core_iter_adapters_step_by" -> "prims" + "core_iter_adapters_step_by" -> "prims" + "fstar_tactics_v1_derived" -> "fstar_propositionalextensionality" + "fstar_tactics_v1_derived" -> "fstar_propositionalextensionality" + "fstar_tactics_v1_derived" -> "fstar_squash" + "fstar_tactics_v1_derived" -> "fstar_squash" + "fstar_tactics_v1_derived" -> "fstar_range" + "fstar_tactics_v1_derived" -> "fstar_pervasives_native" + "fstar_tactics_v1_derived" -> "fstar_pervasives_native" + "fstar_tactics_v1_derived" -> "fstar_tactics_visit" + "fstar_tactics_v1_derived" -> "fstar_tactics_visit" + "fstar_tactics_v1_derived" -> "fstar_list_tot_base" + "fstar_tactics_v1_derived" -> "fstar_list_tot_base" + "fstar_tactics_v1_derived" -> "fstar_vconfig" + "fstar_tactics_v1_derived" -> "fstar_tactics_v1_syntaxhelpers" + "fstar_tactics_v1_derived" -> "fstar_tactics_v1_syntaxhelpers" + "fstar_tactics_v1_derived" -> "fstar_stubs_tactics_v1_builtins" + "fstar_tactics_v1_derived" -> "fstar_tactics_util" + "fstar_tactics_v1_derived" -> "fstar_tactics_util" + "fstar_tactics_v1_derived" -> "fstar_stubs_tactics_result" + "fstar_tactics_v1_derived" -> "fstar_stubs_tactics_types" + "fstar_tactics_v1_derived" -> "fstar_tactics_effect" + "fstar_tactics_v1_derived" -> "fstar_tactics_effect" + "fstar_tactics_v1_derived" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1_derived" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1_derived" -> "fstar_reflection_v1" + "fstar_tactics_v1_derived" -> "fstar_reflection_v1" + "fstar_tactics_v1_derived" -> "fstar_pervasives" + "fstar_tactics_v1_derived" -> "fstar_pervasives" + "fstar_tactics_v1_derived" -> "prims" + "fstar_tactics_v1_derived" -> "prims" + "fstar_tactics_visit" -> "fstar_pervasives_native" + "fstar_tactics_visit" -> "fstar_pervasives_native" + "fstar_tactics_visit" -> "fstar_tactics_util" + "fstar_tactics_visit" -> "fstar_tactics_util" + "fstar_tactics_visit" -> "fstar_tactics_effect" + "fstar_tactics_visit" -> "fstar_tactics_effect" + "fstar_tactics_visit" -> "fstar_reflection_v2" + "fstar_tactics_visit" -> "fstar_reflection_v2" + "fstar_tactics_visit" -> "fstar_pervasives" + "fstar_tactics_visit" -> "fstar_pervasives" + "fstar_tactics_visit" -> "prims" + "fstar_tactics_visit" -> "prims" + "rust_primitives_bitvectors" -> "fstar_uint8" + "rust_primitives_bitvectors" -> "fstar_uint8" + "rust_primitives_bitvectors" -> "fstar_uint16" + "rust_primitives_bitvectors" -> "fstar_uint16" + "rust_primitives_bitvectors" -> "fstar_uint32" + "rust_primitives_bitvectors" -> "fstar_uint32" + "rust_primitives_bitvectors" -> "fstar_int16" + "rust_primitives_bitvectors" -> "fstar_int16" + "rust_primitives_bitvectors" -> "fstar_int32" + "rust_primitives_bitvectors" -> "fstar_int32" + "rust_primitives_bitvectors" -> "fstar_seq" + "rust_primitives_bitvectors" -> "fstar_seq" + "rust_primitives_bitvectors" -> "fstar_functionalextensionality" + "rust_primitives_bitvectors" -> "fstar_functionalextensionality" + "rust_primitives_bitvectors" -> "rust_primitives_integers" + "rust_primitives_bitvectors" -> "rust_primitives_integers" + "rust_primitives_bitvectors" -> "rust_primitives_arrays" + "rust_primitives_bitvectors" -> "rust_primitives_arrays" + "rust_primitives_bitvectors" -> "fstar_mul" + "rust_primitives_bitvectors" -> "fstar_mul" + "rust_primitives_bitvectors" -> "fstar_pervasives" + "rust_primitives_bitvectors" -> "fstar_pervasives" + "rust_primitives_bitvectors" -> "prims" + "rust_primitives_bitvectors" -> "prims" + "fstar_uint16" -> "fstar_uint32" + "fstar_uint16" -> "fstar_uint32" + "fstar_uint16" -> "fstar_mul" + "fstar_uint16" -> "fstar_mul" + "fstar_uint16" -> "fstar_uint" + "fstar_uint16" -> "fstar_uint" + "fstar_uint16" -> "fstar_pervasives" + "fstar_uint16" -> "fstar_pervasives" + "fstar_uint16" -> "prims" + "fstar_uint16" -> "prims" + "fstar_uint16" -> "fstar_uint16" + "core_num_error" -> "rust_primitives" + "core_num_error" -> "rust_primitives" + "core_num_error" -> "fstar_pervasives" + "core_num_error" -> "fstar_pervasives" + "core_num_error" -> "prims" + "core_num_error" -> "prims" + "bitveceq" -> "fstar_math_lemmas" + "bitveceq" -> "fstar_math_lemmas" + "bitveceq" -> "fstar_seq" + "bitveceq" -> "fstar_seq" + "bitveceq" -> "fstar_classical_sugar" + "bitveceq" -> "fstar_classical_sugar" + "bitveceq" -> "fstar_functionalextensionality" + "bitveceq" -> "fstar_functionalextensionality" + "bitveceq" -> "mkseq" + "bitveceq" -> "mkseq" + "bitveceq" -> "fstar_mul" + "bitveceq" -> "fstar_mul" + "bitveceq" -> "core" + "bitveceq" -> "core" + "bitveceq" -> "fstar_pervasives" + "bitveceq" -> "fstar_pervasives" + "bitveceq" -> "prims" + "bitveceq" -> "prims" + "lib_inttypes" -> "fstar_bitvector" + "lib_inttypes" -> "fstar_bitvector" + "lib_inttypes" -> "fstar_seq" + "lib_inttypes" -> "fstar_seq" + "lib_inttypes" -> "fstar_uint" + "lib_inttypes" -> "fstar_uint" + "lib_inttypes" -> "fstar_pervasives_native" + "lib_inttypes" -> "fstar_pervasives_native" + "lib_inttypes" -> "fstar_int_cast_full" + "lib_inttypes" -> "fstar_int_cast_full" + "lib_inttypes" -> "fstar_int" + "lib_inttypes" -> "fstar_int" + "lib_inttypes" -> "fstar_int_cast" + "lib_inttypes" -> "fstar_int_cast" + "lib_inttypes" -> "fstar_int128" + "lib_inttypes" -> "fstar_int128" + "lib_inttypes" -> "fstar_int64" + "lib_inttypes" -> "fstar_int64" + "lib_inttypes" -> "fstar_int32" + "lib_inttypes" -> "fstar_int32" + "lib_inttypes" -> "fstar_int16" + "lib_inttypes" -> "fstar_int16" + "lib_inttypes" -> "fstar_int8" + "lib_inttypes" -> "fstar_int8" + "lib_inttypes" -> "fstar_uint128" + "lib_inttypes" -> "fstar_uint128" + "lib_inttypes" -> "fstar_uint64" + "lib_inttypes" -> "fstar_uint64" + "lib_inttypes" -> "fstar_uint32" + "lib_inttypes" -> "fstar_uint32" + "lib_inttypes" -> "fstar_uint16" + "lib_inttypes" -> "fstar_uint16" + "lib_inttypes" -> "fstar_uint8" + "lib_inttypes" -> "fstar_uint8" + "lib_inttypes" -> "fstar_math_lemmas" + "lib_inttypes" -> "fstar_math_lemmas" + "lib_inttypes" -> "fstar_pervasives" + "lib_inttypes" -> "fstar_pervasives" + "lib_inttypes" -> "prims" + "lib_inttypes" -> "prims" + "lib_inttypes" -> "lib_inttypes" + "fstar_int_cast_full" -> "fstar_uint128" + "fstar_int_cast_full" -> "fstar_uint128" + "fstar_int_cast_full" -> "fstar_uint64" + "fstar_int_cast_full" -> "fstar_uint64" + "fstar_int_cast_full" -> "fstar_int_cast" + "fstar_int_cast_full" -> "fstar_int_cast" + "fstar_int_cast_full" -> "fstar_pervasives" + "fstar_int_cast_full" -> "fstar_pervasives" + "fstar_int_cast_full" -> "prims" + "fstar_int_cast_full" -> "prims" + "rust_primitives_hax" -> "fstar_list_tot" + "rust_primitives_hax" -> "fstar_list_tot" + "rust_primitives_hax" -> "lib_inttypes" + "rust_primitives_hax" -> "lib_inttypes" + "rust_primitives_hax" -> "core_slice" + "rust_primitives_hax" -> "fstar_tactics_typeclasses" + "rust_primitives_hax" -> "fstar_tactics_typeclasses" + "rust_primitives_hax" -> "core_ops_index" + "rust_primitives_hax" -> "core_ops_index" + "rust_primitives_hax" -> "fstar_seq" + "rust_primitives_hax" -> "fstar_seq" + "rust_primitives_hax" -> "rust_primitives_arrays" + "rust_primitives_hax" -> "rust_primitives_arrays" + "rust_primitives_hax" -> "rust_primitives_integers" + "rust_primitives_hax" -> "rust_primitives_integers" + "rust_primitives_hax" -> "fstar_pervasives" + "rust_primitives_hax" -> "fstar_pervasives" + "rust_primitives_hax" -> "prims" + "rust_primitives_hax" -> "prims" + "fstar_reflection_v2_formula" -> "fstar_pervasives_native" + "fstar_reflection_v2_formula" -> "fstar_pervasives_native" + "fstar_reflection_v2_formula" -> "fstar_reflection_termeq_simple" + "fstar_reflection_v2_formula" -> "fstar_reflection_termeq_simple" + "fstar_reflection_v2_formula" -> "fstar_tactics_namedview" + "fstar_reflection_v2_formula" -> "fstar_tactics_namedview" + "fstar_reflection_v2_formula" -> "fstar_stubs_tactics_v2_builtins" + "fstar_reflection_v2_formula" -> "fstar_tactics_effect" + "fstar_reflection_v2_formula" -> "fstar_tactics_effect" + "fstar_reflection_v2_formula" -> "fstar_stubs_tactics_common" + "fstar_reflection_v2_formula" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2_formula" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2_formula" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2_formula" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_v2_formula" -> "fstar_reflection_const" + "fstar_reflection_v2_formula" -> "fstar_reflection_const" + "fstar_reflection_v2_formula" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2_formula" -> "fstar_list_tot_base" + "fstar_reflection_v2_formula" -> "fstar_list_tot_base" + "fstar_reflection_v2_formula" -> "fstar_pervasives" + "fstar_reflection_v2_formula" -> "fstar_pervasives" + "fstar_reflection_v2_formula" -> "prims" + "fstar_reflection_v2_formula" -> "prims" + "fstar_tactics_unseal" -> "fstar_tactics_effect" + "fstar_tactics_unseal" -> "fstar_tactics_effect" + "fstar_tactics_unseal" -> "fstar_sealed" + "fstar_tactics_unseal" -> "fstar_pervasives" + "fstar_tactics_unseal" -> "fstar_pervasives" + "fstar_tactics_unseal" -> "prims" + "fstar_tactics_unseal" -> "prims" + "fstar_int128" -> "fstar_int64" + "fstar_int128" -> "fstar_int64" + "fstar_int128" -> "fstar_uint32" + "fstar_int128" -> "fstar_uint32" + "fstar_int128" -> "fstar_math_lemmas" + "fstar_int128" -> "fstar_math_lemmas" + "fstar_int128" -> "fstar_mul" + "fstar_int128" -> "fstar_mul" + "fstar_int128" -> "fstar_int" + "fstar_int128" -> "fstar_int" + "fstar_int128" -> "fstar_pervasives" + "fstar_int128" -> "fstar_pervasives" + "fstar_int128" -> "prims" + "fstar_int128" -> "prims" + "fstar_int128" -> "fstar_int128" + "tactics_seq" -> "fstar_tactics_effect" + "tactics_seq" -> "fstar_tactics_effect" + "tactics_seq" -> "fstar_pervasives_native" + "tactics_seq" -> "fstar_pervasives_native" + "tactics_seq" -> "tactics_pow2" + "tactics_seq" -> "tactics_pow2" + "tactics_seq" -> "tactics_utils" + "tactics_seq" -> "tactics_utils" + "tactics_seq" -> "fstar_option" + "tactics_seq" -> "fstar_option" + "tactics_seq" -> "fstar_mul" + "tactics_seq" -> "fstar_mul" + "tactics_seq" -> "fstar_class_printable" + "tactics_seq" -> "fstar_class_printable" + "tactics_seq" -> "fstar_tactics_v2_syntaxhelpers" + "tactics_seq" -> "fstar_tactics_v2_syntaxhelpers" + "tactics_seq" -> "fstar_tactics_v2" + "tactics_seq" -> "fstar_tactics_v2" + "tactics_seq" -> "fstar_seq_base" + "tactics_seq" -> "fstar_seq_base" + "tactics_seq" -> "fstar_list_tot" + "tactics_seq" -> "fstar_list_tot" + "tactics_seq" -> "core" + "tactics_seq" -> "core" + "tactics_seq" -> "fstar_pervasives" + "tactics_seq" -> "fstar_pervasives" + "tactics_seq" -> "prims" + "tactics_seq" -> "prims" + "rust_primitives" -> "fstar_seq" + "rust_primitives" -> "fstar_seq" + "rust_primitives" -> "fstar_tactics_typeclasses" + "rust_primitives" -> "fstar_tactics_typeclasses" + "rust_primitives" -> "core_ops_control_flow" + "rust_primitives" -> "core_ops_control_flow" + "rust_primitives" -> "core_result" + "rust_primitives" -> "core_result" + "rust_primitives" -> "core_option" + "rust_primitives" -> "core_option" + "rust_primitives" -> "rust_primitives_bitvectors" + "rust_primitives" -> "rust_primitives_bitvectors" + "rust_primitives" -> "rust_primitives_arrays" + "rust_primitives" -> "rust_primitives_arrays" + "rust_primitives" -> "rust_primitives_integers" + "rust_primitives" -> "rust_primitives_integers" + "rust_primitives" -> "fstar_pervasives" + "rust_primitives" -> "fstar_pervasives" + "rust_primitives" -> "prims" + "rust_primitives" -> "prims" + "fstar_set" -> "fstar_classical" + "fstar_set" -> "fstar_classical" + "fstar_set" -> "fstar_functionalextensionality" + "fstar_set" -> "fstar_functionalextensionality" + "fstar_set" -> "fstar_pervasives" + "fstar_set" -> "fstar_pervasives" + "fstar_set" -> "prims" + "fstar_set" -> "prims" + "fstar_set" -> "fstar_set" + "fstar_tactics_v1_logic" -> "fstar_pervasives_native" + "fstar_tactics_v1_logic" -> "fstar_pervasives_native" + "fstar_tactics_v1_logic" -> "fstar_squash" + "fstar_tactics_v1_logic" -> "fstar_squash" + "fstar_tactics_v1_logic" -> "fstar_indefinitedescription" + "fstar_tactics_v1_logic" -> "fstar_indefinitedescription" + "fstar_tactics_v1_logic" -> "fstar_classical" + "fstar_tactics_v1_logic" -> "fstar_classical" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1" + "fstar_tactics_v1_logic" -> "fstar_tactics_util" + "fstar_tactics_v1_logic" -> "fstar_tactics_util" + "fstar_tactics_v1_logic" -> "fstar_tactics_v1_derived" + "fstar_tactics_v1_logic" -> "fstar_tactics_v1_derived" + "fstar_tactics_v1_logic" -> "fstar_stubs_tactics_v1_builtins" + "fstar_tactics_v1_logic" -> "fstar_tactics_effect" + "fstar_tactics_v1_logic" -> "fstar_tactics_effect" + "fstar_tactics_v1_logic" -> "fstar_pervasives" + "fstar_tactics_v1_logic" -> "fstar_pervasives" + "fstar_tactics_v1_logic" -> "prims" + "fstar_tactics_v1_logic" -> "prims" + "fstar_class_printable" -> "fstar_seq" + "fstar_class_printable" -> "fstar_seq" + "fstar_class_printable" -> "fstar_uint64" + "fstar_class_printable" -> "fstar_uint64" + "fstar_class_printable" -> "fstar_int64" + "fstar_class_printable" -> "fstar_int64" + "fstar_class_printable" -> "fstar_uint32" + "fstar_class_printable" -> "fstar_uint32" + "fstar_class_printable" -> "fstar_int32" + "fstar_class_printable" -> "fstar_int32" + "fstar_class_printable" -> "fstar_uint16" + "fstar_class_printable" -> "fstar_uint16" + "fstar_class_printable" -> "fstar_int16" + "fstar_class_printable" -> "fstar_int16" + "fstar_class_printable" -> "fstar_int8" + "fstar_class_printable" -> "fstar_int8" + "fstar_class_printable" -> "fstar_uint8" + "fstar_class_printable" -> "fstar_uint8" + "fstar_class_printable" -> "fstar_char" + "fstar_class_printable" -> "fstar_list_tot" + "fstar_class_printable" -> "fstar_list_tot" + "fstar_class_printable" -> "fstar_tactics_typeclasses" + "fstar_class_printable" -> "fstar_tactics_typeclasses" + "fstar_class_printable" -> "fstar_seq_properties" + "fstar_class_printable" -> "fstar_seq_properties" + "fstar_class_printable" -> "fstar_string" + "fstar_class_printable" -> "fstar_pervasives" + "fstar_class_printable" -> "fstar_pervasives" + "fstar_class_printable" -> "prims" + "fstar_class_printable" -> "prims" + "tactics_getbit" -> "fstar_functionalextensionality" + "tactics_getbit" -> "fstar_functionalextensionality" + "tactics_getbit" -> "tactics_machineints" + "tactics_getbit" -> "tactics_machineints" + "tactics_getbit" -> "rust_primitives_hax" + "tactics_getbit" -> "rust_primitives_hax" + "tactics_getbit" -> "tactics_seq" + "tactics_getbit" -> "tactics_seq" + "tactics_getbit" -> "bitveceq" + "tactics_getbit" -> "bitveceq" + "tactics_getbit" -> "tactics_pow2" + "tactics_getbit" -> "tactics_pow2" + "tactics_getbit" -> "tactics_utils" + "tactics_getbit" -> "tactics_utils" + "tactics_getbit" -> "fstar_option" + "tactics_getbit" -> "fstar_option" + "tactics_getbit" -> "fstar_mul" + "tactics_getbit" -> "fstar_mul" + "tactics_getbit" -> "fstar_class_printable" + "tactics_getbit" -> "fstar_class_printable" + "tactics_getbit" -> "fstar_tactics_v2_syntaxhelpers" + "tactics_getbit" -> "fstar_tactics_v2_syntaxhelpers" + "tactics_getbit" -> "fstar_tactics_v2" + "tactics_getbit" -> "fstar_tactics_v2" + "tactics_getbit" -> "fstar_list_tot" + "tactics_getbit" -> "fstar_list_tot" + "tactics_getbit" -> "core" + "tactics_getbit" -> "core" + "tactics_getbit" -> "fstar_pervasives" + "tactics_getbit" -> "fstar_pervasives" + "tactics_getbit" -> "prims" + "tactics_getbit" -> "prims" + "tactics_machineints" -> "fstar_uint8" + "tactics_machineints" -> "fstar_uint8" + "tactics_machineints" -> "fstar_tactics_effect" + "tactics_machineints" -> "fstar_tactics_effect" + "tactics_machineints" -> "fstar_list_tot" + "tactics_machineints" -> "fstar_list_tot" + "tactics_machineints" -> "lib_inttypes" + "tactics_machineints" -> "lib_inttypes" + "tactics_machineints" -> "fstar_pervasives_native" + "tactics_machineints" -> "fstar_pervasives_native" + "tactics_machineints" -> "rust_primitives_integers" + "tactics_machineints" -> "rust_primitives_integers" + "tactics_machineints" -> "tactics_utils" + "tactics_machineints" -> "tactics_utils" + "tactics_machineints" -> "fstar_option" + "tactics_machineints" -> "fstar_option" + "tactics_machineints" -> "fstar_class_printable" + "tactics_machineints" -> "fstar_class_printable" + "tactics_machineints" -> "fstar_tactics_v2_syntaxhelpers" + "tactics_machineints" -> "fstar_tactics_v2_syntaxhelpers" + "tactics_machineints" -> "fstar_tactics_v2" + "tactics_machineints" -> "fstar_tactics_v2" + "tactics_machineints" -> "fstar_pervasives" + "tactics_machineints" -> "fstar_pervasives" + "tactics_machineints" -> "prims" + "tactics_machineints" -> "prims" + "fstar_preorder" -> "fstar_pervasives" + "fstar_preorder" -> "fstar_pervasives" + "fstar_preorder" -> "prims" + "fstar_preorder" -> "prims" + "fstar_reflection_const" -> "fstar_pervasives" + "fstar_reflection_const" -> "fstar_pervasives" + "fstar_reflection_const" -> "prims" + "fstar_reflection_const" -> "prims" + "fstar_tactics_bv" -> "fstar_pervasives_native" + "fstar_tactics_bv" -> "fstar_pervasives_native" + "fstar_tactics_bv" -> "fstar_uint" + "fstar_tactics_bv" -> "fstar_uint" + "fstar_tactics_bv" -> "fstar_bv" + "fstar_tactics_bv" -> "fstar_bv" + "fstar_tactics_bv" -> "fstar_reflection_v2_arith" + "fstar_tactics_bv" -> "fstar_reflection_v2_arith" + "fstar_tactics_bv" -> "fstar_reflection_v2_formula" + "fstar_tactics_bv" -> "fstar_reflection_v2_formula" + "fstar_tactics_bv" -> "fstar_tactics_v2" + "fstar_tactics_bv" -> "fstar_tactics_v2" + "fstar_tactics_bv" -> "fstar_pervasives" + "fstar_tactics_bv" -> "fstar_pervasives" + "fstar_tactics_bv" -> "prims" + "fstar_tactics_bv" -> "prims" + "fstar_tactics_v2" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2" -> "fstar_tactics_smt" + "fstar_tactics_v2" -> "fstar_tactics_smt" + "fstar_tactics_v2" -> "fstar_tactics_mapply" + "fstar_tactics_v2" -> "fstar_tactics_mapply" + "fstar_tactics_v2" -> "fstar_tactics_namedview" + "fstar_tactics_v2" -> "fstar_tactics_namedview" + "fstar_tactics_v2" -> "fstar_tactics_visit" + "fstar_tactics_v2" -> "fstar_tactics_visit" + "fstar_tactics_v2" -> "fstar_tactics_print" + "fstar_tactics_v2" -> "fstar_tactics_print" + "fstar_tactics_v2" -> "fstar_tactics_util" + "fstar_tactics_v2" -> "fstar_tactics_util" + "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2" -> "fstar_tactics_v2_logic" + "fstar_tactics_v2" -> "fstar_tactics_v2_logic" + "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_v2" -> "fstar_tactics_v2_derived" + "fstar_tactics_v2" -> "fstar_tactics_v2_derived" + "fstar_tactics_v2" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_v2" -> "fstar_tactics_effect" + "fstar_tactics_v2" -> "fstar_tactics_effect" + "fstar_tactics_v2" -> "fstar_stubs_tactics_types" + "fstar_tactics_v2" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2" -> "fstar_reflection_v2" + "fstar_tactics_v2" -> "fstar_reflection_v2" + "fstar_tactics_v2" -> "fstar_stubs_reflection_types" + "fstar_tactics_v2" -> "fstar_pervasives" + "fstar_tactics_v2" -> "fstar_pervasives" + "fstar_tactics_v2" -> "prims" + "fstar_tactics_v2" -> "prims" + "fstar_stubs_tactics_result" -> "fstar_stubs_tactics_types" + "fstar_stubs_tactics_result" -> "fstar_pervasives" + "fstar_stubs_tactics_result" -> "fstar_pervasives" + "fstar_stubs_tactics_result" -> "prims" + "fstar_stubs_tactics_result" -> "prims" + "fstar_tactics_effect" -> "fstar_stubs_tactics_result" + "fstar_tactics_effect" -> "fstar_stubs_tactics_types" + "fstar_tactics_effect" -> "fstar_stubs_reflection_types" + "fstar_tactics_effect" -> "fstar_pervasives" + "fstar_tactics_effect" -> "fstar_pervasives" + "fstar_tactics_effect" -> "prims" + "fstar_tactics_effect" -> "prims" + "fstar_tactics_effect" -> "fstar_tactics_effect" + "fstar_monotonic_witnessed" -> "fstar_preorder" + "fstar_monotonic_witnessed" -> "fstar_preorder" + "fstar_monotonic_witnessed" -> "fstar_pervasives" + "fstar_monotonic_witnessed" -> "fstar_pervasives" + "fstar_monotonic_witnessed" -> "prims" + "fstar_monotonic_witnessed" -> "prims" + "fstar_range" -> "fstar_sealed" + "fstar_range" -> "fstar_pervasives" + "fstar_range" -> "fstar_pervasives" + "fstar_range" -> "prims" + "fstar_range" -> "prims" + "fstar_monotonic_witnessed" -> "fstar_classical" + "fstar_monotonic_witnessed" -> "fstar_classical" + "fstar_monotonic_witnessed" -> "fstar_preorder" + "fstar_monotonic_witnessed" -> "fstar_preorder" + "fstar_monotonic_witnessed" -> "fstar_pervasives" + "fstar_monotonic_witnessed" -> "fstar_pervasives" + "fstar_monotonic_witnessed" -> "prims" + "fstar_monotonic_witnessed" -> "prims" + "fstar_monotonic_witnessed" -> "fstar_monotonic_witnessed" + "fstar_uint32" -> "fstar_mul" + "fstar_uint32" -> "fstar_mul" + "fstar_uint32" -> "fstar_uint" + "fstar_uint32" -> "fstar_uint" + "fstar_uint32" -> "fstar_pervasives" + "fstar_uint32" -> "fstar_pervasives" + "fstar_uint32" -> "prims" + "fstar_uint32" -> "prims" + "fstar_uint32" -> "fstar_uint32" + "fstar_st" -> "fstar_set" + "fstar_st" -> "fstar_set" + "fstar_st" -> "fstar_monotonic_witnessed" + "fstar_st" -> "fstar_monotonic_witnessed" + "fstar_st" -> "fstar_preorder" + "fstar_st" -> "fstar_preorder" + "fstar_st" -> "fstar_heap" + "fstar_st" -> "fstar_heap" + "fstar_st" -> "fstar_tset" + "fstar_st" -> "fstar_tset" + "fstar_st" -> "fstar_pervasives" + "fstar_st" -> "fstar_pervasives" + "fstar_st" -> "prims" + "fstar_st" -> "prims" + "bitvec_intrinsics" -> "fstar_list_tot" + "bitvec_intrinsics" -> "fstar_list_tot" + "bitvec_intrinsics" -> "fstar_string" + "bitvec_intrinsics" -> "fstar_tactics_v2_derived" + "bitvec_intrinsics" -> "fstar_tactics_v2_derived" + "bitvec_intrinsics" -> "fstar_stubs_tactics_v2_builtins" + "bitvec_intrinsics" -> "libcrux_intrinsics_avx2_extract" + "bitvec_intrinsics" -> "libcrux_intrinsics_avx2_extract" + "bitvec_intrinsics" -> "fstar_tactics" + "bitvec_intrinsics" -> "fstar_tactics" + "bitvec_intrinsics" -> "fstar_int16" + "bitvec_intrinsics" -> "fstar_int16" + "bitvec_intrinsics" -> "fstar_tactics_v2" + "bitvec_intrinsics" -> "fstar_tactics_v2" + "bitvec_intrinsics" -> "fstar_int32" + "bitvec_intrinsics" -> "fstar_int32" + "bitvec_intrinsics" -> "tactics_utils" + "bitvec_intrinsics" -> "tactics_utils" + "bitvec_intrinsics" -> "bitvec_equality" + "bitvec_intrinsics" -> "bitvec_equality" + "bitvec_intrinsics" -> "bitvec_utils" + "bitvec_intrinsics" -> "bitvec_utils" + "bitvec_intrinsics" -> "fstar_mul" + "bitvec_intrinsics" -> "fstar_mul" + "bitvec_intrinsics" -> "rust_primitives" + "bitvec_intrinsics" -> "rust_primitives" + "bitvec_intrinsics" -> "core" + "bitvec_intrinsics" -> "core" + "bitvec_intrinsics" -> "fstar_pervasives" + "bitvec_intrinsics" -> "fstar_pervasives" + "bitvec_intrinsics" -> "prims" + "bitvec_intrinsics" -> "prims" + "fstar_stubs_typechecker_core" -> "fstar_pervasives" + "fstar_stubs_typechecker_core" -> "fstar_pervasives" + "fstar_stubs_typechecker_core" -> "prims" + "fstar_stubs_typechecker_core" -> "prims" + "fstar_char" -> "fstar_uint32" + "fstar_char" -> "fstar_uint32" + "fstar_char" -> "fstar_pervasives" + "fstar_char" -> "fstar_pervasives" + "fstar_char" -> "prims" + "fstar_char" -> "prims" + "fstar_int8" -> "fstar_uint32" + "fstar_int8" -> "fstar_uint32" + "fstar_int8" -> "fstar_math_lemmas" + "fstar_int8" -> "fstar_math_lemmas" + "fstar_int8" -> "fstar_mul" + "fstar_int8" -> "fstar_mul" + "fstar_int8" -> "fstar_int" + "fstar_int8" -> "fstar_int" + "fstar_int8" -> "fstar_pervasives" + "fstar_int8" -> "fstar_pervasives" + "fstar_int8" -> "prims" + "fstar_int8" -> "prims" + "fstar_int8" -> "fstar_int8" + "fstar_uint32" -> "fstar_mul" + "fstar_uint32" -> "fstar_mul" + "fstar_uint32" -> "fstar_uint" + "fstar_uint32" -> "fstar_uint" + "fstar_uint32" -> "fstar_pervasives" + "fstar_uint32" -> "fstar_pervasives" + "fstar_uint32" -> "prims" + "fstar_uint32" -> "prims" + "fstar_tset" -> "fstar_squash" + "fstar_tset" -> "fstar_squash" + "fstar_tset" -> "fstar_strongexcludedmiddle" + "fstar_tset" -> "fstar_strongexcludedmiddle" + "fstar_tset" -> "fstar_set" + "fstar_tset" -> "fstar_set" + "fstar_tset" -> "fstar_predicateextensionality" + "fstar_tset" -> "fstar_predicateextensionality" + "fstar_tset" -> "fstar_functionalextensionality" + "fstar_tset" -> "fstar_functionalextensionality" + "fstar_tset" -> "fstar_propositionalextensionality" + "fstar_tset" -> "fstar_propositionalextensionality" + "fstar_tset" -> "fstar_pervasives" + "fstar_tset" -> "fstar_pervasives" + "fstar_tset" -> "prims" + "fstar_tset" -> "prims" + "fstar_tset" -> "fstar_tset" + "tactics_folds" -> "tactics_utils" + "tactics_folds" -> "tactics_utils" + "tactics_folds" -> "rust_primitives_hax_folds" + "tactics_folds" -> "fstar_option" + "tactics_folds" -> "fstar_option" + "tactics_folds" -> "fstar_mul" + "tactics_folds" -> "fstar_mul" + "tactics_folds" -> "fstar_class_printable" + "tactics_folds" -> "fstar_class_printable" + "tactics_folds" -> "fstar_tactics_v2_syntaxhelpers" + "tactics_folds" -> "fstar_tactics_v2_syntaxhelpers" + "tactics_folds" -> "fstar_tactics_v2" + "tactics_folds" -> "fstar_tactics_v2" + "tactics_folds" -> "fstar_seq_base" + "tactics_folds" -> "fstar_seq_base" + "tactics_folds" -> "fstar_list_tot" + "tactics_folds" -> "fstar_list_tot" + "tactics_folds" -> "core" + "tactics_folds" -> "core" + "tactics_folds" -> "fstar_pervasives" + "tactics_folds" -> "fstar_pervasives" + "tactics_folds" -> "prims" + "tactics_folds" -> "prims" + "fstar_vconfig" -> "fstar_pervasives" + "fstar_vconfig" -> "fstar_pervasives" + "fstar_vconfig" -> "prims" + "fstar_vconfig" -> "prims" + "fstar_reflection_v2_derived" -> "fstar_list_tot_base" + "fstar_reflection_v2_derived" -> "fstar_list_tot_base" + "fstar_reflection_v2_derived" -> "fstar_pervasives_native" + "fstar_reflection_v2_derived" -> "fstar_pervasives_native" + "fstar_reflection_v2_derived" -> "fstar_list_tot" + "fstar_reflection_v2_derived" -> "fstar_list_tot" + "fstar_reflection_v2_derived" -> "fstar_vconfig" + "fstar_reflection_v2_derived" -> "fstar_order" + "fstar_reflection_v2_derived" -> "fstar_order" + "fstar_reflection_v2_derived" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2_derived" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_v2_derived" -> "fstar_reflection_const" + "fstar_reflection_v2_derived" -> "fstar_reflection_const" + "fstar_reflection_v2_derived" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2_derived" -> "fstar_pervasives" + "fstar_reflection_v2_derived" -> "fstar_pervasives" + "fstar_reflection_v2_derived" -> "prims" + "fstar_reflection_v2_derived" -> "prims" + "fstar_tset" -> "fstar_set" + "fstar_tset" -> "fstar_set" + "fstar_tset" -> "fstar_pervasives" + "fstar_tset" -> "fstar_pervasives" + "fstar_tset" -> "prims" + "fstar_tset" -> "prims" + "fstar_tactics" -> "fstar_tactics_v1" + "fstar_tactics" -> "fstar_tactics_v1" + "fstar_tactics" -> "fstar_pervasives" + "fstar_tactics" -> "fstar_pervasives" + "fstar_tactics" -> "prims" + "fstar_tactics" -> "prims" + "fstar_reflection_v1_derived_lemmas" -> "fstar_classical" + "fstar_reflection_v1_derived_lemmas" -> "fstar_classical" + "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives_native" + "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives_native" + "fstar_reflection_v1_derived_lemmas" -> "fstar_list_tot" + "fstar_reflection_v1_derived_lemmas" -> "fstar_list_tot" + "fstar_reflection_v1_derived_lemmas" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1_derived_lemmas" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1_derived_lemmas" -> "fstar_stubs_reflection_v1_data" + "fstar_reflection_v1_derived_lemmas" -> "fstar_stubs_reflection_v1_builtins" + "fstar_reflection_v1_derived_lemmas" -> "fstar_stubs_reflection_types" + "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives" + "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives" + "fstar_reflection_v1_derived_lemmas" -> "prims" + "fstar_reflection_v1_derived_lemmas" -> "prims" + "fstar_set" -> "fstar_pervasives" + "fstar_set" -> "fstar_pervasives" + "fstar_set" -> "prims" + "fstar_set" -> "prims" + "fstar_classical_sugar" -> "fstar_squash" + "fstar_classical_sugar" -> "fstar_squash" + "fstar_classical_sugar" -> "fstar_pervasives" + "fstar_classical_sugar" -> "fstar_pervasives" + "fstar_classical_sugar" -> "prims" + "fstar_classical_sugar" -> "prims" + "fstar_classical_sugar" -> "fstar_classical_sugar" + "rust_primitives_integers" -> "fstar_pervasives_native" + "rust_primitives_integers" -> "fstar_pervasives_native" + "rust_primitives_integers" -> "fstar_int" + "rust_primitives_integers" -> "fstar_int" + "rust_primitives_integers" -> "fstar_int128" + "rust_primitives_integers" -> "fstar_int128" + "rust_primitives_integers" -> "fstar_uint128" + "rust_primitives_integers" -> "fstar_uint128" + "rust_primitives_integers" -> "fstar_int64" + "rust_primitives_integers" -> "fstar_int64" + "rust_primitives_integers" -> "fstar_uint64" + "rust_primitives_integers" -> "fstar_uint64" + "rust_primitives_integers" -> "fstar_int32" + "rust_primitives_integers" -> "fstar_int32" + "rust_primitives_integers" -> "fstar_uint32" + "rust_primitives_integers" -> "fstar_uint32" + "rust_primitives_integers" -> "fstar_int16" + "rust_primitives_integers" -> "fstar_int16" + "rust_primitives_integers" -> "fstar_uint16" + "rust_primitives_integers" -> "fstar_uint16" + "rust_primitives_integers" -> "fstar_int8" + "rust_primitives_integers" -> "fstar_int8" + "rust_primitives_integers" -> "fstar_uint8" + "rust_primitives_integers" -> "fstar_uint8" + "rust_primitives_integers" -> "lib_inttypes" + "rust_primitives_integers" -> "lib_inttypes" + "rust_primitives_integers" -> "fstar_mul" + "rust_primitives_integers" -> "fstar_mul" + "rust_primitives_integers" -> "fstar_pervasives" + "rust_primitives_integers" -> "fstar_pervasives" + "rust_primitives_integers" -> "prims" + "rust_primitives_integers" -> "prims" + "fstar_squash" -> "fstar_pervasives" + "fstar_squash" -> "fstar_pervasives" + "fstar_squash" -> "prims" + "fstar_squash" -> "prims" + "fstar_stubs_reflection_types" -> "fstar_sealed" + "fstar_stubs_reflection_types" -> "fstar_range" + "fstar_stubs_reflection_types" -> "fstar_pervasives" + "fstar_stubs_reflection_types" -> "fstar_pervasives" + "fstar_stubs_reflection_types" -> "prims" + "fstar_stubs_reflection_types" -> "prims" + "fstar_tactics_v1" -> "fstar_tactics_smt" + "fstar_tactics_v1" -> "fstar_tactics_smt" + "fstar_tactics_v1" -> "fstar_tactics_visit" + "fstar_tactics_v1" -> "fstar_tactics_visit" + "fstar_tactics_v1" -> "fstar_tactics_print" + "fstar_tactics_v1" -> "fstar_tactics_print" + "fstar_tactics_v1" -> "fstar_tactics_util" + "fstar_tactics_v1" -> "fstar_tactics_util" + "fstar_tactics_v1" -> "fstar_tactics_v1_logic" + "fstar_tactics_v1" -> "fstar_tactics_v1_logic" + "fstar_tactics_v1" -> "fstar_tactics_v1_syntaxhelpers" + "fstar_tactics_v1" -> "fstar_tactics_v1_syntaxhelpers" + "fstar_tactics_v1" -> "fstar_tactics_v1_derived" + "fstar_tactics_v1" -> "fstar_tactics_v1_derived" + "fstar_tactics_v1" -> "fstar_stubs_tactics_v1_builtins" + "fstar_tactics_v1" -> "fstar_tactics_effect" + "fstar_tactics_v1" -> "fstar_tactics_effect" + "fstar_tactics_v1" -> "fstar_stubs_tactics_types" + "fstar_tactics_v1" -> "fstar_reflection_v1_compare" + "fstar_tactics_v1" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1" -> "fstar_reflection_v1_derived" + "fstar_tactics_v1" -> "fstar_reflection_v1_derived" + "fstar_tactics_v1" -> "fstar_stubs_reflection_v1_builtins" + "fstar_tactics_v1" -> "fstar_stubs_reflection_v1_data" + "fstar_tactics_v1" -> "fstar_reflection_const" + "fstar_tactics_v1" -> "fstar_reflection_const" + "fstar_tactics_v1" -> "fstar_stubs_reflection_types" + "fstar_tactics_v1" -> "fstar_pervasives" + "fstar_tactics_v1" -> "fstar_pervasives" + "fstar_tactics_v1" -> "prims" + "fstar_tactics_v1" -> "prims" + "fstar_list_tot" -> "fstar_list_tot_properties" + "fstar_list_tot" -> "fstar_list_tot_properties" + "fstar_list_tot" -> "fstar_list_tot_base" + "fstar_list_tot" -> "fstar_list_tot_base" + "fstar_list_tot" -> "fstar_pervasives" + "fstar_list_tot" -> "fstar_pervasives" + "fstar_list_tot" -> "prims" + "fstar_list_tot" -> "prims" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" + "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" + "fstar_tactics_mapply" -> "fstar_tactics_effect" + "fstar_tactics_mapply" -> "fstar_tactics_effect" + "fstar_tactics_mapply" -> "fstar_reflection_v2" + "fstar_tactics_mapply" -> "fstar_reflection_v2" + "fstar_tactics_mapply" -> "fstar_pervasives" + "fstar_tactics_mapply" -> "fstar_pervasives" + "fstar_tactics_mapply" -> "prims" + "fstar_tactics_mapply" -> "prims" + "fstar_ghost" -> "fstar_pervasives" + "fstar_ghost" -> "fstar_pervasives" + "fstar_ghost" -> "prims" + "fstar_ghost" -> "prims" + "fstar_ghost" -> "fstar_ghost" + "fstar_bitvector" -> "fstar_seq" + "fstar_bitvector" -> "fstar_seq" + "fstar_bitvector" -> "fstar_mul" + "fstar_bitvector" -> "fstar_mul" + "fstar_bitvector" -> "fstar_pervasives" + "fstar_bitvector" -> "fstar_pervasives" + "fstar_bitvector" -> "prims" + "fstar_bitvector" -> "prims" + "core" -> "core_ops" + "core" -> "core_ops" + "core" -> "core_iter" + "core" -> "core_num" + "core" -> "rust_primitives" + "core" -> "rust_primitives" + "core" -> "fstar_pervasives" + "core" -> "fstar_pervasives" + "core" -> "prims" + "core" -> "prims" + "fstar_uint" -> "fstar_seq" + "fstar_uint" -> "fstar_seq" + "fstar_uint" -> "fstar_math_lemmas" + "fstar_uint" -> "fstar_math_lemmas" + "fstar_uint" -> "fstar_bitvector" + "fstar_uint" -> "fstar_bitvector" + "fstar_uint" -> "fstar_mul" + "fstar_uint" -> "fstar_mul" + "fstar_uint" -> "fstar_pervasives" + "fstar_uint" -> "fstar_pervasives" + "fstar_uint" -> "prims" + "fstar_uint" -> "prims" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_sealed" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_tactics_namedview" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_tactics_namedview" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_tactics_builtins" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_pervasives" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_pervasives" + "fstar_tactics_v2_syntaxcoercions" -> "prims" + "fstar_tactics_v2_syntaxcoercions" -> "prims" + "fstar_tactics_v2_logic" -> "fstar_pervasives_native" + "fstar_tactics_v2_logic" -> "fstar_pervasives_native" + "fstar_tactics_v2_logic" -> "fstar_squash" + "fstar_tactics_v2_logic" -> "fstar_squash" + "fstar_tactics_v2_logic" -> "fstar_indefinitedescription" + "fstar_tactics_v2_logic" -> "fstar_indefinitedescription" + "fstar_tactics_v2_logic" -> "fstar_classical" + "fstar_tactics_v2_logic" -> "fstar_classical" + "fstar_tactics_v2_logic" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2_logic" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2_logic" -> "fstar_tactics_util" + "fstar_tactics_v2_logic" -> "fstar_tactics_util" + "fstar_tactics_v2_logic" -> "fstar_tactics_namedview" + "fstar_tactics_v2_logic" -> "fstar_tactics_namedview" + "fstar_tactics_v2_logic" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2_logic" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2_logic" -> "fstar_tactics_v2_derived" + "fstar_tactics_v2_logic" -> "fstar_tactics_v2_derived" + "fstar_tactics_v2_logic" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_v2_logic" -> "fstar_tactics_effect" + "fstar_tactics_v2_logic" -> "fstar_tactics_effect" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2" + "fstar_tactics_v2_logic" -> "fstar_pervasives" + "fstar_tactics_v2_logic" -> "fstar_pervasives" + "fstar_tactics_v2_logic" -> "prims" + "fstar_tactics_v2_logic" -> "prims" + "fstar_uint" -> "fstar_calc" + "fstar_uint" -> "fstar_calc" + "fstar_uint" -> "fstar_seq_base" + "fstar_uint" -> "fstar_seq_base" + "fstar_uint" -> "fstar_classical" + "fstar_uint" -> "fstar_classical" + "fstar_uint" -> "fstar_seq" + "fstar_uint" -> "fstar_seq" + "fstar_uint" -> "fstar_math_lib" + "fstar_uint" -> "fstar_math_lib" + "fstar_uint" -> "fstar_math_lemmas" + "fstar_uint" -> "fstar_math_lemmas" + "fstar_uint" -> "fstar_bitvector" + "fstar_uint" -> "fstar_bitvector" + "fstar_uint" -> "fstar_mul" + "fstar_uint" -> "fstar_mul" + "fstar_uint" -> "fstar_pervasives" + "fstar_uint" -> "fstar_pervasives" + "fstar_uint" -> "prims" + "fstar_uint" -> "prims" + "fstar_uint" -> "fstar_uint" + "fstar_uint8" -> "fstar_uint32" + "fstar_uint8" -> "fstar_uint32" + "fstar_uint8" -> "fstar_mul" + "fstar_uint8" -> "fstar_mul" + "fstar_uint8" -> "fstar_uint" + "fstar_uint8" -> "fstar_uint" + "fstar_uint8" -> "fstar_pervasives" + "fstar_uint8" -> "fstar_pervasives" + "fstar_uint8" -> "prims" + "fstar_uint8" -> "prims" + "fstar_uint8" -> "fstar_uint8" + "fstar_monotonic_pure" -> "fstar_pervasives" + "fstar_monotonic_pure" -> "fstar_pervasives" + "fstar_monotonic_pure" -> "prims" + "fstar_monotonic_pure" -> "prims" + "core_ops_index" -> "fstar_tactics_typeclasses" + "core_ops_index" -> "fstar_tactics_typeclasses" + "core_ops_index" -> "fstar_pervasives" + "core_ops_index" -> "fstar_pervasives" + "core_ops_index" -> "prims" + "core_ops_index" -> "prims" + "fstar_uint64" -> "fstar_uint32" + "fstar_uint64" -> "fstar_uint32" + "fstar_uint64" -> "fstar_mul" + "fstar_uint64" -> "fstar_mul" + "fstar_uint64" -> "fstar_uint" + "fstar_uint64" -> "fstar_uint" + "fstar_uint64" -> "fstar_pervasives" + "fstar_uint64" -> "fstar_pervasives" + "fstar_uint64" -> "prims" + "fstar_uint64" -> "prims" + "fstar_uint64" -> "fstar_uint64" + "fstar_float" -> "fstar_pervasives" + "fstar_float" -> "fstar_pervasives" + "fstar_float" -> "prims" + "fstar_float" -> "prims" + "fstar_reflection_v2_compare" -> "fstar_ghost" + "fstar_reflection_v2_compare" -> "fstar_ghost" + "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived_lemmas" + "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived_lemmas" + "fstar_reflection_v2_compare" -> "fstar_pervasives_native" + "fstar_reflection_v2_compare" -> "fstar_pervasives_native" + "fstar_reflection_v2_compare" -> "fstar_order" + "fstar_reflection_v2_compare" -> "fstar_order" + "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2_compare" -> "fstar_pervasives" + "fstar_reflection_v2_compare" -> "fstar_pervasives" + "fstar_reflection_v2_compare" -> "prims" + "fstar_reflection_v2_compare" -> "prims" + "fstar_reflection_v2_compare" -> "fstar_reflection_v2_compare" + "fstar_int" -> "fstar_uint" + "fstar_int" -> "fstar_uint" + "fstar_int" -> "fstar_seq" + "fstar_int" -> "fstar_seq" + "fstar_int" -> "fstar_math_lib" + "fstar_int" -> "fstar_math_lib" + "fstar_int" -> "fstar_math_lemmas" + "fstar_int" -> "fstar_math_lemmas" + "fstar_int" -> "fstar_bitvector" + "fstar_int" -> "fstar_bitvector" + "fstar_int" -> "fstar_mul" + "fstar_int" -> "fstar_mul" + "fstar_int" -> "fstar_pervasives" + "fstar_int" -> "fstar_pervasives" + "fstar_int" -> "prims" + "fstar_int" -> "prims" + "fstar_int" -> "fstar_int" + "fstar_int16" -> "fstar_uint" + "fstar_int16" -> "fstar_uint" + "fstar_int16" -> "fstar_uint32" + "fstar_int16" -> "fstar_uint32" + "fstar_int16" -> "fstar_mul" + "fstar_int16" -> "fstar_mul" + "fstar_int16" -> "fstar_int" + "fstar_int16" -> "fstar_int" + "fstar_int16" -> "fstar_pervasives" + "fstar_int16" -> "fstar_pervasives" + "fstar_int16" -> "prims" + "fstar_int16" -> "prims" + "fstar_list" -> "fstar_pervasives_native" + "fstar_list" -> "fstar_pervasives_native" + "fstar_list" -> "fstar_list_tot" + "fstar_list" -> "fstar_list_tot" + "fstar_list" -> "fstar_all" + "fstar_list" -> "fstar_all" + "fstar_list" -> "fstar_pervasives" + "fstar_list" -> "fstar_pervasives" + "fstar_list" -> "prims" + "fstar_list" -> "prims" + "fstar_predicateextensionality" -> "fstar_propositionalextensionality" + "fstar_predicateextensionality" -> "fstar_propositionalextensionality" + "fstar_predicateextensionality" -> "fstar_functionalextensionality" + "fstar_predicateextensionality" -> "fstar_functionalextensionality" + "fstar_predicateextensionality" -> "fstar_pervasives" + "fstar_predicateextensionality" -> "fstar_pervasives" + "fstar_predicateextensionality" -> "prims" + "fstar_predicateextensionality" -> "prims" + "fstar_reflection_v1_derived" -> "fstar_list_tot_base" + "fstar_reflection_v1_derived" -> "fstar_list_tot_base" + "fstar_reflection_v1_derived" -> "fstar_pervasives_native" + "fstar_reflection_v1_derived" -> "fstar_pervasives_native" + "fstar_reflection_v1_derived" -> "fstar_vconfig" + "fstar_reflection_v1_derived" -> "fstar_order" + "fstar_reflection_v1_derived" -> "fstar_order" + "fstar_reflection_v1_derived" -> "fstar_stubs_reflection_v1_data" + "fstar_reflection_v1_derived" -> "fstar_stubs_reflection_v1_builtins" + "fstar_reflection_v1_derived" -> "fstar_reflection_const" + "fstar_reflection_v1_derived" -> "fstar_reflection_const" + "fstar_reflection_v1_derived" -> "fstar_stubs_reflection_types" + "fstar_reflection_v1_derived" -> "fstar_pervasives" + "fstar_reflection_v1_derived" -> "fstar_pervasives" + "fstar_reflection_v1_derived" -> "prims" + "fstar_reflection_v1_derived" -> "prims" + "fstar_stubs_reflection_v2_data" -> "fstar_sealed_inhabited" + "fstar_stubs_reflection_v2_data" -> "fstar_sealed_inhabited" + "fstar_stubs_reflection_v2_data" -> "fstar_stubs_reflection_types" + "fstar_stubs_reflection_v2_data" -> "fstar_stubs_syntax_syntax" + "fstar_stubs_reflection_v2_data" -> "fstar_pervasives" + "fstar_stubs_reflection_v2_data" -> "fstar_pervasives" + "fstar_stubs_reflection_v2_data" -> "prims" + "fstar_stubs_reflection_v2_data" -> "prims" + "fstar_stubs_reflection_v1_builtins" -> "fstar_vconfig" + "fstar_stubs_reflection_v1_builtins" -> "fstar_stubs_reflection_v1_data" + "fstar_stubs_reflection_v1_builtins" -> "fstar_stubs_reflection_types" + "fstar_stubs_reflection_v1_builtins" -> "fstar_order" + "fstar_stubs_reflection_v1_builtins" -> "fstar_order" + "fstar_stubs_reflection_v1_builtins" -> "fstar_pervasives" + "fstar_stubs_reflection_v1_builtins" -> "fstar_pervasives" + "fstar_stubs_reflection_v1_builtins" -> "prims" + "fstar_stubs_reflection_v1_builtins" -> "prims" + "fstar_uint128" -> "fstar_uint64" + "fstar_uint128" -> "fstar_uint64" + "fstar_uint128" -> "fstar_uint32" + "fstar_uint128" -> "fstar_uint32" + "fstar_uint128" -> "fstar_mul" + "fstar_uint128" -> "fstar_mul" + "fstar_uint128" -> "fstar_uint" + "fstar_uint128" -> "fstar_uint" + "fstar_uint128" -> "fstar_pervasives" + "fstar_uint128" -> "fstar_pervasives" + "fstar_uint128" -> "prims" + "fstar_uint128" -> "prims" + "fstar_reflection_v2_arith" -> "fstar_classical" + "fstar_reflection_v2_arith" -> "fstar_classical" + "fstar_reflection_v2_arith" -> "fstar_list_tot" + "fstar_reflection_v2_arith" -> "fstar_list_tot" + "fstar_reflection_v2_arith" -> "fstar_pervasives_native" + "fstar_reflection_v2_arith" -> "fstar_pervasives_native" + "fstar_reflection_v2_arith" -> "fstar_list_tot_base" + "fstar_reflection_v2_arith" -> "fstar_list_tot_base" + "fstar_reflection_v2_arith" -> "fstar_order" + "fstar_reflection_v2_arith" -> "fstar_order" + "fstar_reflection_v2_arith" -> "fstar_reflection_v2" + "fstar_reflection_v2_arith" -> "fstar_reflection_v2" + "fstar_reflection_v2_arith" -> "fstar_tactics_v2" + "fstar_reflection_v2_arith" -> "fstar_tactics_v2" + "fstar_reflection_v2_arith" -> "fstar_pervasives" + "fstar_reflection_v2_arith" -> "fstar_pervasives" + "fstar_reflection_v2_arith" -> "prims" + "fstar_reflection_v2_arith" -> "prims" + "fstar_functionalextensionality" -> "fstar_pervasives" + "fstar_functionalextensionality" -> "fstar_pervasives" + "fstar_functionalextensionality" -> "prims" + "fstar_functionalextensionality" -> "prims" + "fstar_reflection_termeq" -> "fstar_classical_sugar" + "fstar_reflection_termeq" -> "fstar_classical_sugar" + "fstar_reflection_termeq" -> "fstar_sealed" + "fstar_reflection_termeq" -> "fstar_pervasives_native" + "fstar_reflection_termeq" -> "fstar_pervasives_native" + "fstar_reflection_termeq" -> "fstar_strongexcludedmiddle" + "fstar_reflection_termeq" -> "fstar_strongexcludedmiddle" + "fstar_reflection_termeq" -> "fstar_list_tot" + "fstar_reflection_termeq" -> "fstar_list_tot" + "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_termeq" -> "fstar_stubs_reflection_types" + "fstar_reflection_termeq" -> "fstar_pervasives" + "fstar_reflection_termeq" -> "fstar_pervasives" + "fstar_reflection_termeq" -> "prims" + "fstar_reflection_termeq" -> "prims" + "fstar_reflection_termeq" -> "fstar_reflection_termeq" + "fstar_reflection_v2_derived_lemmas" -> "fstar_classical" + "fstar_reflection_v2_derived_lemmas" -> "fstar_classical" + "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives_native" + "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives_native" + "fstar_reflection_v2_derived_lemmas" -> "fstar_list_tot" + "fstar_reflection_v2_derived_lemmas" -> "fstar_list_tot" + "fstar_reflection_v2_derived_lemmas" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2_derived_lemmas" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2_derived_lemmas" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2_derived_lemmas" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_v2_derived_lemmas" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives" + "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives" + "fstar_reflection_v2_derived_lemmas" -> "prims" + "fstar_reflection_v2_derived_lemmas" -> "prims" + "core_ops_range" -> "rust_primitives_hax" + "core_ops_range" -> "rust_primitives_hax" + "core_ops_range" -> "fstar_seq" + "core_ops_range" -> "fstar_seq" + "core_ops_range" -> "core_ops_index" + "core_ops_range" -> "core_ops_index" + "core_ops_range" -> "fstar_tactics_typeclasses" + "core_ops_range" -> "fstar_tactics_typeclasses" + "core_ops_range" -> "fstar_pervasives_native" + "core_ops_range" -> "fstar_pervasives_native" + "core_ops_range" -> "core_iter_traits_iterator" + "core_ops_range" -> "core_iter_traits_iterator" + "core_ops_range" -> "rust_primitives" + "core_ops_range" -> "rust_primitives" + "core_ops_range" -> "fstar_pervasives" + "core_ops_range" -> "fstar_pervasives" + "core_ops_range" -> "prims" + "core_ops_range" -> "prims" + "core_iter_traits_iterator" -> "fstar_tactics_typeclasses" + "core_iter_traits_iterator" -> "fstar_tactics_typeclasses" + "core_iter_traits_iterator" -> "core_iter_adapters_step_by" + "core_iter_traits_iterator" -> "core_iter_adapters_step_by" + "core_iter_traits_iterator" -> "core_iter_adapters_enumerate" + "core_iter_traits_iterator" -> "core_iter_adapters_enumerate" + "core_iter_traits_iterator" -> "rust_primitives" + "core_iter_traits_iterator" -> "rust_primitives" + "core_iter_traits_iterator" -> "fstar_pervasives" + "core_iter_traits_iterator" -> "fstar_pervasives" + "core_iter_traits_iterator" -> "prims" + "core_iter_traits_iterator" -> "prims" + "fstar_bv" -> "fstar_list" + "fstar_bv" -> "fstar_list" + "fstar_bv" -> "fstar_uint" + "fstar_bv" -> "fstar_uint" + "fstar_bv" -> "fstar_pervasives" + "fstar_bv" -> "fstar_pervasives" + "fstar_bv" -> "prims" + "fstar_bv" -> "prims" + "fstar_math_lemmas" -> "fstar_calc" + "fstar_math_lemmas" -> "fstar_calc" + "fstar_math_lemmas" -> "fstar_math_lib" + "fstar_math_lemmas" -> "fstar_math_lib" + "fstar_math_lemmas" -> "fstar_mul" + "fstar_math_lemmas" -> "fstar_mul" + "fstar_math_lemmas" -> "fstar_pervasives" + "fstar_math_lemmas" -> "fstar_pervasives" + "fstar_math_lemmas" -> "prims" + "fstar_math_lemmas" -> "prims" + "fstar_math_lemmas" -> "fstar_math_lemmas" + "fstar_tactics_builtins" -> "fstar_stubs_tactics_v1_builtins" + "fstar_tactics_builtins" -> "fstar_pervasives" + "fstar_tactics_builtins" -> "fstar_pervasives" + "fstar_tactics_builtins" -> "prims" + "fstar_tactics_builtins" -> "prims" + "fstar_string" -> "fstar_all" + "fstar_string" -> "fstar_all" + "fstar_string" -> "fstar_list" + "fstar_string" -> "fstar_list" + "fstar_string" -> "fstar_char" + "fstar_string" -> "fstar_list_tot" + "fstar_string" -> "fstar_list_tot" + "fstar_string" -> "fstar_pervasives" + "fstar_string" -> "fstar_pervasives" + "fstar_string" -> "prims" + "fstar_string" -> "prims" + "fstar_pervasives" -> "prims" + "fstar_pervasives" -> "prims" + "fstar_pervasives" -> "fstar_pervasives" + "fstar_tactics_util" -> "fstar_pervasives_native" + "fstar_tactics_util" -> "fstar_pervasives_native" + "fstar_tactics_util" -> "fstar_list_tot_base" + "fstar_tactics_util" -> "fstar_list_tot_base" + "fstar_tactics_util" -> "fstar_tactics_effect" + "fstar_tactics_util" -> "fstar_tactics_effect" + "fstar_tactics_util" -> "fstar_pervasives" + "fstar_tactics_util" -> "fstar_pervasives" + "fstar_tactics_util" -> "prims" + "fstar_tactics_util" -> "prims" + "core_slice_iter" -> "rust_primitives" + "core_slice_iter" -> "rust_primitives" + "core_slice_iter" -> "fstar_pervasives" + "core_slice_iter" -> "fstar_pervasives" + "core_slice_iter" -> "prims" + "core_slice_iter" -> "prims" + "core_ops_control_flow" -> "fstar_pervasives" + "core_ops_control_flow" -> "fstar_pervasives" + "core_ops_control_flow" -> "prims" + "core_ops_control_flow" -> "prims" + "core_slice" -> "fstar_tactics_typeclasses" + "core_slice" -> "fstar_tactics_typeclasses" + "core_slice" -> "core_ops_index" + "core_slice" -> "core_ops_index" + "core_slice" -> "core_slice_iter" + "core_slice" -> "core_slice_iter" + "core_slice" -> "fstar_seq" + "core_slice" -> "fstar_seq" + "core_slice" -> "rust_primitives_integers" + "core_slice" -> "rust_primitives_integers" + "core_slice" -> "rust_primitives_arrays" + "core_slice" -> "rust_primitives_arrays" + "core_slice" -> "fstar_pervasives" + "core_slice" -> "fstar_pervasives" + "core_slice" -> "prims" + "core_slice" -> "prims" + "fstar_all" -> "fstar_exn" + "fstar_all" -> "fstar_exn" + "fstar_all" -> "fstar_st" + "fstar_all" -> "fstar_st" + "fstar_all" -> "fstar_heap" + "fstar_all" -> "fstar_heap" + "fstar_all" -> "fstar_pervasives" + "fstar_all" -> "fstar_pervasives" + "fstar_all" -> "prims" + "fstar_all" -> "prims" + "fstar_ghost" -> "fstar_pervasives" + "fstar_ghost" -> "fstar_pervasives" + "fstar_ghost" -> "prims" + "fstar_ghost" -> "prims" + "fstar_indefinitedescription" -> "fstar_ghost" + "fstar_indefinitedescription" -> "fstar_ghost" + "fstar_indefinitedescription" -> "fstar_pervasives" + "fstar_indefinitedescription" -> "fstar_pervasives" + "fstar_indefinitedescription" -> "prims" + "fstar_indefinitedescription" -> "prims" + "fstar_list_tot_properties" -> "fstar_classical" + "fstar_list_tot_properties" -> "fstar_classical" + "fstar_list_tot_properties" -> "fstar_strongexcludedmiddle" + "fstar_list_tot_properties" -> "fstar_strongexcludedmiddle" + "fstar_list_tot_properties" -> "fstar_classical_sugar" + "fstar_list_tot_properties" -> "fstar_classical_sugar" + "fstar_list_tot_properties" -> "fstar_pervasives_native" + "fstar_list_tot_properties" -> "fstar_pervasives_native" + "fstar_list_tot_properties" -> "fstar_list_tot_base" + "fstar_list_tot_properties" -> "fstar_list_tot_base" + "fstar_list_tot_properties" -> "fstar_pervasives" + "fstar_list_tot_properties" -> "fstar_pervasives" + "fstar_list_tot_properties" -> "prims" + "fstar_list_tot_properties" -> "prims" + "fstar_stubs_syntax_syntax" -> "fstar_stubs_reflection_types" + "fstar_stubs_syntax_syntax" -> "fstar_pervasives" + "fstar_stubs_syntax_syntax" -> "fstar_pervasives" + "fstar_stubs_syntax_syntax" -> "prims" + "fstar_stubs_syntax_syntax" -> "prims" + "core_ops_arith" -> "fstar_tactics_typeclasses" + "core_ops_arith" -> "fstar_tactics_typeclasses" + "core_ops_arith" -> "rust_primitives" + "core_ops_arith" -> "rust_primitives" + "core_ops_arith" -> "fstar_pervasives" + "core_ops_arith" -> "fstar_pervasives" + "core_ops_arith" -> "prims" + "core_ops_arith" -> "prims" + "rust_primitives_hax_folds" -> "fstar_math_lemmas" + "rust_primitives_hax_folds" -> "fstar_math_lemmas" + "rust_primitives_hax_folds" -> "lib_inttypes" + "rust_primitives_hax_folds" -> "lib_inttypes" + "rust_primitives_hax_folds" -> "fstar_seq" + "rust_primitives_hax_folds" -> "fstar_seq" + "rust_primitives_hax_folds" -> "fstar_mul" + "rust_primitives_hax_folds" -> "fstar_mul" + "rust_primitives_hax_folds" -> "core_ops_range" + "rust_primitives_hax_folds" -> "rust_primitives" + "rust_primitives_hax_folds" -> "rust_primitives" + "rust_primitives_hax_folds" -> "fstar_pervasives" + "rust_primitives_hax_folds" -> "fstar_pervasives" + "rust_primitives_hax_folds" -> "prims" + "rust_primitives_hax_folds" -> "prims" + "fstar_strongexcludedmiddle" -> "fstar_pervasives" + "fstar_strongexcludedmiddle" -> "fstar_pervasives" + "fstar_strongexcludedmiddle" -> "prims" + "fstar_strongexcludedmiddle" -> "prims" + "fstar_uint8" -> "fstar_uint32" + "fstar_uint8" -> "fstar_uint32" + "fstar_uint8" -> "fstar_mul" + "fstar_uint8" -> "fstar_mul" + "fstar_uint8" -> "fstar_uint" + "fstar_uint8" -> "fstar_uint" + "fstar_uint8" -> "fstar_pervasives" + "fstar_uint8" -> "fstar_pervasives" + "fstar_uint8" -> "prims" + "fstar_uint8" -> "prims" + "fstar_stubs_tactics_v2_builtins" -> "fstar_issue" + "fstar_stubs_tactics_v2_builtins" -> "fstar_list_tot" + "fstar_stubs_tactics_v2_builtins" -> "fstar_list_tot" + "fstar_stubs_tactics_v2_builtins" -> "fstar_ghost" + "fstar_stubs_tactics_v2_builtins" -> "fstar_ghost" + "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives_native" + "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives_native" + "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_pprint" + "fstar_stubs_tactics_v2_builtins" -> "fstar_tactics_unseal" + "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_tactics_types" + "fstar_stubs_tactics_v2_builtins" -> "fstar_tactics_effect" + "fstar_stubs_tactics_v2_builtins" -> "fstar_tactics_effect" + "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_reflection_v2_builtins" + "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_reflection_v2_data" + "fstar_stubs_tactics_v2_builtins" -> "fstar_reflection_const" + "fstar_stubs_tactics_v2_builtins" -> "fstar_reflection_const" + "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_reflection_types" + "fstar_stubs_tactics_v2_builtins" -> "fstar_vconfig" + "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives" + "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives" + "fstar_stubs_tactics_v2_builtins" -> "prims" + "fstar_stubs_tactics_v2_builtins" -> "prims" + "rust_primitives_arrays" -> "fstar_pervasives_native" + "rust_primitives_arrays" -> "fstar_pervasives_native" + "rust_primitives_arrays" -> "lib_inttypes" + "rust_primitives_arrays" -> "lib_inttypes" + "rust_primitives_arrays" -> "fstar_list_tot" + "rust_primitives_arrays" -> "fstar_list_tot" + "rust_primitives_arrays" -> "fstar_seq" + "rust_primitives_arrays" -> "fstar_seq" + "rust_primitives_arrays" -> "fstar_mul" + "rust_primitives_arrays" -> "fstar_mul" + "rust_primitives_arrays" -> "rust_primitives_integers" + "rust_primitives_arrays" -> "rust_primitives_integers" + "rust_primitives_arrays" -> "fstar_pervasives" + "rust_primitives_arrays" -> "fstar_pervasives" + "rust_primitives_arrays" -> "prims" + "rust_primitives_arrays" -> "prims" + "fstar_reflection_v1" -> "fstar_reflection_v1_compare" + "fstar_reflection_v1" -> "fstar_reflection_const" + "fstar_reflection_v1" -> "fstar_reflection_const" + "fstar_reflection_v1" -> "fstar_reflection_v1_derived_lemmas" + "fstar_reflection_v1" -> "fstar_reflection_v1_derived_lemmas" + "fstar_reflection_v1" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1" -> "fstar_stubs_reflection_v1_builtins" + "fstar_reflection_v1" -> "fstar_stubs_reflection_v1_data" + "fstar_reflection_v1" -> "fstar_stubs_reflection_types" + "fstar_reflection_v1" -> "fstar_pervasives" + "fstar_reflection_v1" -> "fstar_pervasives" + "fstar_reflection_v1" -> "prims" + "fstar_reflection_v1" -> "prims" + "fstar_bv" -> "fstar_math_lemmas" + "fstar_bv" -> "fstar_math_lemmas" + "fstar_bv" -> "fstar_seq" + "fstar_bv" -> "fstar_seq" + "fstar_bv" -> "fstar_bitvector" + "fstar_bv" -> "fstar_bitvector" + "fstar_bv" -> "fstar_uint" + "fstar_bv" -> "fstar_uint" + "fstar_bv" -> "fstar_pervasives" + "fstar_bv" -> "fstar_pervasives" + "fstar_bv" -> "prims" + "fstar_bv" -> "prims" + "fstar_bv" -> "fstar_bv" + "fstar_list_tot_base" -> "fstar_classical_sugar" + "fstar_list_tot_base" -> "fstar_classical_sugar" + "fstar_list_tot_base" -> "fstar_pervasives_native" + "fstar_list_tot_base" -> "fstar_pervasives_native" + "fstar_list_tot_base" -> "fstar_pervasives" + "fstar_list_tot_base" -> "fstar_pervasives" + "fstar_list_tot_base" -> "prims" + "fstar_list_tot_base" -> "prims" + "fstar_math_lib" -> "fstar_mul" + "fstar_math_lib" -> "fstar_mul" + "fstar_math_lib" -> "fstar_pervasives" + "fstar_math_lib" -> "fstar_pervasives" + "fstar_math_lib" -> "prims" + "fstar_math_lib" -> "prims" + "core_num" -> "fstar_tactics_typeclasses" + "core_num" -> "fstar_tactics_typeclasses" + "core_num" -> "core_ops_arith" + "core_num" -> "core_num_error" + "core_num" -> "core_result" + "core_num" -> "core_result" + "core_num" -> "fstar_math_lemmas" + "core_num" -> "fstar_math_lemmas" + "core_num" -> "lib_inttypes" + "core_num" -> "lib_inttypes" + "core_num" -> "fstar_uint128" + "core_num" -> "fstar_uint128" + "core_num" -> "fstar_uint32" + "core_num" -> "fstar_uint32" + "core_num" -> "rust_primitives" + "core_num" -> "rust_primitives" + "core_num" -> "fstar_pervasives" + "core_num" -> "fstar_pervasives" + "core_num" -> "prims" + "core_num" -> "prims" + "fstar_math_lemmas" -> "fstar_mul" + "fstar_math_lemmas" -> "fstar_mul" + "fstar_math_lemmas" -> "fstar_pervasives" + "fstar_math_lemmas" -> "fstar_pervasives" + "fstar_math_lemmas" -> "prims" + "fstar_math_lemmas" -> "prims" + "fstar_reflection_termeq_simple" -> "fstar_stubs_reflection_types" + "fstar_reflection_termeq_simple" -> "fstar_pervasives" + "fstar_reflection_termeq_simple" -> "fstar_pervasives" + "fstar_reflection_termeq_simple" -> "prims" + "fstar_reflection_termeq_simple" -> "prims" + "fstar_int16" -> "fstar_uint32" + "fstar_int16" -> "fstar_uint32" + "fstar_int16" -> "fstar_math_lemmas" + "fstar_int16" -> "fstar_math_lemmas" + "fstar_int16" -> "fstar_mul" + "fstar_int16" -> "fstar_mul" + "fstar_int16" -> "fstar_int" + "fstar_int16" -> "fstar_int" + "fstar_int16" -> "fstar_pervasives" + "fstar_int16" -> "fstar_pervasives" + "fstar_int16" -> "prims" + "fstar_int16" -> "prims" + "fstar_int16" -> "fstar_int16" + "bitvec_utils" -> "rust_primitives_bitvectors" + "bitvec_utils" -> "rust_primitives_bitvectors" + "bitvec_utils" -> "bitvec_equality" + "bitvec_utils" -> "bitvec_equality" + "bitvec_utils" -> "fstar_functionalextensionality" + "bitvec_utils" -> "fstar_functionalextensionality" + "bitvec_utils" -> "core" + "bitvec_utils" -> "core" + "bitvec_utils" -> "fstar_pervasives" + "bitvec_utils" -> "fstar_pervasives" + "bitvec_utils" -> "prims" + "bitvec_utils" -> "prims" + "fstar_tactics_typeclasses" -> "fstar_stubs_pprint" + "fstar_tactics_typeclasses" -> "fstar_list_tot" + "fstar_tactics_typeclasses" -> "fstar_list_tot" + "fstar_tactics_typeclasses" -> "fstar_tactics_util" + "fstar_tactics_typeclasses" -> "fstar_tactics_util" + "fstar_tactics_typeclasses" -> "fstar_reflection_termeq_simple" + "fstar_tactics_typeclasses" -> "fstar_reflection_termeq_simple" + "fstar_tactics_typeclasses" -> "fstar_pervasives_native" + "fstar_tactics_typeclasses" -> "fstar_pervasives_native" + "fstar_tactics_typeclasses" -> "fstar_stubs_reflection_v2_builtins" + "fstar_tactics_typeclasses" -> "fstar_list_tot_base" + "fstar_tactics_typeclasses" -> "fstar_list_tot_base" + "fstar_tactics_typeclasses" -> "fstar_tactics_namedview" + "fstar_tactics_typeclasses" -> "fstar_tactics_namedview" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_derived" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_derived" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_typeclasses" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_typeclasses" -> "fstar_tactics_effect" + "fstar_tactics_typeclasses" -> "fstar_tactics_effect" + "fstar_tactics_typeclasses" -> "fstar_stubs_tactics_common" + "fstar_tactics_typeclasses" -> "fstar_reflection_v2" + "fstar_tactics_typeclasses" -> "fstar_reflection_v2" + "fstar_tactics_typeclasses" -> "fstar_pervasives" + "fstar_tactics_typeclasses" -> "fstar_pervasives" + "fstar_tactics_typeclasses" -> "prims" + "fstar_tactics_typeclasses" -> "prims" + "fstar_tactics_typeclasses" -> "fstar_tactics_typeclasses" + "rust_primitives_integers" -> "fstar_int_cast" + "rust_primitives_integers" -> "fstar_int_cast" + "rust_primitives_integers" -> "fstar_pervasives" + "rust_primitives_integers" -> "fstar_pervasives" + "rust_primitives_integers" -> "prims" + "rust_primitives_integers" -> "prims" + "rust_primitives_integers" -> "rust_primitives_integers" + "fstar_tactics_namedview" -> "fstar_range" + "fstar_tactics_namedview" -> "fstar_reflection_v2" + "fstar_tactics_namedview" -> "fstar_reflection_v2" + "fstar_tactics_namedview" -> "fstar_tactics_effect" + "fstar_tactics_namedview" -> "fstar_tactics_effect" + "fstar_tactics_namedview" -> "fstar_pervasives" + "fstar_tactics_namedview" -> "fstar_pervasives" + "fstar_tactics_namedview" -> "prims" + "fstar_tactics_namedview" -> "prims" + "fstar_reflection_v2" -> "fstar_reflection_v2_compare" + "fstar_reflection_v2" -> "fstar_reflection_v2_compare" + "fstar_reflection_v2" -> "fstar_reflection_const" + "fstar_reflection_v2" -> "fstar_reflection_const" + "fstar_reflection_v2" -> "fstar_reflection_v2_derived_lemmas" + "fstar_reflection_v2" -> "fstar_reflection_v2_derived_lemmas" + "fstar_reflection_v2" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_v2" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2" -> "fstar_pervasives" + "fstar_reflection_v2" -> "fstar_pervasives" + "fstar_reflection_v2" -> "prims" + "fstar_reflection_v2" -> "prims" + "fstar_int_cast" -> "fstar_int" + "fstar_int_cast" -> "fstar_int" + "fstar_int_cast" -> "fstar_int64" + "fstar_int_cast" -> "fstar_int64" + "fstar_int_cast" -> "fstar_int32" + "fstar_int_cast" -> "fstar_int32" + "fstar_int_cast" -> "fstar_int16" + "fstar_int_cast" -> "fstar_int16" + "fstar_int_cast" -> "fstar_int8" + "fstar_int_cast" -> "fstar_int8" + "fstar_int_cast" -> "fstar_uint64" + "fstar_int_cast" -> "fstar_uint64" + "fstar_int_cast" -> "fstar_uint32" + "fstar_int_cast" -> "fstar_uint32" + "fstar_int_cast" -> "fstar_uint16" + "fstar_int_cast" -> "fstar_uint16" + "fstar_int_cast" -> "fstar_uint8" + "fstar_int_cast" -> "fstar_uint8" + "fstar_int_cast" -> "fstar_pervasives" + "fstar_int_cast" -> "fstar_pervasives" + "fstar_int_cast" -> "prims" + "fstar_int_cast" -> "prims" + "fstar_stubs_errors_msg" -> "fstar_stubs_pprint" + "fstar_stubs_errors_msg" -> "fstar_pervasives" + "fstar_stubs_errors_msg" -> "fstar_pervasives" + "fstar_stubs_errors_msg" -> "prims" + "fstar_stubs_errors_msg" -> "prims" + "fstar_tactics_mapply" -> "fstar_squash" + "fstar_tactics_mapply" -> "fstar_squash" + "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" + "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_mapply" -> "fstar_tactics_v2_derived" + "fstar_tactics_mapply" -> "fstar_tactics_v2_derived" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_mapply" -> "fstar_tactics_namedview" + "fstar_tactics_mapply" -> "fstar_tactics_namedview" + "fstar_tactics_mapply" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_mapply" -> "fstar_tactics_effect" + "fstar_tactics_mapply" -> "fstar_tactics_effect" + "fstar_tactics_mapply" -> "fstar_reflection_v2_formula" + "fstar_tactics_mapply" -> "fstar_reflection_v2_formula" + "fstar_tactics_mapply" -> "fstar_reflection_v2" + "fstar_tactics_mapply" -> "fstar_reflection_v2" + "fstar_tactics_mapply" -> "fstar_pervasives" + "fstar_tactics_mapply" -> "fstar_pervasives" + "fstar_tactics_mapply" -> "prims" + "fstar_tactics_mapply" -> "prims" + "fstar_tactics_mapply" -> "fstar_tactics_mapply" + "fstar_monotonic_heap" -> "fstar_preorder" + "fstar_monotonic_heap" -> "fstar_preorder" + "fstar_monotonic_heap" -> "fstar_tset" + "fstar_monotonic_heap" -> "fstar_tset" + "fstar_monotonic_heap" -> "fstar_set" + "fstar_monotonic_heap" -> "fstar_set" + "fstar_monotonic_heap" -> "fstar_pervasives" + "fstar_monotonic_heap" -> "fstar_pervasives" + "fstar_monotonic_heap" -> "prims" + "fstar_monotonic_heap" -> "prims" + "fstar_stubs_tactics_common" -> "fstar_range" + "fstar_stubs_tactics_common" -> "fstar_stubs_errors_msg" + "fstar_stubs_tactics_common" -> "fstar_pervasives" + "fstar_stubs_tactics_common" -> "fstar_pervasives" + "fstar_stubs_tactics_common" -> "prims" + "fstar_stubs_tactics_common" -> "prims" + "fstar_stubs_reflection_v1_data" -> "fstar_sealed_inhabited" + "fstar_stubs_reflection_v1_data" -> "fstar_sealed_inhabited" + "fstar_stubs_reflection_v1_data" -> "fstar_stubs_reflection_types" + "fstar_stubs_reflection_v1_data" -> "fstar_stubs_reflection_v2_builtins" + "fstar_stubs_reflection_v1_data" -> "fstar_stubs_reflection_v2_data" + "fstar_stubs_reflection_v1_data" -> "fstar_pervasives" + "fstar_stubs_reflection_v1_data" -> "fstar_pervasives" + "fstar_stubs_reflection_v1_data" -> "prims" + "fstar_stubs_reflection_v1_data" -> "prims" + "fstar_seq_base" -> "fstar_list_tot" + "fstar_seq_base" -> "fstar_list_tot" + "fstar_seq_base" -> "fstar_pervasives" + "fstar_seq_base" -> "fstar_pervasives" + "fstar_seq_base" -> "prims" + "fstar_seq_base" -> "prims" + "fstar_seq_base" -> "fstar_seq_base" + "fstar_tactics_v2_derived" -> "fstar_propositionalextensionality" + "fstar_tactics_v2_derived" -> "fstar_propositionalextensionality" + "fstar_tactics_v2_derived" -> "fstar_squash" + "fstar_tactics_v2_derived" -> "fstar_squash" + "fstar_tactics_v2_derived" -> "fstar_range" + "fstar_tactics_v2_derived" -> "fstar_pervasives_native" + "fstar_tactics_v2_derived" -> "fstar_pervasives_native" + "fstar_tactics_v2_derived" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2_derived" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2_derived" -> "fstar_tactics_visit" + "fstar_tactics_v2_derived" -> "fstar_tactics_visit" + "fstar_tactics_v2_derived" -> "fstar_list_tot_base" + "fstar_tactics_v2_derived" -> "fstar_list_tot_base" + "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2_derived" -> "fstar_tactics_namedview" + "fstar_tactics_v2_derived" -> "fstar_tactics_namedview" + "fstar_tactics_v2_derived" -> "fstar_vconfig" + "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_v2_derived" -> "fstar_tactics_util" + "fstar_tactics_v2_derived" -> "fstar_tactics_util" + "fstar_tactics_v2_derived" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_v2_derived" -> "fstar_stubs_tactics_result" + "fstar_tactics_v2_derived" -> "fstar_stubs_tactics_types" + "fstar_tactics_v2_derived" -> "fstar_tactics_effect" + "fstar_tactics_v2_derived" -> "fstar_tactics_effect" + "fstar_tactics_v2_derived" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2_derived" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2_derived" -> "fstar_reflection_v2" + "fstar_tactics_v2_derived" -> "fstar_reflection_v2" + "fstar_tactics_v2_derived" -> "fstar_pervasives" + "fstar_tactics_v2_derived" -> "fstar_pervasives" + "fstar_tactics_v2_derived" -> "prims" + "fstar_tactics_v2_derived" -> "prims" + "fstar_uint128" -> "fstar_pervasives_native" + "fstar_uint128" -> "fstar_pervasives_native" + "fstar_uint128" -> "fstar_int_cast" + "fstar_uint128" -> "fstar_int_cast" + "fstar_uint128" -> "fstar_calc" + "fstar_uint128" -> "fstar_calc" + "fstar_uint128" -> "fstar_classical_sugar" + "fstar_uint128" -> "fstar_classical_sugar" + "fstar_uint128" -> "fstar_tactics_effect" + "fstar_uint128" -> "fstar_tactics_effect" + "fstar_uint128" -> "fstar_tactics_bv" + "fstar_uint128" -> "fstar_tactics_bv" + "fstar_uint128" -> "fstar_tactics_v2" + "fstar_uint128" -> "fstar_tactics_v2" + "fstar_uint128" -> "fstar_bv" + "fstar_uint128" -> "fstar_bv" + "fstar_uint128" -> "fstar_math_lemmas" + "fstar_uint128" -> "fstar_math_lemmas" + "fstar_uint128" -> "fstar_uint64" + "fstar_uint128" -> "fstar_uint64" + "fstar_uint128" -> "fstar_uint32" + "fstar_uint128" -> "fstar_uint32" + "fstar_uint128" -> "fstar_bitvector" + "fstar_uint128" -> "fstar_bitvector" + "fstar_uint128" -> "fstar_seq" + "fstar_uint128" -> "fstar_seq" + "fstar_uint128" -> "fstar_uint" + "fstar_uint128" -> "fstar_uint" + "fstar_uint128" -> "fstar_mul" + "fstar_uint128" -> "fstar_mul" + "fstar_uint128" -> "fstar_pervasives" + "fstar_uint128" -> "fstar_pervasives" + "fstar_uint128" -> "prims" + "fstar_uint128" -> "prims" + "fstar_uint128" -> "fstar_uint128" + "bitvec_equality" -> "fstar_functionalextensionality" + "bitvec_equality" -> "fstar_functionalextensionality" + "bitvec_equality" -> "fstar_mul" + "bitvec_equality" -> "fstar_mul" + "bitvec_equality" -> "rust_primitives" + "bitvec_equality" -> "rust_primitives" + "bitvec_equality" -> "core" + "bitvec_equality" -> "core" + "bitvec_equality" -> "fstar_pervasives" + "bitvec_equality" -> "fstar_pervasives" + "bitvec_equality" -> "prims" + "bitvec_equality" -> "prims" + "fstar_int8" -> "fstar_uint" + "fstar_int8" -> "fstar_uint" + "fstar_int8" -> "fstar_uint32" + "fstar_int8" -> "fstar_uint32" + "fstar_int8" -> "fstar_mul" + "fstar_int8" -> "fstar_mul" + "fstar_int8" -> "fstar_int" + "fstar_int8" -> "fstar_int" + "fstar_int8" -> "fstar_pervasives" + "fstar_int8" -> "fstar_pervasives" + "fstar_int8" -> "prims" + "fstar_int8" -> "prims" + "rust_primitives_arrays" -> "fstar_seq" + "rust_primitives_arrays" -> "fstar_seq" + "rust_primitives_arrays" -> "lib_inttypes" + "rust_primitives_arrays" -> "lib_inttypes" + "rust_primitives_arrays" -> "fstar_list_tot" + "rust_primitives_arrays" -> "fstar_list_tot" + "rust_primitives_arrays" -> "rust_primitives_integers" + "rust_primitives_arrays" -> "rust_primitives_integers" + "rust_primitives_arrays" -> "fstar_pervasives" + "rust_primitives_arrays" -> "fstar_pervasives" + "rust_primitives_arrays" -> "prims" + "rust_primitives_arrays" -> "prims" + "rust_primitives_arrays" -> "rust_primitives_arrays" + "fstar_int128" -> "fstar_int64" + "fstar_int128" -> "fstar_int64" + "fstar_int128" -> "fstar_uint" + "fstar_int128" -> "fstar_uint" + "fstar_int128" -> "fstar_uint32" + "fstar_int128" -> "fstar_uint32" + "fstar_int128" -> "fstar_mul" + "fstar_int128" -> "fstar_mul" + "fstar_int128" -> "fstar_int" + "fstar_int128" -> "fstar_int" + "fstar_int128" -> "fstar_pervasives" + "fstar_int128" -> "fstar_pervasives" + "fstar_int128" -> "prims" + "fstar_int128" -> "prims" + "fstar_uint16" -> "fstar_uint32" + "fstar_uint16" -> "fstar_uint32" + "fstar_uint16" -> "fstar_mul" + "fstar_uint16" -> "fstar_mul" + "fstar_uint16" -> "fstar_uint" + "fstar_uint16" -> "fstar_uint" + "fstar_uint16" -> "fstar_pervasives" + "fstar_uint16" -> "fstar_pervasives" + "fstar_uint16" -> "prims" + "fstar_uint16" -> "prims" + "fstar_calc" -> "fstar_range" + "fstar_calc" -> "fstar_preorder" + "fstar_calc" -> "fstar_preorder" + "fstar_calc" -> "fstar_pervasives" + "fstar_calc" -> "fstar_pervasives" + "fstar_calc" -> "prims" + "fstar_calc" -> "prims" + "bitvec_equality" -> "fstar_functionalextensionality" + "bitvec_equality" -> "fstar_functionalextensionality" + "bitvec_equality" -> "fstar_mul" + "bitvec_equality" -> "fstar_mul" + "bitvec_equality" -> "rust_primitives" + "bitvec_equality" -> "rust_primitives" + "bitvec_equality" -> "core" + "bitvec_equality" -> "core" + "bitvec_equality" -> "fstar_pervasives" + "bitvec_equality" -> "fstar_pervasives" + "bitvec_equality" -> "prims" + "bitvec_equality" -> "prims" + "bitvec_equality" -> "bitvec_equality" + "fstar_sealed" -> "fstar_pervasives" + "fstar_sealed" -> "fstar_pervasives" + "fstar_sealed" -> "prims" + "fstar_sealed" -> "prims" + "fstar_int" -> "fstar_seq" + "fstar_int" -> "fstar_seq" + "fstar_int" -> "fstar_uint" + "fstar_int" -> "fstar_uint" + "fstar_int" -> "fstar_math_lemmas" + "fstar_int" -> "fstar_math_lemmas" + "fstar_int" -> "fstar_bitvector" + "fstar_int" -> "fstar_bitvector" + "fstar_int" -> "fstar_mul" + "fstar_int" -> "fstar_mul" + "fstar_int" -> "fstar_pervasives" + "fstar_int" -> "fstar_pervasives" + "fstar_int" -> "prims" + "fstar_int" -> "prims" + "fstar_uint64" -> "fstar_uint32" + "fstar_uint64" -> "fstar_uint32" + "fstar_uint64" -> "fstar_mul" + "fstar_uint64" -> "fstar_mul" + "fstar_uint64" -> "fstar_uint" + "fstar_uint64" -> "fstar_uint" + "fstar_uint64" -> "fstar_pervasives" + "fstar_uint64" -> "fstar_pervasives" + "fstar_uint64" -> "prims" + "fstar_uint64" -> "prims" + "fstar_indefinitedescription" -> "fstar_ghost" + "fstar_indefinitedescription" -> "fstar_ghost" + "fstar_indefinitedescription" -> "fstar_squash" + "fstar_indefinitedescription" -> "fstar_squash" + "fstar_indefinitedescription" -> "fstar_classical" + "fstar_indefinitedescription" -> "fstar_classical" + "fstar_indefinitedescription" -> "fstar_pervasives" + "fstar_indefinitedescription" -> "fstar_pervasives" + "fstar_indefinitedescription" -> "prims" + "fstar_indefinitedescription" -> "prims" + "fstar_indefinitedescription" -> "fstar_indefinitedescription" + "fstar_int64" -> "fstar_uint32" + "fstar_int64" -> "fstar_uint32" + "fstar_int64" -> "fstar_math_lemmas" + "fstar_int64" -> "fstar_math_lemmas" + "fstar_int64" -> "fstar_mul" + "fstar_int64" -> "fstar_mul" + "fstar_int64" -> "fstar_int" + "fstar_int64" -> "fstar_int" + "fstar_int64" -> "fstar_pervasives" + "fstar_int64" -> "fstar_pervasives" + "fstar_int64" -> "prims" + "fstar_int64" -> "prims" + "fstar_int64" -> "fstar_int64" + "fstar_classical_sugar" -> "fstar_pervasives" + "fstar_classical_sugar" -> "fstar_pervasives" + "fstar_classical_sugar" -> "prims" + "fstar_classical_sugar" -> "prims" + "fstar_reflection_termeq_simple" -> "fstar_reflection_termeq" + "fstar_reflection_termeq_simple" -> "fstar_reflection_termeq" + "fstar_reflection_termeq_simple" -> "fstar_stubs_reflection_types" + "fstar_reflection_termeq_simple" -> "fstar_pervasives" + "fstar_reflection_termeq_simple" -> "fstar_pervasives" + "fstar_reflection_termeq_simple" -> "prims" + "fstar_reflection_termeq_simple" -> "prims" + "fstar_reflection_termeq_simple" -> "fstar_reflection_termeq_simple" + "fstar_pervasives_native" -> "prims" + "fstar_pervasives_native" -> "prims" + "fstar_tactics_typeclasses" -> "fstar_stubs_reflection_types" + "fstar_tactics_typeclasses" -> "fstar_tactics_effect" + "fstar_tactics_typeclasses" -> "fstar_tactics_effect" + "fstar_tactics_typeclasses" -> "fstar_pervasives" + "fstar_tactics_typeclasses" -> "fstar_pervasives" + "fstar_tactics_typeclasses" -> "prims" + "fstar_tactics_typeclasses" -> "prims" + "fstar_stubs_pprint" -> "fstar_float" + "fstar_stubs_pprint" -> "fstar_char" + "fstar_stubs_pprint" -> "fstar_pervasives" + "fstar_stubs_pprint" -> "fstar_pervasives" + "fstar_stubs_pprint" -> "prims" + "fstar_stubs_pprint" -> "prims" + "fstar_sealed_inhabited" -> "fstar_sealed" + "fstar_sealed_inhabited" -> "fstar_pervasives" + "fstar_sealed_inhabited" -> "fstar_pervasives" + "fstar_sealed_inhabited" -> "prims" + "fstar_sealed_inhabited" -> "prims" + "fstar_tactics_namedview" -> "fstar_list_tot" + "fstar_tactics_namedview" -> "fstar_list_tot" + "fstar_tactics_namedview" -> "fstar_pervasives_native" + "fstar_tactics_namedview" -> "fstar_pervasives_native" + "fstar_tactics_namedview" -> "fstar_stubs_reflection_v2_data" + "fstar_tactics_namedview" -> "fstar_reflection_v2" + "fstar_tactics_namedview" -> "fstar_reflection_v2" + "fstar_tactics_namedview" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_namedview" -> "fstar_tactics_util" + "fstar_tactics_namedview" -> "fstar_tactics_util" + "fstar_tactics_namedview" -> "fstar_tactics_effect" + "fstar_tactics_namedview" -> "fstar_tactics_effect" + "fstar_tactics_namedview" -> "fstar_pervasives" + "fstar_tactics_namedview" -> "fstar_pervasives" + "fstar_tactics_namedview" -> "prims" + "fstar_tactics_namedview" -> "prims" + "fstar_tactics_namedview" -> "fstar_tactics_namedview" + "fstar_heap" -> "fstar_preorder" + "fstar_heap" -> "fstar_preorder" + "fstar_heap" -> "fstar_monotonic_heap" + "fstar_heap" -> "fstar_monotonic_heap" + "fstar_heap" -> "fstar_pervasives" + "fstar_heap" -> "fstar_pervasives" + "fstar_heap" -> "prims" + "fstar_heap" -> "prims" + "mkseq" -> "fstar_tactics_effect" + "mkseq" -> "fstar_tactics_effect" + "mkseq" -> "fstar_classical" + "mkseq" -> "fstar_classical" + "mkseq" -> "fstar_list_tot" + "mkseq" -> "fstar_list_tot" + "mkseq" -> "fstar_pervasives_native" + "mkseq" -> "fstar_pervasives_native" + "mkseq" -> "fstar_tactics" + "mkseq" -> "fstar_tactics" + "mkseq" -> "fstar_seq" + "mkseq" -> "fstar_seq" + "mkseq" -> "fstar_reflection_v2" + "mkseq" -> "fstar_reflection_v2" + "mkseq" -> "rust_primitives_integers" + "mkseq" -> "rust_primitives_integers" + "mkseq" -> "fstar_tactics_v2" + "mkseq" -> "fstar_tactics_v2" + "mkseq" -> "core" + "mkseq" -> "core" + "mkseq" -> "fstar_pervasives" + "mkseq" -> "fstar_pervasives" + "mkseq" -> "prims" + "mkseq" -> "prims" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_list_tot_base" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_list_tot_base" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives_native" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives_native" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_namedview" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_namedview" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_stubs_tactics_types" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_effect" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_effect" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_reflection_v2" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_reflection_v2" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives" + "fstar_tactics_v2_syntaxhelpers" -> "prims" + "fstar_tactics_v2_syntaxhelpers" -> "prims" + "bitvec_intrinsics_constants" -> "fstar_tactics_visit" + "bitvec_intrinsics_constants" -> "fstar_tactics_visit" + "bitvec_intrinsics_constants" -> "tactics_seq" + "bitvec_intrinsics_constants" -> "tactics_seq" + "bitvec_intrinsics_constants" -> "tactics_pow2" + "bitvec_intrinsics_constants" -> "tactics_pow2" + "bitvec_intrinsics_constants" -> "fstar_tactics_effect" + "bitvec_intrinsics_constants" -> "fstar_tactics_effect" + "bitvec_intrinsics_constants" -> "fstar_list_tot" + "bitvec_intrinsics_constants" -> "fstar_list_tot" + "bitvec_intrinsics_constants" -> "fstar_reflection_v2" + "bitvec_intrinsics_constants" -> "fstar_reflection_v2" + "bitvec_intrinsics_constants" -> "fstar_pervasives_native" + "bitvec_intrinsics_constants" -> "fstar_pervasives_native" + "bitvec_intrinsics_constants" -> "fstar_tactics" + "bitvec_intrinsics_constants" -> "fstar_tactics" + "bitvec_intrinsics_constants" -> "tactics_utils" + "bitvec_intrinsics_constants" -> "tactics_utils" + "bitvec_intrinsics_constants" -> "fstar_tactics_v2" + "bitvec_intrinsics_constants" -> "fstar_tactics_v2" + "bitvec_intrinsics_constants" -> "fstar_int32" + "bitvec_intrinsics_constants" -> "fstar_int32" + "bitvec_intrinsics_constants" -> "fstar_int16" + "bitvec_intrinsics_constants" -> "fstar_int16" + "bitvec_intrinsics_constants" -> "bitvec_equality" + "bitvec_intrinsics_constants" -> "bitvec_equality" + "bitvec_intrinsics_constants" -> "bitvec_utils" + "bitvec_intrinsics_constants" -> "bitvec_utils" + "bitvec_intrinsics_constants" -> "fstar_functionalextensionality" + "bitvec_intrinsics_constants" -> "fstar_functionalextensionality" + "bitvec_intrinsics_constants" -> "fstar_mul" + "bitvec_intrinsics_constants" -> "fstar_mul" + "bitvec_intrinsics_constants" -> "rust_primitives" + "bitvec_intrinsics_constants" -> "rust_primitives" + "bitvec_intrinsics_constants" -> "core" + "bitvec_intrinsics_constants" -> "core" + "bitvec_intrinsics_constants" -> "fstar_pervasives" + "bitvec_intrinsics_constants" -> "fstar_pervasives" + "bitvec_intrinsics_constants" -> "prims" + "bitvec_intrinsics_constants" -> "prims" + "fstar_order" -> "fstar_pervasives_native" + "fstar_order" -> "fstar_pervasives_native" + "fstar_order" -> "fstar_pervasives" + "fstar_order" -> "fstar_pervasives" + "fstar_order" -> "prims" + "fstar_order" -> "prims" + "fstar_tactics_effect" -> "fstar_range" + "fstar_tactics_effect" -> "fstar_stubs_tactics_result" + "fstar_tactics_effect" -> "fstar_stubs_tactics_types" + "fstar_tactics_effect" -> "fstar_stubs_reflection_types" + "fstar_tactics_effect" -> "fstar_monotonic_pure" + "fstar_tactics_effect" -> "fstar_monotonic_pure" + "fstar_tactics_effect" -> "fstar_pervasives" + "fstar_tactics_effect" -> "fstar_pervasives" + "fstar_tactics_effect" -> "prims" + "fstar_tactics_effect" -> "prims" + "core_ops" -> "core_ops_index" + "core_ops" -> "core_ops_index" + "core_ops" -> "fstar_tactics_typeclasses" + "core_ops" -> "fstar_tactics_typeclasses" + "core_ops" -> "rust_primitives" + "core_ops" -> "rust_primitives" + "core_ops" -> "fstar_pervasives" + "core_ops" -> "fstar_pervasives" + "core_ops" -> "prims" + "core_ops" -> "prims" + "libcrux_intrinsics_avx2_extract" -> "fstar_mul" + "libcrux_intrinsics_avx2_extract" -> "core" + "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" + "libcrux_intrinsics_avx2_extract" -> "prims" + "libcrux_intrinsics_avx2_extract" -> "libcrux_intrinsics_avx2_extract" + "core_result" -> "fstar_pervasives" + "core_result" -> "fstar_pervasives" + "core_result" -> "prims" + "core_result" -> "prims" + "fstar_monotonic_heap" -> "fstar_erasedlogic" + "fstar_monotonic_heap" -> "fstar_erasedlogic" + "fstar_monotonic_heap" -> "fstar_squash" + "fstar_monotonic_heap" -> "fstar_squash" + "fstar_monotonic_heap" -> "fstar_set" + "fstar_monotonic_heap" -> "fstar_set" + "fstar_monotonic_heap" -> "fstar_pervasives_native" + "fstar_monotonic_heap" -> "fstar_pervasives_native" + "fstar_monotonic_heap" -> "fstar_functionalextensionality" + "fstar_monotonic_heap" -> "fstar_functionalextensionality" + "fstar_monotonic_heap" -> "fstar_classical" + "fstar_monotonic_heap" -> "fstar_classical" + "fstar_monotonic_heap" -> "fstar_preorder" + "fstar_monotonic_heap" -> "fstar_preorder" + "fstar_monotonic_heap" -> "fstar_pervasives" + "fstar_monotonic_heap" -> "fstar_pervasives" + "fstar_monotonic_heap" -> "prims" + "fstar_monotonic_heap" -> "prims" + "fstar_monotonic_heap" -> "fstar_monotonic_heap" + "fstar_tactics_smt" -> "fstar_vconfig" + "fstar_tactics_smt" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_smt" -> "fstar_tactics_effect" + "fstar_tactics_smt" -> "fstar_tactics_effect" + "fstar_tactics_smt" -> "fstar_pervasives" + "fstar_tactics_smt" -> "fstar_pervasives" + "fstar_tactics_smt" -> "prims" + "fstar_tactics_smt" -> "prims" + "fstar_reflection_v2_compare" -> "fstar_order" + "fstar_reflection_v2_compare" -> "fstar_order" + "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2_compare" -> "fstar_pervasives" + "fstar_reflection_v2_compare" -> "fstar_pervasives" + "fstar_reflection_v2_compare" -> "prims" + "fstar_reflection_v2_compare" -> "prims" + "fstar_int64" -> "fstar_uint" + "fstar_int64" -> "fstar_uint" + "fstar_int64" -> "fstar_uint32" + "fstar_int64" -> "fstar_uint32" + "fstar_int64" -> "fstar_mul" + "fstar_int64" -> "fstar_mul" + "fstar_int64" -> "fstar_int" + "fstar_int64" -> "fstar_int" + "fstar_int64" -> "fstar_pervasives" + "fstar_int64" -> "fstar_pervasives" + "fstar_int64" -> "prims" + "fstar_int64" -> "prims" + "core_iter_adapters_enumerate" -> "rust_primitives" + "core_iter_adapters_enumerate" -> "rust_primitives" + "core_iter_adapters_enumerate" -> "fstar_pervasives" + "core_iter_adapters_enumerate" -> "fstar_pervasives" + "core_iter_adapters_enumerate" -> "prims" + "core_iter_adapters_enumerate" -> "prims" + "fstar_reflection_v1_formula" -> "fstar_pervasives_native" + "fstar_reflection_v1_formula" -> "fstar_pervasives_native" + "fstar_reflection_v1_formula" -> "fstar_stubs_reflection_v1_data" + "fstar_reflection_v1_formula" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1_formula" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1_formula" -> "fstar_stubs_reflection_v1_builtins" + "fstar_reflection_v1_formula" -> "fstar_reflection_const" + "fstar_reflection_v1_formula" -> "fstar_reflection_const" + "fstar_reflection_v1_formula" -> "fstar_stubs_reflection_types" + "fstar_reflection_v1_formula" -> "fstar_stubs_tactics_v1_builtins" + "fstar_reflection_v1_formula" -> "fstar_tactics_effect" + "fstar_reflection_v1_formula" -> "fstar_tactics_effect" + "fstar_reflection_v1_formula" -> "fstar_list_tot_base" + "fstar_reflection_v1_formula" -> "fstar_list_tot_base" + "fstar_reflection_v1_formula" -> "fstar_pervasives" + "fstar_reflection_v1_formula" -> "fstar_pervasives" + "fstar_reflection_v1_formula" -> "prims" + "fstar_reflection_v1_formula" -> "prims" +} diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst index d952d213b..0ef3a6427 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst @@ -10,26 +10,8 @@ let _ = let open Libcrux_ml_kem.Vector.Portable in () -open FStar.Tactics - -open Tactics.Utils - -let rw_get_bit_cast #t #u - (x: int_t t) (nth: usize) - : Lemma (requires v nth < bits u /\ v nth < bits u) - (ensures eq2 #bit (get_bit (cast_mod #t #u x) nth) (if v nth < bits t then get_bit x nth else 0)) - [SMTPat (get_bit (cast_mod #t #u x) nth)] - = () - -let rw_get_bit_shr #t #u (x: int_t t) (y: int_t u) (i: usize {v i < bits t}) - : Lemma (requires v y >= 0 /\ v y < bits t) - (ensures eq2 #bit (get_bit (x >>! y) i ) - (if v i < bits t - v y - then get_bit x (mk_int (v i + v y)) - else if signed t - then get_bit x (mk_int (bits t - 1)) - else 0)) - = () +// open FStar.Tactics +// open Tactics.Utils #push-options "--compat_pre_core 2" // [@@Tactics.postprocess_with (fun _ -> norm [delta_only [`%Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16]]; fail "x")] @@ -59,7 +41,9 @@ let deserialize_1_ (bytes: t_Slice u8 {Seq.length bytes == 2}) = in let result = Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 15l coefficients_in_msb in let bv = bit_vec_of_int_t_array (bytes <: t_Array _ (sz 2)) 8 in - assert (forall (i: nat {i < 16}). bv i == result (i * 16)) by ( + assert (forall (i: nat {i < 256}). (if i % 16 = 0 then bv i else 0) == result i) by ( + let open FStar.Tactics in + let open Tactics.Utils in let light_norm () = // simplify the term: compute `+/*+` on ints, remove cast/array_of_list/funext indirections norm [ iota; primops @@ -73,7 +57,7 @@ let deserialize_1_ (bytes: t_Slice u8 {Seq.length bytes == 2}) = ] in light_norm (); // instantiate the forall with concrete values, and run a tactic for each possible values - Tactics.Utils.prove_forall_nat_pointwise (Tactics.Utils.print_time "SMT query succeeded in " (fun _ -> + prove_forall_nat_pointwise (print_time "SMT query succeeded in " (fun _ -> light_norm (); // norm index rewrites `Seq.index (Seq.seq_of_list ...) N` or // `List.Tot.index ... N` when we have list literals @@ -241,6 +225,8 @@ let deserialize_4_ (bytes: t_Slice u8) = Libcrux_intrinsics.Avx2_extract.t_Vec256) in let bv = bit_vec_of_int_t_array (bytes <: t_Array _ (sz 8)) 8 in assert (forall (i: nat {i < 64}). bv i == result ((i / 4) * 16 + i % 4)) by ( + let open FStar.Tactics in + let open Tactics.Utils in let light_norm () = norm [ iota; primops ; delta_namespace [ @@ -252,7 +238,7 @@ let deserialize_4_ (bytes: t_Slice u8) = ] ] in light_norm (); - Tactics.Utils.prove_forall_nat_pointwise (Tactics.Utils.print_time "SMT query succeeded in " (fun _ -> + prove_forall_nat_pointwise (print_time "SMT query succeeded in " (fun _ -> light_norm (); Tactics.Seq.norm_index (); norm [iota; primops; zeta_full; @@ -307,8 +293,6 @@ let deserialize_5_ (bytes: t_Slice u8) = in Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 11l coefficients -open Tactics.Utils - let serialize_1_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let lsb_to_msb:Libcrux_intrinsics.Avx2_extract.t_Vec256 = @@ -329,7 +313,9 @@ let serialize_1_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let result: t_Array u8 (sz 2) = Rust_primitives.Hax.array_of_list 2 list in let bv = bit_vec_of_int_t_array result 8 in assert (forall (i: nat {i < 16}). bv i == vector (i * 16)) by ( - Tactics.Utils.prove_forall_nat_pointwise (Tactics.Utils.print_time "SMT query succeeded in " (fun _ -> + let open FStar.Tactics in + let open Tactics.Utils in + prove_forall_nat_pointwise (print_time "SMT query succeeded in " (fun _ -> let light_norm () = // get rid of indirections (array_of_list, funext, casts, etc.) norm [ iota; primops @@ -350,7 +336,7 @@ let serialize_1_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = // three times. It's basically the same thing. let _ = repeatn 3 (fun _ -> // Try to rewrite any subterm using the following three lemmas (corresponding to (1) (3) and (2)) - l_to_r[`rw_get_bit_cast; `bit_vec_to_int_t_lemma; `rw_get_bit_shr]; + l_to_r[`BitVec.Utils.rw_get_bit_cast; `bit_vec_to_int_t_lemma; `BitVec.Utils.rw_get_bit_shr]; // get rid of useless indirections light_norm (); // after using those lemmas, more mk_int and v appears, let's get rid of those @@ -652,9 +638,10 @@ let serialize_4__ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = in assume (BitVec.Intrinsics.forall_bool #256 (fun i -> i % 16 < 4 || vector i = 0)); assert (forall (i: nat {i < 64}). - // let local_i = i / 4 in combined i == vector ((i / 4) * 16 + i % 4) ) by ( + let open FStar.Tactics in + let open Tactics.Utils in // unfold wrappers norm [primops; iota; zeta; delta_namespace [ `%BitVec.Intrinsics.mm256_shuffle_epi8; @@ -663,7 +650,7 @@ let serialize_4__ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = `%BitVec.Intrinsics.mm256_castsi256_si128; "BitVec.Utils"; ]]; - Tactics.Utils.prove_forall_nat_pointwise (Tactics.Utils.print_time "SMT query succeeded in " (fun _ -> + prove_forall_nat_pointwise (print_time "SMT query succeeded in " (fun _ -> let reduce t = norm [primops; iota; zeta_full; delta_namespace [ "FStar.FunctionalExtensionality"; @@ -678,7 +665,7 @@ let serialize_4__ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = reduce (`%BitVec.Intrinsics.mm256_permutevar8x32_epi32_i32); reduce (`%BitVec.Intrinsics.mm256_shuffle_epi8_i8); reduce (`%BitVec.Intrinsics.mm256_madd_epi16_specialized); - grewrite (quote (forall_bool #256 (fun i -> i % 16 < 4 || op_Equality #int (vector i) 0))) (`true); + grewrite (quote (BitVec.Intrinsics.forall_bool #256 (fun i -> i % 16 < 4 || op_Equality #int (vector i) 0))) (`true); flip (); smt (); reduce (`%BitVec.Intrinsics.mm256_madd_epi16_specialized'); trivial () diff --git a/libcrux-ml-kem/src/vector/avx2/serialize.rs b/libcrux-ml-kem/src/vector/avx2/serialize.rs index 9d389017a..100a8a10d 100644 --- a/libcrux-ml-kem/src/vector/avx2/serialize.rs +++ b/libcrux-ml-kem/src/vector/avx2/serialize.rs @@ -47,7 +47,58 @@ pub(crate) fn serialize_1(vector: Vec256) -> [u8; 2] { // significant bit from each element and collate them into two bytes. let bits_packed = mm_movemask_epi8(msbs); - [bits_packed as u8, (bits_packed >> 8) as u8] + let result = [bits_packed as u8, (bits_packed >> 8) as u8]; + + hax_lib::fstar!( + r#" +let bv = bit_vec_of_int_t_array ${result} 8 in +assert (forall (i: nat {i < 16}). bv i == ${vector} (i * 16)) by ( + let open FStar.Tactics in + let open Tactics.Utils in + prove_forall_nat_pointwise (print_time "SMT query succeeded in " (fun _ -> + let light_norm () = + // get rid of indirections (array_of_list, funext, casts, etc.) + norm [ iota; primops + ; delta_only [ + `%cast; `%cast_tc_integers + ; `%bit_vec_of_int_t_array + ; `%Rust_primitives.Hax.array_of_list + ; `%FunctionalExtensionality.on + ; `%bits;`%Lib.IntTypes.bits + ] + ] in + light_norm (); + // normalize List.index / Seq.index when we have literals + Tactics.Seq.norm_index (); + // here, we need to take care of (1) the cast and (2) the shift + // (introduced in `list`) and (3) bv<->i16 indirection + // introduced by `bit_vec_to_int_t`. Thus, we repeat the tactic + // three times. It's basically the same thing. + let _ = repeatn 3 (fun _ -> + // Try to rewrite any subterm using the following three lemmas (corresponding to (1) (3) and (2)) + l_to_r[`BitVec.Utils.rw_get_bit_cast; `bit_vec_to_int_t_lemma; `BitVec.Utils.rw_get_bit_shr]; + // get rid of useless indirections + light_norm (); + // after using those lemmas, more mk_int and v appears, let's get rid of those + Tactics.MachineInts.(transform norm_machine_int_term); + // Special treatment for case (3) + norm [primops; iota; zeta_full; delta_only [ + `%BitVec.Intrinsics.mm_movemask_epi8; + ]] + ) in + // Now we normalize away all the FunExt / mk_bv terms + norm [primops; iota; zeta_full; delta_namespace ["BitVec"; "FStar"]]; + // Ask the SMT to solve now + // dump' "Goal:"; + smt_sync (); + // dump' "Success"; + smt () + )) +) +"# + ); + + result } #[inline(always)] @@ -111,7 +162,53 @@ pub(crate) fn deserialize_1(bytes: &[u8]) -> Vec256 { // Now that they're all in the most significant bit position, shift them // down to the least significant bit. - mm256_srli_epi16::<15>(coefficients_in_msb) + let result = mm256_srli_epi16::<15>(coefficients_in_msb); + + hax_lib::fstar!( + r#" +let bv = bit_vec_of_int_t_array (${bytes} <: t_Array _ (sz 2)) 8 in +assert (forall (i: nat {i < 256}). (if i % 16 = 0 then bv i else 0) == result i) by ( + let open FStar.Tactics in + let open Tactics.Utils in + let light_norm () = + // simplify the term: compute `+/*+` on ints, remove cast/array_of_list/funext indirections + norm [ iota; primops + ; delta_namespace [ + `%cast; `%cast_tc_integers + ; `%bit_vec_of_int_t_array + ; `%Rust_primitives.Hax.array_of_list + ; "FStar.FunctionalExtensionality" + ; `%bits;`%Lib.IntTypes.bits + ] + ] in + light_norm (); + // instantiate the forall with concrete values, and run a tactic for each possible values + prove_forall_nat_pointwise (print_time "SMT query succeeded in " (fun _ -> + light_norm (); + // norm index rewrites `Seq.index (Seq.seq_of_list ...) N` or + // `List.Tot.index ... N` when we have list literals + Tactics.Seq.norm_index (); + // Reduce more aggressively + norm [iota; primops; zeta_full; + delta_namespace [ + "FStar"; + "BitVec"; + ]; unascribe + ]; + // Rewrite and normalize machine integers, hopefully in ints + Tactics.MachineInts.(transform norm_machine_int_term); + // norm: primops to get rid of >=, <=, +, *, -, etc. + // zeta delta iota: normalize bitvectors + norm [iota; primops; zeta; delta]; + dump' "Goal:"; + // ask the smt to solve now + smt_sync () + )) +) +"# + ); + + result } #[inline(always)] @@ -171,6 +268,45 @@ pub(crate) fn serialize_4(vector: Vec256) -> [u8; 8] { mm256_permutevar8x32_epi32(adjacent_8_combined, mm256_set_epi32(0, 0, 0, 0, 0, 0, 4, 0)); let combined = mm256_castsi256_si128(combined); + hax_lib::fstar!( + r#" +assert (forall (i: nat {i < 64}). + ${combined} i == ${vector} ((i / 4) * 16 + i % 4) +) by ( + let open FStar.Tactics in + let open Tactics.Utils in + // unfold wrappers + norm [primops; iota; zeta; delta_namespace [ + `%BitVec.Intrinsics.mm256_shuffle_epi8; + `%BitVec.Intrinsics.mm256_permutevar8x32_epi32; + `%BitVec.Intrinsics.mm256_madd_epi16; + `%BitVec.Intrinsics.mm256_castsi256_si128; + "BitVec.Utils"; + ]]; + prove_forall_nat_pointwise (print_time "SMT query succeeded in " (fun _ -> + let reduce t = + norm [primops; iota; zeta_full; delta_namespace [ + "FStar.FunctionalExtensionality"; + t; + `%BitVec.Utils.mk_bv; + `%( + ); `%op_Subtraction; `%( / ); `%( * ); `%( % ) + ]]; + norm [primops; iota; zeta_full; delta_namespace [ + "FStar.List.Tot"; `%( + ); `%op_Subtraction; `%( / ); `%( * ); `%( % ) + ]] + in + reduce (`%BitVec.Intrinsics.mm256_permutevar8x32_epi32_i32); + reduce (`%BitVec.Intrinsics.mm256_shuffle_epi8_i8); + reduce (`%BitVec.Intrinsics.mm256_madd_epi16_specialized); + grewrite (quote (BitVec.Intrinsics.forall_bool #256 (fun i -> i % 16 < 4 || op_Equality #int (${vector} i) 0))) (`true); + flip (); smt (); + reduce (`%BitVec.Intrinsics.mm256_madd_epi16_specialized'); + trivial () + )) +); +"# + ); + // ... so that we can read them out in one go. mm_storeu_bytes_si128(&mut serialized, combined); @@ -239,7 +375,49 @@ pub(crate) fn deserialize_4(bytes: &[u8]) -> Vec256 { let coefficients_in_lsb = mm256_srli_epi16::<4>(coefficients_in_msb); // Zero the remaining bits. - mm256_and_si256(coefficients_in_lsb, mm256_set1_epi16((1 << 4) - 1)) + let result = mm256_and_si256(coefficients_in_lsb, mm256_set1_epi16((1 << 4) - 1)); + + hax_lib::fstar!( + r#" +let bv = bit_vec_of_int_t_array (${bytes} <: t_Array _ (sz 8)) 8 in +assert (forall (i: nat {i < 64}). bv i == ${result} ((i / 4) * 16 + i % 4)) by ( + let open FStar.Tactics in + let open Tactics.Utils in + let light_norm () = + norm [ iota; primops + ; delta_namespace [ + `%cast; `%cast_tc_integers + ; `%bit_vec_of_int_t_array + ; `%Rust_primitives.Hax.array_of_list + ; "FStar.FunctionalExtensionality" + ; `%bits;`%Lib.IntTypes.bits + ] + ] in + light_norm (); + prove_forall_nat_pointwise (print_time "SMT query succeeded in " (fun _ -> + light_norm (); + Tactics.Seq.norm_index (); + norm [iota; primops; zeta_full; + delta_namespace [ + "FStar"; + "BitVec"; + ]; unascribe + ]; + Tactics.MachineInts.(transform norm_machine_int_term); + norm [iota; primops; zeta_full; + delta_namespace [ + "FStar"; + "BitVec"; + ]; unascribe + ]; + dump' "Goal:"; + smt_sync () + )) +) +"# + ); + + result } #[inline(always)] diff --git a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst new file mode 100644 index 000000000..0e4db4e49 --- /dev/null +++ b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst @@ -0,0 +1,69 @@ +module Libcrux_platform.X86 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +(* item error backend: (reject_Unsafe) ExplicitRejection { reason: "a node of kind [Unsafe] have been found in the AST" } +Last available AST for this item: + +#[inline(never)] +#[inline(always)] +#[cfg(any(target_arch = "x86", target_arch = "x86_64"))] +#[allow(non_upper_case_globals)] +#[no_std()] +#[feature(register_tool)] +#[register_tool(_hax)] +unsafe fn init__cpuid(leaf: int) -> core::core_arch::x86::cpuid::t_CpuidResult { + rust_primitives::hax::dropped_body +} + + +Last AST: +/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "libcrux_platform"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "x86"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "init"); disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "cpuid"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value }) */ +const _: () = (); + *) + +(* item error backend: (reject_Unsafe) ExplicitRejection { reason: "a node of kind [Unsafe] have been found in the AST" } +Last available AST for this item: + +#[inline(never)] +#[inline(always)] +#[cfg(any(target_arch = "x86", target_arch = "x86_64"))] +#[allow(non_upper_case_globals)] +#[no_std()] +#[feature(register_tool)] +#[register_tool(_hax)] +unsafe fn init__cpuid_count( + leaf: int, + sub_leaf: int, +) -> core::core_arch::x86::cpuid::t_CpuidResult { + rust_primitives::hax::dropped_body +} + + +Last AST: +/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "libcrux_platform"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "x86"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "init"); disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "cpuid_count"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value }) */ +const _: () = (); + *) From f1a7d8939d06ec9e229b1c09eceee744adf3a765 Mon Sep 17 00:00:00 2001 From: Lucas Franceschino Date: Thu, 19 Sep 2024 09:26:18 +0200 Subject: [PATCH 07/19] wip --- libcrux-intrinsics/src/avx2_extract.rs | 11 +++++------ libcrux-ml-kem/src/vector/avx2/serialize.rs | 8 +++++++- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/libcrux-intrinsics/src/avx2_extract.rs b/libcrux-intrinsics/src/avx2_extract.rs index c370ac59b..4454babb5 100644 --- a/libcrux-intrinsics/src/avx2_extract.rs +++ b/libcrux-intrinsics/src/avx2_extract.rs @@ -16,8 +16,10 @@ pub struct Vec256(u8); #[derive(Copy, Clone)] #[hax_lib::fstar::replace( interface, - "unfold type $:{Vec128} = bit_vec 128 - val vec128_as_i16x8 (x:t_Vec128) : t_Array i16 (sz 8)" + r#" +unfold type $:{Vec128} = bit_vec 128 +val vec128_as_i16x8 (x:t_Vec128) : t_Array i16 (sz 8) +"# )] pub struct Vec128(u8); @@ -40,10 +42,7 @@ pub fn mm_storeu_si128(output: &mut [i16], vector: Vec128) { unimplemented!() } -#[hax_lib::fstar::replace( - interface, - "include BitVec.Intrinsics {mm_storeu_bytes_si128 as ${mm_storeu_bytes_si128}}" -)] +#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm_storeu_bytes_si128}")] pub fn mm_storeu_bytes_si128(output: &mut [u8], vector: Vec128) { debug_assert_eq!(output.len(), 16); unimplemented!() diff --git a/libcrux-ml-kem/src/vector/avx2/serialize.rs b/libcrux-ml-kem/src/vector/avx2/serialize.rs index 100a8a10d..03d042950 100644 --- a/libcrux-ml-kem/src/vector/avx2/serialize.rs +++ b/libcrux-ml-kem/src/vector/avx2/serialize.rs @@ -211,6 +211,11 @@ assert (forall (i: nat {i < 256}). (if i % 16 = 0 then bv i else 0) == result i) result } +#[hax_lib::requires( + fstar!( + r#"BitVec.Intrinsics.forall_bool #256 (fun i -> i % 16 < 4 || vector i = 0)"# + ) +)] #[inline(always)] pub(crate) fn serialize_4(vector: Vec256) -> [u8; 8] { let mut serialized = [0u8; 16]; @@ -303,7 +308,7 @@ assert (forall (i: nat {i < 64}). reduce (`%BitVec.Intrinsics.mm256_madd_epi16_specialized'); trivial () )) -); +) "# ); @@ -313,6 +318,7 @@ assert (forall (i: nat {i < 64}). serialized[0..8].try_into().unwrap() } +#[hax_lib::requires(bytes.len() == 8)] #[inline(always)] pub(crate) fn deserialize_4(bytes: &[u8]) -> Vec256 { // Every 4 bits from each byte of input should be put into its own 16-bit lane. From 11cd99108b59f384a9e67e97f621c7a369bdb362 Mon Sep 17 00:00:00 2001 From: Lucas Franceschino Date: Thu, 19 Sep 2024 11:28:58 +0200 Subject: [PATCH 08/19] fixes --- .../fstar-bitvec/BitVec.Intrinsics.fsti | 2 +- libcrux-intrinsics/src/avx2_extract.rs | 24 +++++++++++++++---- 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti index 59b90347a..6d866e472 100644 --- a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti +++ b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti @@ -285,7 +285,7 @@ let mm256_madd_epi16 : bit_vec 256 = result -val mm_storeu_bytes_si128 (_output vec: bit_vec 128): t_Slice u8 +val mm_storeu_bytes_si128 (_output: t_Slice u8) (vec: bit_vec 128): t_Slice u8 open FStar.Stubs.Tactics.V2.Builtins open FStar.Stubs.Tactics.V2 diff --git a/libcrux-intrinsics/src/avx2_extract.rs b/libcrux-intrinsics/src/avx2_extract.rs index 65b5ec84a..5710c9675 100644 --- a/libcrux-intrinsics/src/avx2_extract.rs +++ b/libcrux-intrinsics/src/avx2_extract.rs @@ -135,7 +135,14 @@ pub fn mm256_set_epi8( Spec.Utils.create (sz 16) $constant"))] #[hax_lib::fstar::replace( interface, - "include BitVec.Intrinsics {mm256_set1_epi16 as ${mm256_set1_epi16}}" + r#" +include BitVec.Intrinsics {mm256_set1_epi16 as ${mm256_set1_epi16}} +val lemma_mm256_set1_epi16 constant + : Lemma ( vec256_as_i16x16 (mm256_set1_epi16 constant) + == Spec.Utils.create (sz 16) constant + ) + [SMTPat (vec256_as_i16x16 (mm256_set1_epi16 constant))] +"# )] pub fn mm256_set1_epi16(constant: i16) -> Vec256 { unimplemented!() @@ -148,7 +155,7 @@ include BitVec.Intrinsics {mm256_set_epi16 as ${mm256_set_epi16}} let lemma_mm256_set_epi16 v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0 : Lemma (vec256_as_i16x16 (${mm256_set_epi16} v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0) == Spec.Utils.create16 v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15) - [SMTPat (vec256_as_i16x16 (${mm256_set_epi16} v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0))] = admit()" + [SMTPat (vec256_as_i16x16 (${mm256_set_epi16} v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0))] = admit() "# )] pub fn mm256_set_epi16( @@ -273,8 +280,17 @@ pub fn mm256_mul_epu32(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::ensures(|result| fstar!("vec256_as_i16x16 $result == - Spec.Utils.map2 (&.) (vec256_as_i16x16 $lhs) (vec256_as_i16x16 $rhs)"))] +#[hax_lib::fstar::replace( + interface, + r#" +include BitVec.Intrinsics {mm256_and_si256 as ${mm256_and_si256}} +val lemma_mm256_and_si256 lhs rhs + : Lemma ( vec256_as_i16x16 (mm256_and_si256 lhs rhs) + == Spec.Utils.map2 (&.) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs) + ) + [SMTPat (vec256_as_i16x16 (mm256_and_si256 lhs rhs))] +"# +)] pub fn mm256_and_si256(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } From 1afb5c2a819ec9b36f1c97f9fb63b588c2066cdc Mon Sep 17 00:00:00 2001 From: Lucas Franceschino Date: Thu, 19 Sep 2024 11:29:22 +0200 Subject: [PATCH 09/19] regenerated F* --- .../Libcrux_intrinsics.Avx2_extract.fst | 128 +---- .../Libcrux_intrinsics.Avx2_extract.fsti | 186 +++++-- ...rux_ml_kem.Ind_cca.Instantiations.Avx2.fst | 20 +- ...ux_ml_kem.Ind_cca.Instantiations.Avx2.fsti | 22 +- ...rux_ml_kem.Ind_cca.Instantiations.Neon.fst | 20 +- ...ux_ml_kem.Ind_cca.Instantiations.Neon.fsti | 22 +- ...ml_kem.Ind_cca.Instantiations.Portable.fst | 20 +- ...l_kem.Ind_cca.Instantiations.Portable.fsti | 22 +- .../Libcrux_ml_kem.Ind_cca.Multiplexing.fst | 46 +- .../Libcrux_ml_kem.Ind_cca.Multiplexing.fsti | 20 +- .../Libcrux_ml_kem.Mlkem1024.Avx2.fst | 30 +- .../Libcrux_ml_kem.Mlkem1024.Avx2.fsti | 14 +- .../Libcrux_ml_kem.Mlkem1024.Neon.fst | 30 +- .../Libcrux_ml_kem.Mlkem1024.Neon.fsti | 14 +- .../Libcrux_ml_kem.Mlkem1024.Portable.fst | 30 +- .../Libcrux_ml_kem.Mlkem1024.Portable.fsti | 14 +- .../extraction/Libcrux_ml_kem.Mlkem1024.fst | 30 +- .../extraction/Libcrux_ml_kem.Mlkem1024.fsti | 14 +- .../Libcrux_ml_kem.Mlkem512.Avx2.fst | 26 +- .../Libcrux_ml_kem.Mlkem512.Avx2.fsti | 14 +- .../Libcrux_ml_kem.Mlkem512.Neon.fst | 26 +- .../Libcrux_ml_kem.Mlkem512.Neon.fsti | 14 +- .../Libcrux_ml_kem.Mlkem512.Portable.fst | 26 +- .../Libcrux_ml_kem.Mlkem512.Portable.fsti | 14 +- .../extraction/Libcrux_ml_kem.Mlkem512.fst | 26 +- .../extraction/Libcrux_ml_kem.Mlkem512.fsti | 14 +- .../Libcrux_ml_kem.Mlkem768.Avx2.fst | 30 +- .../Libcrux_ml_kem.Mlkem768.Avx2.fsti | 14 +- .../Libcrux_ml_kem.Mlkem768.Neon.fst | 30 +- .../Libcrux_ml_kem.Mlkem768.Neon.fsti | 14 +- .../Libcrux_ml_kem.Mlkem768.Portable.fst | 30 +- .../Libcrux_ml_kem.Mlkem768.Portable.fsti | 14 +- .../extraction/Libcrux_ml_kem.Mlkem768.fst | 30 +- .../extraction/Libcrux_ml_kem.Mlkem768.fsti | 14 +- .../Libcrux_ml_kem.Vector.Avx2.Serialize.fst | 466 +++++++++--------- .../Libcrux_ml_kem.Vector.Avx2.Serialize.fsti | 8 +- ...bcrux_ml_kem.Vector.Portable.Serialize.fst | 242 ++++----- ...crux_ml_kem.Vector.Portable.Serialize.fsti | 32 +- .../Libcrux_ml_kem.Vector.Portable.fsti | 2 +- 39 files changed, 870 insertions(+), 898 deletions(-) diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst index 44910de0c..0428a32bc 100644 --- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst +++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst @@ -1,125 +1,11 @@ module Libcrux_intrinsics.Avx2_extract -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" open Core open FStar.Mul -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 2213; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 2; line = 213 }; - lo = { Span.Imported.col = 0; line = 207 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 2213; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 2; line = 213 }; - lo = { Span.Imported.col = 0; line = 207 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"2\"; line = \"213\" };\n lo = { Types.col = \"0\"; line = \"207\" } };\n ty = Types.Never }")); - span = - { Span.id = 2213; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 2; line = 213 }; - lo = { Span.Imported.col = 0; line = 207 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 2213; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 2; line = 213 }; - lo = { Span.Imported.col = 0; line = 207 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm256_mullo_epi16"); - disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) +include BitVec.Intrinsics {mm256_and_si256 as mm256_and_si256} +val lemma_mm256_set1_epi16 lhs rhs + : Lemma ( vec256_as_i16x16 (mm256_and_si256 lhs rhs) + == Spec.Utils.map2 (&.) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs) + ) + [SMTPat (vec256_as_i16x16 (mm256_and_si256 lhs rhs))] diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti index 828f0006f..272f5a4f3 100644 --- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti +++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti @@ -1,21 +1,27 @@ module Libcrux_intrinsics.Avx2_extract -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" open Core open FStar.Mul unfold type t_Vec128 = bit_vec 128 - val vec128_as_i16x8 (x:t_Vec128) : t_Array i16 (sz 8) +val vec128_as_i16x8 (x: bit_vec 128) : t_Array i16 (sz 8) +let get_lane128 (v: bit_vec 128) (i:nat{i < 8}) = Seq.index (vec128_as_i16x8 v) i unfold type t_Vec256 = bit_vec 256 - val vec256_as_i16x16 (x:t_Vec256) : t_Array i16 (sz 16) - -val mm256_add_epi16 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val vec256_as_i16x16 (x: bit_vec 256) : t_Array i16 (sz 16) +let get_lane (v: bit_vec 256) (i:nat{i < 16}) = Seq.index (vec256_as_i16x16 v) i + +val mm256_add_epi16 (lhs rhs: t_Vec256) + : Prims.Pure t_Vec256 + Prims.l_True + (ensures + fun result -> + let result:t_Vec256 = result in + vec256_as_i16x16 result == + Spec.Utils.map2 ( +. ) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs)) val mm256_add_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_and_si256 as mm256_and_si256} -// val mm256_and_si256 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - val mm256_andnot_si256 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val mm256_blend_epi16 (v_CONTROL: i32) (lhs rhs: t_Vec256) @@ -24,15 +30,11 @@ val mm256_blend_epi16 (v_CONTROL: i32) (lhs rhs: t_Vec256) val mm256_castsi128_si256 (vector: t_Vec128) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_castsi256_si128 as mm256_castsi256_si128} - val mm256_cmpgt_epi16 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val mm256_cvtepi16_epi32 (vector: t_Vec128) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_extracti128_si256 as mm256_extracti128_si256} - val mm256_inserti128_si256 (v_CONTROL: i32) (vector: t_Vec256) (vector_i128: t_Vec128) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) @@ -42,13 +44,18 @@ val mm256_loadu_si256_i16 (input: t_Slice i16) val mm256_loadu_si256_u8 (input: t_Slice u8) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_madd_epi16 as mm256_madd_epi16} - val mm256_mul_epu32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -val mm256_mulhi_epi16 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - -include BitVec.Intrinsics {mm256_mullo_epi16 as mm256_mullo_epi16} +val mm256_mulhi_epi16 (lhs rhs: t_Vec256) + : Prims.Pure t_Vec256 + Prims.l_True + (ensures + fun result -> + let result:t_Vec256 = result in + vec256_as_i16x16 result == + Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) + (vec256_as_i16x16 lhs) + (vec256_as_i16x16 rhs)) val mm256_mullo_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) @@ -60,29 +67,28 @@ val mm256_permute2x128_si256 (v_IMM8: i32) (a b: t_Vec256) val mm256_permute4x64_epi64 (v_CONTROL: i32) (vector: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_permutevar8x32_epi32} - -include BitVec.Intrinsics {mm256_set1_epi16 as mm256_set1_epi16} -// val mm256_set1_epi16 (constant: i16) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_permutevar8x32_epi32 (vector control: t_Vec256) + : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val mm256_set1_epi32 (constant: i32) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val mm256_set1_epi64x (a: i64) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_set_epi16 as mm256_set_epi16} - -include BitVec.Intrinsics {mm256_set_epi32} +val mm256_set_epi32 (input7 input6 input5 input4 input3 input2 input1 input0: i32) + : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_set_epi8} +val mm256_set_epi8 + (byte31 byte30 byte29 byte28 byte27 byte26 byte25 byte24 byte23 byte22 byte21 byte20 byte19 byte18 byte17 byte16 byte15 byte14 byte13 byte12 byte11 byte10 byte9 byte8 byte7 byte6 byte5 byte4 byte3 byte2 byte1 byte0: + i8) + : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val mm256_setzero_si256: Prims.unit -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val mm256_shuffle_epi32 (v_CONTROL: i32) (vector: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_shuffle_epi8} - -include BitVec.Intrinsics {mm256_slli_epi16 as mm256_slli_epi16} +val mm256_shuffle_epi8 (vector control: t_Vec256) + : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val mm256_slli_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) @@ -94,13 +100,17 @@ val mm256_sllv_epi32 (vector counts: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val mm256_srai_epi16 (v_SHIFT_BY: i32) (vector: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure t_Vec256 + (requires v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l) + (ensures + fun result -> + let result:t_Vec256 = result in + vec256_as_i16x16 result == + Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) (vec256_as_i16x16 vector)) val mm256_srai_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_srli_epi16 as mm256_srli_epi16} - val mm256_srli_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) @@ -113,7 +123,14 @@ val mm256_storeu_si256_i16 (output: t_Slice i16) (vector: t_Vec256) val mm256_storeu_si256_u8 (output: t_Slice u8) (vector: t_Vec256) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -val mm256_sub_epi16 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_sub_epi16 (lhs rhs: t_Vec256) + : Prims.Pure t_Vec256 + Prims.l_True + (ensures + fun result -> + let result:t_Vec256 = result in + vec256_as_i16x16 result == + Spec.Utils.map2 ( -. ) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs)) val mm256_unpackhi_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) @@ -128,19 +145,44 @@ val mm256_unpacklo_epi64 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun val mm256_xor_si256 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -val mm_add_epi16 (lhs rhs: t_Vec128) : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) +val mm_add_epi16 (lhs rhs: t_Vec128) + : Prims.Pure t_Vec128 + Prims.l_True + (ensures + fun result -> + let result:t_Vec128 = result in + vec128_as_i16x8 result == + Spec.Utils.map2 ( +. ) (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs)) val mm_loadu_si128 (input: t_Slice u8) : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm_movemask_epi8 as mm_movemask_epi8} - -val mm_mulhi_epi16 (lhs rhs: t_Vec128) : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) - -val mm_mullo_epi16 (lhs rhs: t_Vec128) : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) - -include BitVec.Intrinsics {mm_packs_epi16 as mm_packs_epi16} - -val mm_set1_epi16 (constant: i16) : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) +val mm_mulhi_epi16 (lhs rhs: t_Vec128) + : Prims.Pure t_Vec128 + Prims.l_True + (ensures + fun result -> + let result:t_Vec128 = result in + vec128_as_i16x8 result == + Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) + (vec128_as_i16x8 lhs) + (vec128_as_i16x8 rhs)) + +val mm_mullo_epi16 (lhs rhs: t_Vec128) + : Prims.Pure t_Vec128 + Prims.l_True + (ensures + fun result -> + let result:t_Vec128 = result in + vec128_as_i16x8 result == + Spec.Utils.map2 mul_mod (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs)) + +val mm_set1_epi16 (constant: i16) + : Prims.Pure t_Vec128 + Prims.l_True + (ensures + fun result -> + let result:t_Vec128 = result in + vec128_as_i16x8 result == Spec.Utils.create (sz 8) constant) val mm_set_epi8 (byte15 byte14 byte13 byte12 byte11 byte10 byte9 byte8 byte7 byte6 byte5 byte4 byte3 byte2 byte1 byte0: @@ -150,10 +192,62 @@ val mm_set_epi8 val mm_shuffle_epi8 (vector control: t_Vec128) : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) -val mm_storeu_bytes_si128 (output: t_Slice u8) (vector: t_Vec128) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) +include BitVec.Intrinsics {mm_storeu_bytes_si128} val mm_storeu_si128 (output: t_Slice i16) (vector: t_Vec128) - : Prims.Pure (t_Slice i16) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (t_Slice i16) + Prims.l_True + (ensures + fun output_future -> + let output_future:t_Slice i16 = output_future in + (Core.Slice.impl__len #i16 output_future <: usize) =. + (Core.Slice.impl__len #i16 output <: usize)) + +val mm_sub_epi16 (lhs rhs: t_Vec128) + : Prims.Pure t_Vec128 + Prims.l_True + (ensures + fun result -> + let result:t_Vec128 = result in + vec128_as_i16x8 result == + Spec.Utils.map2 ( -. ) (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs)) + +include BitVec.Intrinsics {mm256_and_si256 as mm256_and_si256} +val lemma_mm256_and_si256 lhs rhs + : Lemma ( vec256_as_i16x16 (mm256_and_si256 lhs rhs) + == Spec.Utils.map2 (&.) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs) + ) + [SMTPat (vec256_as_i16x16 (mm256_and_si256 lhs rhs))] + +include BitVec.Intrinsics {mm256_castsi256_si128 as mm256_castsi256_si128} + +include BitVec.Intrinsics {mm256_extracti128_si256 as mm256_extracti128_si256} + +include BitVec.Intrinsics {mm256_madd_epi16 as mm256_madd_epi16} -val mm_sub_epi16 (lhs rhs: t_Vec128) : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) +include BitVec.Intrinsics {mm256_mullo_epi16 as mm256_mullo_epi16} +let lemma_mm256_mullo_epi16 v1 v2 : + Lemma (vec256_as_i16x16 (mm256_mullo_epi16 v1 v2) == + Spec.Utils.map2 mul_mod (vec256_as_i16x16 v1) (vec256_as_i16x16 v2)) + [SMTPat (vec256_as_i16x16 (mm256_mullo_epi16 v1 v2))] = admit() + +include BitVec.Intrinsics {mm256_set1_epi16 as mm256_set1_epi16} +val lemma_mm256_set1_epi16 constant + : Lemma ( vec256_as_i16x16 (mm256_set1_epi16 constant) + == Spec.Utils.create (sz 16) constant + ) + [SMTPat (vec256_as_i16x16 (mm256_set1_epi16 constant))] + +include BitVec.Intrinsics {mm256_set_epi16 as mm256_set_epi16} +let lemma_mm256_set_epi16 v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0 : + Lemma (vec256_as_i16x16 (mm256_set_epi16 v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0) == + Spec.Utils.create16 v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15) + [SMTPat (vec256_as_i16x16 (mm256_set_epi16 v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0))] = admit() + +include BitVec.Intrinsics {mm256_slli_epi16 as mm256_slli_epi16} + +include BitVec.Intrinsics {mm256_srli_epi16 as mm256_srli_epi16} + +include BitVec.Intrinsics {mm_movemask_epi8 as mm_movemask_epi8} + +include BitVec.Intrinsics {mm_packs_epi16 as mm_packs_epi16} diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst index b0bfe3100..fef0d96bb 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst @@ -11,16 +11,6 @@ let _ = let open Libcrux_ml_kem.Vector.Avx2 in () -let validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - = - Libcrux_ml_kem.Ind_cca.validate_public_key v_K - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector - public_key - let decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) @@ -56,6 +46,16 @@ let generate_keypair #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash randomness +let validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + = + Libcrux_ml_kem.Ind_cca.validate_public_key v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + public_key + let encapsulate_unpacked (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti index 5fe17a0d5..60d996386 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti @@ -11,17 +11,6 @@ let _ = let open Libcrux_ml_kem.Vector.Avx2 in () -/// Portable public key validation -val validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) - (fun _ -> Prims.l_True) - /// Portable decapsulate val decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: @@ -79,6 +68,17 @@ val generate_keypair v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K) (fun _ -> Prims.l_True) +/// Portable public key validation +val validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure bool + (requires + Spec.MLKEM.is_rank v_K /\ + v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) + (fun _ -> Prims.l_True) + /// Portable encapsualte val encapsulate_unpacked (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst index 0f1cea879..1b25322d3 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst @@ -11,16 +11,6 @@ let _ = let open Libcrux_ml_kem.Vector.Neon in () -let validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - = - Libcrux_ml_kem.Ind_cca.validate_public_key v_K - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - public_key - let decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) @@ -58,6 +48,16 @@ let generate_keypair #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash randomness +let validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + = + Libcrux_ml_kem.Ind_cca.validate_public_key v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + public_key + let encapsulate_unpacked (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti index 0fa0378fe..72a311393 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti @@ -11,17 +11,6 @@ let _ = let open Libcrux_ml_kem.Vector.Neon in () -/// Portable public key validation -val validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) - (fun _ -> Prims.l_True) - /// Portable decapsulate val decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: @@ -79,6 +68,17 @@ val generate_keypair v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K) (fun _ -> Prims.l_True) +/// Portable public key validation +val validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure bool + (requires + Spec.MLKEM.is_rank v_K /\ + v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) + (fun _ -> Prims.l_True) + /// Portable encapsualte val encapsulate_unpacked (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst index 7dd84a30d..bea8567f3 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst @@ -11,16 +11,6 @@ let _ = let open Libcrux_ml_kem.Vector.Portable in () -let validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - = - Libcrux_ml_kem.Ind_cca.validate_public_key v_K - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - public_key - let decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) @@ -58,6 +48,16 @@ let generate_keypair #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) randomness +let validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + = + Libcrux_ml_kem.Ind_cca.validate_public_key v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + public_key + let encapsulate_unpacked (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti index 3fd260dcf..6ba23785d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti @@ -11,17 +11,6 @@ let _ = let open Libcrux_ml_kem.Vector.Portable in () -/// Portable public key validation -val validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) - (fun _ -> Prims.l_True) - /// Portable decapsulate val decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: @@ -79,6 +68,17 @@ val generate_keypair v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K) (fun _ -> Prims.l_True) +/// Portable public key validation +val validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure bool + (requires + Spec.MLKEM.is_rank v_K /\ + v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) + (fun _ -> Prims.l_True) + /// Portable encapsualte val encapsulate_unpacked (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst index 2e6c0ad1a..2ca3571c4 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst @@ -3,29 +3,6 @@ module Libcrux_ml_kem.Ind_cca.Multiplexing open Core open FStar.Mul -let validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - = - if Libcrux_platform.Platform.simd256_support () - then - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key v_K - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - public_key - else - if Libcrux_platform.Platform.simd128_support () - then - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key v_K - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - public_key - else - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key v_K - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - public_key - let decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) @@ -114,3 +91,26 @@ let generate_keypair v_ETA1 v_ETA1_RANDOMNESS_SIZE randomness + +let validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + = + if Libcrux_platform.Platform.simd256_support () + then + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + public_key + else + if Libcrux_platform.Platform.simd128_support () + then + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + public_key + else + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + public_key diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti index 2c6e2ba1c..f74dd66e8 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti @@ -3,16 +3,6 @@ module Libcrux_ml_kem.Ind_cca.Multiplexing open Core open FStar.Mul -val validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) - (fun _ -> Prims.l_True) - val decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) @@ -67,3 +57,13 @@ val generate_keypair v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K) (fun _ -> Prims.l_True) + +val validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure bool + (requires + Spec.MLKEM.is_rank v_K /\ + v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst index f5a15cc47..3becfc426 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst @@ -3,21 +3,6 @@ module Libcrux_ml_kem.Mlkem1024.Avx2 open Core open FStar.Mul -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = - if - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 4) - (sz 1536) - (sz 1568) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - else - Core.Option.Option_None - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) @@ -43,6 +28,21 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 128) randomness +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = + if + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 4) + (sz 1536) + (sz 1568) + public_key.Libcrux_ml_kem.Types.f_value + then + Core.Option.Option_Some public_key + <: + Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + else + Core.Option.Option_None + <: + Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + let encapsulate_unpacked (public_key: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti index 10bf32a75..176cc9784 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti @@ -3,13 +3,6 @@ module Libcrux_ml_kem.Mlkem1024.Avx2 open Core open FStar.Mul -/// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))) - Prims.l_True - (fun _ -> Prims.l_True) - /// Decapsulate ML-KEM 1024 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`]. @@ -35,6 +28,13 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `Some(public_key)` if valid, and `None` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))) + Prims.l_True + (fun _ -> Prims.l_True) + let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst index 61b49bfcb..2c782f7a5 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst @@ -3,21 +3,6 @@ module Libcrux_ml_kem.Mlkem1024.Neon open Core open FStar.Mul -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = - if - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 4) - (sz 1536) - (sz 1568) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - else - Core.Option.Option_None - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) @@ -43,6 +28,21 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 128) randomness +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = + if + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 4) + (sz 1536) + (sz 1568) + public_key.Libcrux_ml_kem.Types.f_value + then + Core.Option.Option_Some public_key + <: + Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + else + Core.Option.Option_None + <: + Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + let encapsulate_unpacked (public_key: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti index 6e171d854..ab4413e4d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti @@ -3,13 +3,6 @@ module Libcrux_ml_kem.Mlkem1024.Neon open Core open FStar.Mul -/// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))) - Prims.l_True - (fun _ -> Prims.l_True) - /// Decapsulate ML-KEM 1024 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`]. @@ -35,6 +28,13 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `Some(public_key)` if valid, and `None` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))) + Prims.l_True + (fun _ -> Prims.l_True) + let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst index d2950b172..92509e13b 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst @@ -3,21 +3,6 @@ module Libcrux_ml_kem.Mlkem1024.Portable open Core open FStar.Mul -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = - if - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 4) - (sz 1536) - (sz 1568) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - else - Core.Option.Option_None - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) @@ -43,6 +28,21 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 128) randomness +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = + if + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 4) + (sz 1536) + (sz 1568) + public_key.Libcrux_ml_kem.Types.f_value + then + Core.Option.Option_Some public_key + <: + Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + else + Core.Option.Option_None + <: + Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + let encapsulate_unpacked (public_key: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti index 6d42b3e47..8397ad5eb 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti @@ -3,13 +3,6 @@ module Libcrux_ml_kem.Mlkem1024.Portable open Core open FStar.Mul -/// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))) - Prims.l_True - (fun _ -> Prims.l_True) - /// Decapsulate ML-KEM 1024 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`]. @@ -35,6 +28,13 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `Some(public_key)` if valid, and `None` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))) + Prims.l_True + (fun _ -> Prims.l_True) + let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst index 7d832fab7..ae991e1ab 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst @@ -3,21 +3,6 @@ module Libcrux_ml_kem.Mlkem1024 open Core open FStar.Mul -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = - if - Libcrux_ml_kem.Ind_cca.Multiplexing.validate_public_key (sz 4) - (sz 1536) - (sz 1568) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - else - Core.Option.Option_None - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) @@ -54,3 +39,18 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = in let _:Prims.unit = admit () (* Panic freedom *) in result + +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = + if + Libcrux_ml_kem.Ind_cca.Multiplexing.validate_public_key (sz 4) + (sz 1536) + (sz 1568) + public_key.Libcrux_ml_kem.Types.f_value + then + Core.Option.Option_Some public_key + <: + Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + else + Core.Option.Option_None + <: + Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti index d15ce31bd..fd793d70a 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti @@ -62,13 +62,6 @@ let v_CPA_PKE_CIPHERTEXT_SIZE_1024_: usize = v_C1_SIZE_1024_ +! v_C2_SIZE_1024_ let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_1024_ -/// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))) - Prims.l_True - (fun _ -> Prims.l_True) - /// Decapsulate ML-KEM 1024 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`]. @@ -117,3 +110,10 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) Spec.MLKEM.Instances.mlkem1024_generate_keypair randomness in valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key)) + +/// Validate a public key. +/// Returns `Some(public_key)` if valid, and `None` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst index e39107954..84c164f5d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst @@ -3,19 +3,6 @@ module Libcrux_ml_kem.Mlkem512.Avx2 open Core open FStar.Mul -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = - if - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 2) - (sz 768) - (sz 800) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - else - Core.Option.Option_None <: Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) @@ -41,6 +28,19 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 192) randomness +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = + if + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 2) + (sz 768) + (sz 800) + public_key.Libcrux_ml_kem.Types.f_value + then + Core.Option.Option_Some public_key + <: + Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + else + Core.Option.Option_None <: Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + let encapsulate_unpacked (public_key: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti index 1a2c2f239..222fdaf4d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti @@ -3,13 +3,6 @@ module Libcrux_ml_kem.Mlkem512.Avx2 open Core open FStar.Mul -/// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))) - Prims.l_True - (fun _ -> Prims.l_True) - /// Decapsulate ML-KEM 512 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. @@ -35,6 +28,13 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `Some(public_key)` if valid, and `None` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))) + Prims.l_True + (fun _ -> Prims.l_True) + let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst index 7dcbffd48..103a0efc1 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst @@ -3,19 +3,6 @@ module Libcrux_ml_kem.Mlkem512.Neon open Core open FStar.Mul -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = - if - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 2) - (sz 768) - (sz 800) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - else - Core.Option.Option_None <: Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) @@ -41,6 +28,19 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 192) randomness +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = + if + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 2) + (sz 768) + (sz 800) + public_key.Libcrux_ml_kem.Types.f_value + then + Core.Option.Option_Some public_key + <: + Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + else + Core.Option.Option_None <: Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + let encapsulate_unpacked (public_key: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti index 3696ab7e7..0bb4a418a 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti @@ -3,13 +3,6 @@ module Libcrux_ml_kem.Mlkem512.Neon open Core open FStar.Mul -/// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))) - Prims.l_True - (fun _ -> Prims.l_True) - /// Decapsulate ML-KEM 512 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. @@ -35,6 +28,13 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `Some(public_key)` if valid, and `None` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))) + Prims.l_True + (fun _ -> Prims.l_True) + let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst index 559752b4d..d71d18276 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst @@ -3,19 +3,6 @@ module Libcrux_ml_kem.Mlkem512.Portable open Core open FStar.Mul -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = - if - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 2) - (sz 768) - (sz 800) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - else - Core.Option.Option_None <: Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) @@ -41,6 +28,19 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 192) randomness +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = + if + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 2) + (sz 768) + (sz 800) + public_key.Libcrux_ml_kem.Types.f_value + then + Core.Option.Option_Some public_key + <: + Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + else + Core.Option.Option_None <: Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + let encapsulate_unpacked (public_key: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti index 02edf609b..f238d623b 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti @@ -3,13 +3,6 @@ module Libcrux_ml_kem.Mlkem512.Portable open Core open FStar.Mul -/// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))) - Prims.l_True - (fun _ -> Prims.l_True) - /// Decapsulate ML-KEM 512 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. @@ -35,6 +28,13 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `Some(public_key)` if valid, and `None` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))) + Prims.l_True + (fun _ -> Prims.l_True) + let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst index 522183ced..3e97c4564 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst @@ -3,19 +3,6 @@ module Libcrux_ml_kem.Mlkem512 open Core open FStar.Mul -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = - if - Libcrux_ml_kem.Ind_cca.Multiplexing.validate_public_key (sz 2) - (sz 768) - (sz 800) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - else - Core.Option.Option_None <: Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) @@ -52,3 +39,16 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = in let _:Prims.unit = admit () (* Panic freedom *) in result + +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = + if + Libcrux_ml_kem.Ind_cca.Multiplexing.validate_public_key (sz 2) + (sz 768) + (sz 800) + public_key.Libcrux_ml_kem.Types.f_value + then + Core.Option.Option_Some public_key + <: + Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + else + Core.Option.Option_None <: Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti index da439bfc4..ef6a7c30f 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti @@ -37,13 +37,6 @@ let v_VECTOR_U_COMPRESSION_FACTOR_512_: usize = sz 10 let v_VECTOR_V_COMPRESSION_FACTOR_512_: usize = sz 4 -/// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))) - Prims.l_True - (fun _ -> Prims.l_True) - /// Decapsulate ML-KEM 512 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. @@ -92,3 +85,10 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) Spec.MLKEM.Instances.mlkem512_generate_keypair randomness in valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key)) + +/// Validate a public key. +/// Returns `Some(public_key)` if valid, and `None` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst index b32adb8db..aa6931d6c 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst @@ -3,21 +3,6 @@ module Libcrux_ml_kem.Mlkem768.Avx2 open Core open FStar.Mul -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = - if - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 3) - (sz 1152) - (sz 1184) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - else - Core.Option.Option_None - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) @@ -43,6 +28,21 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 128) randomness +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = + if + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 3) + (sz 1152) + (sz 1184) + public_key.Libcrux_ml_kem.Types.f_value + then + Core.Option.Option_Some public_key + <: + Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + else + Core.Option.Option_None + <: + Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + let encapsulate_unpacked (public_key: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti index d671b9c1a..dbf416647 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti @@ -3,13 +3,6 @@ module Libcrux_ml_kem.Mlkem768.Avx2 open Core open FStar.Mul -/// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))) - Prims.l_True - (fun _ -> Prims.l_True) - /// Decapsulate ML-KEM 768 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. @@ -35,6 +28,13 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `Some(public_key)` if valid, and `None` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))) + Prims.l_True + (fun _ -> Prims.l_True) + let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst index e545a7f2f..2846f5a89 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst @@ -3,21 +3,6 @@ module Libcrux_ml_kem.Mlkem768.Neon open Core open FStar.Mul -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = - if - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 3) - (sz 1152) - (sz 1184) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - else - Core.Option.Option_None - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) @@ -43,6 +28,21 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 128) randomness +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = + if + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 3) + (sz 1152) + (sz 1184) + public_key.Libcrux_ml_kem.Types.f_value + then + Core.Option.Option_Some public_key + <: + Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + else + Core.Option.Option_None + <: + Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + let encapsulate_unpacked (public_key: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti index 30db4218e..d9968514d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti @@ -3,13 +3,6 @@ module Libcrux_ml_kem.Mlkem768.Neon open Core open FStar.Mul -/// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))) - Prims.l_True - (fun _ -> Prims.l_True) - /// Decapsulate ML-KEM 768 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. @@ -35,6 +28,13 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `Some(public_key)` if valid, and `None` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))) + Prims.l_True + (fun _ -> Prims.l_True) + let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst index 3fa0c8aef..2f77deb3b 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst @@ -3,21 +3,6 @@ module Libcrux_ml_kem.Mlkem768.Portable open Core open FStar.Mul -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = - if - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 3) - (sz 1152) - (sz 1184) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - else - Core.Option.Option_None - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) @@ -43,6 +28,21 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 128) randomness +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = + if + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 3) + (sz 1152) + (sz 1184) + public_key.Libcrux_ml_kem.Types.f_value + then + Core.Option.Option_Some public_key + <: + Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + else + Core.Option.Option_None + <: + Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + let encapsulate_unpacked (public_key: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti index 574a4c120..0edff9a45 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti @@ -3,13 +3,6 @@ module Libcrux_ml_kem.Mlkem768.Portable open Core open FStar.Mul -/// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))) - Prims.l_True - (fun _ -> Prims.l_True) - /// Decapsulate ML-KEM 768 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. @@ -35,6 +28,13 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `Some(public_key)` if valid, and `None` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))) + Prims.l_True + (fun _ -> Prims.l_True) + let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst index 35e4320cf..3fa153282 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst @@ -3,21 +3,6 @@ module Libcrux_ml_kem.Mlkem768 open Core open FStar.Mul -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = - if - Libcrux_ml_kem.Ind_cca.Multiplexing.validate_public_key (sz 3) - (sz 1152) - (sz 1184) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - else - Core.Option.Option_None - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) @@ -54,3 +39,18 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = in let _:Prims.unit = admit () (* Panic freedom *) in result + +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = + if + Libcrux_ml_kem.Ind_cca.Multiplexing.validate_public_key (sz 3) + (sz 1152) + (sz 1184) + public_key.Libcrux_ml_kem.Types.f_value + then + Core.Option.Option_Some public_key + <: + Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + else + Core.Option.Option_None + <: + Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti index a793a2287..9e2339b6f 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti @@ -62,13 +62,6 @@ let v_CPA_PKE_CIPHERTEXT_SIZE_768_: usize = v_C1_SIZE_768_ +! v_C2_SIZE_768_ let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_768_ -/// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))) - Prims.l_True - (fun _ -> Prims.l_True) - /// Decapsulate ML-KEM 768 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. @@ -117,3 +110,10 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) Spec.MLKEM.Instances.mlkem768_generate_keypair randomness in valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key)) + +/// Validate a public key. +/// Returns `Some(public_key)` if valid, and `None` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst index dc40a8552..b0c0cc4cb 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst @@ -2,7 +2,6 @@ module Libcrux_ml_kem.Vector.Avx2.Serialize #set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul -#push-options "--ext context_pruning" let _ = (* This module has implicit dependencies, here we make them explicit. *) @@ -10,12 +9,7 @@ let _ = let open Libcrux_ml_kem.Vector.Portable in () -// open FStar.Tactics -// open Tactics.Utils - -#push-options "--compat_pre_core 2" -// [@@Tactics.postprocess_with (fun _ -> norm [delta_only [`%Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16]]; fail "x")] -let deserialize_1_ (bytes: t_Slice u8 {Seq.length bytes == 2}) = +let deserialize_1_ (bytes: t_Slice u8) = let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 1 ] <: u8) <: i16) @@ -27,58 +21,58 @@ let deserialize_1_ (bytes: t_Slice u8 {Seq.length bytes == 2}) = (cast (bytes.[ sz 0 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16) in - let shift_lsb_to_msb:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < - light_norm (); - // norm index rewrites `Seq.index (Seq.seq_of_list ...) N` or - // `List.Tot.index ... N` when we have list literals - Tactics.Seq.norm_index (); - // Reduce more aggressively - norm [iota; primops; zeta_full; - delta_namespace [ - "FStar"; - "BitVec"; - ]; unascribe - ]; - // Rewrite and normalize machine integers, hopefully in ints - Tactics.MachineInts.(transform norm_machine_int_term); - // norm: primops to get rid of >=, <=, +, *, -, etc. - // zeta delta iota: normalize bitvectors - norm [iota; primops; zeta; delta]; - dump' "Goal:"; - // ask the smt to solve now - smt_sync () - )) - ); + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < + (); + (let open FStar.Tactics in + let open Tactics.Utils in + let light_norm () = + norm [ + iota; + primops; + delta_namespace [ + `%cast; + `%cast_tc_integers; + `%bit_vec_of_int_t_array; + `%Rust_primitives.Hax.array_of_list; + "FStar.FunctionalExtensionality"; + `%bits; + `%Lib.IntTypes.bits + ] + ] + in + light_norm (); + prove_forall_nat_pointwise (print_time "SMT query succeeded in " + (fun _ -> + light_norm (); + Tactics.Seq.norm_index (); + norm [ + iota; + primops; + zeta_full; + delta_namespace ["FStar"; "BitVec"]; + unascribe + ]; + (let open Tactics.MachineInts in transform norm_machine_int_term); + norm [iota; primops; zeta; delta]; + dump' "Goal:"; + smt_sync ())))) + in result let deserialize_10_ (bytes: t_Slice u8) = @@ -198,7 +192,6 @@ let deserialize_12_ (bytes: t_Slice u8) = Libcrux_intrinsics.Avx2_extract.t_Vec256) let deserialize_4_ (bytes: t_Slice u8) = - assume (Seq.length bytes == 8); let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (cast (bytes.[ sz 7 ] <: u8) <: i16) (cast (bytes.[ sz 7 ] <: u8) <: i16) (cast (bytes.[ sz 6 ] <: u8) <: i16) @@ -211,53 +204,70 @@ let deserialize_4_ (bytes: t_Slice u8) = (cast (bytes.[ sz 0 ] <: u8) <: i16) in let coefficients_in_msb:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < - light_norm (); - Tactics.Seq.norm_index (); - norm [iota; primops; zeta_full; - delta_namespace [ - "FStar"; - "BitVec"; - ]; unascribe - ]; - Tactics.MachineInts.(transform norm_machine_int_term); - norm [iota; primops; zeta_full; - delta_namespace [ - "FStar"; - "BitVec"; - ]; unascribe - ]; - dump' "Goal:"; - smt_sync () - )) - ); + let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients_in_lsb + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 ((1s < + (); + (let open FStar.Tactics in + let open Tactics.Utils in + let light_norm () = + norm [ + iota; + primops; + delta_namespace [ + `%cast; + `%cast_tc_integers; + `%bit_vec_of_int_t_array; + `%Rust_primitives.Hax.array_of_list; + "FStar.FunctionalExtensionality"; + `%bits; + `%Lib.IntTypes.bits + ] + ] + in + light_norm (); + prove_forall_nat_pointwise (print_time "SMT query succeeded in " + (fun _ -> + light_norm (); + Tactics.Seq.norm_index (); + norm [ + iota; + primops; + zeta_full; + delta_namespace ["FStar"; "BitVec"]; + unascribe + ]; + (let open Tactics.MachineInts in transform norm_machine_int_term); + norm [ + iota; + primops; + zeta_full; + delta_namespace ["FStar"; "BitVec"]; + unascribe + ]; + dump' "Goal:"; + smt_sync ())))) + in result let deserialize_5_ (bytes: t_Slice u8) = @@ -293,7 +303,6 @@ let deserialize_5_ (bytes: t_Slice u8) = in Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 11l coefficients - let serialize_1_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let lsb_to_msb:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_slli_epi16 15l vector @@ -308,53 +317,58 @@ let serialize_1_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = Libcrux_intrinsics.Avx2_extract.mm_packs_epi16 low_msbs high_msbs in let bits_packed:i32 = Libcrux_intrinsics.Avx2_extract.mm_movemask_epi8 msbs in - let list = [cast (bits_packed <: i32) <: u8; cast (bits_packed >>! 8l <: i32) <: u8] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); - let result: t_Array u8 (sz 2) = Rust_primitives.Hax.array_of_list 2 list in - let bv = bit_vec_of_int_t_array result 8 in - assert (forall (i: nat {i < 16}). bv i == vector (i * 16)) by ( - let open FStar.Tactics in - let open Tactics.Utils in - prove_forall_nat_pointwise (print_time "SMT query succeeded in " (fun _ -> - let light_norm () = - // get rid of indirections (array_of_list, funext, casts, etc.) - norm [ iota; primops - ; delta_only [ - `%cast; `%cast_tc_integers - ; `%bit_vec_of_int_t_array - ; `%Rust_primitives.Hax.array_of_list - ; `%FunctionalExtensionality.on - ; `%bits;`%Lib.IntTypes.bits - ] - ] in - light_norm (); - // normalize List.index / Seq.index when we have literals - Tactics.Seq.norm_index (); - // here, we need to take care of (1) the cast and (2) the shift - // (introduced in `list`) and (3) bv<->i16 indirection - // introduced by `bit_vec_to_int_t`. Thus, we repeat the tactic - // three times. It's basically the same thing. - let _ = repeatn 3 (fun _ -> - // Try to rewrite any subterm using the following three lemmas (corresponding to (1) (3) and (2)) - l_to_r[`BitVec.Utils.rw_get_bit_cast; `bit_vec_to_int_t_lemma; `BitVec.Utils.rw_get_bit_shr]; - // get rid of useless indirections - light_norm (); - // after using those lemmas, more mk_int and v appears, let's get rid of those - Tactics.MachineInts.(transform norm_machine_int_term); - // Special treatment for case (3) - norm [primops; iota; zeta_full; delta_only [ - `%BitVec.Intrinsics.mm_movemask_epi8; - ]] - ) in - // Now we normalize away all the FunExt / mk_bv terms - norm [primops; iota; zeta_full; delta_namespace ["BitVec"; "FStar"]]; - // Ask the SMT to solve now - // dump' "Goal:"; - smt_sync (); - // dump' "Success"; - smt () - )) - ); + let result:t_Array u8 (sz 2) = + let list = [cast (bits_packed <: i32) <: u8; cast (bits_packed >>! 8l <: i32) <: u8] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); + Rust_primitives.Hax.array_of_list 2 list + in + let _:Prims.unit = + let bv = bit_vec_of_int_t_array result 8 in + FStar.Tactics.Effect.assert_by_tactic (forall (i: nat{i < 16}). bv i == vector (i * 16)) + (fun _ -> + (); + (let open FStar.Tactics in + let open Tactics.Utils in + prove_forall_nat_pointwise (print_time "SMT query succeeded in " + (fun _ -> + let light_norm () = + norm [ + iota; + primops; + delta_only [ + `%cast; + `%cast_tc_integers; + `%bit_vec_of_int_t_array; + `%Rust_primitives.Hax.array_of_list; + `%FunctionalExtensionality.on; + `%bits; + `%Lib.IntTypes.bits + ] + ] + in + light_norm (); + Tactics.Seq.norm_index (); + let _ = + repeatn 3 + (fun _ -> + l_to_r [ + `BitVec.Utils.rw_get_bit_cast; + `bit_vec_to_int_t_lemma; + `BitVec.Utils.rw_get_bit_shr + ]; + light_norm (); + (let open Tactics.MachineInts in transform norm_machine_int_term); + norm [ + primops; + iota; + zeta_full; + delta_only [`%BitVec.Intrinsics.mm_movemask_epi8] + ]) + in + norm [primops; iota; zeta_full; delta_namespace ["BitVec"; "FStar"]]; + smt_sync (); + smt ())))) + in result let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = @@ -600,95 +614,6 @@ let serialize_5_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: Core.Result.t_Result (t_Array u8 (sz 10)) Core.Array.t_TryFromSliceError) -let dummy_lemma n f: Lemma (BitVec.Intrinsics.forall_bool #n f == true) = admit () - -let suppose_false (scrut: bool) (arm_true arm_false: bit) - : Lemma - (requires not scrut) - (ensures (match scrut with true -> arm_true | false -> arm_false) == arm_false) - = () - -#push-options "--print_implicits" -let serialize_4__ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in - let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 vector - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < i % 16 < 4 || vector i = 0)); - assert (forall (i: nat {i < 64}). - combined i == vector ((i / 4) * 16 + i % 4) - ) by ( - let open FStar.Tactics in - let open Tactics.Utils in - // unfold wrappers - norm [primops; iota; zeta; delta_namespace [ - `%BitVec.Intrinsics.mm256_shuffle_epi8; - `%BitVec.Intrinsics.mm256_permutevar8x32_epi32; - `%BitVec.Intrinsics.mm256_madd_epi16; - `%BitVec.Intrinsics.mm256_castsi256_si128; - "BitVec.Utils"; - ]]; - prove_forall_nat_pointwise (print_time "SMT query succeeded in " (fun _ -> - let reduce t = - norm [primops; iota; zeta_full; delta_namespace [ - "FStar.FunctionalExtensionality"; - t; - `%BitVec.Utils.mk_bv; - `%( + ); `%op_Subtraction; `%( / ); `%( * ); `%( % ) - ]]; - norm [primops; iota; zeta_full; delta_namespace [ - "FStar.List.Tot"; `%( + ); `%op_Subtraction; `%( / ); `%( * ); `%( % ) - ]] - in - reduce (`%BitVec.Intrinsics.mm256_permutevar8x32_epi32_i32); - reduce (`%BitVec.Intrinsics.mm256_shuffle_epi8_i8); - reduce (`%BitVec.Intrinsics.mm256_madd_epi16_specialized); - grewrite (quote (BitVec.Intrinsics.forall_bool #256 (fun i -> i % 16 < 4 || op_Equality #int (vector i) 0))) (`true); - flip (); smt (); - reduce (`%BitVec.Intrinsics.mm256_madd_epi16_specialized'); - trivial () - )) - ); - combined - // let serialized:t_Array u8 (sz 16) = - // Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 serialized combined - // in - // Core.Result.impl__unwrap #(t_Array u8 (sz 8)) - // #Core.Array.t_TryFromSliceError - // (Core.Convert.f_try_into #(t_Slice u8) - // #(t_Array u8 (sz 8)) - // #FStar.Tactics.Typeclasses.solve - // (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 8 } - // <: - // Core.Ops.Range.t_Range usize ] - // <: - // t_Slice u8) - // <: - // Core.Result.t_Result (t_Array u8 (sz 8)) Core.Array.t_TryFromSliceError) - - let serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = @@ -716,6 +641,69 @@ let serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let combined:Libcrux_intrinsics.Avx2_extract.t_Vec128 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 combined in + let _:Prims.unit = + FStar.Tactics.Effect.assert_by_tactic (forall (i: nat{i < 64}). + combined i == vector ((i / 4) * 16 + i % 4)) + (fun _ -> + (); + (let open FStar.Tactics in + let open Tactics.Utils in + norm [ + primops; + iota; + zeta; + delta_namespace [ + `%BitVec.Intrinsics.mm256_shuffle_epi8; + `%BitVec.Intrinsics.mm256_permutevar8x32_epi32; + `%BitVec.Intrinsics.mm256_madd_epi16; + `%BitVec.Intrinsics.mm256_castsi256_si128; + "BitVec.Utils" + ] + ]; + prove_forall_nat_pointwise (print_time "SMT query succeeded in " + (fun _ -> + let reduce t = + norm [ + primops; + iota; + zeta_full; + delta_namespace [ + "FStar.FunctionalExtensionality"; + t; + `%BitVec.Utils.mk_bv; + `%( + ); + `%op_Subtraction; + `%( / ); + `%( * ); + `%( % ) + ] + ]; + norm [ + primops; + iota; + zeta_full; + delta_namespace [ + "FStar.List.Tot"; + `%( + ); + `%op_Subtraction; + `%( / ); + `%( * ); + `%( % ) + ] + ] + in + reduce (`%BitVec.Intrinsics.mm256_permutevar8x32_epi32_i32); + reduce (`%BitVec.Intrinsics.mm256_shuffle_epi8_i8); + reduce (`%BitVec.Intrinsics.mm256_madd_epi16_specialized); + grewrite (quote + (BitVec.Intrinsics.forall_bool #256 + (fun i -> i % 16 < 4 || op_Equality #int (vector i) 0))) + (`true); + flip (); + smt (); + reduce (`%BitVec.Intrinsics.mm256_madd_epi16_specialized'); + trivial ())))) + in let serialized:t_Array u8 (sz 16) = Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 serialized combined in diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fsti index 259bbee63..2b90d7374 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fsti @@ -19,7 +19,9 @@ val deserialize_12_ (bytes: t_Slice u8) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val deserialize_4_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 + (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 8) + (fun _ -> Prims.l_True) val deserialize_5_ (bytes: t_Slice u8) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) @@ -37,7 +39,9 @@ val serialize_5_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) val serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (t_Array u8 (sz 8)) + (requires BitVec.Intrinsics.forall_bool #256 (fun i -> i % 16 < 4 || vector i = 0)) + (fun _ -> Prims.l_True) val deserialize_11_ (bytes: t_Slice u8) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst index eed6ec9d6..b676b472e 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst @@ -244,6 +244,127 @@ let serialize_5_int (v: t_Slice i16) = in r0, r1, r2, r3, r4 <: (u8 & u8 & u8 & u8 & u8) +let deserialize_11_ (bytes: t_Slice u8) = + let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = + deserialize_11_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 11 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + in + let v8_15_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = + deserialize_11_int (bytes.[ { Core.Ops.Range.f_start = sz 11; Core.Ops.Range.f_end = sz 22 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + in + { + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + let list = + [ + v0_7_._1; v0_7_._2; v0_7_._3; v0_7_._4; v0_7_._5; v0_7_._6; v0_7_._7; v0_7_._8; v8_15_._1; + v8_15_._2; v8_15_._3; v8_15_._4; v8_15_._5; v8_15_._6; v8_15_._7; v8_15_._8 + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + +let deserialize_5_ (bytes: t_Slice u8) = + let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = + deserialize_5_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 5 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + in + let v8_15_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = + deserialize_5_int (bytes.[ { Core.Ops.Range.f_start = sz 5; Core.Ops.Range.f_end = sz 10 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + in + { + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + let list = + [ + v0_7_._1; v0_7_._2; v0_7_._3; v0_7_._4; v0_7_._5; v0_7_._6; v0_7_._7; v0_7_._8; v8_15_._1; + v8_15_._2; v8_15_._3; v8_15_._4; v8_15_._5; v8_15_._6; v8_15_._7; v8_15_._8 + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + +let serialize_11_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let r0_10_:(u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8) = + serialize_11_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 8 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16) + in + let r11_21_:(u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8) = + serialize_11_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 8; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16) + in + let list = + [ + r0_10_._1; r0_10_._2; r0_10_._3; r0_10_._4; r0_10_._5; r0_10_._6; r0_10_._7; r0_10_._8; + r0_10_._9; r0_10_._10; r0_10_._11; r11_21_._1; r11_21_._2; r11_21_._3; r11_21_._4; r11_21_._5; + r11_21_._6; r11_21_._7; r11_21_._8; r11_21_._9; r11_21_._10; r11_21_._11 + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 22); + Rust_primitives.Hax.array_of_list 22 list + +let serialize_5_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let r0_4_:(u8 & u8 & u8 & u8 & u8) = + serialize_5_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 8 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16) + in + let r5_9_:(u8 & u8 & u8 & u8 & u8) = + serialize_5_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 8; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16) + in + let list = + [ + r0_4_._1; r0_4_._2; r0_4_._3; r0_4_._4; r0_4_._5; r5_9_._1; r5_9_._2; r5_9_._3; r5_9_._4; + r5_9_._5 + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 10); + Rust_primitives.Hax.array_of_list 10 list + let deserialize_1_ (v: t_Slice u8) = let result0:i16 = cast ((v.[ sz 0 ] <: u8) &. 1uy <: u8) <: i16 in let result1:i16 = cast (((v.[ sz 0 ] <: u8) >>! 1l <: u8) &. 1uy <: u8) <: i16 in @@ -348,36 +469,6 @@ let deserialize_10_lemma inputs = #pop-options -let deserialize_11_ (bytes: t_Slice u8) = - let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = - deserialize_11_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 11 } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - in - let v8_15_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = - deserialize_11_int (bytes.[ { Core.Ops.Range.f_start = sz 11; Core.Ops.Range.f_end = sz 22 } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - in - { - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - let list = - [ - v0_7_._1; v0_7_._2; v0_7_._3; v0_7_._4; v0_7_._5; v0_7_._6; v0_7_._7; v0_7_._8; v8_15_._1; - v8_15_._2; v8_15_._3; v8_15_._4; v8_15_._5; v8_15_._6; v8_15_._7; v8_15_._8 - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); - Rust_primitives.Hax.array_of_list 16 list - } - <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - let deserialize_12_ (bytes: t_Slice u8) = let v0_1_:(i16 & i16) = deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 3 } @@ -522,36 +613,6 @@ let deserialize_4_lemma inputs = #pop-options -let deserialize_5_ (bytes: t_Slice u8) = - let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = - deserialize_5_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 5 } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - in - let v8_15_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = - deserialize_5_int (bytes.[ { Core.Ops.Range.f_start = sz 5; Core.Ops.Range.f_end = sz 10 } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - in - { - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - let list = - [ - v0_7_._1; v0_7_._2; v0_7_._3; v0_7_._4; v0_7_._5; v0_7_._6; v0_7_._7; v0_7_._8; v8_15_._1; - v8_15_._2; v8_15_._3; v8_15_._4; v8_15_._5; v8_15_._6; v8_15_._7; v8_15_._8 - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); - Rust_primitives.Hax.array_of_list 16 list - } - <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - let serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = let result0:u8 = (((((((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 0 ] <: i16) <: u8) |. @@ -742,37 +803,6 @@ let serialize_10_lemma inputs = #pop-options -let serialize_11_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let r0_10_:(u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8) = - serialize_11_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = sz 8 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i16) - in - let r11_21_:(u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8) = - serialize_11_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { - Core.Ops.Range.f_start = sz 8; - Core.Ops.Range.f_end = sz 16 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i16) - in - let list = - [ - r0_10_._1; r0_10_._2; r0_10_._3; r0_10_._4; r0_10_._5; r0_10_._6; r0_10_._7; r0_10_._8; - r0_10_._9; r0_10_._10; r0_10_._11; r11_21_._1; r11_21_._2; r11_21_._3; r11_21_._4; r11_21_._5; - r11_21_._6; r11_21_._7; r11_21_._8; r11_21_._9; r11_21_._10; r11_21_._11 - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 22); - Rust_primitives.Hax.array_of_list 22 list - let serialize_12_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = let r0_2_:(u8 & u8 & u8) = serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { @@ -943,33 +973,3 @@ let serialize_4_lemma inputs = (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 4)) #pop-options - -let serialize_5_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let r0_4_:(u8 & u8 & u8 & u8 & u8) = - serialize_5_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = sz 8 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i16) - in - let r5_9_:(u8 & u8 & u8 & u8 & u8) = - serialize_5_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { - Core.Ops.Range.f_start = sz 8; - Core.Ops.Range.f_end = sz 16 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i16) - in - let list = - [ - r0_4_._1; r0_4_._2; r0_4_._3; r0_4_._4; r0_4_._5; r5_9_._1; r5_9_._2; r5_9_._3; r5_9_._4; - r5_9_._5 - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 10); - Rust_primitives.Hax.array_of_list 10 list diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fsti index 16fd7000e..856f8399d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fsti @@ -53,6 +53,22 @@ val serialize_5_int (v: t_Slice i16) (requires Core.Slice.impl__len #i16 v =. sz 8) (fun _ -> Prims.l_True) +val deserialize_11_ (bytes: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (requires Core.Slice.impl__len #u8 bytes =. sz 22) + (fun _ -> Prims.l_True) + +val deserialize_5_ (bytes: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (requires Core.Slice.impl__len #u8 bytes =. sz 10) + (fun _ -> Prims.l_True) + +val serialize_11_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_5_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) + val deserialize_1_ (v: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector (requires Core.Slice.impl__len #u8 v =. sz 2) @@ -69,11 +85,6 @@ val deserialize_10_ (bytes: t_Slice u8) val deserialize_10_lemma (inputs: t_Array u8 (sz 20)) : Lemma (ensures bit_vec_of_int_t_array (deserialize_10_ inputs).f_elements 10 == bit_vec_of_int_t_array inputs 8) -val deserialize_11_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Core.Slice.impl__len #u8 bytes =. sz 22) - (fun _ -> Prims.l_True) - val deserialize_12_ (bytes: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector (requires Core.Slice.impl__len #u8 bytes =. sz 24) @@ -90,11 +101,6 @@ val deserialize_4_ (bytes: t_Slice u8) val deserialize_4_lemma (inputs: t_Array u8 (sz 8)) : Lemma (ensures bit_vec_of_int_t_array (deserialize_4_ inputs).f_elements 4 == bit_vec_of_int_t_array inputs 8) -val deserialize_5_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Core.Slice.impl__len #u8 bytes =. sz 10) - (fun _ -> Prims.l_True) - val serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True) @@ -109,9 +115,6 @@ val serialize_10_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_Por (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 10)) (ensures bit_vec_of_int_t_array (serialize_10_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 10) -val serialize_11_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True) - val serialize_12_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True) @@ -125,6 +128,3 @@ val serialize_4_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector val serialize_4_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 4)) (ensures bit_vec_of_int_t_array (serialize_4_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 4) - -val serialize_5_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti index 1ab0710b5..6800ca944 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti @@ -30,7 +30,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Libcrux_ml_kem.Vector.Portable.Vector_type.to_i16_array x } -#push-options "--z3rlimit 400" +#push-options "--z3rlimit 200" [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_1: Libcrux_ml_kem.Vector.Traits.t_Operations From 48b0caaa63d17997d3cb37b5f9cced79efd9c1c3 Mon Sep 17 00:00:00 2001 From: Lucas Franceschino Date: Thu, 19 Sep 2024 11:33:10 +0200 Subject: [PATCH 10/19] Avx2.Serialize: verified --- libcrux-ml-kem/proofs/fstar/extraction/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Makefile b/libcrux-ml-kem/proofs/fstar/extraction/Makefile index d8a390871..28ef09d36 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Makefile +++ b/libcrux-ml-kem/proofs/fstar/extraction/Makefile @@ -1,4 +1,5 @@ SLOW_MODULES += Libcrux_ml_kem.Vector.Portable.Serialize.fst +SLOW_MODULES += Libcrux_ml_kem.Vector.Avx2.Serialize.fst ADMIT_MODULES = Libcrux_ml_kem.Ind_cca.Unpacked.fst \ Libcrux_ml_kem.Invert_ntt.fst \ @@ -8,7 +9,6 @@ ADMIT_MODULES = Libcrux_ml_kem.Ind_cca.Unpacked.fst \ Libcrux_ml_kem.Vector.Avx2.fst \ Libcrux_ml_kem.Vector.Avx2.Ntt.fst \ Libcrux_ml_kem.Vector.Avx2.Sampling.fst \ - Libcrux_ml_kem.Vector.Avx2.Serialize.fst \ Libcrux_ml_kem.Vector.Portable.Compress.fst \ Libcrux_ml_kem.Vector.Portable.Sampling.fst \ Libcrux_ml_kem.Vector.Portable.Vector_type.fst \ From aaee0796430a5157cce3854346ebe32e3e039fce Mon Sep 17 00:00:00 2001 From: Lucas Franceschino Date: Thu, 19 Sep 2024 13:11:16 +0200 Subject: [PATCH 11/19] fix specs --- libcrux-ml-kem/proofs/fstar/spec/Spec.Utils.fst | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libcrux-ml-kem/proofs/fstar/spec/Spec.Utils.fst b/libcrux-ml-kem/proofs/fstar/spec/Spec.Utils.fst index 7af93a429..e011d3f5f 100644 --- a/libcrux-ml-kem/proofs/fstar/spec/Spec.Utils.fst +++ b/libcrux-ml-kem/proofs/fstar/spec/Spec.Utils.fst @@ -208,10 +208,10 @@ val lemma_add_i16b (b1 b2:nat) (n1 n2:i16) : is_i16b (b1 + b2) (n1 +! n2))) let lemma_add_i16b (b1 b2:nat) (n1 n2:i16) = () - -#push-options "--z3rlimit 250" -let lemma_range_at_percent (v:int) (p:int{p>0/\ p%2=0 /\ v < p/2 /\ v >= -p / 2}): - Lemma (v @% p == v) = () +#push-options "--z3rlimit 50" +let lemma_range_at_percent (v:int) (p:int{p>0 /\ p%2=0 /\ v < p/2 /\ v >= -p / 2}): + Lemma (v @% p == v) = + if v % p >= p/2 then () else () #pop-options val lemma_sub_i16b (b1 b2:nat) (n1 n2:i16) : @@ -235,9 +235,9 @@ let mont_red_i32 (x:i32) : i16 = let vhigh = cast (x >>! 16l) <: i16 in vhigh -. k_times_modulus -#push-options "--z3rlimit 250" +#push-options "--z3rlimit 550" let lemma_at_percent_mod (v:int) (p:int{p>0/\ p%2=0}): - Lemma ((v @% p) % p == v % p) = () + Lemma ((v @% p) % p == v % p) = if v % p >= p/2 then () else () #pop-options let lemma_div_at_percent (v:int) (p:int{p>0/\ p%2=0 /\ (v/p) < p/2 /\ (v/p) >= -p / 2}): From f77fcb1a7e1f39914193637c3b1a0144e022e4ad Mon Sep 17 00:00:00 2001 From: Lucas Franceschino Date: Thu, 19 Sep 2024 14:04:56 +0200 Subject: [PATCH 12/19] fix specs --- libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Math.fst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Math.fst b/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Math.fst index dabcb0f5c..2da9b3af4 100644 --- a/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Math.fst +++ b/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Math.fst @@ -121,6 +121,7 @@ let poly_inv_ntt_step (a:field_element) (b:field_element) (i:nat{i < 128}) = let b = field_mul b_minus_a zetas.[sz i] in (a,b) +#push-options "--z3rlimit 150" let poly_inv_ntt_layer (p:polynomial) (l:nat{l > 0 /\ l < 8}) : polynomial = let len = pow2 l in let k = (256 / len) - 1 in @@ -130,6 +131,7 @@ let poly_inv_ntt_layer (p:polynomial) (l:nat{l > 0 /\ l < 8}) : polynomial = let (idx0, idx1) = if idx < len then (idx, idx+len) else (idx-len,idx) in let (a_ntt, b_ntt) = poly_inv_ntt_step p.[sz idx0] p.[sz idx1] (k - round) in if idx < len then a_ntt else b_ntt) +#pop-options val poly_inv_ntt: polynomial -> polynomial let poly_inv_ntt p = From fc84fe88d330ea590d3d4e87d2a111996310904b Mon Sep 17 00:00:00 2001 From: Lucas Franceschino Date: Wed, 25 Sep 2024 17:06:12 +0200 Subject: [PATCH 13/19] progress --- .../fstar-bitvec/BitVec.Intrinsics.fsti | 116 +- fstar-helpers/fstar-bitvec/BitVec.Utils.fst | 22 + .../Libcrux_intrinsics.Avx2_extract.fst | 1215 ++++++++++++++++- .../Libcrux_intrinsics.Avx2_extract.fsti | 32 +- libcrux-intrinsics/src/avx2_extract.rs | 13 + libcrux-ml-kem/hax.py | 1 + .../Libcrux_ml_kem.Vector.Avx2.Serialize.fst | 501 ++++--- .../Libcrux_ml_kem.Vector.Avx2.Serialize.fsti | 168 ++- libcrux-ml-kem/src/vector/avx2/serialize.rs | 665 ++++----- 9 files changed, 2112 insertions(+), 621 deletions(-) diff --git a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti index 6d866e472..a101013a6 100644 --- a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti +++ b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti @@ -8,22 +8,29 @@ open BitVec.Equality open Tactics.Utils (*** The intrinsics *) - let mm256_slli_epi16 (shift: i32 {v shift >= 0 /\ v shift <= 16}) (vec: bit_vec 256): bit_vec 256 = mk_bv (fun i -> let nth_bit = i % 16 in - if nth_bit >= v shift - then vec (i - v shift) - else 0) + if nth_bit >= v shift then vec (i - v shift) else 0) let mm256_srli_epi16 (shift: i32 {v shift >= 0 /\ v shift <= 16}) (vec: bit_vec 256): bit_vec 256 = mk_bv (fun i -> let nth_bit = i % 16 in if nth_bit < 16 - v shift then vec (i + v shift) else 0) +let mm256_srli_epi64 (shift: i32 {v shift >= 0 /\ v shift <= 64}) (vec: bit_vec 256): bit_vec 256 + = mk_bv (fun i -> let nth_bit = i % 64 in + if nth_bit < 64 - v shift then vec (i + v shift) else 0) + let mm256_castsi256_si128 (vec: bit_vec 256): bit_vec 128 = mk_bv (fun i -> vec i) let mm256_extracti128_si256 (control: i32{control == 1l}) (vec: bit_vec 256): bit_vec 128 = mk_bv (fun i -> vec (i + 128)) +let mm256_si256_from_two_si128 (lower upper: bit_vec 128): bit_vec 256 + = mk_bv (fun i -> if i < 128 then lower i else upper (i - 128)) + +let mm_loadu_si128 (bytes: t_Array u8 (sz 16)): bit_vec 128 + = mk_bv (fun i -> get_bit (Seq.index bytes (i / 8)) (sz (i % 8))) + let mm256_set_epi32 (x0 x1 x2 x3 x4 x5 x6 x7: i32) : bit_vec 256 = mk_bv (fun i -> @@ -43,6 +50,18 @@ let mm256_set_epi16 (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: i16) | 12 -> h x3 | 13 -> h x2 | 14 -> h x1 | 15 -> h x0 ) +let mm_set_epi8 + (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: u8) + : bit_vec 128 + = mk_bv (fun i -> + let h (x: u8) = get_bit x (sz (i % 8)) in + match i / 8 with + | 0 -> h x15 | 1 -> h x14 | 2 -> h x13 | 3 -> h x12 + | 4 -> h x11 | 5 -> h x10 | 6 -> h x9 | 7 -> h x8 + | 8 -> h x7 | 9 -> h x6 | 10 -> h x5 | 11 -> h x4 + | 12 -> h x3 | 13 -> h x2 | 14 -> h x1 | 15 -> h x0 + ) + let mm256_set_epi8 (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18 x19 x20 x21 x22 x23 x24 x25 x26 x27 x28 x29 x30 x31: i8) : bit_vec 256 @@ -61,12 +80,11 @@ let mm256_set_epi8 val mm256_set1_epi16_no_semantics: i16 -> bit_vec 256 let mm256_set1_epi16_pow2_minus_one (n: nat): bit_vec 256 - = mk_bv (fun i -> if i <= n then 1 else 0) + = mk_bv (fun i -> if i % 16 < n then 1 else 0) let mm256_and_si256 (x y: bit_vec 256): bit_vec 256 = mk_bv (fun i -> if y i = 0 then 0 else x i) - - + let mm256_set1_epi16 (constant: i16) (#[Tactics.exact (match unify_app (quote constant) (quote (fun n -> ((1s < `(mm256_set1_epi16_pow2_minus_one (`#x)) @@ -126,7 +144,7 @@ let mm256_mullo_epi16_specialized1 (a: bit_vec 256): bit_vec 256 = let shift = if nth_i16 >= 8 then 23 - nth_i16 else 15 - nth_i16 in if nth_bit >= shift then a (i - shift) else 0 ) - + // This is a very specialized version of mm256_mullo_epi16 let mm256_mullo_epi16_specialized2 (a: bit_vec 256): bit_vec 256 = mk_bv (fun i -> @@ -136,6 +154,15 @@ let mm256_mullo_epi16_specialized2 (a: bit_vec 256): bit_vec 256 = if nth_bit >= shift then a (i - shift) else 0 ) +// This is a very specialized version of mm256_mullo_epi16 +let mm256_mullo_epi16_specialized3 (a: bit_vec 256): bit_vec 256 = + mk_bv (fun i -> + let nth_bit = i % 16 in + let nth_i16 = i / 16 in + let shift = 6 - (nth_i16 % 4) * 2 in + if nth_bit >= shift then a (i - shift) else 0 + ) + // This term will be stuck, we don't know anything about it val mm256_mullo_epi16_no_semantics (a count: bit_vec 256): bit_vec 256 @@ -161,7 +188,15 @@ let mm256_mullo_epi16 | _ -> false then Tactics.exact (quote (mm256_mullo_epi16_specialized2 a)) else - Tactics.exact (quote (mm256_mullo_epi16_no_semantics a count)) + if match unify_app (quote count) (quote (fun x -> mm256_set_epi16 (1s < unquote x = 1s + | _ -> false + then Tactics.exact (quote (mm256_mullo_epi16_specialized3 a)) + else + Tactics.exact (quote (mm256_mullo_epi16_no_semantics a count)) )]result: bit_vec 256): bit_vec 256 = result let madd_rhs (n: nat {n < 16}) = @@ -212,12 +247,45 @@ let mm256_madd_epi16_specialized' (x: bit_vec 256) (n: nat {n < 16}): bit_vec 25 // the bit from `b` is in the second item of the pair `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` x (i - n + 16) ) - + +let mm256_concat_pairs_n + (n: u8 {v n < 16}) + (x: bit_vec 256 {forall (i: nat {i < 256}). i % 16 < v n || x i = 0}) = + mm256_madd_epi16_specialized' x (v n) + let mm256_madd_epi16_specialized (x: bit_vec 256) (n: nat {n < 16}) = if forall_bool (fun (i: nat {i < 256}) -> i % 16 < n || x i = 0) then mm256_madd_epi16_specialized' x n else mm256_madd_epi16_no_semantic x (madd_rhs n) +val mm_shuffle_epi8_no_semantics (a b: bit_vec 128): bit_vec 128 +let mm_shuffle_epi8_u8 (a: bit_vec 128) (b: list int {List.Tot.length b == 16}): bit_vec 128 = + mk_bv (fun i -> + let nth = i / 8 in + let index = List.Tot.index b (15 - nth) in + if index < 0 then 0 + else let index = index % 16 in + a (index * 8 + i % 8 + i / 128 * 128)) + +let mm_shuffle_epi8 + (x y: bit_vec 128) + (#[( + let t = match unify_app (quote y) + (quote (fun x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 -> + mm_set_epi8 + (UInt8.uint_to_t x0 ) (UInt8.uint_to_t x1 ) (UInt8.uint_to_t x2 ) (UInt8.uint_to_t x3 ) (UInt8.uint_to_t x4 ) (UInt8.uint_to_t x5 ) (UInt8.uint_to_t x6 ) (UInt8.uint_to_t x7 ) + (UInt8.uint_to_t x8 ) (UInt8.uint_to_t x9 ) (UInt8.uint_to_t x10) (UInt8.uint_to_t x11) (UInt8.uint_to_t x12) (UInt8.uint_to_t x13) (UInt8.uint_to_t x14) (UInt8.uint_to_t x15))) [] with + | Some [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15] -> + `(mm_shuffle_epi8_u8 (`@x) + (mk_list_16 + (`#x0 ) (`#x1 ) (`#x2 ) (`#x3 ) (`#x4 ) (`#x5 ) (`#x6 ) (`#x7 ) + (`#x8 ) (`#x9 ) (`#x10) (`#x11) (`#x12) (`#x13) (`#x14) (`#x15))) + | _ -> quote (mm_shuffle_epi8_no_semantics x y) in + exact t + )]result: bit_vec 128) + : bit_vec 128 + = result + val mm256_shuffle_epi8_no_semantics (a b: bit_vec 256): bit_vec 256 let mm256_shuffle_epi8_i8 (a: bit_vec 256) (b: list _ {List.Tot.length b == 32}): bit_vec 256 = mk_bv (fun i -> @@ -274,6 +342,30 @@ let mm256_permutevar8x32_epi32 : bit_vec 256 = result +val mm256_sllv_epi32_no_semantics (x y: bit_vec 256): bit_vec 256 +let mm256_sllv_epi32_i32 (vec: bit_vec 256) (counts: list _ {List.Tot.length counts == 8}): bit_vec 256 + = mk_bv (fun i -> let nth_bit = i % 32 in + let shift = List.Tot.index counts (7 - i / 32) in + if shift >= 0 && nth_bit >= shift then vec (i - shift) else 0) + +let mm256_sllv_epi32 + (x y: bit_vec 256) + (#[( + let t = match unify_app (quote y) + (quote (fun x0 x1 x2 x3 x4 x5 x6 x7 -> + mm256_set_epi32 + (Int32.int_to_t x0) (Int32.int_to_t x1) (Int32.int_to_t x2) (Int32.int_to_t x3) + (Int32.int_to_t x4) (Int32.int_to_t x5) (Int32.int_to_t x6) (Int32.int_to_t x7))) [] with + | Some [x0;x1;x2;x3;x4;x5;x6;x7] -> + `(mm256_sllv_epi32_i32 (`@x) + (mk_list_8 (`#x0 ) (`#x1 ) (`#x2 ) (`#x3 ) (`#x4 ) (`#x5 ) (`#x6 ) (`#x7 ))) + | _ -> quote (mm256_sllv_epi32_no_semantics x y) in + exact t + )]result: bit_vec 256) + : bit_vec 256 + = result + + let mm256_madd_epi16 (x y: bit_vec 256) (#[( @@ -285,7 +377,9 @@ let mm256_madd_epi16 : bit_vec 256 = result -val mm_storeu_bytes_si128 (_output: t_Slice u8) (vec: bit_vec 128): t_Slice u8 +val mm_storeu_bytes_si128 (_output: t_Slice u8) (vec: bit_vec 128) + // : r: t_Array u8 (sz 16) {forall i. vec i == get_bit (Seq.index r (i / 8)) (sz (i % 8))} + : r: t_Array u8 (sz 16) {forall i. vec i == bit_vec_of_int_t_array r 8 i} open FStar.Stubs.Tactics.V2.Builtins open FStar.Stubs.Tactics.V2 diff --git a/fstar-helpers/fstar-bitvec/BitVec.Utils.fst b/fstar-helpers/fstar-bitvec/BitVec.Utils.fst index 360b2424e..d5fc1de31 100644 --- a/fstar-helpers/fstar-bitvec/BitVec.Utils.fst +++ b/fstar-helpers/fstar-bitvec/BitVec.Utils.fst @@ -13,6 +13,12 @@ let mk_list_32 #a (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 assert_norm (List.Tot.length l == 32); l +let mk_list_16 #a (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: a) + : (l:list a {List.Tot.length l == 16}) + = let l = [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15] in + assert_norm (List.Tot.length l == 16); + l + let mk_list_8 #a (x0 x1 x2 x3 x4 x5 x6 x7: a) : (l:list a {List.Tot.length l == 8}) = let l = [x0;x1;x2;x3;x4;x5;x6;x7] in @@ -35,3 +41,19 @@ let rw_get_bit_shr #t #u (x: int_t t) (y: int_t u) (i: usize {v i < bits t}) then get_bit x (mk_int (bits t - 1)) else 0)) = () + +unfold type forall_sig (n: nat) = pred: ((i:nat{i < n}) -> bool) + -> r: bool {r <==> (forall i. pred i)} + +let forall8: forall_sig 8 = fun pred -> pred 0 && pred 1 && pred 2 && pred 3 + && pred 4 && pred 5 && pred 6 && pred 7 + +#push-options "--z3rlimit 400" +let forall16: forall_sig 16 = fun pred -> forall8 pred && forall8 (fun i -> pred (i + 8)) +let forall32: forall_sig 32 = fun pred -> forall16 pred && forall16 (fun i -> pred (i + 16)) +let forall64: forall_sig 64 = fun pred -> forall32 pred && forall32 (fun i -> pred (i + 32)) +let forall128: forall_sig 128 = fun pred -> forall64 pred && forall64 (fun i -> pred (i + 64)) +let forall256: forall_sig 256 = fun pred -> forall128 pred && forall128 (fun i -> pred (i + 128)) +#pop-options + +let forall_n (n:nat{n <= 256}): forall_sig n = fun pred -> forall256 (fun i -> if i < n then pred i else true) diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst index 0428a32bc..167d0b324 100644 --- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst +++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst @@ -3,9 +3,1212 @@ module Libcrux_intrinsics.Avx2_extract open Core open FStar.Mul -include BitVec.Intrinsics {mm256_and_si256 as mm256_and_si256} -val lemma_mm256_set1_epi16 lhs rhs - : Lemma ( vec256_as_i16x16 (mm256_and_si256 lhs rhs) - == Spec.Utils.map2 (&.) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs) - ) - [SMTPat (vec256_as_i16x16 (mm256_and_si256 lhs rhs))] +(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! +Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: +{ Ast.Make.e = + Ast.Make.App { + f = + { Ast.Make.e = + (Ast.Make.GlobalVar + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value })); + span = + { Span.id = 3091; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + )) + }; + args = + [{ Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); + span = + { Span.id = 3091; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr }; + { Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); + span = + { Span.id = 3091; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr } + ]; + generic_args = []; bounds_impls = []; trait = None}; + span = + { Span.id = 3091; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + } + +Last AST: +/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "libcrux_intrinsics"; + path = + [{ Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "mm256_and_si256"); + disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value }) */ +const _: () = (); + *) + +(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! +Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: +{ Ast.Make.e = + Ast.Make.App { + f = + { Ast.Make.e = + (Ast.Make.GlobalVar + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value })); + span = + { Span.id = 3580; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + )) + }; + args = + [{ Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); + span = + { Span.id = 3580; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr }; + { Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); + span = + { Span.id = 3580; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr } + ]; + generic_args = []; bounds_impls = []; trait = None}; + span = + { Span.id = 3580; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + } + +Last AST: +/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "libcrux_intrinsics"; + path = + [{ Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "mm256_castsi128_si256"); + disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value }) */ +const _: () = (); + *) + +(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! +Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: +{ Ast.Make.e = + Ast.Make.App { + f = + { Ast.Make.e = + (Ast.Make.GlobalVar + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value })); + span = + { Span.id = 3681; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + )) + }; + args = + [{ Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); + span = + { Span.id = 3681; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr }; + { Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); + span = + { Span.id = 3681; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr } + ]; + generic_args = []; bounds_impls = []; trait = None}; + span = + { Span.id = 3681; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + } + +Last AST: +/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "libcrux_intrinsics"; + path = + [{ Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "mm256_extracti128_si256"); + disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value }) */ +const _: () = (); + *) + +(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! +Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: +{ Ast.Make.e = + Ast.Make.App { + f = + { Ast.Make.e = + (Ast.Make.GlobalVar + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value })); + span = + { Span.id = 2293; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + )) + }; + args = + [{ Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); + span = + { Span.id = 2293; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr }; + { Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); + span = + { Span.id = 2293; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr } + ]; + generic_args = []; bounds_impls = []; trait = None}; + span = + { Span.id = 2293; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + } + +Last AST: +/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "libcrux_intrinsics"; + path = + [{ Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "mm256_madd_epi16"); + disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value }) */ +const _: () = (); + *) + +(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! +Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: +{ Ast.Make.e = + Ast.Make.App { + f = + { Ast.Make.e = + (Ast.Make.GlobalVar + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value })); + span = + { Span.id = 2613; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + )) + }; + args = + [{ Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); + span = + { Span.id = 2613; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr }; + { Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); + span = + { Span.id = 2613; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr } + ]; + generic_args = []; bounds_impls = []; trait = None}; + span = + { Span.id = 2613; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + } + +Last AST: +/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "libcrux_intrinsics"; + path = + [{ Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "mm256_mullo_epi16"); + disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value }) */ +const _: () = (); + *) + +(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! +Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: +{ Ast.Make.e = + Ast.Make.App { + f = + { Ast.Make.e = + (Ast.Make.GlobalVar + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value })); + span = + { Span.id = 3439; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + )) + }; + args = + [{ Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); + span = + { Span.id = 3439; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr }; + { Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); + span = + { Span.id = 3439; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr } + ]; + generic_args = []; bounds_impls = []; trait = None}; + span = + { Span.id = 3439; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + } + +Last AST: +/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "libcrux_intrinsics"; + path = + [{ Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "mm256_slli_epi16"); + disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value }) */ +const _: () = (); + *) + +(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! +Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: +{ Ast.Make.e = + Ast.Make.App { + f = + { Ast.Make.e = + (Ast.Make.GlobalVar + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value })); + span = + { Span.id = 3378; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + )) + }; + args = + [{ Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); + span = + { Span.id = 3378; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr }; + { Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); + span = + { Span.id = 3378; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr } + ]; + generic_args = []; bounds_impls = []; trait = None}; + span = + { Span.id = 3378; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + } + +Last AST: +/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "libcrux_intrinsics"; + path = + [{ Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "mm256_srli_epi16"); + disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value }) */ +const _: () = (); + *) + +(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! +Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: +{ Ast.Make.e = + Ast.Make.App { + f = + { Ast.Make.e = + (Ast.Make.GlobalVar + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value })); + span = + { Span.id = 3719; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + )) + }; + args = + [{ Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); + span = + { Span.id = 3719; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr }; + { Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); + span = + { Span.id = 3719; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr } + ]; + generic_args = []; bounds_impls = []; trait = None}; + span = + { Span.id = 3719; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + } + +Last AST: +/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "libcrux_intrinsics"; + path = + [{ Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "mm_movemask_epi8"); + disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value }) */ +const _: () = (); + *) + +(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! +Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: +{ Ast.Make.e = + Ast.Make.App { + f = + { Ast.Make.e = + (Ast.Make.GlobalVar + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value })); + span = + { Span.id = 3630; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + )) + }; + args = + [{ Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); + span = + { Span.id = 3630; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr }; + { Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); + span = + { Span.id = 3630; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr } + ]; + generic_args = []; bounds_impls = []; trait = None}; + span = + { Span.id = 3630; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + } + +Last AST: +/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "libcrux_intrinsics"; + path = + [{ Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "mm_packs_epi16"); disambiguator = 0 + } + ] + }; + kind = Concrete_ident.Kind.Value }) */ +const _: () = (); + *) + +(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! +Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: +{ Ast.Make.e = + Ast.Make.App { + f = + { Ast.Make.e = + (Ast.Make.GlobalVar + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value })); + span = + { Span.id = 1423; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + )) + }; + args = + [{ Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); + span = + { Span.id = 1423; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr }; + { Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); + span = + { Span.id = 1423; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr } + ]; + generic_args = []; bounds_impls = []; trait = None}; + span = + { Span.id = 1423; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + } + +Last AST: +/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "libcrux_intrinsics"; + path = + [{ Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "mm_storeu_bytes_si128"); + disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value }) */ +const _: () = (); + *) diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti index 272f5a4f3..2e260a6be 100644 --- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti +++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti @@ -67,28 +67,22 @@ val mm256_permute2x128_si256 (v_IMM8: i32) (a b: t_Vec256) val mm256_permute4x64_epi64 (v_CONTROL: i32) (vector: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -val mm256_permutevar8x32_epi32 (vector control: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +include BitVec.Intrinsics {mm256_permutevar8x32_epi32} val mm256_set1_epi32 (constant: i32) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val mm256_set1_epi64x (a: i64) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -val mm256_set_epi32 (input7 input6 input5 input4 input3 input2 input1 input0: i32) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +include BitVec.Intrinsics {mm256_set_epi32} -val mm256_set_epi8 - (byte31 byte30 byte29 byte28 byte27 byte26 byte25 byte24 byte23 byte22 byte21 byte20 byte19 byte18 byte17 byte16 byte15 byte14 byte13 byte12 byte11 byte10 byte9 byte8 byte7 byte6 byte5 byte4 byte3 byte2 byte1 byte0: - i8) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +include BitVec.Intrinsics {mm256_set_epi8} val mm256_setzero_si256: Prims.unit -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val mm256_shuffle_epi32 (v_CONTROL: i32) (vector: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -val mm256_shuffle_epi8 (vector control: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +include BitVec.Intrinsics {mm256_shuffle_epi8} val mm256_slli_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) @@ -96,8 +90,7 @@ val mm256_slli_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256) val mm256_slli_epi64 (v_LEFT: i32) (x: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -val mm256_sllv_epi32 (vector counts: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +include BitVec.Intrinsics {mm256_sllv_epi32} val mm256_srai_epi16 (v_SHIFT_BY: i32) (vector: t_Vec256) : Prims.Pure t_Vec256 @@ -114,9 +107,6 @@ val mm256_srai_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256) val mm256_srli_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -val mm256_srli_epi64 (v_SHIFT_BY: i32) (vector: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - val mm256_storeu_si256_i16 (output: t_Slice i16) (vector: t_Vec256) : Prims.Pure (t_Slice i16) Prims.l_True (fun _ -> Prims.l_True) @@ -154,7 +144,7 @@ val mm_add_epi16 (lhs rhs: t_Vec128) vec128_as_i16x8 result == Spec.Utils.map2 ( +. ) (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs)) -val mm_loadu_si128 (input: t_Slice u8) : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) +include BitVec.Intrinsics {mm_loadu_si128} val mm_mulhi_epi16 (lhs rhs: t_Vec128) : Prims.Pure t_Vec128 @@ -184,13 +174,9 @@ val mm_set1_epi16 (constant: i16) let result:t_Vec128 = result in vec128_as_i16x8 result == Spec.Utils.create (sz 8) constant) -val mm_set_epi8 - (byte15 byte14 byte13 byte12 byte11 byte10 byte9 byte8 byte7 byte6 byte5 byte4 byte3 byte2 byte1 byte0: - u8) - : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) +include BitVec.Intrinsics {mm_set_epi8} -val mm_shuffle_epi8 (vector control: t_Vec128) - : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) +include BitVec.Intrinsics {mm_shuffle_epi8} include BitVec.Intrinsics {mm_storeu_bytes_si128} @@ -248,6 +234,8 @@ include BitVec.Intrinsics {mm256_slli_epi16 as mm256_slli_epi16} include BitVec.Intrinsics {mm256_srli_epi16 as mm256_srli_epi16} +include BitVec.Intrinsics {mm256_srli_epi64 as mm256_srli_epi64} + include BitVec.Intrinsics {mm_movemask_epi8 as mm_movemask_epi8} include BitVec.Intrinsics {mm_packs_epi16 as mm_packs_epi16} diff --git a/libcrux-intrinsics/src/avx2_extract.rs b/libcrux-intrinsics/src/avx2_extract.rs index 5710c9675..1ff39a14c 100644 --- a/libcrux-intrinsics/src/avx2_extract.rs +++ b/libcrux-intrinsics/src/avx2_extract.rs @@ -54,6 +54,7 @@ pub fn mm_storeu_bytes_si128(output: &mut [u8], vector: Vec128) { unimplemented!() } +#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm_loadu_si128}")] pub fn mm_loadu_si128(input: &[u8]) -> Vec128 { debug_assert_eq!(input.len(), 16); unimplemented!() @@ -73,6 +74,7 @@ pub fn mm256_setzero_si256() -> Vec256 { unimplemented!() } +#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm_set_epi8}")] pub fn mm_set_epi8( byte15: u8, byte14: u8, @@ -94,6 +96,7 @@ pub fn mm_set_epi8( unimplemented!() } +#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_set_epi8}")] pub fn mm256_set_epi8( byte31: i8, byte30: i8, @@ -188,6 +191,8 @@ pub fn mm_set1_epi16(constant: i16) -> Vec128 { pub fn mm256_set1_epi32(constant: i32) -> Vec256 { unimplemented!() } + +#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_set_epi32}")] pub fn mm256_set_epi32( input7: i32, input6: i32, @@ -324,6 +329,10 @@ pub fn mm256_srli_epi32(vector: Vec256) -> Vec256 { unimplemented!() } +#[hax_lib::fstar::replace( + interface, + "include BitVec.Intrinsics {mm256_srli_epi64 as ${mm256_srli_epi64::<0>}}" +)] pub fn mm256_srli_epi64(vector: Vec256) -> Vec256 { debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 64); unimplemented!() @@ -343,9 +352,11 @@ pub fn mm256_slli_epi32(vector: Vec256) -> Vec256 { unimplemented!() } +#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm_shuffle_epi8}")] pub fn mm_shuffle_epi8(vector: Vec128, control: Vec128) -> Vec128 { unimplemented!() } +#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_shuffle_epi8}")] pub fn mm256_shuffle_epi8(vector: Vec256, control: Vec256) -> Vec256 { unimplemented!() } @@ -424,10 +435,12 @@ pub fn mm_movemask_epi8(vector: Vec128) -> i32 { unimplemented!() } +#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_permutevar8x32_epi32}")] pub fn mm256_permutevar8x32_epi32(vector: Vec256, control: Vec256) -> Vec256 { unimplemented!() } +#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_sllv_epi32}")] pub fn mm256_sllv_epi32(vector: Vec256, counts: Vec256) -> Vec256 { unimplemented!() } diff --git a/libcrux-ml-kem/hax.py b/libcrux-ml-kem/hax.py index 062f62026..d5f025639 100755 --- a/libcrux-ml-kem/hax.py +++ b/libcrux-ml-kem/hax.py @@ -98,6 +98,7 @@ def __call__(self, parser, args, values, option_string=None) -> None: "simd128,simd256,pre-verification", ";", "into", + "-vv", "-i", include_str, "fstar", diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst index b0c0cc4cb..17a177cf7 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst @@ -9,17 +9,10 @@ let _ = let open Libcrux_ml_kem.Vector.Portable in () -let deserialize_1_ (bytes: t_Slice u8) = +[@@"opaque_to_smt"] +let deserialize_1___deserialize_1_i16s (a b: i16) = let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (cast (bytes.[ sz 1 ] <: u8) <: i16) - (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 1 ] <: u8) <: i16) - (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 1 ] <: u8) <: i16) - (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 1 ] <: u8) <: i16) - (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16) - (cast (bytes.[ sz 0 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16) - (cast (bytes.[ sz 0 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16) - (cast (bytes.[ sz 0 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16) - (cast (bytes.[ sz 0 ] <: u8) <: i16) + Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 b b b b b b b b a a a a a a a a in let coefficients_in_msb:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients @@ -30,178 +23,21 @@ let deserialize_1_ (bytes: t_Slice u8) = <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 15l coefficients_in_msb - in - let _:Prims.unit = - let bv = bit_vec_of_int_t_array (bytes <: t_Array _ (sz 2)) 8 in - FStar.Tactics.Effect.assert_by_tactic (forall (i: nat{i < 256}). - (if i % 16 = 0 then bv i else 0) == result i) - (fun _ -> - (); - (let open FStar.Tactics in - let open Tactics.Utils in - let light_norm () = - norm [ - iota; - primops; - delta_namespace [ - `%cast; - `%cast_tc_integers; - `%bit_vec_of_int_t_array; - `%Rust_primitives.Hax.array_of_list; - "FStar.FunctionalExtensionality"; - `%bits; - `%Lib.IntTypes.bits - ] - ] - in - light_norm (); - prove_forall_nat_pointwise (print_time "SMT query succeeded in " - (fun _ -> - light_norm (); - Tactics.Seq.norm_index (); - norm [ - iota; - primops; - zeta_full; - delta_namespace ["FStar"; "BitVec"]; - unascribe - ]; - (let open Tactics.MachineInts in transform norm_machine_int_term); - norm [iota; primops; zeta; delta]; - dump' "Goal:"; - smt_sync ())))) - in - result + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 15l coefficients_in_msb -let deserialize_10_ (bytes: t_Slice u8) = - let shift_lsbs_to_msbs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < - (); - (let open FStar.Tactics in - let open Tactics.Utils in - let light_norm () = - norm [ - iota; - primops; - delta_namespace [ - `%cast; - `%cast_tc_integers; - `%bit_vec_of_int_t_array; - `%Rust_primitives.Hax.array_of_list; - "FStar.FunctionalExtensionality"; - `%bits; - `%Lib.IntTypes.bits - ] - ] - in - light_norm (); - prove_forall_nat_pointwise (print_time "SMT query succeeded in " - (fun _ -> - light_norm (); - Tactics.Seq.norm_index (); - norm [ - iota; - primops; - zeta_full; - delta_namespace ["FStar"; "BitVec"]; - unascribe - ]; - (let open Tactics.MachineInts in transform norm_machine_int_term); - norm [ - iota; - primops; - zeta_full; - delta_namespace ["FStar"; "BitVec"]; - unascribe - ]; - dump' "Goal:"; - smt_sync ())))) - in - result + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients_in_lsb + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 ((1s < lower_8_ i = vector ((i / 10) * 16 + i % 10)) && + BitVec.Utils.forall_n 80 (fun i -> upper_8_ i = vector (128 + (i / 10) * 16 + i % 10))) + in let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized ({ Core.Ops.Range.f_start = sz 10; Core.Ops.Range.f_end = sz 26 } @@ -720,6 +500,189 @@ let serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: Core.Result.t_Result (t_Array u8 (sz 8)) Core.Array.t_TryFromSliceError) +[@@"opaque_to_smt"] +let deserialize_10___deserialize_10_vec + (lower_coefficients0 upper_coefficients0: Libcrux_intrinsics.Avx2_extract.t_Vec128) + = + let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 lower_coefficients0 + (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 9uy 8uy 8uy 7uy 7uy 6uy 6uy 5uy 4uy 3uy 3uy 2uy + 2uy 1uy 1uy 0uy + <: + Libcrux_intrinsics.Avx2_extract.t_Vec128) + in + let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients0 + (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 15uy 14uy 14uy 13uy 13uy 12uy 12uy 11uy 10uy 9uy + 9uy 8uy 8uy 7uy 7uy 6uy + <: + Libcrux_intrinsics.Avx2_extract.t_Vec128) + in + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + mm256_si256_from_two_si128 lower_coefficients upper_coefficients + in + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < + coefficients i = + (if i % 16 < 10 + then + let j = (i / 16) * 10 + i % 16 in + if i < 128 then lower_coefficients0 j else upper_coefficients0 (j - 32) + else 0))) + in + coefficients + +let deserialize_10_ (bytes: t_Slice u8) = + let lower_coefficients:t_Slice u8 = + bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } + <: + Core.Ops.Range.t_Range usize ] + in + let upper_coefficients:t_Slice u8 = + bytes.[ { Core.Ops.Range.f_start = sz 4; Core.Ops.Range.f_end = sz 20 } + <: + Core.Ops.Range.t_Range usize ] + in + let coefficients = deserialize_10___deserialize_10_vec (Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 lower_coefficients + + <: + Libcrux_intrinsics.Avx2_extract.t_Vec128) + (Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 upper_coefficients + <: + Libcrux_intrinsics.Avx2_extract.t_Vec128) in + coefficients + + // assert ( + // forall (i: nat{i < 256}). + // coefficients i = + // (if i % 16 >= 10 then 0 + // elsex + // let j = (i / 16) * 10 + i % 16 in + // if i < 128 then lower_coefficients0 j else upper_coefficients0 (j - 32))) + +[@@"opaque_to_smt"] +let deserialize_12___deserialize_12_vec + (lower_coefficients0 upper_coefficients0: Libcrux_intrinsics.Avx2_extract.t_Vec128) + = + let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 lower_coefficients0 + (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 11uy 10uy 10uy 9uy 8uy 7uy 7uy 6uy 5uy 4uy 4uy + 3uy 2uy 1uy 1uy 0uy + <: + Libcrux_intrinsics.Avx2_extract.t_Vec128) + in + let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients0 + (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 15uy 14uy 14uy 13uy 12uy 11uy 11uy 10uy 9uy 8uy + 8uy 7uy 6uy 5uy 5uy 4uy + <: + Libcrux_intrinsics.Avx2_extract.t_Vec128) + in + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + mm256_si256_from_two_si128 lower_coefficients upper_coefficients + in + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < + coefficients i = + (if i % 16 < 12 + then + let j = (i / 16) * 12 + i % 16 in + if i < 128 then lower_coefficients0 j else upper_coefficients0 (j - 64) + else 0))) + in + coefficients + +let deserialize_12_ (bytes: t_Slice u8) = + let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (bytes.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + in + let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (bytes.[ { + Core.Ops.Range.f_start = sz 8; + Core.Ops.Range.f_end = sz 24 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + in + deserialize_12___deserialize_12_vec lower_coefficients upper_coefficients + +let deserialize_5_ (bytes: t_Slice u8) = + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm_set_epi8 (bytes.[ sz 9 ] <: u8) (bytes.[ sz 8 ] <: u8) + (bytes.[ sz 8 ] <: u8) (bytes.[ sz 7 ] <: u8) (bytes.[ sz 7 ] <: u8) (bytes.[ sz 6 ] <: u8) + (bytes.[ sz 6 ] <: u8) (bytes.[ sz 5 ] <: u8) (bytes.[ sz 4 ] <: u8) (bytes.[ sz 3 ] <: u8) + (bytes.[ sz 3 ] <: u8) (bytes.[ sz 2 ] <: u8) (bytes.[ sz 2 ] <: u8) (bytes.[ sz 1 ] <: u8) + (bytes.[ sz 1 ] <: u8) (bytes.[ sz 0 ] <: u8) + in + let coefficients_loaded:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + mm256_si256_from_two_si128 coefficients coefficients + in + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 coefficients_loaded + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 15y 14y 15y 14y 13y 12y 13y 12y 11y 10y 11y + 10y 9y 8y 9y 8y 7y 6y 7y 6y 5y 4y 5y 4y 3y 2y 3y 2y 1y 0y 1y 0y + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in + forall (i: nat{i < 256}). + coefficients i = + (if i % 16 >= 1 + then 0 + else + let j = (i / 16) * 1 + i % 16 in + if i < 128 then get_bit a (sz j) else get_bit b (sz (j - 8)))) + +val deserialize_1___deserialize_1_u8s (a b: u8) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 + Prims.l_True + (ensures + fun coefficients -> + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in + forall (i: nat{i < 256}). + coefficients i = + (if i % 16 >= 1 + then 0 + else + let j = (i / 16) * 1 + i % 16 in + if i < 128 then get_bit a (sz j) else get_bit b (sz (j - 8)))) + val deserialize_1_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 + (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 2) + (ensures + fun coefficients -> + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in + forall (i: nat{i < 256}). + coefficients i = + (if i % 16 >= 1 + then 0 + else + let j = (i / 16) * 1 + i % 16 in + bit_vec_of_int_t_array (bytes <: t_Array _ (sz 2)) 8 j)) -val deserialize_10_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val deserialize_4___deserialize_4_i16s (b0 b1 b2 b3 b4 b5 b6 b7: i16) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 + Prims.l_True + (ensures + fun coefficients -> + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in + forall (i: nat{i < 256}). + coefficients i = + (if i % 16 < 4 + then + let j = (i / 16) * 4 + i % 16 in + (match i / 32 with + | 0 -> get_bit b0 (sz j) + | 1 -> get_bit b1 (sz (j - 8)) + | 2 -> get_bit b2 (sz (j - 16)) + | 3 -> get_bit b3 (sz (j - 24)) + | 4 -> get_bit b4 (sz (j - 32)) + | 5 -> get_bit b5 (sz (j - 40)) + | 6 -> get_bit b6 (sz (j - 48)) + | 7 -> get_bit b7 (sz (j - 56))) + else 0)) -val deserialize_12_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val deserialize_4___deserialize_4_u8s (b0 b1 b2 b3 b4 b5 b6 b7: u8) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 + Prims.l_True + (ensures + fun coefficients -> + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in + forall (i: nat{i < 256}). + coefficients i = + (if i % 16 < 4 + then + let j = (i / 16) * 4 + i % 16 in + (match i / 32 with + | 0 -> get_bit b0 (sz j) + | 1 -> get_bit b1 (sz (j - 8)) + | 2 -> get_bit b2 (sz (j - 16)) + | 3 -> get_bit b3 (sz (j - 24)) + | 4 -> get_bit b4 (sz (j - 32)) + | 5 -> get_bit b5 (sz (j - 40)) + | 6 -> get_bit b6 (sz (j - 48)) + | 7 -> get_bit b7 (sz (j - 56))) + else 0)) val deserialize_4_ (bytes: t_Slice u8) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 8) - (fun _ -> Prims.l_True) + (ensures + fun result -> + let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in + forall (i: nat{i < 256}). + result i = + (if i % 16 >= 4 + then 0 + else + let j = (i / 16) * 4 + i % 16 in + bit_vec_of_int_t_array (bytes <: t_Array _ (sz 8)) 8 j)) -val deserialize_5_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +include BitVec.Intrinsics {mm256_concat_pairs_n} val serialize_1_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True) val serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (t_Array u8 (sz 20)) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (t_Array u8 (sz 20)) + (requires forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0) + (ensures + fun r -> + let r:t_Array u8 (sz 20) = r in + forall (i: nat{i < 160}). bit_vec_of_int_t_array r 8 i == vector ((i / 10) * 16 + i % 10)) val serialize_12_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True) @@ -43,6 +133,66 @@ val serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (requires BitVec.Intrinsics.forall_bool #256 (fun i -> i % 16 < 4 || vector i = 0)) (fun _ -> Prims.l_True) +include BitVec.Intrinsics {mm256_si256_from_two_si128 as mm256_si256_from_two_si128} + +val deserialize_10___deserialize_10_vec + (lower_coefficients0 upper_coefficients0: Libcrux_intrinsics.Avx2_extract.t_Vec128) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 + Prims.l_True + (ensures + fun coefficients -> + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in + forall (i: nat{i < 256}). + coefficients i = + (if i % 16 >= 10 then 0 + else + let j = (i / 16) * 10 + i % 16 in + if i < 128 then lower_coefficients0 j else upper_coefficients0 (j - 32))) + +val deserialize_10_ (bytes: t_Slice u8) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 + (requires Seq.length bytes == 20) + (ensures + fun result -> + let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in + forall (i: nat{i < 256}). + result i = + (if i % 16 >= 10 + then 0 + else + let j = (i / 16) * 10 + i % 16 in + bit_vec_of_int_t_array (bytes <: t_Array _ (sz 20)) 8 j)) + +val deserialize_12___deserialize_12_vec + (lower_coefficients0 upper_coefficients0: Libcrux_intrinsics.Avx2_extract.t_Vec128) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 + Prims.l_True + (ensures + fun coefficients -> + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in + forall (i: nat{i < 256}). + coefficients i = + (if i % 16 >= 12 then 0 + else let j = (i / 16) * 12 + i % 16 in + if i < 128 then lower_coefficients0 j else upper_coefficients0 (j - 64))) + +val deserialize_12_ (bytes: t_Slice u8) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 + (requires Seq.length bytes == 24) + (ensures + fun result -> + let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in + forall (i: nat{i < 256}). + result i = + (if i % 16 >= 12 + then 0 + else + let j = (i / 16) * 12 + i % 16 in + bit_vec_of_int_t_array (bytes <: t_Array _ (sz 24)) 8 j)) + +val deserialize_5_ (bytes: t_Slice u8) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + val deserialize_11_ (bytes: t_Slice u8) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/src/vector/avx2/serialize.rs b/libcrux-ml-kem/src/vector/avx2/serialize.rs index 03d042950..25384cb65 100644 --- a/libcrux-ml-kem/src/vector/avx2/serialize.rs +++ b/libcrux-ml-kem/src/vector/avx2/serialize.rs @@ -102,113 +102,101 @@ assert (forall (i: nat {i < 16}). bv i == ${vector} (i * 16)) by ( } #[inline(always)] +#[hax_lib::requires(bytes.len() == 2)] +#[hax_lib::ensures(|coefficients| fstar!( + r#"forall (i:nat{i < 256}). + $coefficients i + = ( if i % 16 >= 1 then 0 + else let j = (i / 16) * 1 + i % 16 in + bit_vec_of_int_t_array ($bytes <: t_Array _ (sz 2)) 8 j)) +"# +))] +#[hax_lib::fstar::before("#restart-solver")] pub(crate) fn deserialize_1(bytes: &[u8]) -> Vec256 { - // We need to take each bit from the 2 bytes of input and put them - // into their own 16-bit lane. Ideally, we'd load the two bytes into the vector, - // duplicate them, and right-shift the 0th element by 0 bits, - // the first element by 1 bit, the second by 2 bits and so on before AND-ing - // with 0x1 to leave only the least signifinicant bit. - // But since |_mm256_srlv_epi16| does not exist, so we have to resort to a - // workaround. - // - // Rather than shifting each element by a different amount, we'll multiply - // each element by a value such that the bit we're interested in becomes the most - // significant bit. - - // The coefficients are loaded as follows: - let coefficients = mm256_set_epi16( - bytes[1] as i16, - bytes[1] as i16, - bytes[1] as i16, - bytes[1] as i16, - bytes[1] as i16, - bytes[1] as i16, - bytes[1] as i16, - bytes[1] as i16, - bytes[0] as i16, - bytes[0] as i16, - bytes[0] as i16, - bytes[0] as i16, - bytes[0] as i16, - bytes[0] as i16, - bytes[0] as i16, - bytes[0] as i16, - ); - - // And this vector, when multiplied with the previous one, ensures that the - // bit we'd like to keep in each lane becomes the most significant bit upon - // multiplication. - let coefficients_in_msb = mm256_mullo_epi16( - coefficients, - mm256_set_epi16( - 1 << 8, - 1 << 9, - 1 << 10, - 1 << 11, - 1 << 12, - 1 << 13, - 1 << 14, - -32768, - 1 << 8, - 1 << 9, - 1 << 10, - 1 << 11, - 1 << 12, - 1 << 13, - 1 << 14, - -32768, - ), - ); - - // Now that they're all in the most significant bit position, shift them - // down to the least significant bit. - let result = mm256_srli_epi16::<15>(coefficients_in_msb); - - hax_lib::fstar!( - r#" -let bv = bit_vec_of_int_t_array (${bytes} <: t_Array _ (sz 2)) 8 in -assert (forall (i: nat {i < 256}). (if i % 16 = 0 then bv i else 0) == result i) by ( - let open FStar.Tactics in - let open Tactics.Utils in - let light_norm () = - // simplify the term: compute `+/*+` on ints, remove cast/array_of_list/funext indirections - norm [ iota; primops - ; delta_namespace [ - `%cast; `%cast_tc_integers - ; `%bit_vec_of_int_t_array - ; `%Rust_primitives.Hax.array_of_list - ; "FStar.FunctionalExtensionality" - ; `%bits;`%Lib.IntTypes.bits - ] - ] in - light_norm (); - // instantiate the forall with concrete values, and run a tactic for each possible values - prove_forall_nat_pointwise (print_time "SMT query succeeded in " (fun _ -> - light_norm (); - // norm index rewrites `Seq.index (Seq.seq_of_list ...) N` or - // `List.Tot.index ... N` when we have list literals - Tactics.Seq.norm_index (); - // Reduce more aggressively - norm [iota; primops; zeta_full; - delta_namespace [ - "FStar"; - "BitVec"; - ]; unascribe - ]; - // Rewrite and normalize machine integers, hopefully in ints - Tactics.MachineInts.(transform norm_machine_int_term); - // norm: primops to get rid of >=, <=, +, *, -, etc. - // zeta delta iota: normalize bitvectors - norm [iota; primops; zeta; delta]; - dump' "Goal:"; - // ask the smt to solve now - smt_sync () - )) -) + #[hax_lib::ensures(|coefficients| fstar!( + r#"forall (i:nat{i < 256}). + $coefficients i + = ( if i % 16 >= 1 then 0 + else let j = (i / 16) * 1 + i % 16 in + if i < 128 then get_bit $a (sz j) else get_bit $b (sz (j - 8))) "# - ); + ))] + #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)] + #[inline(always)] + pub(crate) fn deserialize_1_u8s(a: u8, b: u8) -> Vec256 { + deserialize_1_i16s(a as i16, b as i16) + } + + #[hax_lib::ensures(|coefficients| fstar!( + r#"forall (i:nat{i < 256}). + $coefficients i + = ( if i % 16 >= 1 then 0 + else let j = (i / 16) * 1 + i % 16 in + if i < 128 then get_bit $a (sz j) else get_bit $b (sz (j - 8))) +"# + ))] + #[inline(always)] + #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)] + pub(crate) fn deserialize_1_i16s(a: i16, b: i16) -> Vec256 { + // We need to take each bit from the 2 bytes of input and put them + // into their own 16-bit lane. Ideally, we'd load the two bytes into the vector, + // duplicate them, and right-shift the 0th element by 0 bits, + // the first element by 1 bit, the second by 2 bits and so on before AND-ing + // with 0x1 to leave only the least signifinicant bit. + // But since |_mm256_srlv_epi16| does not exist, so we have to resort to a + // workaround. + // + // Rather than shifting each element by a different amount, we'll multiply + // each element by a value such that the bit we're interested in becomes the most + // significant bit. + // The coefficients are loaded as follows: + let coefficients = mm256_set_epi16(b, b, b, b, b, b, b, b, a, a, a, a, a, a, a, a); + + // And this vector, when multiplied with the previous one, ensures that the + // bit we'd like to keep in each lane becomes the most significant bit upon + // multiplication. + let coefficients_in_msb = mm256_mullo_epi16( + coefficients, + mm256_set_epi16( + 1 << 8, + 1 << 9, + 1 << 10, + 1 << 11, + 1 << 12, + 1 << 13, + 1 << 14, + -32768, + 1 << 8, + 1 << 9, + 1 << 10, + 1 << 11, + 1 << 12, + 1 << 13, + 1 << 14, + -32768, + ), + ); + + // Now that they're all in the most significant bit position, shift them + // down to the least significant bit. + mm256_srli_epi16::<15>(coefficients_in_msb) + } + + deserialize_1_u8s(bytes[0], bytes[1]) +} - result +/// `mm256_concat_pairs_n(n, x)` is then a sequence of 32 bits packets +/// of the shape `0b0…0b₁…bₙa₁…aₙ`, if `x` is a sequence of pairs of +/// 16 bits, of the shape `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` (where the last +/// `n` bits are non-zero). +#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_concat_pairs_n}")] +#[inline(always)] +fn mm256_concat_pairs_n(n: u8, x: Vec256) -> Vec256 { + let n = 1 << n; + mm256_madd_epi16( + x, + mm256_set_epi16(n, 1, n, 1, n, 1, n, 1, n, 1, n, 1, n, 1, n, 1), + ) } #[hax_lib::requires( @@ -318,112 +306,119 @@ assert (forall (i: nat {i < 64}). serialized[0..8].try_into().unwrap() } -#[hax_lib::requires(bytes.len() == 8)] #[inline(always)] +#[hax_lib::requires(bytes.len() == 8)] +#[hax_lib::ensures(|result| fstar!(r#"forall (i: nat{i < 256}). + $result i = (if i % 16 >= 4 then 0 + else let j = (i / 16) * 4 + i % 16 in + bit_vec_of_int_t_array ($bytes <: t_Array _ (sz 8)) 8 j)"#))] +#[hax_lib::fstar::before("#restart-solver")] pub(crate) fn deserialize_4(bytes: &[u8]) -> Vec256 { - // Every 4 bits from each byte of input should be put into its own 16-bit lane. - // Since |_mm256_srlv_epi16| does not exist, we have to resort to a workaround. - // - // Rather than shifting each element by a different amount, we'll multiply - // each element by a value such that the bits we're interested in become the most - // significant bits (of an 8-bit value). - let coefficients = mm256_set_epi16( - // In this lane, the 4 bits we need to put are already the most - // significant bits of |bytes[7]|. - bytes[7] as i16, - // In this lane, the 4 bits we need to put are the least significant bits, - // so we need to shift the 4 least-significant bits of |bytes[7]| to the - // most significant bits (of an 8-bit value). - bytes[7] as i16, - // and so on ... - bytes[6] as i16, - bytes[6] as i16, - bytes[5] as i16, - bytes[5] as i16, - bytes[4] as i16, - bytes[4] as i16, - bytes[3] as i16, - bytes[3] as i16, - bytes[2] as i16, - bytes[2] as i16, - bytes[1] as i16, - bytes[1] as i16, - bytes[0] as i16, - bytes[0] as i16, - ); - - let coefficients_in_msb = mm256_mullo_epi16( - coefficients, - mm256_set_epi16( - // These constants are chosen to shift the bits of the values - // that we loaded into |coefficients|. - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - ), - ); - - // Once the 4-bit coefficients are in the most significant positions (of - // an 8-bit value), shift them all down by 4. - let coefficients_in_lsb = mm256_srli_epi16::<4>(coefficients_in_msb); - - // Zero the remaining bits. - let result = mm256_and_si256(coefficients_in_lsb, mm256_set1_epi16((1 << 4) - 1)); - - hax_lib::fstar!( - r#" -let bv = bit_vec_of_int_t_array (${bytes} <: t_Array _ (sz 8)) 8 in -assert (forall (i: nat {i < 64}). bv i == ${result} ((i / 4) * 16 + i % 4)) by ( - let open FStar.Tactics in - let open Tactics.Utils in - let light_norm () = - norm [ iota; primops - ; delta_namespace [ - `%cast; `%cast_tc_integers - ; `%bit_vec_of_int_t_array - ; `%Rust_primitives.Hax.array_of_list - ; "FStar.FunctionalExtensionality" - ; `%bits;`%Lib.IntTypes.bits - ] - ] in - light_norm (); - prove_forall_nat_pointwise (print_time "SMT query succeeded in " (fun _ -> - light_norm (); - Tactics.Seq.norm_index (); - norm [iota; primops; zeta_full; - delta_namespace [ - "FStar"; - "BitVec"; - ]; unascribe - ]; - Tactics.MachineInts.(transform norm_machine_int_term); - norm [iota; primops; zeta_full; - delta_namespace [ - "FStar"; - "BitVec"; - ]; unascribe - ]; - dump' "Goal:"; - smt_sync () - )) -) + #[hax_lib::ensures(|coefficients| fstar!( + r#"forall (i:nat{i < 256}). + $coefficients i + = ( if i % 16 < 4 + then let j = (i / 16) * 4 + i % 16 in + (match i / 32 with + | 0 -> get_bit $b0 (sz j) + | 1 -> get_bit $b1 (sz (j - 8)) + | 2 -> get_bit $b2 (sz (j - 16)) + | 3 -> get_bit $b3 (sz (j - 24)) + | 4 -> get_bit $b4 (sz (j - 32)) + | 5 -> get_bit $b5 (sz (j - 40)) + | 6 -> get_bit $b6 (sz (j - 48)) + | 7 -> get_bit $b7 (sz (j - 56))) + else 0) "# - ); - - result + ))] + #[inline(always)] + #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)] + fn deserialize_4_u8s(b0: u8, b1: u8, b2: u8, b3: u8, b4: u8, b5: u8, b6: u8, b7: u8) -> Vec256 { + deserialize_4_i16s( + b0 as i16, b1 as i16, b2 as i16, b3 as i16, b4 as i16, b5 as i16, b6 as i16, b7 as i16, + ) + } + + #[hax_lib::ensures(|coefficients| fstar!( + r#"forall (i:nat{i < 256}). + $coefficients i + = ( if i % 16 < 4 + then let j = (i / 16) * 4 + i % 16 in + (match i / 32 with + | 0 -> get_bit $b0 (sz j) + | 1 -> get_bit $b1 (sz (j - 8)) + | 2 -> get_bit $b2 (sz (j - 16)) + | 3 -> get_bit $b3 (sz (j - 24)) + | 4 -> get_bit $b4 (sz (j - 32)) + | 5 -> get_bit $b5 (sz (j - 40)) + | 6 -> get_bit $b6 (sz (j - 48)) + | 7 -> get_bit $b7 (sz (j - 56))) + else 0) +"# + ))] + #[inline(always)] + #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)] + fn deserialize_4_i16s( + b0: i16, + b1: i16, + b2: i16, + b3: i16, + b4: i16, + b5: i16, + b6: i16, + b7: i16, + ) -> Vec256 { + // Every 4 bits from each byte of input should be put into its own 16-bit lane. + // Since |_mm256_srlv_epi16| does not exist, we have to resort to a workaround. + // + // Rather than shifting each element by a different amount, we'll multiply + // each element by a value such that the bits we're interested in become the most + // significant bits (of an 8-bit value). + let coefficients = mm256_set_epi16( + // In this lane, the 4 bits we need to put are already the most + // significant bits of |bytes[7]| (that is, b7). + b7, + // In this lane, the 4 bits we need to put are the least significant bits, + // so we need to shift the 4 least-significant bits of |b7| to the + // most significant bits (of an 8-bit value). + b7, // and so on ... + b6, b6, b5, b5, b4, b4, b3, b3, b2, b2, b1, b1, b0, b0, + ); + let coefficients_in_msb = mm256_mullo_epi16( + coefficients, + mm256_set_epi16( + // These constants are chosen to shift the bits of the values + // that we loaded into |coefficients|. + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + ), + ); + + // Once the 4-bit coefficients are in the most significant positions (of + // an 8-bit value), shift them all down by 4. + let coefficients_in_lsb = mm256_srli_epi16::<4>(coefficients_in_msb); + + // Zero the remaining bits. + mm256_and_si256(coefficients_in_lsb, mm256_set1_epi16((1 << 4) - 1)) + } + + deserialize_4_u8s( + bytes[0], bytes[1], bytes[2], bytes[3], bytes[4], bytes[5], bytes[6], bytes[7], + ) } #[inline(always)] @@ -523,6 +518,22 @@ pub(crate) fn serialize_5(vector: Vec256) -> [u8; 10] { serialized[0..10].try_into().unwrap() } +/// We cannot model `mm256_inserti128_si256` on its own: it produces a +/// Vec256 where the upper 128 bits are undefined. Thus +/// `mm256_inserti128_si256` is not pure. +/// +/// Luckily, we always call `mm256_castsi128_si256` right after +/// `mm256_inserti128_si256`: this composition sets the upper bits, +/// making the whole computation pure again. +#[inline(always)] +#[hax_lib::fstar::replace( + interface, + "include BitVec.Intrinsics {mm256_si256_from_two_si128 as ${mm256_si256_from_two_si128}}" +)] +fn mm256_si256_from_two_si128(lower: Vec128, upper: Vec128) -> Vec256 { + mm256_inserti128_si256::<1>(mm256_castsi128_si256(lower), upper) +} + #[inline(always)] pub(crate) fn deserialize_5(bytes: &[u8]) -> Vec256 { let coefficients = mm_set_epi8( @@ -530,8 +541,7 @@ pub(crate) fn deserialize_5(bytes: &[u8]) -> Vec256 { bytes[3], bytes[3], bytes[2], bytes[2], bytes[1], bytes[1], bytes[0], ); - let coefficients_loaded = mm256_castsi128_si256(coefficients); - let coefficients_loaded = mm256_inserti128_si256::<1>(coefficients_loaded, coefficients); + let coefficients_loaded = mm256_si256_from_two_si128(coefficients, coefficients); let coefficients = mm256_shuffle_epi8( coefficients_loaded, @@ -566,6 +576,8 @@ pub(crate) fn deserialize_5(bytes: &[u8]) -> Vec256 { } #[inline(always)] +#[hax_lib::requires(fstar!("forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0"))] +#[hax_lib::ensures(|r| fstar!("forall (i: nat{i < 160}). bit_vec_of_int_t_array r 8 i == vector ((i/10) * 16 + i%10)"))] pub(crate) fn serialize_10(vector: Vec256) -> [u8; 20] { let mut serialized = [0u8; 32]; @@ -582,27 +594,7 @@ pub(crate) fn serialize_10(vector: Vec256) -> [u8; 20] { // 0¹²b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ | ↩ // 0¹²f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ | ↩ // .... - let adjacent_2_combined = mm256_madd_epi16( - vector, - mm256_set_epi16( - 1 << 10, - 1, - 1 << 10, - 1, - 1 << 10, - 1, - 1 << 10, - 1, - 1 << 10, - 1, - 1 << 10, - 1, - 1 << 10, - 1, - 1 << 10, - 1, - ), - ); + let adjacent_2_combined = mm256_concat_pairs_n(10, vector); // Shifting up the values at the even indices by 12, we get: // @@ -649,51 +641,90 @@ pub(crate) fn serialize_10(vector: Vec256) -> [u8; 20] { // and 64 bits starting at position 0 in the upper 128-bit lane. let upper_8 = mm256_extracti128_si256::<1>(adjacent_8_combined); + hax_lib::fstar!( + r#" + assert_norm ( + BitVec.Utils.forall_n 80 (fun i -> lower_8_ i = vector ( (i/10) * 16 + i%10)) + && BitVec.Utils.forall_n 80 (fun i -> upper_8_ i = vector (128 + (i/10) * 16 + i%10)) + ) + "# + ); mm_storeu_bytes_si128(&mut serialized[10..26], upper_8); serialized[0..20].try_into().unwrap() } #[inline(always)] +#[hax_lib::requires(fstar!(r#"Seq.length bytes == 20"#))] +#[hax_lib::ensures(|result| fstar!(r#"forall (i: nat{i < 256}). + $result i = (if i % 16 >= 10 then 0 + else let j = (i / 16) * 10 + i % 16 in + bit_vec_of_int_t_array ($bytes <: t_Array _ (sz 20)) 8 j)"#))] pub(crate) fn deserialize_10(bytes: &[u8]) -> Vec256 { - let shift_lsbs_to_msbs = mm256_set_epi16( - 1 << 0, - 1 << 2, - 1 << 4, - 1 << 6, - 1 << 0, - 1 << 2, - 1 << 4, - 1 << 6, - 1 << 0, - 1 << 2, - 1 << 4, - 1 << 6, - 1 << 0, - 1 << 2, - 1 << 4, - 1 << 6, - ); - - let lower_coefficients = mm_loadu_si128(&bytes[0..16]); - let lower_coefficients = mm_shuffle_epi8( - lower_coefficients, - mm_set_epi8(9, 8, 8, 7, 7, 6, 6, 5, 4, 3, 3, 2, 2, 1, 1, 0), - ); - let upper_coefficients = mm_loadu_si128(&bytes[4..20]); - let upper_coefficients = mm_shuffle_epi8( - upper_coefficients, - mm_set_epi8(15, 14, 14, 13, 13, 12, 12, 11, 10, 9, 9, 8, 8, 7, 7, 6), - ); - - let coefficients = mm256_castsi128_si256(lower_coefficients); - let coefficients = mm256_inserti128_si256::<1>(coefficients, upper_coefficients); - - let coefficients = mm256_mullo_epi16(coefficients, shift_lsbs_to_msbs); - let coefficients = mm256_srli_epi16::<6>(coefficients); - let coefficients = mm256_and_si256(coefficients, mm256_set1_epi16((1 << 10) - 1)); - - coefficients + #[inline(always)] + #[hax_lib::ensures(|coefficients| fstar!(r#" +forall (i: nat {i < 256}). + $coefficients i + = ( if i % 16 >= 10 then 0 + else let j = (i / 16) * 10 + i % 16 in + if i < 128 then $lower_coefficients0 j else $upper_coefficients0 (j - 32))) +"#))] + #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)] + fn deserialize_10_vec(lower_coefficients0: Vec128, upper_coefficients0: Vec128) -> Vec256 { + let lower_coefficients = mm_shuffle_epi8( + lower_coefficients0, + mm_set_epi8(9, 8, 8, 7, 7, 6, 6, 5, 4, 3, 3, 2, 2, 1, 1, 0), + ); + let upper_coefficients = mm_shuffle_epi8( + upper_coefficients0, + mm_set_epi8(15, 14, 14, 13, 13, 12, 12, 11, 10, 9, 9, 8, 8, 7, 7, 6), + ); + + let coefficients = mm256_si256_from_two_si128(lower_coefficients, upper_coefficients); + + let coefficients = mm256_mullo_epi16( + coefficients, + mm256_set_epi16( + 1 << 0, + 1 << 2, + 1 << 4, + 1 << 6, + 1 << 0, + 1 << 2, + 1 << 4, + 1 << 6, + 1 << 0, + 1 << 2, + 1 << 4, + 1 << 6, + 1 << 0, + 1 << 2, + 1 << 4, + 1 << 6, + ), + ); + let coefficients = mm256_srli_epi16::<6>(coefficients); + // Here I can prove this `and` is not useful + let coefficients = mm256_and_si256(coefficients, mm256_set1_epi16((1 << 10) - 1)); + hax_lib::fstar!( + r#" +assert_norm(BitVec.Utils.forall256 (fun i -> + $coefficients i + = ( if i % 16 < 10 + then let j = (i / 16) * 10 + i % 16 in + if i < 128 then $lower_coefficients0 j else $upper_coefficients0 (j - 32) + else 0))) +"# + ); + coefficients + } + + let lower_coefficients = &bytes[0..16]; + let upper_coefficients = &bytes[4..20]; + deserialize_10_vec( + mm_loadu_si128(lower_coefficients), + mm_loadu_si128(upper_coefficients), + ) } #[inline(always)] @@ -759,43 +790,69 @@ pub(crate) fn serialize_12(vector: Vec256) -> [u8; 24] { } #[inline(always)] +#[hax_lib::requires(fstar!(r#"Seq.length bytes == 24"#))] +#[hax_lib::ensures(|result| fstar!(r#"forall (i: nat{i < 256}). + $result i = (if i % 16 >= 12 then 0 + else let j = (i / 16) * 12 + i % 16 in + bit_vec_of_int_t_array ($bytes <: t_Array _ (sz 24)) 8 j)"#))] pub(crate) fn deserialize_12(bytes: &[u8]) -> Vec256 { - let shift_lsbs_to_msbs = mm256_set_epi16( - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - ); - + #[inline(always)] + #[hax_lib::ensures(|coefficients| fstar!(r#" +forall (i: nat {i < 256}). + $coefficients i + = ( if i % 16 >= 12 then 0 + else let j = (i / 16) * 12 + i % 16 in + if i < 128 then $lower_coefficients0 j else $upper_coefficients0 (j - 64))) +"#))] + #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)] + fn deserialize_12_vec(lower_coefficients0: Vec128, upper_coefficients0: Vec128) -> Vec256 { + let lower_coefficients = mm_shuffle_epi8( + lower_coefficients0, + mm_set_epi8(11, 10, 10, 9, 8, 7, 7, 6, 5, 4, 4, 3, 2, 1, 1, 0), + ); + let upper_coefficients = mm_shuffle_epi8( + upper_coefficients0, + mm_set_epi8(15, 14, 14, 13, 12, 11, 11, 10, 9, 8, 8, 7, 6, 5, 5, 4), + ); + + let coefficients = mm256_si256_from_two_si128(lower_coefficients, upper_coefficients); + + let coefficients = mm256_mullo_epi16( + coefficients, + mm256_set_epi16( + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + ), + ); + let coefficients = mm256_srli_epi16::<4>(coefficients); + let coefficients = mm256_and_si256(coefficients, mm256_set1_epi16((1 << 12) - 1)); + hax_lib::fstar!( + r#" +assert_norm(BitVec.Utils.forall256 (fun i -> + $coefficients i + = ( if i % 16 < 12 + then let j = (i / 16) * 12 + i % 16 in + if i < 128 then $lower_coefficients0 j else $upper_coefficients0 (j - 64) + else 0))) +"# + ); + coefficients + } let lower_coefficients = mm_loadu_si128(&bytes[0..16]); - let lower_coefficients = mm_shuffle_epi8( - lower_coefficients, - mm_set_epi8(11, 10, 10, 9, 8, 7, 7, 6, 5, 4, 4, 3, 2, 1, 1, 0), - ); let upper_coefficients = mm_loadu_si128(&bytes[8..24]); - let upper_coefficients = mm_shuffle_epi8( - upper_coefficients, - mm_set_epi8(15, 14, 14, 13, 12, 11, 11, 10, 9, 8, 8, 7, 6, 5, 5, 4), - ); - - let coefficients = mm256_castsi128_si256(lower_coefficients); - let coefficients = mm256_inserti128_si256::<1>(coefficients, upper_coefficients); - - let coefficients = mm256_mullo_epi16(coefficients, shift_lsbs_to_msbs); - let coefficients = mm256_srli_epi16::<4>(coefficients); - let coefficients = mm256_and_si256(coefficients, mm256_set1_epi16((1 << 12) - 1)); - - coefficients + deserialize_12_vec(lower_coefficients, upper_coefficients) } From 096b016abae8cc59e1a2bccea1dec27d2e8852d9 Mon Sep 17 00:00:00 2001 From: Lucas Franceschino Date: Wed, 25 Sep 2024 18:39:43 +0200 Subject: [PATCH 14/19] progress --- .../Libcrux_ml_kem.Vector.Avx2.Serialize.fst | 148 +++--------------- .../Libcrux_ml_kem.Vector.Avx2.Serialize.fsti | 18 ++- libcrux-ml-kem/src/vector/avx2/serialize.rs | 86 +++------- 3 files changed, 56 insertions(+), 196 deletions(-) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst index 17a177cf7..f092e34e3 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst @@ -80,6 +80,8 @@ let deserialize_4_ (bytes: t_Slice u8) = (bytes.[ sz 6 ] <: u8) (bytes.[ sz 7 ] <: u8) +#push-options "--ext context_pruning --compat_pre_core 0" + let serialize_1_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let lsb_to_msb:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_slli_epi16 15l vector @@ -93,6 +95,16 @@ let serialize_1_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let msbs:Libcrux_intrinsics.Avx2_extract.t_Vec128 = Libcrux_intrinsics.Avx2_extract.mm_packs_epi16 low_msbs high_msbs in + let _:Prims.unit = + let bits_packed' = BitVec.Intrinsics.mm_movemask_epi8_bv msbs in + FStar.Tactics.Effect.assert_by_tactic (forall (i: nat{i < 16}). + bits_packed' i = vector ((i / 1) * 16 + i % 1)) + (fun _ -> + (); + (Tactics.Utils.prove_forall_nat_pointwise (fun _ -> + Tactics.compute (); + Tactics.smt_sync ()))) + in let bits_packed:i32 = Libcrux_intrinsics.Avx2_extract.mm_movemask_epi8 msbs in let result:t_Array u8 (sz 2) = let list = [cast (bits_packed <: i32) <: u8; cast (bits_packed >>! 8l <: i32) <: u8] in @@ -100,55 +112,12 @@ let serialize_1_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = Rust_primitives.Hax.array_of_list 2 list in let _:Prims.unit = - let bv = bit_vec_of_int_t_array result 8 in - FStar.Tactics.Effect.assert_by_tactic (forall (i: nat{i < 16}). bv i == vector (i * 16)) - (fun _ -> - (); - (let open FStar.Tactics in - let open Tactics.Utils in - prove_forall_nat_pointwise (print_time "SMT query succeeded in " - (fun _ -> - let light_norm () = - norm [ - iota; - primops; - delta_only [ - `%cast; - `%cast_tc_integers; - `%bit_vec_of_int_t_array; - `%Rust_primitives.Hax.array_of_list; - `%FunctionalExtensionality.on; - `%bits; - `%Lib.IntTypes.bits - ] - ] - in - light_norm (); - Tactics.Seq.norm_index (); - let _ = - repeatn 3 - (fun _ -> - l_to_r [ - `BitVec.Utils.rw_get_bit_cast; - `bit_vec_to_int_t_lemma; - `BitVec.Utils.rw_get_bit_shr - ]; - light_norm (); - (let open Tactics.MachineInts in transform norm_machine_int_term); - norm [ - primops; - iota; - zeta_full; - delta_only [`%BitVec.Intrinsics.mm_movemask_epi8] - ]) - in - norm [primops; iota; zeta_full; delta_namespace ["BitVec"; "FStar"]]; - smt_sync (); - smt ())))) + assert (forall (i: nat{i < 8}). + get_bit (bits_packed >>! 8l <: i32) (sz i) == get_bit bits_packed (sz (i + 8))) in result -#restart-solver +#pop-options #push-options "--ext context_pruning" @@ -218,6 +187,7 @@ let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: t_Slice u8) in + let _:Prims.unit = admit () in Core.Result.impl__unwrap #(t_Array u8 (sz 20)) #Core.Array.t_TryFromSliceError (Core.Convert.f_try_into #(t_Slice u8) @@ -231,6 +201,8 @@ let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: Core.Result.t_Result (t_Array u8 (sz 20)) Core.Array.t_TryFromSliceError) +#pop-options + let serialize_12_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = @@ -397,12 +369,7 @@ let serialize_5_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 vector - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < - (); - (let open FStar.Tactics in - let open Tactics.Utils in - norm [ - primops; - iota; - zeta; - delta_namespace [ - `%BitVec.Intrinsics.mm256_shuffle_epi8; - `%BitVec.Intrinsics.mm256_permutevar8x32_epi32; - `%BitVec.Intrinsics.mm256_madd_epi16; - `%BitVec.Intrinsics.mm256_castsi256_si128; - "BitVec.Utils" - ] - ]; - prove_forall_nat_pointwise (print_time "SMT query succeeded in " - (fun _ -> - let reduce t = - norm [ - primops; - iota; - zeta_full; - delta_namespace [ - "FStar.FunctionalExtensionality"; - t; - `%BitVec.Utils.mk_bv; - `%( + ); - `%op_Subtraction; - `%( / ); - `%( * ); - `%( % ) - ] - ]; - norm [ - primops; - iota; - zeta_full; - delta_namespace [ - "FStar.List.Tot"; - `%( + ); - `%op_Subtraction; - `%( / ); - `%( * ); - `%( % ) - ] - ] - in - reduce (`%BitVec.Intrinsics.mm256_permutevar8x32_epi32_i32); - reduce (`%BitVec.Intrinsics.mm256_shuffle_epi8_i8); - reduce (`%BitVec.Intrinsics.mm256_madd_epi16_specialized); - grewrite (quote - (BitVec.Intrinsics.forall_bool #256 - (fun i -> i % 16 < 4 || op_Equality #int (vector i) 0))) - (`true); - flip (); - smt (); - reduce (`%BitVec.Intrinsics.mm256_madd_epi16_specialized'); - trivial ())))) - in + assert_norm (BitVec.Utils.forall64 (fun i -> combined i = vector ((i / 4) * 16 + i % 4))); let serialized:t_Array u8 (sz 16) = Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 serialized combined in @@ -562,22 +467,13 @@ let deserialize_10_ (bytes: t_Slice u8) = <: Core.Ops.Range.t_Range usize ] in - let coefficients = deserialize_10___deserialize_10_vec (Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 lower_coefficients + deserialize_10___deserialize_10_vec (Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 lower_coefficients <: Libcrux_intrinsics.Avx2_extract.t_Vec128) (Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 upper_coefficients <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) in - coefficients - - // assert ( - // forall (i: nat{i < 256}). - // coefficients i = - // (if i % 16 >= 10 then 0 - // elsex - // let j = (i / 16) * 10 + i % 16 in - // if i < 128 then lower_coefficients0 j else upper_coefficients0 (j - 32))) + Libcrux_intrinsics.Avx2_extract.t_Vec128) [@@"opaque_to_smt"] let deserialize_12___deserialize_12_vec diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fsti index f6c579f7a..47d08661d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fsti @@ -112,7 +112,12 @@ val deserialize_4_ (bytes: t_Slice u8) include BitVec.Intrinsics {mm256_concat_pairs_n} val serialize_1_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (t_Array u8 (sz 2)) + (requires forall i. i % 16 >= 1 ==> vector i == 0) + (ensures + fun result -> + let result:t_Array u8 (sz 2) = result in + forall i. bit_vec_of_int_t_array result 8 i == vector (i * 16)) val serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure (t_Array u8 (sz 20)) @@ -144,7 +149,8 @@ val deserialize_10___deserialize_10_vec let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in forall (i: nat{i < 256}). coefficients i = - (if i % 16 >= 10 then 0 + (if i % 16 >= 10 + then 0 else let j = (i / 16) * 10 + i % 16 in if i < 128 then lower_coefficients0 j else upper_coefficients0 (j - 32))) @@ -172,9 +178,11 @@ val deserialize_12___deserialize_12_vec let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in forall (i: nat{i < 256}). coefficients i = - (if i % 16 >= 12 then 0 - else let j = (i / 16) * 12 + i % 16 in - if i < 128 then lower_coefficients0 j else upper_coefficients0 (j - 64))) + (if i % 16 >= 12 + then 0 + else + let j = (i / 16) * 12 + i % 16 in + if i < 128 then lower_coefficients0 j else upper_coefficients0 (j - 64))) val deserialize_12_ (bytes: t_Slice u8) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 diff --git a/libcrux-ml-kem/src/vector/avx2/serialize.rs b/libcrux-ml-kem/src/vector/avx2/serialize.rs index 25384cb65..0207be3fc 100644 --- a/libcrux-ml-kem/src/vector/avx2/serialize.rs +++ b/libcrux-ml-kem/src/vector/avx2/serialize.rs @@ -2,6 +2,9 @@ use super::*; use crate::vector::portable::PortableVector; #[inline(always)] +#[hax_lib::fstar::options("--ext context_pruning --compat_pre_core 0")] +#[hax_lib::requires(fstar!("forall i. i % 16 >= 1 ==> vector i == 0"))] +#[hax_lib::ensures(|result| fstar!("forall i. bit_vec_of_int_t_array $result 8 i == $vector (i * 16)"))] pub(crate) fn serialize_1(vector: Vec256) -> [u8; 2] { // Suppose |vector| is laid out as follows (superscript number indicates the // corresponding bit is duplicated that many times): @@ -43,6 +46,19 @@ pub(crate) fn serialize_1(vector: Vec256) -> [u8; 2] { // 0xFF 0x00 0x00 0x00 | 0xFF 0x00 0x00 0x00 | 0x00 0x00 0x00 0x00 | 0x00 0x00 0x00 0xFF let msbs = mm_packs_epi16(low_msbs, high_msbs); + hax_lib::fstar!( + r#" +let bits_packed' = BitVec.Intrinsics.mm_movemask_epi8_bv msbs in + assert (forall (i: nat{i < 16}). bits_packed' i = $vector ((i / 1) * 16 + i % 1)) + by ( + Tactics.Utils.prove_forall_nat_pointwise (fun _ -> + Tactics.compute (); + Tactics.smt_sync () + ) + ) +"# + ); + // Now that every element is either 0xFF or 0x00, we just extract the most // significant bit from each element and collate them into two bytes. let bits_packed = mm_movemask_epi8(msbs); @@ -51,50 +67,7 @@ pub(crate) fn serialize_1(vector: Vec256) -> [u8; 2] { hax_lib::fstar!( r#" -let bv = bit_vec_of_int_t_array ${result} 8 in -assert (forall (i: nat {i < 16}). bv i == ${vector} (i * 16)) by ( - let open FStar.Tactics in - let open Tactics.Utils in - prove_forall_nat_pointwise (print_time "SMT query succeeded in " (fun _ -> - let light_norm () = - // get rid of indirections (array_of_list, funext, casts, etc.) - norm [ iota; primops - ; delta_only [ - `%cast; `%cast_tc_integers - ; `%bit_vec_of_int_t_array - ; `%Rust_primitives.Hax.array_of_list - ; `%FunctionalExtensionality.on - ; `%bits;`%Lib.IntTypes.bits - ] - ] in - light_norm (); - // normalize List.index / Seq.index when we have literals - Tactics.Seq.norm_index (); - // here, we need to take care of (1) the cast and (2) the shift - // (introduced in `list`) and (3) bv<->i16 indirection - // introduced by `bit_vec_to_int_t`. Thus, we repeat the tactic - // three times. It's basically the same thing. - let _ = repeatn 3 (fun _ -> - // Try to rewrite any subterm using the following three lemmas (corresponding to (1) (3) and (2)) - l_to_r[`BitVec.Utils.rw_get_bit_cast; `bit_vec_to_int_t_lemma; `BitVec.Utils.rw_get_bit_shr]; - // get rid of useless indirections - light_norm (); - // after using those lemmas, more mk_int and v appears, let's get rid of those - Tactics.MachineInts.(transform norm_machine_int_term); - // Special treatment for case (3) - norm [primops; iota; zeta_full; delta_only [ - `%BitVec.Intrinsics.mm_movemask_epi8; - ]] - ) in - // Now we normalize away all the FunExt / mk_bv terms - norm [primops; iota; zeta_full; delta_namespace ["BitVec"; "FStar"]]; - // Ask the SMT to solve now - // dump' "Goal:"; - smt_sync (); - // dump' "Success"; - smt () - )) -) +assert (forall (i: nat {i < 8}). get_bit ($bits_packed >>! 8l <: i32) (sz i) == get_bit $bits_packed (sz (i + 8))) "# ); @@ -205,6 +178,7 @@ fn mm256_concat_pairs_n(n: u8, x: Vec256) -> Vec256 { ) )] #[inline(always)] +#[hax_lib::fstar::options("--ext context_pruning")] pub(crate) fn serialize_4(vector: Vec256) -> [u8; 8] { let mut serialized = [0u8; 16]; @@ -216,27 +190,7 @@ pub(crate) fn serialize_4(vector: Vec256) -> [u8; 8] { // as follows: // // 0x00_00_00_BA 0x00_00_00_DC | 0x00_00_00_FE 0x00_00_00_HG | ... - let adjacent_2_combined = mm256_madd_epi16( - vector, - mm256_set_epi16( - 1 << 4, - 1, - 1 << 4, - 1, - 1 << 4, - 1, - 1 << 4, - 1, - 1 << 4, - 1, - 1 << 4, - 1, - 1 << 4, - 1, - 1 << 4, - 1, - ), - ); + let adjacent_2_combined = mm256_concat_pairs_n(4, vector); // Recall that |adjacent_2_combined| goes as follows: // @@ -576,6 +530,7 @@ pub(crate) fn deserialize_5(bytes: &[u8]) -> Vec256 { } #[inline(always)] +#[hax_lib::fstar::options("--ext context_pruning")] #[hax_lib::requires(fstar!("forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0"))] #[hax_lib::ensures(|r| fstar!("forall (i: nat{i < 160}). bit_vec_of_int_t_array r 8 i == vector ((i/10) * 16 + i%10)"))] pub(crate) fn serialize_10(vector: Vec256) -> [u8; 20] { @@ -651,6 +606,7 @@ pub(crate) fn serialize_10(vector: Vec256) -> [u8; 20] { ); mm_storeu_bytes_si128(&mut serialized[10..26], upper_8); + hax_lib::fstar!("admit()"); serialized[0..20].try_into().unwrap() } From 99cef83208c2c336b209210c34b231bd37eba387 Mon Sep 17 00:00:00 2001 From: Lucas Franceschino Date: Wed, 25 Sep 2024 19:30:59 +0200 Subject: [PATCH 15/19] progress --- fstar-helpers/fstar-bitvec/BitVec.Utils.fst | 8 +++ .../Libcrux_ml_kem.Vector.Avx2.Serialize.fst | 37 +++++++++++--- .../Libcrux_ml_kem.Vector.Avx2.Serialize.fsti | 7 ++- libcrux-ml-kem/src/vector/avx2/serialize.rs | 49 ++++--------------- 4 files changed, 53 insertions(+), 48 deletions(-) diff --git a/fstar-helpers/fstar-bitvec/BitVec.Utils.fst b/fstar-helpers/fstar-bitvec/BitVec.Utils.fst index d5fc1de31..3d2d19c98 100644 --- a/fstar-helpers/fstar-bitvec/BitVec.Utils.fst +++ b/fstar-helpers/fstar-bitvec/BitVec.Utils.fst @@ -57,3 +57,11 @@ let forall256: forall_sig 256 = fun pred -> forall128 pred && forall128 (fun i - #pop-options let forall_n (n:nat{n <= 256}): forall_sig n = fun pred -> forall256 (fun i -> if i < n then pred i else true) + +let bit_vec_to_int_t_lemma + #t (d: num_bits t) (bv: bit_vec d) + i + : Lemma (get_bit (bit_vec_to_int_t d bv) (sz i) == bv i) + [SMTPat (get_bit (bit_vec_to_int_t d bv) (sz i))] + = bit_vec_to_int_t_lemma d bv i + diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst index f092e34e3..e887f5ffe 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst @@ -119,7 +119,7 @@ let serialize_1_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = #pop-options -#push-options "--ext context_pruning" +#push-options "--ext context_pruning --split_queries always --z3rlimit 300" let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in @@ -166,10 +166,6 @@ let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let upper_8_:Libcrux_intrinsics.Avx2_extract.t_Vec128 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_8_combined in - let _:Prims.unit = - assert_norm (BitVec.Utils.forall_n 80 (fun i -> lower_8_ i = vector ((i / 10) * 16 + i % 10)) && - BitVec.Utils.forall_n 80 (fun i -> upper_8_ i = vector (128 + (i / 10) * 16 + i % 10))) - in let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized ({ Core.Ops.Range.f_start = sz 10; Core.Ops.Range.f_end = sz 26 } @@ -187,7 +183,24 @@ let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: t_Slice u8) in - let _:Prims.unit = admit () in + assert (forall (i: nat{i < 80}). lower_8_ i == bit_vec_of_int_t_array serialized 8 i); + assert (forall (i: nat{i < 80}). upper_8_ i == bit_vec_of_int_t_array serialized 8 (80 + i)); + introduce forall (i: nat {i < 80}). lower_8_ i = vector ((i / 10) * 16 + i % 10) + with assert_norm (BitVec.Utils.forall_n 80 (fun i -> lower_8_ i = vector ((i / 10) * 16 + i % 10))); + introduce forall (i: nat {i < 160}). i >= 80 ==> upper_8_ (i - 80) = vector ((i / 10) * 16 + i % 10) + with + introduce forall (i: nat {i < 80}). upper_8_ i = vector (128 + (i / 10) * 16 + i % 10) + with assert_norm (BitVec.Utils.forall_n 80 (fun i -> upper_8_ i = vector (128 + (i / 10) * 16 + i % 10))); + assert (forall (i: nat{i < 160}). + bit_vec_of_int_t_array serialized 8 i == (if i < 80 then lower_8_ i else upper_8_ (i - 80)) + ); + // forall (i: nat{i < 160}). + // bit_vec_of_int_t_array r 8 i == vector ((i / 10) * 16 + i % 10) + assert (forall (i: nat{i < 160}). + bit_vec_of_int_t_array serialized 8 i == vector ((i / 10) * 16 + i % 10) + ); + admit () + admit (); Core.Result.impl__unwrap #(t_Array u8 (sz 20)) #Core.Array.t_TryFromSliceError (Core.Convert.f_try_into #(t_Slice u8) @@ -366,6 +379,8 @@ let serialize_5_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: Core.Result.t_Result (t_Array u8 (sz 10)) Core.Array.t_TryFromSliceError) +#push-options "--ext context_pruning --split_queries always" + let serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = @@ -388,10 +403,16 @@ let serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let combined:Libcrux_intrinsics.Avx2_extract.t_Vec128 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 combined in - assert_norm (BitVec.Utils.forall64 (fun i -> combined i = vector ((i / 4) * 16 + i % 4))); let serialized:t_Array u8 (sz 16) = Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 serialized combined in + let _:Prims.unit = + assert (forall (i: nat{i < 64}). combined i == bit_vec_of_int_t_array serialized 8 i); + introduce forall (i: nat{i < 64}) . combined i = vector ((i / 4) * 16 + i % 4) + with assert_norm (BitVec.Utils.forall64 (fun i -> combined i = vector ((i / 4) * 16 + i % 4))); + assert (forall (i: nat{i < 64}). + bit_vec_of_int_t_array serialized 8 i == vector ((i / 4) * 16 + i % 4)) + in Core.Result.impl__unwrap #(t_Array u8 (sz 8)) #Core.Array.t_TryFromSliceError (Core.Convert.f_try_into #(t_Slice u8) @@ -405,6 +426,8 @@ let serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: Core.Result.t_Result (t_Array u8 (sz 8)) Core.Array.t_TryFromSliceError) +#pop-options + [@@"opaque_to_smt"] let deserialize_10___deserialize_10_vec (lower_coefficients0 upper_coefficients0: Libcrux_intrinsics.Avx2_extract.t_Vec128) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fsti index 47d08661d..4fb38cf2f 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fsti @@ -135,8 +135,11 @@ val serialize_5_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) val serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure (t_Array u8 (sz 8)) - (requires BitVec.Intrinsics.forall_bool #256 (fun i -> i % 16 < 4 || vector i = 0)) - (fun _ -> Prims.l_True) + (requires forall (i: nat{i < 256}). i % 16 < 4 || vector i = 0) + (ensures + fun r -> + let r:t_Array u8 (sz 8) = r in + forall (i: nat{i < 64}). bit_vec_of_int_t_array r 8 i == vector ((i / 4) * 16 + i % 4)) include BitVec.Intrinsics {mm256_si256_from_two_si128 as mm256_si256_from_two_si128} diff --git a/libcrux-ml-kem/src/vector/avx2/serialize.rs b/libcrux-ml-kem/src/vector/avx2/serialize.rs index 0207be3fc..6cb724263 100644 --- a/libcrux-ml-kem/src/vector/avx2/serialize.rs +++ b/libcrux-ml-kem/src/vector/avx2/serialize.rs @@ -172,13 +172,14 @@ fn mm256_concat_pairs_n(n: u8, x: Vec256) -> Vec256 { ) } +#[hax_lib::fstar::options("--ext context_pruning --split_queries always")] #[hax_lib::requires( fstar!( - r#"BitVec.Intrinsics.forall_bool #256 (fun i -> i % 16 < 4 || vector i = 0)"# + r#"forall (i: nat{i < 256}). i % 16 < 4 || $vector i = 0"# ) )] +#[hax_lib::ensures(|r| fstar!("forall (i: nat{i < 64}). bit_vec_of_int_t_array $r 8 i == $vector ((i/4) * 16 + i%4)"))] #[inline(always)] -#[hax_lib::fstar::options("--ext context_pruning")] pub(crate) fn serialize_4(vector: Vec256) -> [u8; 8] { let mut serialized = [0u8; 16]; @@ -215,48 +216,18 @@ pub(crate) fn serialize_4(vector: Vec256) -> [u8; 8] { mm256_permutevar8x32_epi32(adjacent_8_combined, mm256_set_epi32(0, 0, 0, 0, 0, 0, 4, 0)); let combined = mm256_castsi256_si128(combined); + // ... so that we can read them out in one go. + mm_storeu_bytes_si128(&mut serialized, combined); + hax_lib::fstar!( r#" -assert (forall (i: nat {i < 64}). - ${combined} i == ${vector} ((i / 4) * 16 + i % 4) -) by ( - let open FStar.Tactics in - let open Tactics.Utils in - // unfold wrappers - norm [primops; iota; zeta; delta_namespace [ - `%BitVec.Intrinsics.mm256_shuffle_epi8; - `%BitVec.Intrinsics.mm256_permutevar8x32_epi32; - `%BitVec.Intrinsics.mm256_madd_epi16; - `%BitVec.Intrinsics.mm256_castsi256_si128; - "BitVec.Utils"; - ]]; - prove_forall_nat_pointwise (print_time "SMT query succeeded in " (fun _ -> - let reduce t = - norm [primops; iota; zeta_full; delta_namespace [ - "FStar.FunctionalExtensionality"; - t; - `%BitVec.Utils.mk_bv; - `%( + ); `%op_Subtraction; `%( / ); `%( * ); `%( % ) - ]]; - norm [primops; iota; zeta_full; delta_namespace [ - "FStar.List.Tot"; `%( + ); `%op_Subtraction; `%( / ); `%( * ); `%( % ) - ]] - in - reduce (`%BitVec.Intrinsics.mm256_permutevar8x32_epi32_i32); - reduce (`%BitVec.Intrinsics.mm256_shuffle_epi8_i8); - reduce (`%BitVec.Intrinsics.mm256_madd_epi16_specialized); - grewrite (quote (BitVec.Intrinsics.forall_bool #256 (fun i -> i % 16 < 4 || op_Equality #int (${vector} i) 0))) (`true); - flip (); smt (); - reduce (`%BitVec.Intrinsics.mm256_madd_epi16_specialized'); - trivial () - )) -) +assert (forall (i: nat{i < 64}). $combined i == bit_vec_of_int_t_array serialized 8 i); + introduce forall (i: nat {i < 64}). $combined i = vector ((i / 4) * 16 + i % 4) + with assert_norm (BitVec.Utils.forall64 (fun i -> $combined i = $vector ((i / 4) * 16 + i % 4))); + assert (forall (i: nat{i < 64}). bit_vec_of_int_t_array serialized 8 i == $vector ((i / 4) * 16 + i % 4)) "# ); - // ... so that we can read them out in one go. - mm_storeu_bytes_si128(&mut serialized, combined); - serialized[0..8].try_into().unwrap() } From c52ef6e0b82110820d1b0a0ba0c976c55d9dc5b8 Mon Sep 17 00:00:00 2001 From: Lucas Franceschino Date: Thu, 26 Sep 2024 15:05:22 +0200 Subject: [PATCH 16/19] progress --- ...rux_ml_kem.Ind_cca.Instantiations.Avx2.fst | 2 + ...ux_ml_kem.Ind_cca.Instantiations.Avx2.fsti | 2 + ...rux_ml_kem.Ind_cca.Instantiations.Neon.fst | 2 + ...ux_ml_kem.Ind_cca.Instantiations.Neon.fsti | 2 + ...ml_kem.Ind_cca.Instantiations.Portable.fst | 2 + ...l_kem.Ind_cca.Instantiations.Portable.fsti | 2 + .../Libcrux_ml_kem.Vector.Avx2.Serialize.fst | 66 +++++--- .../Libcrux_ml_kem.Vector.Avx2.Serialize.fsti | 18 ++- .../Libcrux_ml_kem.Vector.Avx2.fsti | 21 +-- .../Libcrux_ml_kem.Vector.Neon.Serialize.fst | 1 + .../Libcrux_ml_kem.Vector.Neon.Serialize.fsti | 1 + .../proofs/fstar/extraction/Makefile | 1 - libcrux-ml-kem/src/vector/avx2.rs | 21 +-- libcrux-ml-kem/src/vector/avx2/arithmetic.rs | 73 +++++---- libcrux-ml-kem/src/vector/avx2/serialize.rs | 146 ++++++++++-------- 15 files changed, 221 insertions(+), 139 deletions(-) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst index fef0d96bb..d20d346d7 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst @@ -6,9 +6,11 @@ open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Avx2 in let open Libcrux_ml_kem.Ind_cca in let open Libcrux_ml_kem.Vector.Avx2 in + let open Libcrux_ml_kem.Vector.Traits in () let decapsulate diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti index 60d996386..a56b7409d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti @@ -6,9 +6,11 @@ open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Avx2 in let open Libcrux_ml_kem.Ind_cca in let open Libcrux_ml_kem.Vector.Avx2 in + let open Libcrux_ml_kem.Vector.Traits in () /// Portable decapsulate diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst index 1b25322d3..2434aff97 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst @@ -6,9 +6,11 @@ open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Neon in let open Libcrux_ml_kem.Ind_cca in let open Libcrux_ml_kem.Vector.Neon in + let open Libcrux_ml_kem.Vector.Traits in () let decapsulate diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti index 72a311393..ebed5369f 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti @@ -6,9 +6,11 @@ open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Neon in let open Libcrux_ml_kem.Ind_cca in let open Libcrux_ml_kem.Vector.Neon in + let open Libcrux_ml_kem.Vector.Traits in () /// Portable decapsulate diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst index bea8567f3..7e5da18eb 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst @@ -6,9 +6,11 @@ open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Portable in let open Libcrux_ml_kem.Ind_cca in let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Traits in () let decapsulate diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti index 6ba23785d..7dde62899 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti @@ -6,9 +6,11 @@ open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Portable in let open Libcrux_ml_kem.Ind_cca in let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Traits in () /// Portable decapsulate diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst index e887f5ffe..51a1a9da7 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst @@ -7,9 +7,11 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Traits in () [@@"opaque_to_smt"] + let deserialize_1___deserialize_1_i16s (a b: i16) = let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 b b b b b b b b a a a a a a a a @@ -26,6 +28,7 @@ let deserialize_1___deserialize_1_i16s (a b: i16) = Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 15l coefficients_in_msb [@@"opaque_to_smt"] + let deserialize_1___deserialize_1_u8s (a b: u8) = deserialize_1___deserialize_1_i16s (cast (a <: u8) <: i16) (cast (b <: u8) <: i16) @@ -35,6 +38,7 @@ let deserialize_1_ (bytes: t_Slice u8) = deserialize_1___deserialize_1_u8s (bytes.[ sz 0 ] <: u8) (bytes.[ sz 1 ] <: u8) [@@"opaque_to_smt"] + let deserialize_4___deserialize_4_i16s (b0 b1 b2 b3 b4 b5 b6 b7: i16) = let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 b7 b7 b6 b6 b5 b5 b4 b4 b3 b3 b2 b2 b1 b1 b0 b0 @@ -58,6 +62,7 @@ let deserialize_4___deserialize_4_i16s (b0 b1 b2 b3 b4 b5 b6 b7: i16) = Libcrux_intrinsics.Avx2_extract.t_Vec256) [@@"opaque_to_smt"] + let deserialize_4___deserialize_4_u8s (b0 b1 b2 b3 b4 b5 b6 b7: u8) = deserialize_4___deserialize_4_i16s (cast (b0 <: u8) <: i16) (cast (b1 <: u8) <: i16) @@ -119,10 +124,9 @@ let serialize_1_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = #pop-options -#push-options "--ext context_pruning --split_queries always --z3rlimit 300" +#push-options "--ext context_pruning --split_queries always" -let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in +let serialize_10___serialize_10_vec (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = mm256_concat_pairs_n 10uy vector in @@ -146,6 +150,31 @@ let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let lower_8_:Libcrux_intrinsics.Avx2_extract.t_Vec128 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_8_combined in + let upper_8_:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_8_combined + in + let _:Prims.unit = + introduce forall (i: nat{i < 80}) . lower_8_ i = vector ((i / 10) * 16 + i % 10) + with assert_norm (BitVec.Utils.forall_n 80 + (fun i -> lower_8_ i = vector ((i / 10) * 16 + i % 10))); + introduce forall (i: nat{i < 80}) . upper_8_ i = vector (128 + (i / 10) * 16 + i % 10) + with assert_norm (BitVec.Utils.forall_n 80 + (fun i -> upper_8_ i = vector (128 + (i / 10) * 16 + i % 10))) + in + lower_8_, upper_8_ + <: + (Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128) + +#pop-options + +#push-options "--ext context_pruning --split_queries always" + +let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let lower_8_, upper_8_:(Libcrux_intrinsics.Avx2_extract.t_Vec128 & + Libcrux_intrinsics.Avx2_extract.t_Vec128) = + serialize_10___serialize_10_vec vector + in + let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } @@ -163,9 +192,6 @@ let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: t_Slice u8) in - let upper_8_:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_8_combined - in let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized ({ Core.Ops.Range.f_start = sz 10; Core.Ops.Range.f_end = sz 26 } @@ -183,24 +209,6 @@ let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: t_Slice u8) in - assert (forall (i: nat{i < 80}). lower_8_ i == bit_vec_of_int_t_array serialized 8 i); - assert (forall (i: nat{i < 80}). upper_8_ i == bit_vec_of_int_t_array serialized 8 (80 + i)); - introduce forall (i: nat {i < 80}). lower_8_ i = vector ((i / 10) * 16 + i % 10) - with assert_norm (BitVec.Utils.forall_n 80 (fun i -> lower_8_ i = vector ((i / 10) * 16 + i % 10))); - introduce forall (i: nat {i < 160}). i >= 80 ==> upper_8_ (i - 80) = vector ((i / 10) * 16 + i % 10) - with - introduce forall (i: nat {i < 80}). upper_8_ i = vector (128 + (i / 10) * 16 + i % 10) - with assert_norm (BitVec.Utils.forall_n 80 (fun i -> upper_8_ i = vector (128 + (i / 10) * 16 + i % 10))); - assert (forall (i: nat{i < 160}). - bit_vec_of_int_t_array serialized 8 i == (if i < 80 then lower_8_ i else upper_8_ (i - 80)) - ); - // forall (i: nat{i < 160}). - // bit_vec_of_int_t_array r 8 i == vector ((i / 10) * 16 + i % 10) - assert (forall (i: nat{i < 160}). - bit_vec_of_int_t_array serialized 8 i == vector ((i / 10) * 16 + i % 10) - ); - admit () - admit (); Core.Result.impl__unwrap #(t_Array u8 (sz 20)) #Core.Array.t_TryFromSliceError (Core.Convert.f_try_into #(t_Slice u8) @@ -429,6 +437,7 @@ let serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = #pop-options [@@"opaque_to_smt"] + let deserialize_10___deserialize_10_vec (lower_coefficients0 upper_coefficients0: Libcrux_intrinsics.Avx2_extract.t_Vec128) = @@ -499,6 +508,7 @@ let deserialize_10_ (bytes: t_Slice u8) = Libcrux_intrinsics.Avx2_extract.t_Vec128) [@@"opaque_to_smt"] + let deserialize_12___deserialize_12_vec (lower_coefficients0 upper_coefficients0: Libcrux_intrinsics.Avx2_extract.t_Vec128) = @@ -602,6 +612,8 @@ let deserialize_5_ (bytes: t_Slice u8) = in Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 11l coefficients +#push-options "--admit_smt_queries true" + let deserialize_11_ (bytes: t_Slice u8) = let output:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Libcrux_ml_kem.Vector.Traits.f_deserialize_11_ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector @@ -615,6 +627,10 @@ let deserialize_11_ (bytes: t_Slice u8) = in Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i16 (array <: t_Slice i16) +#pop-options + +#push-options "--admit_smt_queries true" + let serialize_11_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let array:t_Array i16 (sz 16) = Rust_primitives.Hax.repeat 0s (sz 16) in let array:t_Array i16 (sz 16) = @@ -628,3 +644,5 @@ let serialize_11_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = Libcrux_ml_kem.Vector.Traits.f_serialize_11_ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector #FStar.Tactics.Typeclasses.solve input + +#pop-options diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fsti index 4fb38cf2f..c71e3d37b 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fsti @@ -7,6 +7,7 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Traits in () val deserialize_1___deserialize_1_i16s (a b: i16) @@ -119,6 +120,19 @@ val serialize_1_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) let result:t_Array u8 (sz 2) = result in forall i. bit_vec_of_int_t_array result 8 i == vector (i * 16)) +val serialize_10___serialize_10_vec (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure + (Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128) + (requires forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0) + (ensures + fun temp_0_ -> + let lower_8_, upper_8_:(Libcrux_intrinsics.Avx2_extract.t_Vec128 & + Libcrux_intrinsics.Avx2_extract.t_Vec128) = + temp_0_ + in + forall (i: nat{i < 160}). + vector ((i / 10) * 16 + i % 10) == (if i < 80 then lower_8_ i else upper_8_ (i - 80))) + val serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure (t_Array u8 (sz 20)) (requires forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0) @@ -202,7 +216,9 @@ val deserialize_12_ (bytes: t_Slice u8) bit_vec_of_int_t_array (bytes <: t_Array _ (sz 24)) 8 j)) val deserialize_5_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 + (requires Seq.length bytes == 10) + (fun _ -> Prims.l_True) val deserialize_11_ (bytes: t_Slice u8) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti index 9c2b8909f..0596f5482 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti @@ -10,7 +10,6 @@ let _ = () noeq - type t_SIMD256Vector = { f_elements:Libcrux_intrinsics.Avx2_extract.t_Vec256 } let repr (x:t_SIMD256Vector) : t_Array i16 (sz 16) = Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 x.f_elements @@ -173,6 +172,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_cond_subtract_3329_ = (fun (vector: t_SIMD256Vector) -> + let _:Prims.unit = admit () in { f_elements = Libcrux_ml_kem.Vector.Avx2.Arithmetic.cond_subtract_3329_ vector.f_elements } <: t_SIMD256Vector); @@ -273,6 +273,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_ntt_layer_1_step = (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (zeta2: i16) (zeta3: i16) -> + let _:Prims.unit = admit () in { f_elements = @@ -292,6 +293,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_ntt_layer_2_step = (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) -> + let _:Prims.unit = admit () in { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_2_step vector.f_elements zeta0 zeta1 } @@ -309,6 +311,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_ntt_layer_3_step = (fun (vector: t_SIMD256Vector) (zeta: i16) -> + let _:Prims.unit = admit () in { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_3_step vector.f_elements zeta } <: t_SIMD256Vector); @@ -332,6 +335,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_inv_ntt_layer_1_step = (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (zeta2: i16) (zeta3: i16) -> + let _:Prims.unit = admit () in { f_elements = @@ -355,6 +359,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_inv_ntt_layer_2_step = (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) -> + let _:Prims.unit = admit () in { f_elements = @@ -373,6 +378,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_inv_ntt_layer_3_step = (fun (vector: t_SIMD256Vector) (zeta: i16) -> + let _:Prims.unit = admit () in { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.inv_ntt_layer_3_step vector.f_elements zeta } <: t_SIMD256Vector); @@ -412,6 +418,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = (zeta2: i16) (zeta3: i16) -> + let _:Prims.unit = admit () in { f_elements = @@ -435,7 +442,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_serialize_1_ = (fun (vector: t_SIMD256Vector) -> - let _:Prims.unit = admit () in + admit (); Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_1_ vector.f_elements); f_deserialize_1_pre = @@ -447,7 +454,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_deserialize_1_ = (fun (bytes: t_Slice u8) -> - let _:Prims.unit = admit () in + admit (); { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_1_ bytes } <: t_SIMD256Vector); @@ -462,7 +469,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_serialize_4_ = (fun (vector: t_SIMD256Vector) -> - let _:Prims.unit = admit () in Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_4_ vector.f_elements); f_deserialize_4_pre = @@ -474,7 +480,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_deserialize_4_ = (fun (bytes: t_Slice u8) -> - let _:Prims.unit = admit () in { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_4_ bytes } <: t_SIMD256Vector); @@ -483,6 +488,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_serialize_5_ = (fun (vector: t_SIMD256Vector) -> + let _:Prims.unit = admit () in Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_5_ vector.f_elements); f_deserialize_5_pre = @@ -491,6 +497,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_deserialize_5_ = (fun (bytes: t_Slice u8) -> + let _:Prims.unit = admit () in { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_5_ bytes } <: t_SIMD256Vector); @@ -505,7 +512,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_serialize_10_ = (fun (vector: t_SIMD256Vector) -> - let _:Prims.unit = admit () in Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_10_ vector.f_elements); f_deserialize_10_pre = @@ -517,7 +523,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_deserialize_10_ = (fun (bytes: t_Slice u8) -> - let _:Prims.unit = admit () in { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_10_ bytes } <: t_SIMD256Vector); @@ -548,7 +553,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_serialize_12_ = (fun (vector: t_SIMD256Vector) -> - let _:Prims.unit = admit () in Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_12_ vector.f_elements); f_deserialize_12_pre = @@ -560,7 +564,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_deserialize_12_ = (fun (bytes: t_Slice u8) -> - let _:Prims.unit = admit () in { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_12_ bytes } <: t_SIMD256Vector); diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst index 27e5827cd..5fddc0daa 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst @@ -7,6 +7,7 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Traits in () let deserialize_1_ (a: t_Slice u8) = diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fsti index 5e9cf2737..0edca8f25 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fsti @@ -7,6 +7,7 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Traits in () val deserialize_1_ (a: t_Slice u8) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Makefile b/libcrux-ml-kem/proofs/fstar/extraction/Makefile index 28ef09d36..463318ece 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Makefile +++ b/libcrux-ml-kem/proofs/fstar/extraction/Makefile @@ -1,5 +1,4 @@ SLOW_MODULES += Libcrux_ml_kem.Vector.Portable.Serialize.fst -SLOW_MODULES += Libcrux_ml_kem.Vector.Avx2.Serialize.fst ADMIT_MODULES = Libcrux_ml_kem.Ind_cca.Unpacked.fst \ Libcrux_ml_kem.Invert_ntt.fst \ diff --git a/libcrux-ml-kem/src/vector/avx2.rs b/libcrux-ml-kem/src/vector/avx2.rs index 2649ab808..9482fdaff 100644 --- a/libcrux-ml-kem/src/vector/avx2.rs +++ b/libcrux-ml-kem/src/vector/avx2.rs @@ -8,7 +8,7 @@ mod sampling; mod serialize; #[derive(Clone, Copy)] -#[hax_lib::fstar::before(interface,"noeq")] +#[hax_lib::fstar::before(interface, "noeq")] #[hax_lib::fstar::after(interface,"let repr (x:t_SIMD256Vector) : t_Array i16 (sz 16) = Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 x.f_elements")] pub struct SIMD256Vector { elements: Vec256, @@ -23,7 +23,6 @@ fn vec_zero() -> SIMD256Vector { } } - #[inline(always)] #[hax_lib::fstar::verification_status(panic_free)] #[hax_lib::ensures(|result| fstar!("${result} == repr ${v}"))] @@ -120,6 +119,7 @@ impl Operations for SIMD256Vector { #[requires(fstar!("Spec.Utils.is_i16b_array (pow2 12 - 1) (impl.f_repr $vector)"))] #[ensures(|out| fstar!("impl.f_repr out == Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (impl.f_repr $vector)"))] fn cond_subtract_3329(vector: Self) -> Self { + hax_lib::fstar!("admit()"); Self { elements: arithmetic::cond_subtract_3329(vector.elements), } @@ -170,6 +170,7 @@ impl Operations for SIMD256Vector { Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr ${vector})"))] #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+6*3328) (impl.f_repr $out)"))] fn ntt_layer_1_step(vector: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self { + hax_lib::fstar!("admit()"); Self { elements: ntt::ntt_layer_1_step(vector.elements, zeta0, zeta1, zeta2, zeta3), } @@ -179,6 +180,7 @@ impl Operations for SIMD256Vector { Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr ${vector})"))] #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr $out)"))] fn ntt_layer_2_step(vector: Self, zeta0: i16, zeta1: i16) -> Self { + hax_lib::fstar!("admit()"); Self { elements: ntt::ntt_layer_2_step(vector.elements, zeta0, zeta1), } @@ -188,6 +190,7 @@ impl Operations for SIMD256Vector { Spec.Utils.is_i16b_array (11207+3*3328) (impl.f_repr ${vector})"))] #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr $out)"))] fn ntt_layer_3_step(vector: Self, zeta: i16) -> Self { + hax_lib::fstar!("admit()"); Self { elements: ntt::ntt_layer_3_step(vector.elements, zeta), } @@ -198,6 +201,7 @@ impl Operations for SIMD256Vector { Spec.Utils.is_i16b_array (4*3328) (impl.f_repr ${vector})"))] #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))] fn inv_ntt_layer_1_step(vector: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self { + hax_lib::fstar!("admit()"); Self { elements: ntt::inv_ntt_layer_1_step(vector.elements, zeta0, zeta1, zeta2, zeta3), } @@ -207,6 +211,7 @@ impl Operations for SIMD256Vector { Spec.Utils.is_i16b_array 3328 (impl.f_repr ${vector})"))] #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))] fn inv_ntt_layer_2_step(vector: Self, zeta0: i16, zeta1: i16) -> Self { + hax_lib::fstar!("admit()"); Self { elements: ntt::inv_ntt_layer_2_step(vector.elements, zeta0, zeta1), } @@ -216,6 +221,7 @@ impl Operations for SIMD256Vector { Spec.Utils.is_i16b_array 3328 (impl.f_repr ${vector})"))] #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))] fn inv_ntt_layer_3_step(vector: Self, zeta: i16) -> Self { + hax_lib::fstar!("admit()"); Self { elements: ntt::inv_ntt_layer_3_step(vector.elements, zeta), } @@ -234,6 +240,7 @@ impl Operations for SIMD256Vector { zeta2: i16, zeta3: i16, ) -> Self { + hax_lib::fstar!("admit()"); Self { elements: ntt::ntt_multiply(lhs.elements, rhs.elements, zeta0, zeta1, zeta2, zeta3), } @@ -243,7 +250,6 @@ impl Operations for SIMD256Vector { // Output name has be `out` https://github.com/hacspec/hax/issues/832 #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 1 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 1 (impl.f_repr $vector) $out"))] fn serialize_1(vector: Self) -> [u8; 2] { - hax_lib::fstar!("admit()"); serialize::serialize_1(vector.elements) } @@ -251,7 +257,6 @@ impl Operations for SIMD256Vector { // Output name has be `out` https://github.com/hacspec/hax/issues/832 #[ensures(|out| fstar!("sz (Seq.length $bytes) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $bytes (impl.f_repr $out)"))] fn deserialize_1(bytes: &[u8]) -> Self { - hax_lib::fstar!("admit()"); Self { elements: serialize::deserialize_1(bytes), } @@ -261,7 +266,6 @@ impl Operations for SIMD256Vector { // Output name has be `out` https://github.com/hacspec/hax/issues/832 #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 4 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 4 (impl.f_repr $vector) $out"))] fn serialize_4(vector: Self) -> [u8; 8] { - hax_lib::fstar!("admit()"); serialize::serialize_4(vector.elements) } @@ -269,18 +273,19 @@ impl Operations for SIMD256Vector { // Output name has be `out` https://github.com/hacspec/hax/issues/832 #[ensures(|out| fstar!("sz (Seq.length $bytes) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $bytes (impl.f_repr $out)"))] fn deserialize_4(bytes: &[u8]) -> Self { - hax_lib::fstar!("admit()"); Self { elements: serialize::deserialize_4(bytes), } } fn serialize_5(vector: Self) -> [u8; 10] { + hax_lib::fstar!("admit()"); serialize::serialize_5(vector.elements) } #[requires(bytes.len() == 10)] fn deserialize_5(bytes: &[u8]) -> Self { + hax_lib::fstar!("admit()"); Self { elements: serialize::deserialize_5(bytes), } @@ -290,7 +295,6 @@ impl Operations for SIMD256Vector { // Output name has be `out` https://github.com/hacspec/hax/issues/832 #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 10 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 10 (impl.f_repr $vector) $out"))] fn serialize_10(vector: Self) -> [u8; 20] { - hax_lib::fstar!("admit()"); serialize::serialize_10(vector.elements) } @@ -298,7 +302,6 @@ impl Operations for SIMD256Vector { // Output name has be `out` https://github.com/hacspec/hax/issues/832 #[ensures(|out| fstar!("sz (Seq.length $bytes) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 $bytes (impl.f_repr $out)"))] fn deserialize_10(bytes: &[u8]) -> Self { - hax_lib::fstar!("admit()"); Self { elements: serialize::deserialize_10(bytes), } @@ -319,7 +322,6 @@ impl Operations for SIMD256Vector { // Output name has be `out` https://github.com/hacspec/hax/issues/832 #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 12 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 12 (impl.f_repr $vector) $out"))] fn serialize_12(vector: Self) -> [u8; 24] { - hax_lib::fstar!("admit()"); serialize::serialize_12(vector.elements) } @@ -327,7 +329,6 @@ impl Operations for SIMD256Vector { // Output name has be `out` https://github.com/hacspec/hax/issues/832 #[ensures(|out| fstar!("sz (Seq.length $bytes) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $bytes (impl.f_repr $out)"))] fn deserialize_12(bytes: &[u8]) -> Self { - hax_lib::fstar!("admit()"); Self { elements: serialize::deserialize_12(bytes), } diff --git a/libcrux-ml-kem/src/vector/avx2/arithmetic.rs b/libcrux-ml-kem/src/vector/avx2/arithmetic.rs index 3dd5be929..11749144a 100644 --- a/libcrux-ml-kem/src/vector/avx2/arithmetic.rs +++ b/libcrux-ml-kem/src/vector/avx2/arithmetic.rs @@ -3,13 +3,15 @@ use crate::vector::{traits::INVERSE_OF_MODULUS_MOD_MONTGOMERY_R, FIELD_MODULUS}; use super::*; #[inline(always)] -#[hax_lib::fstar::before(interface,"open Libcrux_intrinsics.Avx2_extract")] -#[hax_lib::fstar::before(" +#[hax_lib::fstar::before(interface, "open Libcrux_intrinsics.Avx2_extract")] +#[hax_lib::fstar::before( + " let lemma_add_i (lhs rhs: t_Vec256) (i:nat): Lemma (requires (i < 16 /\\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) + v (get_lane rhs i)))) (ensures (v (add_mod (get_lane lhs i) (get_lane rhs i)) == (v (get_lane lhs i) + v (get_lane rhs i)))) - [SMTPat (v (add_mod (get_lane lhs i) (get_lane rhs i)))] = ()")] + [SMTPat (v (add_mod (get_lane lhs i) (get_lane rhs i)))] = ()" +)] #[hax_lib::requires(fstar!("forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane $lhs i) + v (get_lane $rhs i))"))] #[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> @@ -22,12 +24,14 @@ pub(crate) fn add(lhs: Vec256, rhs: Vec256) -> Vec256 { } #[inline(always)] -#[hax_lib::fstar::before(" +#[hax_lib::fstar::before( + " let lemma_sub_i (lhs rhs: t_Vec256) (i:nat): Lemma (requires (i < 16 /\\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) - v (get_lane rhs i)))) (ensures (v (sub_mod (get_lane lhs i) (get_lane rhs i)) == (v (get_lane lhs i) - v (get_lane rhs i)))) - [SMTPat (v (sub_mod (get_lane lhs i) (get_lane rhs i)))] = ()")] + [SMTPat (v (sub_mod (get_lane lhs i) (get_lane rhs i)))] = ()" +)] #[hax_lib::requires(fstar!("forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane $lhs i) - v (get_lane $rhs i))"))] #[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> @@ -40,12 +44,14 @@ pub(crate) fn sub(lhs: Vec256, rhs: Vec256) -> Vec256 { } #[inline(always)] -#[hax_lib::fstar::before(" +#[hax_lib::fstar::before( + " let lemma_mul_i (lhs: t_Vec256) (i:nat) (c:i16): Lemma (requires (i < 16 /\\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) * v c))) (ensures (v (mul_mod (get_lane lhs i) c) == (v (get_lane lhs i) * v c))) - [SMTPat (v (mul_mod (get_lane lhs i) c))] = ()")] + [SMTPat (v (mul_mod (get_lane lhs i) c))] = ()" +)] #[hax_lib::requires(fstar!("forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane $vector i) * v constant)"))] #[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> @@ -55,7 +61,7 @@ pub(crate) fn multiply_by_constant(vector: Vec256, constant: i16) -> Vec256 { let result = mm256_mullo_epi16(vector, cv); hax_lib::fstar!("Seq.lemma_eq_intro (vec256_as_i16x16 ${result}) (Spec.Utils.map_array (fun x -> x *. $constant) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector))"); - + hax_lib::fstar!("assert (forall i. get_lane result i == get_lane vector i *. constant); assert (forall i. v (get_lane vector i *. constant) == v (get_lane vector i) * v constant); assert (forall i. v (get_lane result i) == v (get_lane vector i) * v constant)"); @@ -77,12 +83,14 @@ pub(crate) fn bitwise_and_with_constant(vector: Vec256, constant: i16) -> Vec256 #[hax_lib::requires(SHIFT_BY >= 0 && SHIFT_BY < 16)] #[hax_lib::ensures(|result| fstar!("(v_SHIFT_BY >=. 0l /\\ v_SHIFT_BY <. 16l) ==> Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result == - Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector)"))] + Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector)"))] pub(crate) fn shift_right(vector: Vec256) -> Vec256 { let result = mm256_srai_epi16::<{ SHIFT_BY }>(vector); - hax_lib::fstar!("Seq.lemma_eq_intro (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) + hax_lib::fstar!( + "Seq.lemma_eq_intro (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) (Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector))"); + (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector))" + ); result } @@ -96,17 +104,21 @@ pub(crate) fn shift_right(vector: Vec256) -> Vec256 { #[hax_lib::requires(fstar!("Spec.Utils.is_i16b_array (pow2 12 - 1) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector)"))] #[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> get_lane $result i == - (if (get_lane $vector i) >=. 3329s then get_lane $vector i -! 3329s else get_lane $vector i)"))] + (if (get_lane $vector i) >=. 3329s then get_lane $vector i -! 3329s else get_lane $vector i)"))] pub(crate) fn cond_subtract_3329(vector: Vec256) -> Vec256 { let field_modulus = mm256_set1_epi16(FIELD_MODULUS); hax_lib::fstar!("assert (forall i. get_lane $field_modulus i == 3329s)"); // Compute v_i - Q and crate a mask from the sign bit of each of these // quantities. let v_minus_field_modulus = mm256_sub_epi16(vector, field_modulus); - hax_lib::fstar!("assert (forall i. get_lane $v_minus_field_modulus i == get_lane $vector i -. 3329s)"); + hax_lib::fstar!( + "assert (forall i. get_lane $v_minus_field_modulus i == get_lane $vector i -. 3329s)" + ); let sign_mask = mm256_srai_epi16::<15>(v_minus_field_modulus); - hax_lib::fstar!("assert (forall i. get_lane $sign_mask i == (get_lane $v_minus_field_modulus i >>! 15l))"); + hax_lib::fstar!( + "assert (forall i. get_lane $sign_mask i == (get_lane $v_minus_field_modulus i >>! 15l))" + ); // If v_i - Q < 0 then add back Q to (v_i - Q). let conditional_add_field_modulus = mm256_and_si256(sign_mask, field_modulus); @@ -136,10 +148,14 @@ pub(crate) fn barrett_reduce(vector: Vec256) -> Vec256 { let t1 = mm256_add_epi16(t0, mm256_set1_epi16(512)); hax_lib::fstar!("assert (forall i. get_lane $t1 i == get_lane $t0 i +. 512s)"); let quotient = mm256_srai_epi16::<10>(t1); - hax_lib::fstar!("assert (forall i. get_lane $quotient i == (((get_lane $t1 i) <: i16) >>! (10l <: i32)))"); + hax_lib::fstar!( + "assert (forall i. get_lane $quotient i == (((get_lane $t1 i) <: i16) >>! (10l <: i32)))" + ); let quotient_times_field_modulus = mm256_mullo_epi16(quotient, mm256_set1_epi16(FIELD_MODULUS)); - hax_lib::fstar!("assert (forall i. get_lane $quotient_times_field_modulus i == - get_lane $quotient i *. Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS)"); + hax_lib::fstar!( + "assert (forall i. get_lane $quotient_times_field_modulus i == + get_lane $quotient i *. Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS)" + ); let result = mm256_sub_epi16(vector, quotient_times_field_modulus); hax_lib::fstar!("assert (forall i. get_lane $result i == get_lane $vector i -. get_lane $quotient_times_field_modulus i); @@ -203,14 +219,16 @@ pub(crate) fn montgomery_multiply_by_constant(vector: Vec256, constant: i16) -> ((v (get_lane $vec i) * v (get_lane $constants i) * 169) % 3329))")))] pub(crate) fn montgomery_multiply_by_constants(vec: Vec256, constants: Vec256) -> Vec256 { let value_low = mm256_mullo_epi16(vec, constants); - hax_lib::fstar!("assert (forall i. get_lane $value_low i == get_lane $vec i *. get_lane $constants i)"); - + hax_lib::fstar!( + "assert (forall i. get_lane $value_low i == get_lane $vec i *. get_lane $constants i)" + ); + let k = mm256_mullo_epi16( value_low, mm256_set1_epi16(INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i16), ); hax_lib::fstar!("assert (forall i. get_lane $k i == get_lane $value_low i *. (neg 3327s))"); - + let modulus = mm256_set1_epi16(FIELD_MODULUS); hax_lib::fstar!("assert (forall i. get_lane $modulus i == 3329s)"); @@ -222,7 +240,6 @@ pub(crate) fn montgomery_multiply_by_constants(vec: Vec256, constants: Vec256) - assert (forall i. get_lane $k_times_modulus i == (cast (((cast (get_lane $k i) <: i32) *. (cast (get_lane $modulus i) <: i32)) >>! 16l) <: i16))"); - let value_high = mm256_mulhi_epi16(vec, constants); hax_lib::fstar!("assert (forall i. get_lane $value_high i == (cast (((cast (get_lane $vec i) <: i32) *. (cast (get_lane $constants i) <: i32)) >>! 16l) <: i16))"); @@ -237,7 +254,7 @@ pub(crate) fn montgomery_multiply_by_constants(vec: Vec256, constants: Vec256) - assert (forall i. Spec.Utils.is_i16b 3328 (get_lane $result i)); assert (forall (i:nat). i < 16 ==> Spec.Utils.is_i16b 3328 (get_lane $result i)); assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result)); - assert (forall i. v (get_lane $result i) % 3329 == ((v (get_lane $vec i) * v (get_lane $constants i) * 169) % 3329))"); + assert (forall i. v (get_lane $result i) % 3329 == ((v (get_lane $vec i) * v (get_lane $constants i) * 169) % 3329))"); result } @@ -274,14 +291,15 @@ pub(crate) fn montgomery_reduce_i32s(vec: Vec256) -> Vec256 { pub(crate) fn montgomery_multiply_m128i_by_constants(vec: Vec128, constants: Vec128) -> Vec128 { let value_low = mm_mullo_epi16(vec, constants); hax_lib::fstar!("assert (forall i. get_lane128 $value_low i == get_lane128 $vec i *. get_lane128 $constants i)"); - let k = mm_mullo_epi16( value_low, mm_set1_epi16(INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i16), ); - hax_lib::fstar!("assert (forall i. get_lane128 $k i == get_lane128 $value_low i *. (neg 3327s))"); - + hax_lib::fstar!( + "assert (forall i. get_lane128 $k i == get_lane128 $value_low i *. (neg 3327s))" + ); + let modulus = mm_set1_epi16(FIELD_MODULUS); hax_lib::fstar!("assert (forall i. get_lane128 $modulus i == 3329s)"); @@ -293,7 +311,6 @@ pub(crate) fn montgomery_multiply_m128i_by_constants(vec: Vec128, constants: Vec assert (forall i. get_lane128 $k_times_modulus i == (cast (((cast (get_lane128 $k i) <: i32) *. (cast (get_lane128 $modulus i) <: i32)) >>! 16l) <: i16))"); - let value_high = mm_mulhi_epi16(vec, constants); hax_lib::fstar!("assert (forall i. get_lane128 $value_high i == (cast (((cast (get_lane128 $vec i) <: i32) *. (cast (get_lane128 $constants i) <: i32)) >>! 16l) <: i16))"); @@ -308,7 +325,7 @@ pub(crate) fn montgomery_multiply_m128i_by_constants(vec: Vec128, constants: Vec assert (forall i. Spec.Utils.is_i16b 3328 (get_lane128 $result i)); assert (forall (i:nat). i < 8 ==> Spec.Utils.is_i16b 3328 (get_lane128 $result i)); assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $result)); - assert (forall i. v (get_lane128 $result i) % 3329 == ((v (get_lane128 $vec i) * v (get_lane128 $constants i) * 169) % 3329))"); - + assert (forall i. v (get_lane128 $result i) % 3329 == ((v (get_lane128 $vec i) * v (get_lane128 $constants i) * 169) % 3329))"); + result } diff --git a/libcrux-ml-kem/src/vector/avx2/serialize.rs b/libcrux-ml-kem/src/vector/avx2/serialize.rs index 6cb724263..a3d8e361b 100644 --- a/libcrux-ml-kem/src/vector/avx2/serialize.rs +++ b/libcrux-ml-kem/src/vector/avx2/serialize.rs @@ -460,6 +460,7 @@ fn mm256_si256_from_two_si128(lower: Vec128, upper: Vec128) -> Vec256 { } #[inline(always)] +#[hax_lib::requires(fstar!(r#"Seq.length bytes == 10"#))] pub(crate) fn deserialize_5(bytes: &[u8]) -> Vec256 { let coefficients = mm_set_epi8( bytes[9], bytes[8], bytes[8], bytes[7], bytes[7], bytes[6], bytes[6], bytes[5], bytes[4], @@ -501,83 +502,94 @@ pub(crate) fn deserialize_5(bytes: &[u8]) -> Vec256 { } #[inline(always)] -#[hax_lib::fstar::options("--ext context_pruning")] +#[hax_lib::fstar::options("--ext context_pruning --split_queries always")] #[hax_lib::requires(fstar!("forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0"))] #[hax_lib::ensures(|r| fstar!("forall (i: nat{i < 160}). bit_vec_of_int_t_array r 8 i == vector ((i/10) * 16 + i%10)"))] pub(crate) fn serialize_10(vector: Vec256) -> [u8; 20] { - let mut serialized = [0u8; 32]; + #[hax_lib::fstar::options("--ext context_pruning --split_queries always")] + #[hax_lib::requires(fstar!("forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0"))] + #[hax_lib::ensures(|(lower_8, upper_8)| fstar!( + r#" + forall (i: nat{i < 160}). + vector ((i/10) * 16 + i%10) == (if i < 80 then $lower_8 i else $upper_8 (i - 80)) + ) + "# + ))] + fn serialize_10_vec(vector: Vec256) -> (Vec128, Vec128) { + // If |vector| is laid out as follows (superscript number indicates the + // corresponding bit is duplicated that many times): + // + // 0⁶a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ 0⁶b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀ 0⁶c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ 0⁶d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀ | ↩ + // 0⁶e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ 0⁶f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀ 0⁶g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ 0⁶h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀ | ↩ + // ... + // + // |adjacent_2_combined| will be laid out as a series of 32-bit integers, + // as follows: + // + // 0¹²b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ | ↩ + // 0¹²f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ | ↩ + // .... + let adjacent_2_combined = mm256_concat_pairs_n(10, vector); - // If |vector| is laid out as follows (superscript number indicates the - // corresponding bit is duplicated that many times): - // - // 0⁶a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ 0⁶b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀ 0⁶c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ 0⁶d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀ | ↩ - // 0⁶e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ 0⁶f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀ 0⁶g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ 0⁶h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀ | ↩ - // ... - // - // |adjacent_2_combined| will be laid out as a series of 32-bit integers, - // as follows: - // - // 0¹²b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ | ↩ - // 0¹²f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ | ↩ - // .... - let adjacent_2_combined = mm256_concat_pairs_n(10, vector); + // Shifting up the values at the even indices by 12, we get: + // + // b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀0¹² 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ | ↩ + // f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀0¹² 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ | ↩ + // ... + let adjacent_4_combined = mm256_sllv_epi32( + adjacent_2_combined, + mm256_set_epi32(0, 12, 0, 12, 0, 12, 0, 12), + ); - // Shifting up the values at the even indices by 12, we get: - // - // b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀0¹² 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ | ↩ - // f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀0¹² 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ | ↩ - // ... - let adjacent_4_combined = mm256_sllv_epi32( - adjacent_2_combined, - mm256_set_epi32(0, 12, 0, 12, 0, 12, 0, 12), - ); + // Viewing this as a set of 64-bit integers we get: + // + // 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀0¹² | ↩ + // 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀0¹² | ↩ + // ... + // + // Shifting down by 12 gives us: + // + // 0²⁴d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ | ↩ + // 0²⁴h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ | ↩ + // ... + let adjacent_4_combined = mm256_srli_epi64::<12>(adjacent_4_combined); - // Viewing this as a set of 64-bit integers we get: - // - // 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀0¹² | ↩ - // 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀0¹² | ↩ - // ... - // - // Shifting down by 12 gives us: - // - // 0²⁴d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ | ↩ - // 0²⁴h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ | ↩ - // ... - let adjacent_4_combined = mm256_srli_epi64::<12>(adjacent_4_combined); + // |adjacent_4_combined|, when the bottom and top 128 bit-lanes are grouped + // into bytes, looks like: + // + // 0₇0₆0₅B₄B₃B₂B₁B₀ | ↩ + // 0₁₅0₁₄0₁₃B₁₂B₁₁B₁₀B₉B₈ | ↩ + // + // In each 128-bit lane, we want to put bytes 8, 9, 10, 11, 12 after + // bytes 0, 1, 2, 3 to allow for sequential reading. + let adjacent_8_combined = mm256_shuffle_epi8( + adjacent_4_combined, + mm256_set_epi8( + -1, -1, -1, -1, -1, -1, 12, 11, 10, 9, 8, 4, 3, 2, 1, 0, -1, -1, -1, -1, -1, -1, + 12, 11, 10, 9, 8, 4, 3, 2, 1, 0, + ), + ); + // We now have 64 bits starting at position 0 in the lower 128-bit lane, ... + let lower_8 = mm256_castsi256_si128(adjacent_8_combined); + // and 64 bits starting at position 0 in the upper 128-bit lane. + let upper_8 = mm256_extracti128_si256::<1>(adjacent_8_combined); + hax_lib::fstar!( + r#" + introduce forall (i:nat{i < 80}). lower_8_ i = vector ((i / 10) * 16 + i % 10) + with assert_norm (BitVec.Utils.forall_n 80 (fun i -> lower_8_ i = vector ((i / 10) * 16 + i % 10))); + introduce forall (i:nat{i < 80}). upper_8_ i = vector (128 + (i / 10) * 16 + i % 10) + with assert_norm (BitVec.Utils.forall_n 80 (fun i -> upper_8_ i = vector (128 + (i / 10) * 16 + i % 10))) + "# + ); + (lower_8, upper_8) + } - // |adjacent_4_combined|, when the bottom and top 128 bit-lanes are grouped - // into bytes, looks like: - // - // 0₇0₆0₅B₄B₃B₂B₁B₀ | ↩ - // 0₁₅0₁₄0₁₃B₁₂B₁₁B₁₀B₉B₈ | ↩ - // - // In each 128-bit lane, we want to put bytes 8, 9, 10, 11, 12 after - // bytes 0, 1, 2, 3 to allow for sequential reading. - let adjacent_8_combined = mm256_shuffle_epi8( - adjacent_4_combined, - mm256_set_epi8( - -1, -1, -1, -1, -1, -1, 12, 11, 10, 9, 8, 4, 3, 2, 1, 0, -1, -1, -1, -1, -1, -1, 12, - 11, 10, 9, 8, 4, 3, 2, 1, 0, - ), - ); + let (lower_8, upper_8) = serialize_10_vec(vector); - // We now have 64 bits starting at position 0 in the lower 128-bit lane, ... - let lower_8 = mm256_castsi256_si128(adjacent_8_combined); + let mut serialized = [0u8; 32]; mm_storeu_bytes_si128(&mut serialized[0..16], lower_8); - - // and 64 bits starting at position 0 in the upper 128-bit lane. - let upper_8 = mm256_extracti128_si256::<1>(adjacent_8_combined); - hax_lib::fstar!( - r#" - assert_norm ( - BitVec.Utils.forall_n 80 (fun i -> lower_8_ i = vector ( (i/10) * 16 + i%10)) - && BitVec.Utils.forall_n 80 (fun i -> upper_8_ i = vector (128 + (i/10) * 16 + i%10)) - ) - "# - ); mm_storeu_bytes_si128(&mut serialized[10..26], upper_8); - hax_lib::fstar!("admit()"); serialized[0..20].try_into().unwrap() } @@ -655,6 +667,7 @@ assert_norm(BitVec.Utils.forall256 (fun i -> } #[inline(always)] +#[hax_lib::fstar::verification_status(lax)] pub(crate) fn serialize_11(vector: Vec256) -> [u8; 22] { let mut array = [0i16; 16]; mm256_storeu_si256_i16(&mut array, vector); @@ -663,6 +676,7 @@ pub(crate) fn serialize_11(vector: Vec256) -> [u8; 22] { } #[inline(always)] +#[hax_lib::fstar::verification_status(lax)] pub(crate) fn deserialize_11(bytes: &[u8]) -> Vec256 { let output = PortableVector::deserialize_11(bytes); let array = PortableVector::to_i16_array(output); From 232fbde4219f5607ea7a1ce2773f4dcc50852f2b Mon Sep 17 00:00:00 2001 From: Lucas Franceschino Date: Thu, 26 Sep 2024 15:28:25 +0200 Subject: [PATCH 17/19] avx2: proofs: spec + proof for `serialize_12` --- libcrux-ml-kem/src/vector/avx2/serialize.rs | 75 +++++++++++---------- 1 file changed, 39 insertions(+), 36 deletions(-) diff --git a/libcrux-ml-kem/src/vector/avx2/serialize.rs b/libcrux-ml-kem/src/vector/avx2/serialize.rs index a3d8e361b..693bb1bf8 100644 --- a/libcrux-ml-kem/src/vector/avx2/serialize.rs +++ b/libcrux-ml-kem/src/vector/avx2/serialize.rs @@ -684,46 +684,49 @@ pub(crate) fn deserialize_11(bytes: &[u8]) -> Vec256 { } #[inline(always)] +#[hax_lib::fstar::options("--ext context_pruning --split_queries always")] +#[hax_lib::requires(fstar!("forall (i: nat{i < 256}). i % 16 < 12 || vector i = 0"))] +#[hax_lib::ensures(|r| fstar!("forall (i: nat{i < 192}). bit_vec_of_int_t_array r 8 i == vector ((i/12) * 16 + i%12)"))] pub(crate) fn serialize_12(vector: Vec256) -> [u8; 24] { - let mut serialized = [0u8; 32]; - - let adjacent_2_combined = mm256_madd_epi16( - vector, - mm256_set_epi16( - 1 << 12, - 1, - 1 << 12, - 1, - 1 << 12, - 1, - 1 << 12, - 1, - 1 << 12, - 1, - 1 << 12, - 1, - 1 << 12, - 1, - 1 << 12, - 1, - ), - ); - - let adjacent_4_combined = - mm256_sllv_epi32(adjacent_2_combined, mm256_set_epi32(0, 8, 0, 8, 0, 8, 0, 8)); - let adjacent_4_combined = mm256_srli_epi64::<8>(adjacent_4_combined); + #[inline(always)] + #[hax_lib::fstar::options("--ext context_pruning --split_queries always")] + #[hax_lib::requires(fstar!("forall (i: nat{i < 256}). i % 16 < 12 || vector i = 0"))] + #[hax_lib::ensures(|(lower_8, upper_8)| fstar!( + r#" + forall (i: nat{i < 192}). + vector ((i/12) * 16 + i%12) == (if i < 96 then $lower_8 i else $upper_8 (i - 96)) + ) + "# + ))] + fn serialize_12_vec(vector: Vec256) -> (Vec128, Vec128) { + let adjacent_2_combined = mm256_concat_pairs_n(12, vector); + let adjacent_4_combined = + mm256_sllv_epi32(adjacent_2_combined, mm256_set_epi32(0, 8, 0, 8, 0, 8, 0, 8)); + let adjacent_4_combined = mm256_srli_epi64::<8>(adjacent_4_combined); - let adjacent_8_combined = mm256_shuffle_epi8( - adjacent_4_combined, - mm256_set_epi8( - -1, -1, -1, -1, 13, 12, 11, 10, 9, 8, 5, 4, 3, 2, 1, 0, -1, -1, -1, -1, 13, 12, 11, 10, - 9, 8, 5, 4, 3, 2, 1, 0, - ), - ); + let adjacent_8_combined = mm256_shuffle_epi8( + adjacent_4_combined, + mm256_set_epi8( + -1, -1, -1, -1, 13, 12, 11, 10, 9, 8, 5, 4, 3, 2, 1, 0, -1, -1, -1, -1, 13, 12, 11, + 10, 9, 8, 5, 4, 3, 2, 1, 0, + ), + ); - let lower_8 = mm256_castsi256_si128(adjacent_8_combined); - let upper_8 = mm256_extracti128_si256::<1>(adjacent_8_combined); + let lower_8 = mm256_castsi256_si128(adjacent_8_combined); + let upper_8 = mm256_extracti128_si256::<1>(adjacent_8_combined); + hax_lib::fstar!( + r#" + introduce forall (i:nat{i < 96}). lower_8_ i = vector ((i / 12) * 16 + i % 12) + with assert_norm (BitVec.Utils.forall_n 96 (fun i -> lower_8_ i = vector ((i / 12) * 16 + i % 12))); + introduce forall (i:nat{i < 96}). upper_8_ i = vector (128 + (i / 12) * 16 + i % 12) + with assert_norm (BitVec.Utils.forall_n 96 (fun i -> upper_8_ i = vector (128 + (i / 12) * 16 + i % 12))) + "# + ); + (lower_8, upper_8) + } + let mut serialized = [0u8; 32]; + let (lower_8, upper_8) = serialize_12_vec(vector); mm_storeu_bytes_si128(&mut serialized[0..16], lower_8); mm_storeu_bytes_si128(&mut serialized[12..28], upper_8); From a089e8609d2bf2df5c165076a79e3fd30dbf87cf Mon Sep 17 00:00:00 2001 From: Lucas Franceschino Date: Thu, 26 Sep 2024 15:31:23 +0200 Subject: [PATCH 18/19] chore: regenerate F* files --- .../Libcrux_intrinsics.Avx2_extract.fsti | 76 +++- .../Libcrux_ml_kem.Constant_time_ops.fst | 163 +++++++- .../Libcrux_ml_kem.Constant_time_ops.fsti | 42 +- ...rux_ml_kem.Ind_cca.Instantiations.Avx2.fst | 59 +-- ...ux_ml_kem.Ind_cca.Instantiations.Avx2.fsti | 44 +- ...rux_ml_kem.Ind_cca.Instantiations.Neon.fst | 59 +-- ...ux_ml_kem.Ind_cca.Instantiations.Neon.fsti | 46 +-- ...ml_kem.Ind_cca.Instantiations.Portable.fst | 60 +-- ...l_kem.Ind_cca.Instantiations.Portable.fsti | 46 +-- .../Libcrux_ml_kem.Ind_cca.Multiplexing.fst | 43 +- .../Libcrux_ml_kem.Ind_cca.Multiplexing.fsti | 30 +- .../Libcrux_ml_kem.Ind_cca.Unpacked.fst | 380 ++++++++++++++++-- .../Libcrux_ml_kem.Ind_cca.Unpacked.fsti | 170 +++++++- .../extraction/Libcrux_ml_kem.Ind_cca.fst | 134 ++++-- .../extraction/Libcrux_ml_kem.Ind_cca.fsti | 183 ++------- .../Libcrux_ml_kem.Ind_cpa.Unpacked.fsti | 64 +++ .../extraction/Libcrux_ml_kem.Ind_cpa.fst | 323 ++++++++++----- .../extraction/Libcrux_ml_kem.Ind_cpa.fsti | 77 +++- .../extraction/Libcrux_ml_kem.Invert_ntt.fst | 2 +- .../extraction/Libcrux_ml_kem.Matrix.fst | 126 +++--- .../extraction/Libcrux_ml_kem.Matrix.fsti | 26 +- .../Libcrux_ml_kem.Mlkem1024.Avx2.fst | 53 +-- .../Libcrux_ml_kem.Mlkem1024.Avx2.fsti | 52 +-- .../Libcrux_ml_kem.Mlkem1024.Neon.fst | 53 +-- .../Libcrux_ml_kem.Mlkem1024.Neon.fsti | 54 +-- .../Libcrux_ml_kem.Mlkem1024.Portable.fst | 53 +-- .../Libcrux_ml_kem.Mlkem1024.Portable.fsti | 54 +-- .../extraction/Libcrux_ml_kem.Mlkem1024.fst | 31 +- .../extraction/Libcrux_ml_kem.Mlkem1024.fsti | 19 +- .../Libcrux_ml_kem.Mlkem512.Avx2.fst | 50 +-- .../Libcrux_ml_kem.Mlkem512.Avx2.fsti | 50 +-- .../Libcrux_ml_kem.Mlkem512.Neon.fst | 50 +-- .../Libcrux_ml_kem.Mlkem512.Neon.fsti | 52 +-- .../Libcrux_ml_kem.Mlkem512.Portable.fst | 51 +-- .../Libcrux_ml_kem.Mlkem512.Portable.fsti | 52 +-- .../extraction/Libcrux_ml_kem.Mlkem512.fst | 29 +- .../extraction/Libcrux_ml_kem.Mlkem512.fsti | 19 +- .../Libcrux_ml_kem.Mlkem768.Avx2.fst | 53 +-- .../Libcrux_ml_kem.Mlkem768.Avx2.fsti | 50 +-- .../Libcrux_ml_kem.Mlkem768.Neon.fst | 53 +-- .../Libcrux_ml_kem.Mlkem768.Neon.fsti | 52 +-- .../Libcrux_ml_kem.Mlkem768.Portable.fst | 53 +-- .../Libcrux_ml_kem.Mlkem768.Portable.fsti | 52 +-- .../extraction/Libcrux_ml_kem.Mlkem768.fst | 31 +- .../extraction/Libcrux_ml_kem.Mlkem768.fsti | 19 +- .../fstar/extraction/Libcrux_ml_kem.Ntt.fst | 4 +- .../extraction/Libcrux_ml_kem.Polynomial.fst | 22 +- .../extraction/Libcrux_ml_kem.Polynomial.fsti | 18 +- .../extraction/Libcrux_ml_kem.Sampling.fst | 6 +- .../extraction/Libcrux_ml_kem.Serialize.fst | 171 +++++--- .../extraction/Libcrux_ml_kem.Serialize.fsti | 80 +++- .../fstar/extraction/Libcrux_ml_kem.Types.fst | 30 +- .../extraction/Libcrux_ml_kem.Types.fsti | 89 ++-- .../Libcrux_ml_kem.Vector.Avx2.Serialize.fst | 84 ++-- .../Libcrux_ml_kem.Vector.Avx2.Serialize.fsti | 20 +- .../Libcrux_ml_kem.Vector.Avx2.fsti | 31 +- ...ibcrux_ml_kem.Vector.Portable.Compress.fst | 184 ++++++--- ...bcrux_ml_kem.Vector.Portable.Compress.fsti | 29 +- ...bcrux_ml_kem.Vector.Portable.Serialize.fst | 12 + ...crux_ml_kem.Vector.Portable.Serialize.fsti | 12 + .../Libcrux_ml_kem.Vector.Portable.fsti | 40 +- .../Libcrux_ml_kem.Vector.Traits.fst | 25 +- .../Libcrux_ml_kem.Vector.Traits.fsti | 45 ++- 63 files changed, 2302 insertions(+), 1838 deletions(-) diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti index 2e260a6be..16d93fb14 100644 --- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti +++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti @@ -3,6 +3,8 @@ module Libcrux_intrinsics.Avx2_extract open Core open FStar.Mul +val mm256_movemask_ps (a: u8) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + unfold type t_Vec128 = bit_vec 128 val vec128_as_i16x8 (x: bit_vec 128) : t_Array i16 (sz 8) let get_lane128 (v: bit_vec 128) (i:nat{i < 8}) = Seq.index (vec128_as_i16x8 v) i @@ -11,6 +13,8 @@ unfold type t_Vec256 = bit_vec 256 val vec256_as_i16x16 (x: bit_vec 256) : t_Array i16 (sz 16) let get_lane (v: bit_vec 256) (i:nat{i < 16}) = Seq.index (vec256_as_i16x16 v) i +val mm256_abs_epi32 (a: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + val mm256_add_epi16 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True @@ -22,16 +26,30 @@ val mm256_add_epi16 (lhs rhs: t_Vec256) val mm256_add_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_add_epi64 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + val mm256_andnot_si256 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val mm256_blend_epi16 (v_CONTROL: i32) (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_blend_epi32 (v_CONTROL: i32) (lhs rhs: t_Vec256) + : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_bsrli_epi128 (v_SHIFT_BY: i32) (x: t_Vec256) + : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + val mm256_castsi128_si256 (vector: t_Vec128) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_castsi256_ps (a: t_Vec256) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_cmpeq_epi32 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + val mm256_cmpgt_epi16 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_cmpgt_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + val mm256_cvtepi16_epi32 (vector: t_Vec128) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) @@ -41,9 +59,14 @@ val mm256_inserti128_si256 (v_CONTROL: i32) (vector: t_Vec256) (vector_i128: t_V val mm256_loadu_si256_i16 (input: t_Slice i16) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_loadu_si256_i32 (input: t_Slice i32) + : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + val mm256_loadu_si256_u8 (input: t_Slice u8) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_mul_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + val mm256_mul_epu32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val mm256_mulhi_epi16 (lhs rhs: t_Vec256) @@ -59,6 +82,8 @@ val mm256_mulhi_epi16 (lhs rhs: t_Vec256) val mm256_mullo_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_or_si256 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + val mm256_packs_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val mm256_permute2x128_si256 (v_IMM8: i32) (a b: t_Vec256) @@ -75,8 +100,13 @@ val mm256_set1_epi64x (a: i64) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prim include BitVec.Intrinsics {mm256_set_epi32} +val mm256_set_epi64x (input3 input2 input1 input0: i64) + : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + include BitVec.Intrinsics {mm256_set_epi8} +val mm256_set_m128i (hi lo: t_Vec128) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + val mm256_setzero_si256: Prims.unit -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val mm256_shuffle_epi32 (v_CONTROL: i32) (vector: t_Vec256) @@ -84,6 +114,8 @@ val mm256_shuffle_epi32 (v_CONTROL: i32) (vector: t_Vec256) include BitVec.Intrinsics {mm256_shuffle_epi8} +val mm256_sign_epi32 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + val mm256_slli_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) @@ -107,8 +139,23 @@ val mm256_srai_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256) val mm256_srli_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_srlv_epi32 (vector counts: t_Vec256) + : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_srlv_epi64 (vector counts: t_Vec256) + : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + val mm256_storeu_si256_i16 (output: t_Slice i16) (vector: t_Vec256) - : Prims.Pure (t_Slice i16) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (t_Slice i16) + Prims.l_True + (ensures + fun output_future -> + let output_future:t_Slice i16 = output_future in + (Core.Slice.impl__len #i16 output_future <: usize) =. + (Core.Slice.impl__len #i16 output <: usize)) + +val mm256_storeu_si256_i32 (output: t_Slice i32) (vector: t_Vec256) + : Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True) val mm256_storeu_si256_u8 (output: t_Slice u8) (vector: t_Vec256) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) @@ -122,6 +169,10 @@ val mm256_sub_epi16 (lhs rhs: t_Vec256) vec256_as_i16x16 result == Spec.Utils.map2 ( -. ) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs)) +val mm256_sub_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_testz_si256 (lhs rhs: t_Vec256) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + val mm256_unpackhi_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) @@ -174,20 +225,26 @@ val mm_set1_epi16 (constant: i16) let result:t_Vec128 = result in vec128_as_i16x8 result == Spec.Utils.create (sz 8) constant) +val mm_set_epi32 (input3 input2 input1 input0: i32) + : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) + include BitVec.Intrinsics {mm_set_epi8} include BitVec.Intrinsics {mm_shuffle_epi8} +val mm_sllv_epi32 (vector counts: t_Vec128) + : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) + +val mm_srli_epi64 (v_SHIFT_BY: i32) (vector: t_Vec128) + : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) + include BitVec.Intrinsics {mm_storeu_bytes_si128} val mm_storeu_si128 (output: t_Slice i16) (vector: t_Vec128) - : Prims.Pure (t_Slice i16) - Prims.l_True - (ensures - fun output_future -> - let output_future:t_Slice i16 = output_future in - (Core.Slice.impl__len #i16 output_future <: usize) =. - (Core.Slice.impl__len #i16 output <: usize)) + : Prims.Pure (t_Slice i16) Prims.l_True (fun _ -> Prims.l_True) + +val mm_storeu_si128_i32 (output: t_Slice i32) (vector: t_Vec128) + : Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True) val mm_sub_epi16 (lhs rhs: t_Vec128) : Prims.Pure t_Vec128 @@ -198,6 +255,9 @@ val mm_sub_epi16 (lhs rhs: t_Vec128) vec128_as_i16x8 result == Spec.Utils.map2 ( -. ) (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs)) +val vec256_blendv_epi32 (a b mask: t_Vec256) + : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + include BitVec.Intrinsics {mm256_and_si256 as mm256_and_si256} val lemma_mm256_and_si256 lhs rhs : Lemma ( vec256_as_i16x16 (mm256_and_si256 lhs rhs) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst index 7a551b67a..1bff53934 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst @@ -4,12 +4,43 @@ open Core open FStar.Mul let inz (value: u8) = + let v__orig_value:u8 = value in let value:u16 = cast (value <: u8) <: u16 in - let result:u16 = - ((value |. (Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) <: u16) >>! 8l <: u16) &. - 1us + let result:u8 = + cast ((Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) >>! 8l <: u16) <: u8 in - cast (result <: u16) <: u8 + let res:u8 = result &. 1uy in + let _:Prims.unit = + if v v__orig_value = 0 + then + (assert (value == zero); + lognot_lemma value; + assert ((~.value +. 1us) == zero); + assert ((Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) == zero); + logor_lemma value zero; + assert ((value |. (Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) <: u16) == + value); + assert (v result == v ((value >>! 8l))); + assert ((v value / pow2 8) == 0); + assert (result == 0uy); + logand_lemma 1uy result; + assert (res == 0uy)) + else + (assert (v value <> 0); + lognot_lemma value; + assert (v (~.value) = pow2 16 - 1 - v value); + assert (v (~.value) + 1 = pow2 16 - v value); + assert (v (value) <= pow2 8 - 1); + assert ((v (~.value) + 1) = (pow2 16 - pow2 8) + (pow2 8 - v value)); + assert ((v (~.value) + 1) = (pow2 8 - 1) * pow2 8 + (pow2 8 - v value)); + assert ((v (~.value) + 1) / pow2 8 = (pow2 8 - 1)); + assert (v ((Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) >>! 8l) = + pow2 8 - 1); + assert (result = ones); + logand_lemma 1uy result; + assert (res = 1uy)) + in + res let is_non_zero (value: u8) = Core.Hint.black_box #u8 (inz value <: u8) @@ -18,43 +49,143 @@ let compare (lhs rhs: t_Slice u8) = let r:u8 = Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #u8 lhs <: usize) - (fun r temp_1_ -> + (fun r i -> let r:u8 = r in - let _:usize = temp_1_ in - true) + let i:usize = i in + v i <= Seq.length lhs /\ + (if (Seq.slice lhs 0 (v i) = Seq.slice rhs 0 (v i)) then r == 0uy else ~(r == 0uy))) r (fun r i -> let r:u8 = r in let i:usize = i in - r |. ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8) <: u8) + let nr:u8 = r |. ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8) in + let _:Prims.unit = + if r =. 0uy + then + (if (Seq.index lhs (v i) = Seq.index rhs (v i)) + then + (logxor_lemma (Seq.index lhs (v i)) (Seq.index rhs (v i)); + assert (((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8) = zero); + logor_lemma r ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8); + assert (nr = r); + assert (forall j. Seq.index (Seq.slice lhs 0 (v i)) j == Seq.index lhs j); + assert (forall j. Seq.index (Seq.slice rhs 0 (v i)) j == Seq.index rhs j); + eq_intro (Seq.slice lhs 0 ((v i) + 1)) (Seq.slice rhs 0 ((v i) + 1))) + else + (logxor_lemma (Seq.index lhs (v i)) (Seq.index rhs (v i)); + assert (((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8) <> zero); + logor_lemma r ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8); + assert (v nr > 0); + assert (Seq.index (Seq.slice lhs 0 ((v i) + 1)) (v i) <> + Seq.index (Seq.slice rhs 0 ((v i) + 1)) (v i)); + assert (Seq.slice lhs 0 ((v i) + 1) <> Seq.slice rhs 0 ((v i) + 1)))) + else + (logor_lemma r ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8); + assert (v nr >= v r); + assert (Seq.slice lhs 0 (v i) <> Seq.slice rhs 0 (v i)); + if (Seq.slice lhs 0 ((v i) + 1) = Seq.slice rhs 0 ((v i) + 1)) + then + (assert (forall j. + j < (v i) + 1 ==> + Seq.index (Seq.slice lhs 0 ((v i) + 1)) j == + Seq.index (Seq.slice rhs 0 ((v i) + 1)) j); + eq_intro (Seq.slice lhs 0 (v i)) (Seq.slice rhs 0 (v i)); + assert (False))) + in + let r:u8 = nr in + r) in is_non_zero r let compare_ciphertexts_in_constant_time (lhs rhs: t_Slice u8) = Core.Hint.black_box #u8 (compare lhs rhs <: u8) +#push-options "--ifuel 0 --z3rlimit 50" + let select_ct (lhs rhs: t_Slice u8) (selector: u8) = let mask:u8 = Core.Num.impl__u8__wrapping_sub (is_non_zero selector <: u8) 1uy in + let _:Prims.unit = + assert (if selector = 0uy then mask = ones else mask = zero); + lognot_lemma mask; + assert (if selector = 0uy then ~.mask = zero else ~.mask = ones) + in let out:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in let out:t_Array u8 (sz 32) = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE - (fun out temp_1_ -> + (fun out i -> let out:t_Array u8 (sz 32) = out in - let _:usize = temp_1_ in - true) + let i:usize = i in + v i <= v Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE /\ + (forall j. + j < v i ==> + (if (selector =. 0uy) + then Seq.index out j == Seq.index lhs j + else Seq.index out j == Seq.index rhs j)) /\ + (forall j. j >= v i ==> Seq.index out j == 0uy)) out (fun out i -> let out:t_Array u8 (sz 32) = out in let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out - i - (((lhs.[ i ] <: u8) &. mask <: u8) |. ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) <: u8) - <: - t_Array u8 (sz 32)) + let _:Prims.unit = assert ((out.[ i ] <: u8) = 0uy) in + let outi:u8 = + ((lhs.[ i ] <: u8) &. mask <: u8) |. ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) + in + let _:Prims.unit = + if (selector = 0uy) + then + (logand_lemma (lhs.[ i ] <: u8) mask; + assert (((lhs.[ i ] <: u8) &. mask <: u8) == (lhs.[ i ] <: u8)); + logand_lemma (rhs.[ i ] <: u8) (~.mask); + assert (((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) == zero); + logor_lemma ((lhs.[ i ] <: u8) &. mask <: u8) + ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8); + assert ((((lhs.[ i ] <: u8) &. mask <: u8) |. + ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) + <: + u8) == + (lhs.[ i ] <: u8)); + logor_lemma (out.[ i ] <: u8) (lhs.[ i ] <: u8); + assert (((out.[ i ] <: u8) |. + (((lhs.[ i ] <: u8) &. mask <: u8) |. + ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) + <: + u8) + <: + u8) == + (lhs.[ i ] <: u8)); + assert (outi = (lhs.[ i ] <: u8))) + else + (logand_lemma (lhs.[ i ] <: u8) mask; + assert (((lhs.[ i ] <: u8) &. mask <: u8) == zero); + logand_lemma (rhs.[ i ] <: u8) (~.mask); + assert (((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) == (rhs.[ i ] <: u8)); + logor_lemma (rhs.[ i ] <: u8) zero; + assert ((logor zero (rhs.[ i ] <: u8)) == (rhs.[ i ] <: u8)); + assert ((((lhs.[ i ] <: u8) &. mask <: u8) |. + ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8)) == + (rhs.[ i ] <: u8)); + logor_lemma (out.[ i ] <: u8) (rhs.[ i ] <: u8); + assert (((out.[ i ] <: u8) |. + (((lhs.[ i ] <: u8) &. mask <: u8) |. + ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) + <: + u8) + <: + u8) == + (rhs.[ i ] <: u8)); + assert (outi = (rhs.[ i ] <: u8))) + in + let out:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out i outi + in + out) in + let _:Prims.unit = if (selector =. 0uy) then (eq_intro out lhs) else (eq_intro out rhs) in out +#pop-options + let select_shared_secret_in_constant_time (lhs rhs: t_Slice u8) (selector: u8) = Core.Hint.black_box #(t_Array u8 (sz 32)) (select_ct lhs rhs selector <: t_Array u8 (sz 32)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti index a8ac4ec4a..dc6fd2b46 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti @@ -4,21 +4,39 @@ open Core open FStar.Mul /// Return 1 if `value` is not zero and 0 otherwise. -val inz (value: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) +val inz (value: u8) + : Prims.Pure u8 + Prims.l_True + (ensures + fun result -> + let result:u8 = result in + (value == 0uy ==> result == 0uy) /\ (value =!= 0uy ==> result == 1uy)) -val is_non_zero (value: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) +val is_non_zero (value: u8) + : Prims.Pure u8 + Prims.l_True + (ensures + fun result -> + let result:u8 = result in + (value == 0uy ==> result == 0uy) /\ (value =!= 0uy ==> result == 1uy)) /// Return 1 if the bytes of `lhs` and `rhs` do not exactly /// match and 0 otherwise. val compare (lhs rhs: t_Slice u8) : Prims.Pure u8 (requires (Core.Slice.impl__len #u8 lhs <: usize) =. (Core.Slice.impl__len #u8 rhs <: usize)) - (fun _ -> Prims.l_True) + (ensures + fun result -> + let result:u8 = result in + (lhs == rhs ==> result == 0uy) /\ (lhs =!= rhs ==> result == 1uy)) val compare_ciphertexts_in_constant_time (lhs rhs: t_Slice u8) : Prims.Pure u8 (requires (Core.Slice.impl__len #u8 lhs <: usize) =. (Core.Slice.impl__len #u8 rhs <: usize)) - (fun _ -> Prims.l_True) + (ensures + fun result -> + let result:u8 = result in + (lhs == rhs ==> result == 0uy) /\ (lhs =!= rhs ==> result == 1uy)) /// If `selector` is not zero, return the bytes in `rhs`; return the bytes in /// `lhs` otherwise. @@ -27,14 +45,20 @@ val select_ct (lhs rhs: t_Slice u8) (selector: u8) (requires (Core.Slice.impl__len #u8 lhs <: usize) =. (Core.Slice.impl__len #u8 rhs <: usize) && (Core.Slice.impl__len #u8 lhs <: usize) =. Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE) - (fun _ -> Prims.l_True) + (ensures + fun result -> + let result:t_Array u8 (sz 32) = result in + (selector == 0uy ==> result == lhs) /\ (selector =!= 0uy ==> result == rhs)) val select_shared_secret_in_constant_time (lhs rhs: t_Slice u8) (selector: u8) : Prims.Pure (t_Array u8 (sz 32)) (requires (Core.Slice.impl__len #u8 lhs <: usize) =. (Core.Slice.impl__len #u8 rhs <: usize) && (Core.Slice.impl__len #u8 lhs <: usize) =. Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE) - (fun _ -> Prims.l_True) + (ensures + fun result -> + let result:t_Array u8 (sz 32) = result in + (selector == 0uy ==> result == lhs) /\ (selector =!= 0uy ==> result == rhs)) val compare_ciphertexts_select_shared_secret_in_constant_time (lhs_c rhs_c lhs_s rhs_s: t_Slice u8) : Prims.Pure (t_Array u8 (sz 32)) @@ -42,4 +66,8 @@ val compare_ciphertexts_select_shared_secret_in_constant_time (lhs_c rhs_c lhs_s (Core.Slice.impl__len #u8 lhs_c <: usize) =. (Core.Slice.impl__len #u8 rhs_c <: usize) && (Core.Slice.impl__len #u8 lhs_s <: usize) =. (Core.Slice.impl__len #u8 rhs_s <: usize) && (Core.Slice.impl__len #u8 lhs_s <: usize) =. Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE) - (fun _ -> Prims.l_True) + (ensures + fun result -> + let result:t_Array u8 (sz 32) = result in + let selector = if lhs_c =. rhs_c then 0uy else 1uy in + ((selector == 0uy ==> result == lhs_s) /\ (selector =!= 0uy ==> result == rhs_s))) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst index d20d346d7..c5f3a6c69 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst @@ -8,11 +8,23 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Avx2 in - let open Libcrux_ml_kem.Ind_cca in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Avx2 in let open Libcrux_ml_kem.Vector.Traits in () +let validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + Libcrux_ml_kem.Ind_cca.validate_private_key v_K + v_SECRET_KEY_SIZE + v_CIPHERTEXT_SIZE + #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash + private_key + ciphertext + let decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) @@ -24,7 +36,7 @@ let decapsulate v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash - #Libcrux_ml_kem.Ind_cca.t_MlKem private_key ciphertext + #Libcrux_ml_kem.Variant.t_MlKem private_key ciphertext let encapsulate (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: @@ -36,7 +48,7 @@ let encapsulate v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash - #Libcrux_ml_kem.Ind_cca.t_MlKem public_key randomness + #Libcrux_ml_kem.Variant.t_MlKem public_key randomness let generate_keypair (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: @@ -46,7 +58,7 @@ let generate_keypair Libcrux_ml_kem.Ind_cca.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash - randomness + #Libcrux_ml_kem.Variant.t_MlKem randomness let validate_public_key (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) @@ -57,42 +69,3 @@ let validate_public_key v_PUBLIC_KEY_SIZE #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector public_key - -let encapsulate_unpacked - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate_unpacked v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE - v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 - v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector - #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash public_key randomness - -let decapsulate_unpacked - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - = - Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate_unpacked v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE - v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE - v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 - v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE - #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash - key_pair ciphertext - -let generate_keypair_unpacked - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: - usize) - (randomness: t_Array u8 (sz 64)) - = - Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair_unpacked v_K v_CPA_PRIVATE_KEY_SIZE - v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE - #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash - randomness diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti index a56b7409d..2d0031d3b 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti @@ -8,11 +8,22 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Avx2 in - let open Libcrux_ml_kem.Ind_cca in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Avx2 in let open Libcrux_ml_kem.Vector.Traits in () +/// Portable private key validation +val validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure bool + (requires + Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ + v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) + (fun _ -> Prims.l_True) + /// Portable decapsulate val decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: @@ -80,34 +91,3 @@ val validate_public_key v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) (fun _ -> Prims.l_True) - -/// Portable encapsualte -val encapsulate_unpacked - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Portable decapsulate -val decapsulate_unpacked - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -/// Unpacked API -val generate_keypair_unpacked - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: - usize) - (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst index 2434aff97..dca261dd4 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst @@ -8,11 +8,23 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Neon in - let open Libcrux_ml_kem.Ind_cca in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Neon in let open Libcrux_ml_kem.Vector.Traits in () +let validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + Libcrux_ml_kem.Ind_cca.validate_private_key v_K + v_SECRET_KEY_SIZE + v_CIPHERTEXT_SIZE + #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash + private_key + ciphertext + let decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) @@ -24,7 +36,7 @@ let decapsulate v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Ind_cca.t_MlKem private_key + #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem private_key ciphertext let encapsulate @@ -37,7 +49,7 @@ let encapsulate v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Ind_cca.t_MlKem public_key + #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem public_key randomness let generate_keypair @@ -48,7 +60,7 @@ let generate_keypair Libcrux_ml_kem.Ind_cca.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash randomness + #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem randomness let validate_public_key (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) @@ -59,42 +71,3 @@ let validate_public_key v_PUBLIC_KEY_SIZE #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector public_key - -let encapsulate_unpacked - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate_unpacked v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE - v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 - v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash public_key randomness - -let decapsulate_unpacked - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - = - Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate_unpacked v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE - v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE - v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 - v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE - #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash key_pair ciphertext - -let generate_keypair_unpacked - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: - usize) - (randomness: t_Array u8 (sz 64)) - = - Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair_unpacked v_K v_CPA_PRIVATE_KEY_SIZE - v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE - #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash randomness diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti index ebed5369f..e244a6ece 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti @@ -8,11 +8,22 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Neon in - let open Libcrux_ml_kem.Ind_cca in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Neon in let open Libcrux_ml_kem.Vector.Traits in () +/// Portable private key validation +val validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure bool + (requires + Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ + v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) + (fun _ -> Prims.l_True) + /// Portable decapsulate val decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: @@ -80,36 +91,3 @@ val validate_public_key v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) (fun _ -> Prims.l_True) - -/// Portable encapsualte -val encapsulate_unpacked - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Portable decapsulate -val decapsulate_unpacked - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -/// Unpacked API -val generate_keypair_unpacked - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: - usize) - (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - Prims.l_True - (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst index 7e5da18eb..333f8fbbd 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst @@ -8,11 +8,23 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Portable in - let open Libcrux_ml_kem.Ind_cca in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Portable in let open Libcrux_ml_kem.Vector.Traits in () +let validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + Libcrux_ml_kem.Ind_cca.validate_private_key v_K + v_SECRET_KEY_SIZE + v_CIPHERTEXT_SIZE + #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) + private_key + ciphertext + let decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) @@ -24,7 +36,7 @@ let decapsulate v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Ind_cca.t_MlKem + #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Variant.t_MlKem private_key ciphertext let encapsulate @@ -37,7 +49,7 @@ let encapsulate v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Ind_cca.t_MlKem + #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Variant.t_MlKem public_key randomness let generate_keypair @@ -48,7 +60,8 @@ let generate_keypair Libcrux_ml_kem.Ind_cca.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) randomness + #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Variant.t_MlKem + randomness let validate_public_key (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) @@ -59,42 +72,3 @@ let validate_public_key v_PUBLIC_KEY_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector public_key - -let encapsulate_unpacked - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate_unpacked v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE - v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 - v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) public_key randomness - -let decapsulate_unpacked - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - = - Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate_unpacked v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE - v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE - v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 - v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE - #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) key_pair ciphertext - -let generate_keypair_unpacked - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: - usize) - (randomness: t_Array u8 (sz 64)) - = - Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair_unpacked v_K v_CPA_PRIVATE_KEY_SIZE - v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE - #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) randomness diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti index 7dde62899..b62f5b8f2 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti @@ -8,11 +8,22 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Portable in - let open Libcrux_ml_kem.Ind_cca in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Portable in let open Libcrux_ml_kem.Vector.Traits in () +/// Portable private key validation +val validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure bool + (requires + Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ + v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) + (fun _ -> Prims.l_True) + /// Portable decapsulate val decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: @@ -80,36 +91,3 @@ val validate_public_key v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) (fun _ -> Prims.l_True) - -/// Portable encapsualte -val encapsulate_unpacked - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Portable decapsulate -val decapsulate_unpacked - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -/// Unpacked API -val generate_keypair_unpacked - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: - usize) - (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - Prims.l_True - (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst index 2ca3571c4..2fbb2ea3d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst @@ -3,6 +3,26 @@ module Libcrux_ml_kem.Ind_cca.Multiplexing open Core open FStar.Mul +let validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_private_key v_K + v_SECRET_KEY_SIZE + v_CIPHERTEXT_SIZE + private_key + ciphertext + +let validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + public_key + let decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) @@ -91,26 +111,3 @@ let generate_keypair v_ETA1 v_ETA1_RANDOMNESS_SIZE randomness - -let validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - = - if Libcrux_platform.Platform.simd256_support () - then - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key v_K - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - public_key - else - if Libcrux_platform.Platform.simd128_support () - then - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key v_K - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - public_key - else - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key v_K - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - public_key diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti index f74dd66e8..4e231ea63 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti @@ -3,6 +3,26 @@ module Libcrux_ml_kem.Ind_cca.Multiplexing open Core open FStar.Mul +val validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure bool + (requires + Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ + v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) + (fun _ -> Prims.l_True) + +val validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure bool + (requires + Spec.MLKEM.is_rank v_K /\ + v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) + (fun _ -> Prims.l_True) + val decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) @@ -57,13 +77,3 @@ val generate_keypair v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K) (fun _ -> Prims.l_True) - -val validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) - (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst index 950cb476c..6b2e84009 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst @@ -7,12 +7,63 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions in + let open Libcrux_ml_kem.Ind_cpa.Unpacked in let open Libcrux_ml_kem.Polynomial in let open Libcrux_ml_kem.Types in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Traits in () -let encapsulate_unpacked +let impl__serialized_public_key + (v_K: usize) + (#v_Vector: Type0) + (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (self: t_MlKemPublicKeyUnpacked v_K v_Vector) + = + Core.Convert.f_into #(t_Array u8 v_PUBLIC_KEY_SIZE) + #(Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_kem.Ind_cpa.serialize_public_key v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #v_Vector + self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + (self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: t_Slice u8) + <: + t_Array u8 v_PUBLIC_KEY_SIZE) + +let impl__serialized_public_key_mut + (v_K: usize) + (#v_Vector: Type0) + (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (self: t_MlKemPublicKeyUnpacked v_K v_Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE = + { + serialized with + Libcrux_ml_kem.Types.f_value + = + Libcrux_ml_kem.Ind_cpa.serialize_public_key_mut v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #v_Vector + self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + (self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: t_Slice u8) + serialized.Libcrux_ml_kem.Types.f_value + } + <: + Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE + in + serialized + +let encapsulate (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) (#v_Vector #v_Hasher: Type0) @@ -72,7 +123,194 @@ let encapsulate_unpacked <: (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) -let decapsulate_unpacked +let unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#v_Hasher #v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: t_MlKemPublicKeyUnpacked v_K v_Vector) + = + let unpacked_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector = + { + unpacked_public_key with + f_ind_cpa_public_key + = + { + unpacked_public_key.f_ind_cpa_public_key with + Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + = + Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_K + #v_Vector + (public_key.Libcrux_ml_kem.Types.f_value.[ { + Core.Ops.Range.f_end = v_T_AS_NTT_ENCODED_SIZE + } + <: + Core.Ops.Range.t_RangeTo usize ] + <: + t_Slice u8) + unpacked_public_key.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + } + <: + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector + } + <: + t_MlKemPublicKeyUnpacked v_K v_Vector + in + let unpacked_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector = + { + unpacked_public_key with + f_ind_cpa_public_key + = + { + unpacked_public_key.f_ind_cpa_public_key with + Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A + = + Libcrux_ml_kem.Utils.into_padded_array (sz 32) + (public_key.Libcrux_ml_kem.Types.f_value.[ { + Core.Ops.Range.f_start = v_T_AS_NTT_ENCODED_SIZE + } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + } + <: + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector + } + <: + t_MlKemPublicKeyUnpacked v_K v_Vector + in + let unpacked_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector = + { + unpacked_public_key with + f_ind_cpa_public_key + = + { + unpacked_public_key.f_ind_cpa_public_key with + Libcrux_ml_kem.Ind_cpa.Unpacked.f_A + = + Libcrux_ml_kem.Matrix.sample_matrix_A v_K + #v_Vector + #v_Hasher + unpacked_public_key.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A + (Libcrux_ml_kem.Utils.into_padded_array (sz 34) + (public_key.Libcrux_ml_kem.Types.f_value.[ { + Core.Ops.Range.f_start = v_T_AS_NTT_ENCODED_SIZE + } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + <: + t_Array u8 (sz 34)) + false + } + <: + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector + } + <: + t_MlKemPublicKeyUnpacked v_K v_Vector + in + let unpacked_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector = + { + unpacked_public_key with + f_public_key_hash + = + Libcrux_ml_kem.Hash_functions.f_H #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) + } + <: + t_MlKemPublicKeyUnpacked v_K v_Vector + in + unpacked_public_key + +let impl_2__private_key + (v_K: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + = self.f_private_key + +let impl_2__public_key + (v_K: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + = self.f_public_key + +let impl_2__serialized_private_key + (v_K: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not yet implemented" + <: + Rust_primitives.Hax.t_Never) + +let impl_2__serialized_public_key + (v_K: usize) + (#v_Vector: Type0) + (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + = + impl__serialized_public_key v_K + #v_Vector + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + self.f_public_key + +let impl_2__serialized_public_key_mut + (v_K: usize) + (#v_Vector: Type0) + (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + = + let hax_temp_output, serialized:(Prims.unit & + Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) = + (), + impl__serialized_public_key_mut v_K + #v_Vector + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + self.f_public_key + serialized + <: + (Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + in + serialized + +let impl_2__new + (v_K: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (_: Prims.unit) + = + Core.Default.f_default #(t_MlKemKeyPairUnpacked v_K v_Vector) #FStar.Tactics.Typeclasses.solve () + +let decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) (#v_Vector #v_Hasher: Type0) @@ -176,17 +414,19 @@ let decapsulate_unpacked (implicit_rejection_shared_secret <: t_Slice u8) selector -let generate_keypair_unpacked +let generate_keypair (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (#v_Vector #v_Hasher: Type0) + (#v_Vector #v_Hasher #v_Scheme: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: + i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: + i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme) (randomness: t_Array u8 (sz 64)) + (out: t_MlKemKeyPairUnpacked v_K v_Vector) = let ind_cpa_keypair_randomness:t_Slice u8 = randomness.[ { @@ -203,16 +443,41 @@ let generate_keypair_unpacked <: Core.Ops.Range.t_RangeFrom usize ] in - let ind_cpa_private_key, ind_cpa_public_key:(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked - v_K v_Vector & + let tmp0, tmp1:(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector & Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) = Libcrux_ml_kem.Ind_cpa.generate_keypair_unpacked v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE #v_Vector #v_Hasher + #v_Scheme ind_cpa_keypair_randomness + out.f_private_key.f_ind_cpa_private_key + out.f_public_key.f_ind_cpa_public_key in + let out:t_MlKemKeyPairUnpacked v_K v_Vector = + { + out with + f_private_key + = + { out.f_private_key with f_ind_cpa_private_key = tmp0 } + <: + t_MlKemPrivateKeyUnpacked v_K v_Vector + } + <: + t_MlKemKeyPairUnpacked v_K v_Vector + in + let out:t_MlKemKeyPairUnpacked v_K v_Vector = + { + out with + f_public_key + = + { out.f_public_key with f_ind_cpa_public_key = tmp1 } <: t_MlKemPublicKeyUnpacked v_K v_Vector + } + <: + t_MlKemKeyPairUnpacked v_K v_Vector + in + let _:Prims.unit = () in let v_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = Core.Array.from_fn #(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K @@ -222,7 +487,7 @@ let generate_keypair_unpacked v_K (fun v__j -> let v__j:usize = v__j in - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) <: @@ -270,7 +535,8 @@ let generate_keypair_unpacked (Core.Clone.f_clone #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) #FStar.Tactics.Typeclasses.solve - ((ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A.[ j ] + ((out.f_public_key.f_ind_cpa_public_key + .Libcrux_ml_kem.Ind_cpa.Unpacked.f_A.[ j ] <: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K).[ i ] @@ -286,49 +552,77 @@ let generate_keypair_unpacked <: t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) in - let ind_cpa_public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = - { ind_cpa_public_key with Libcrux_ml_kem.Ind_cpa.Unpacked.f_A = v_A } + let out:t_MlKemKeyPairUnpacked v_K v_Vector = + { + out with + f_public_key + = + { + out.f_public_key with + f_ind_cpa_public_key + = + { out.f_public_key.f_ind_cpa_public_key with Libcrux_ml_kem.Ind_cpa.Unpacked.f_A = v_A } + <: + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector + } + <: + t_MlKemPublicKeyUnpacked v_K v_Vector + } <: - Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector + t_MlKemKeyPairUnpacked v_K v_Vector in let pk_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = Libcrux_ml_kem.Ind_cpa.serialize_public_key v_K v_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE #v_Vector - ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt - (ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: t_Slice u8) - in - let public_key_hash:t_Array u8 (sz 32) = - Libcrux_ml_kem.Hash_functions.f_H #v_Hasher - #v_K - #FStar.Tactics.Typeclasses.solve - (pk_serialized <: t_Slice u8) - in - let (implicit_rejection_value: t_Array u8 (sz 32)):t_Array u8 (sz 32) = - Core.Result.impl__unwrap #(t_Array u8 (sz 32)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (sz 32)) - #FStar.Tactics.Typeclasses.solve - implicit_rejection_value + out.f_public_key.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + (out.f_public_key.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: - Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError) + t_Slice u8) in - { - f_private_key - = + let out:t_MlKemKeyPairUnpacked v_K v_Vector = { - f_ind_cpa_private_key = ind_cpa_private_key; - f_implicit_rejection_value = implicit_rejection_value + out with + f_public_key + = + { + out.f_public_key with + f_public_key_hash + = + Libcrux_ml_kem.Hash_functions.f_H #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + (pk_serialized <: t_Slice u8) + } + <: + t_MlKemPublicKeyUnpacked v_K v_Vector } <: - t_MlKemPrivateKeyUnpacked v_K v_Vector; - f_public_key - = - { f_ind_cpa_public_key = ind_cpa_public_key; f_public_key_hash = public_key_hash } + t_MlKemKeyPairUnpacked v_K v_Vector + in + let out:t_MlKemKeyPairUnpacked v_K v_Vector = + { + out with + f_private_key + = + { + out.f_private_key with + f_implicit_rejection_value + = + Core.Result.impl__unwrap #(t_Array u8 (sz 32)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 32)) + #FStar.Tactics.Typeclasses.solve + implicit_rejection_value + <: + Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError) + } + <: + t_MlKemPrivateKeyUnpacked v_K v_Vector + } <: - t_MlKemPublicKeyUnpacked v_K v_Vector - } - <: - t_MlKemKeyPairUnpacked v_K v_Vector + t_MlKemKeyPairUnpacked v_K v_Vector + in + out diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti index 2e16c3c1d..b31715e29 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti @@ -7,8 +7,10 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions in + let open Libcrux_ml_kem.Ind_cpa.Unpacked in let open Libcrux_ml_kem.Polynomial in let open Libcrux_ml_kem.Types in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Traits in () @@ -28,7 +30,57 @@ type t_MlKemPublicKeyUnpacked f_public_key_hash:t_Array u8 (sz 32) } -val encapsulate_unpacked +/// Get the serialized public key. +val impl__serialized_public_key + (v_K: usize) + (#v_Vector: Type0) + (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self: t_MlKemPublicKeyUnpacked v_K v_Vector) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val impl__serialized_public_key_mut + (v_K: usize) + (#v_Vector: Type0) + (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self: t_MlKemPublicKeyUnpacked v_K v_Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_1 + (v_K: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + : Core.Default.t_Default (t_MlKemPublicKeyUnpacked v_K v_Vector) = + { + f_default_pre = (fun (_: Prims.unit) -> true); + f_default_post = (fun (_: Prims.unit) (out: t_MlKemPublicKeyUnpacked v_K v_Vector) -> true); + f_default + = + fun (_: Prims.unit) -> + { + f_ind_cpa_public_key + = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K + v_Vector) + #FStar.Tactics.Typeclasses.solve + (); + f_public_key_hash = Rust_primitives.Hax.repeat 0uy (sz 32) + } + <: + t_MlKemPublicKeyUnpacked v_K v_Vector + } + +val encapsulate (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) (#v_Vector #v_Hasher: Type0) @@ -40,6 +92,16 @@ val encapsulate_unpacked Prims.l_True (fun _ -> Prims.l_True) +/// Generate an unpacked key from a serialized key. +val unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#v_Hasher #v_Vector: Type0) + {| i2: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: t_MlKemPublicKeyUnpacked v_K v_Vector) + : Prims.Pure (t_MlKemPublicKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) + /// An unpacked ML-KEM KeyPair type t_MlKemKeyPairUnpacked (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} @@ -48,7 +110,100 @@ type t_MlKemKeyPairUnpacked f_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector } -val decapsulate_unpacked +/// Get the serialized public key. +val impl_2__private_key + (v_K: usize) + (#v_Vector: Type0) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + : Prims.Pure (t_MlKemPrivateKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val impl_2__public_key + (v_K: usize) + (#v_Vector: Type0) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + : Prims.Pure (t_MlKemPublicKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the serialized private key. +val impl_2__serialized_private_key + (v_K: usize) + (#v_Vector: Type0) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey v_K) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val impl_2__serialized_public_key + (v_K: usize) + (#v_Vector: Type0) + (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val impl_2__serialized_public_key_mut + (v_K: usize) + (#v_Vector: Type0) + (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_3 + (v_K: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + : Core.Default.t_Default (t_MlKemKeyPairUnpacked v_K v_Vector) = + { + f_default_pre = (fun (_: Prims.unit) -> true); + f_default_post = (fun (_: Prims.unit) (out: t_MlKemKeyPairUnpacked v_K v_Vector) -> true); + f_default + = + fun (_: Prims.unit) -> + { + f_private_key + = + { + f_ind_cpa_private_key + = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K + v_Vector) + #FStar.Tactics.Typeclasses.solve + (); + f_implicit_rejection_value = Rust_primitives.Hax.repeat 0uy (sz 32) + } + <: + t_MlKemPrivateKeyUnpacked v_K v_Vector; + f_public_key + = + Core.Default.f_default #(t_MlKemPublicKeyUnpacked v_K v_Vector) + #FStar.Tactics.Typeclasses.solve + () + } + <: + t_MlKemKeyPairUnpacked v_K v_Vector + } + +/// Create a new empty unpacked key pair. +val impl_2__new: + v_K: usize -> + #v_Vector: Type0 -> + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} -> + Prims.unit + -> Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) + +val decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) (#v_Vector #v_Hasher: Type0) @@ -58,11 +213,14 @@ val decapsulate_unpacked (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val generate_keypair_unpacked +/// Generate Unpacked Keys +val generate_keypair (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (#v_Vector #v_Hasher: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (#v_Vector #v_Hasher #v_Scheme: Type0) + {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |} (randomness: t_Array u8 (sz 64)) + (out: t_MlKemKeyPairUnpacked v_K v_Vector) : Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst index 812549884..1a64404ca 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst @@ -8,6 +8,7 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Types in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Traits in () @@ -170,7 +171,7 @@ let validate_public_key (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) = let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_K + Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced_out v_K #v_Vector (public_key.[ { Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT } <: @@ -192,7 +193,37 @@ let validate_public_key in public_key =. public_key_serialized -#push-options "--admit_smt_queries true" +let validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) + (#v_Hasher: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (v__ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + let t:t_Array u8 (sz 32) = + Libcrux_ml_kem.Hash_functions.f_H #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + (private_key.Libcrux_ml_kem.Types.f_value.[ { + Core.Ops.Range.f_start = sz 384 *! v_K <: usize; + Core.Ops.Range.f_end = (sz 768 *! v_K <: usize) +! sz 32 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + in + let expected:t_Slice u8 = + private_key.Libcrux_ml_kem.Types.f_value.[ { + Core.Ops.Range.f_start = (sz 768 *! v_K <: usize) +! sz 32 <: usize; + Core.Ops.Range.f_end = (sz 768 *! v_K <: usize) +! sz 64 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + in + t =. expected #push-options "--z3rlimit 500" @@ -206,10 +237,14 @@ let decapsulate (#[FStar.Tactics.Typeclasses.tcresolve ()] i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: t_Variant v_Scheme) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) = + let _:Prims.unit = + assert (v v_CIPHERTEXT_SIZE == + v v_IMPLICIT_REJECTION_HASH_INPUT_SIZE - v Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE) + in let ind_cpa_secret_key, secret_key:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at #u8 (private_key.Libcrux_ml_kem.Types.f_value <: t_Slice u8) @@ -221,6 +256,20 @@ let decapsulate let ind_cpa_public_key_hash, implicit_rejection_value:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at #u8 secret_key Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE in + let _:Prims.unit = + assert (ind_cpa_secret_key == slice private_key.f_value (sz 0) v_CPA_SECRET_KEY_SIZE); + assert (ind_cpa_public_key == + slice private_key.f_value v_CPA_SECRET_KEY_SIZE (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE) + ); + assert (ind_cpa_public_key_hash == + slice private_key.f_value + (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE) + (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE +! Spec.MLKEM.v_H_DIGEST_SIZE)); + assert (implicit_rejection_value == + slice private_key.f_value + (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE +! Spec.MLKEM.v_H_DIGEST_SIZE) + (length private_key.f_value)) + in let decrypted:t_Array u8 (sz 32) = Libcrux_ml_kem.Ind_cpa.decrypt v_K v_CIPHERTEXT_SIZE @@ -234,6 +283,7 @@ let decapsulate let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = Libcrux_ml_kem.Utils.into_padded_array (sz 64) (decrypted <: t_Slice u8) in + let _:Prims.unit = eq_intro (Seq.slice to_hash 0 32) decrypted in let to_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE } @@ -249,6 +299,11 @@ let decapsulate <: t_Slice u8) in + let _:Prims.unit = + lemma_slice_append to_hash decrypted ind_cpa_public_key_hash; + assert (decrypted == Spec.MLKEM.ind_cpa_decrypt v_K ind_cpa_secret_key ciphertext.f_value); + assert (to_hash == concat decrypted ind_cpa_public_key_hash) + in let hashed:t_Array u8 (sz 64) = Libcrux_ml_kem.Hash_functions.f_G #v_Hasher #v_K @@ -260,11 +315,21 @@ let decapsulate (hashed <: t_Slice u8) Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE in + let _:Prims.unit = + assert ((shared_secret, pseudorandomness) == + split hashed Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE); + assert (length implicit_rejection_value = + v_SECRET_KEY_SIZE -! v_CPA_SECRET_KEY_SIZE -! v_PUBLIC_KEY_SIZE -! + Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE); + assert (length implicit_rejection_value = Spec.MLKEM.v_SHARED_SECRET_SIZE); + assert (Spec.MLKEM.v_SHARED_SECRET_SIZE <=. Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) + in let (to_hash: t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE):t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE = Libcrux_ml_kem.Utils.into_padded_array v_IMPLICIT_REJECTION_HASH_INPUT_SIZE implicit_rejection_value in + let _:Prims.unit = eq_intro (Seq.slice to_hash 0 32) implicit_rejection_value in let to_hash:t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE = Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE } @@ -285,8 +350,12 @@ let decapsulate <: t_Slice u8) in - let _:Prims.unit = assert (v (sz 32) < pow2 32) in - let _:Prims.unit = assert (i4.f_PRF_pre (sz 32) to_hash) in + let _:Prims.unit = + assert_norm (pow2 32 == 0x100000000); + assert (v (sz 32) < pow2 32); + assert (i4.f_PRF_pre (sz 32) to_hash); + lemma_slice_append to_hash implicit_rejection_value ciphertext.f_value + in let (implicit_rejection_shared_secret: t_Array u8 (sz 32)):t_Array u8 (sz 32) = Libcrux_ml_kem.Hash_functions.f_PRF #v_Hasher #v_K @@ -294,6 +363,10 @@ let decapsulate (sz 32) (to_hash <: t_Slice u8) in + let _:Prims.unit = + assert (implicit_rejection_shared_secret == Spec.Utils.v_PRF (sz 32) to_hash); + assert (Seq.length ind_cpa_public_key == v v_PUBLIC_KEY_SIZE) + in let expected_ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = Libcrux_ml_kem.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 @@ -301,7 +374,7 @@ let decapsulate decrypted pseudorandomness in let implicit_rejection_shared_secret:t_Array u8 (sz 32) = - f_kdf #v_Scheme + Libcrux_ml_kem.Variant.f_kdf #v_Scheme #FStar.Tactics.Typeclasses.solve v_K v_CIPHERTEXT_SIZE @@ -310,7 +383,7 @@ let decapsulate ciphertext in let shared_secret:t_Array u8 (sz 32) = - f_kdf #v_Scheme + Libcrux_ml_kem.Variant.f_kdf #v_Scheme #FStar.Tactics.Typeclasses.solve v_K v_CIPHERTEXT_SIZE @@ -331,8 +404,6 @@ let decapsulate #pop-options -#pop-options - #push-options "--z3rlimit 150" let encapsulate @@ -345,12 +416,12 @@ let encapsulate (#[FStar.Tactics.Typeclasses.tcresolve ()] i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: t_Variant v_Scheme) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme) (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) = let randomness:t_Array u8 (sz 32) = - f_entropy_preprocess #v_Scheme + Libcrux_ml_kem.Variant.f_entropy_preprocess #v_Scheme #FStar.Tactics.Typeclasses.solve v_K #v_Hasher @@ -359,6 +430,7 @@ let encapsulate let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = Libcrux_ml_kem.Utils.into_padded_array (sz 64) (randomness <: t_Slice u8) in + let _:Prims.unit = eq_intro (Seq.slice to_hash 0 32) randomness in let to_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE } @@ -373,12 +445,17 @@ let encapsulate (Libcrux_ml_kem.Hash_functions.f_H #v_Hasher #v_K #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_kem.Types.impl_17__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) + (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) <: t_Slice u8) <: t_Slice u8) in + let _:Prims.unit = + assert (Seq.slice to_hash 0 (v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE) == randomness); + lemma_slice_append to_hash randomness (Spec.Utils.v_H public_key.f_value); + assert (to_hash == concat randomness (Spec.Utils.v_H public_key.f_value)) + in let hashed:t_Array u8 (sz 64) = Libcrux_ml_kem.Hash_functions.f_G #v_Hasher #v_K @@ -394,7 +471,7 @@ let encapsulate Libcrux_ml_kem.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher - (Libcrux_ml_kem.Types.impl_17__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) randomness + (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) randomness pseudorandomness in let ciphertext:Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE = @@ -404,7 +481,7 @@ let encapsulate ciphertext in let shared_secret_array:t_Array u8 (sz 32) = - f_kdf #v_Scheme + Libcrux_ml_kem.Variant.f_kdf #v_Scheme #FStar.Tactics.Typeclasses.solve v_K v_CIPHERTEXT_SIZE @@ -412,26 +489,23 @@ let encapsulate shared_secret ciphertext in - let result:(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) = - ciphertext, shared_secret_array - <: - (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + ciphertext, shared_secret_array + <: + (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) #pop-options let generate_keypair (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (#v_Vector #v_Hasher: Type0) + (#v_Vector #v_Hasher #v_Scheme: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: + i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: + i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme) (randomness: t_Array u8 (sz 64)) = let ind_cpa_keypair_randomness:t_Slice u8 = @@ -451,14 +525,8 @@ let generate_keypair in let ind_cpa_private_key, public_key:(t_Array u8 v_CPA_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE) = - Libcrux_ml_kem.Ind_cpa.generate_keypair v_K - v_CPA_PRIVATE_KEY_SIZE - v_PUBLIC_KEY_SIZE - v_RANKED_BYTES_PER_RING_ELEMENT - v_ETA1 - v_ETA1_RANDOMNESS_SIZE - #v_Vector - #v_Hasher + Libcrux_ml_kem.Ind_cpa.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE + v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE #v_Vector #v_Hasher #v_Scheme ind_cpa_keypair_randomness in let secret_key_serialized:t_Array u8 v_PRIVATE_KEY_SIZE = @@ -476,7 +544,7 @@ let generate_keypair #FStar.Tactics.Typeclasses.solve secret_key_serialized in - Libcrux_ml_kem.Types.impl_18__from v_PRIVATE_KEY_SIZE + Libcrux_ml_kem.Types.impl_21__from v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE private_key (Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti index 69d9a3cbd..0ae396fd2 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti @@ -8,6 +8,7 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Types in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Traits in () @@ -39,13 +40,10 @@ val serialize_kem_secret_key (Seq.append public_key (Seq.append (Spec.Utils.v_H public_key) implicit_rejection_value) )) -/// Implements [`Variant`], to perform the ML-KEM-specific actions -/// during encapsulation and decapsulation. -/// Specifically, -/// * during encapsulation, the initial randomness is used without prior hashing, -/// * the derivation of the shared secret does not include a hash of the ML-KEM ciphertext. -type t_MlKem = | MlKem : t_MlKem - +/// Validate an ML-KEM public key. +/// This implements the Modulus check in 7.2 2. +/// Note that the size check in 7.2 1 is covered by the `PUBLIC_KEY_SIZE` in the +/// `public_key` type. val validate_public_key (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) (#v_Vector: Type0) @@ -58,153 +56,21 @@ val validate_public_key v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) (fun _ -> Prims.l_True) -/// This trait collects differences in specification between ML-KEM -/// (Draft FIPS 203) and the Round 3 CRYSTALS-Kyber submission in the -/// NIST PQ competition. -/// cf. FIPS 203 (Draft), section 1.3 -class t_Variant (v_Self: Type0) = { - f_kdf_pre: - v_K: usize -> - v_CIPHERTEXT_SIZE: usize -> - #v_Hasher: Type0 -> - {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> - shared_secret: t_Slice u8 -> - ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE - -> pred: Type0{(Core.Slice.impl__len #u8 shared_secret <: usize) =. sz 32 ==> pred}; - f_kdf_post: - v_K: usize -> - v_CIPHERTEXT_SIZE: usize -> - #v_Hasher: Type0 -> - {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> - shared_secret: t_Slice u8 -> - ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE -> - res: t_Array u8 (sz 32) - -> pred: Type0{pred ==> res == shared_secret}; - f_kdf: - v_K: usize -> - v_CIPHERTEXT_SIZE: usize -> - #v_Hasher: Type0 -> - {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> - x0: t_Slice u8 -> - x1: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE - -> Prims.Pure (t_Array u8 (sz 32)) - (f_kdf_pre v_K v_CIPHERTEXT_SIZE #v_Hasher #i1 x0 x1) - (fun result -> f_kdf_post v_K v_CIPHERTEXT_SIZE #v_Hasher #i1 x0 x1 result); - f_entropy_preprocess_pre: - v_K: usize -> - #v_Hasher: Type0 -> - {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> - randomness: t_Slice u8 - -> pred: Type0{(Core.Slice.impl__len #u8 randomness <: usize) =. sz 32 ==> pred}; - f_entropy_preprocess_post: - v_K: usize -> - #v_Hasher: Type0 -> - {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> - t_Slice u8 -> - t_Array u8 (sz 32) - -> Type0; - f_entropy_preprocess: - v_K: usize -> - #v_Hasher: Type0 -> - {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> - x0: t_Slice u8 - -> Prims.Pure (t_Array u8 (sz 32)) - (f_entropy_preprocess_pre v_K #v_Hasher #i3 x0) - (fun result -> f_entropy_preprocess_post v_K #v_Hasher #i3 x0 result) -} - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: t_Variant t_MlKem = - { - f_kdf_pre - = - (fun - (v_K: usize) - (v_CIPHERTEXT_SIZE: usize) - (#v_Hasher: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (shared_secret: t_Slice u8) - (_: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - -> - (Core.Slice.impl__len #u8 shared_secret <: usize) =. sz 32); - f_kdf_post - = - (fun - (v_K: usize) - (v_CIPHERTEXT_SIZE: usize) - (#v_Hasher: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (shared_secret: t_Slice u8) - (_: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - (out: t_Array u8 (sz 32)) - -> - out == shared_secret); - f_kdf - = - (fun - (v_K: usize) - (v_CIPHERTEXT_SIZE: usize) - (#v_Hasher: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (shared_secret: t_Slice u8) - (_: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - -> - Core.Result.impl__unwrap #(t_Array u8 (sz 32)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (sz 32)) - #FStar.Tactics.Typeclasses.solve - shared_secret - <: - Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError)); - f_entropy_preprocess_pre - = - (fun - (v_K: usize) - (#v_Hasher: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (randomness: t_Slice u8) - -> - (Core.Slice.impl__len #u8 randomness <: usize) =. sz 32); - f_entropy_preprocess_post - = - (fun - (v_K: usize) - (#v_Hasher: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (randomness: t_Slice u8) - (out: t_Array u8 (sz 32)) - -> - true); - f_entropy_preprocess - = - fun - (v_K: usize) +/// Validate an ML-KEM private key. +/// This implements the Hash check in 7.3 3. +/// Note that the size checks in 7.2 1 and 2 are covered by the `SECRET_KEY_SIZE` +/// and `CIPHERTEXT_SIZE` in the `private_key` and `ciphertext` types. +val validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) (#v_Hasher: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (randomness: t_Slice u8) - -> - Core.Result.impl__unwrap #(t_Array u8 (sz 32)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (sz 32)) - #FStar.Tactics.Typeclasses.solve - randomness - <: - Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError) - } + {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (v__ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure bool + (requires + Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ + v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) + (fun _ -> Prims.l_True) /// This code verifies on some machines, runs out of memory on others val decapsulate @@ -213,7 +79,7 @@ val decapsulate (#v_Vector #v_Hasher #v_Scheme: Type0) {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - {| i5: t_Variant v_Scheme |} + {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |} (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) : Prims.Pure (t_Array u8 (sz 32)) @@ -245,7 +111,7 @@ val encapsulate (#v_Vector #v_Hasher #v_Scheme: Type0) {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - {| i5: t_Variant v_Scheme |} + {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |} (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) @@ -276,9 +142,10 @@ val encapsulate val generate_keypair (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (#v_Vector #v_Hasher: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (#v_Vector #v_Hasher #v_Scheme: Type0) + {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |} (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) (requires diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti index f386e8df7..a0ce84565 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti @@ -14,6 +14,32 @@ type t_IndCpaPrivateKeyUnpacked (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} = { f_secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K } +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl + (v_K: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + : Core.Default.t_Default (t_IndCpaPrivateKeyUnpacked v_K v_Vector) = + { + f_default_pre = (fun (_: Prims.unit) -> true); + f_default_post = (fun (_: Prims.unit) (out: t_IndCpaPrivateKeyUnpacked v_K v_Vector) -> true); + f_default + = + fun (_: Prims.unit) -> + { + f_secret_as_ntt + = + Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K + } + <: + t_IndCpaPrivateKeyUnpacked v_K v_Vector + } + /// An unpacked ML-KEM IND-CPA Private Key type t_IndCpaPublicKeyUnpacked (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} @@ -22,3 +48,41 @@ type t_IndCpaPublicKeyUnpacked f_seed_for_A:t_Array u8 (sz 32); f_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_1 + (v_K: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + : Core.Default.t_Default (t_IndCpaPublicKeyUnpacked v_K v_Vector) = + { + f_default_pre = (fun (_: Prims.unit) -> true); + f_default_post = (fun (_: Prims.unit) (out: t_IndCpaPublicKeyUnpacked v_K v_Vector) -> true); + f_default + = + fun (_: Prims.unit) -> + { + f_t_as_ntt + = + Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K; + f_seed_for_A = Rust_primitives.Hax.repeat 0uy (sz 32); + f_A + = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl_2__ZERO + #v_Vector + () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K + <: + t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + v_K + } + <: + t_IndCpaPublicKeyUnpacked v_K v_Vector + } diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst index 7aff6f7ed..5bb6b9214 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst @@ -7,6 +7,8 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions in + let open Libcrux_ml_kem.Ind_cpa.Unpacked in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Traits in () @@ -27,7 +29,7 @@ let sample_ring_element_cbd v_K (fun v__i -> let v__i:usize = v__i in - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -108,18 +110,10 @@ let sample_vector_cbd_then_ntt (#[FStar.Tactics.Typeclasses.tcresolve ()] i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (re_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) (prf_input: t_Array u8 (sz 33)) (domain_separator: u8) = - let re_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K - (fun v__i -> - let v__i:usize = v__i in - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in let prf_inputs:t_Array (t_Array u8 (sz 33)) v_K = Rust_primitives.Hax.repeat prf_input v_K in let v__domain_separator_init:u8 = domain_separator in let domain_separator, prf_inputs:(u8 & t_Array (t_Array u8 (sz 33)) v_K) = @@ -189,6 +183,46 @@ let sample_vector_cbd_then_ntt in re_as_ntt) in + let result:u8 = domain_separator in + let _:Prims.unit = admit () (* Panic freedom *) in + let hax_temp_output:u8 = result in + re_as_ntt, hax_temp_output + <: + (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) + +let sample_vector_cbd_then_ntt_out + (v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize) + (#v_Vector #v_Hasher: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (prf_input: t_Array u8 (sz 33)) + (domain_separator: u8) + = + let re_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K + (fun v__i -> + let v__i:usize = v__i in + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + let tmp0, out:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) = + sample_vector_cbd_then_ntt v_K + v_ETA + v_ETA_RANDOMNESS_SIZE + #v_Vector + #v_Hasher + re_as_ntt + prf_input + domain_separator + in + let re_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = tmp0 in + let domain_separator:u8 = out in let result:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) = re_as_ntt, domain_separator <: @@ -197,8 +231,6 @@ let sample_vector_cbd_then_ntt let _:Prims.unit = admit () (* Panic freedom *) in result -#push-options "--z3rlimit 200" - let compress_then_serialize_u (v_K v_OUT_LEN v_COMPRESSION_FACTOR v_BLOCK_LEN: usize) (#v_Vector: Type0) @@ -219,7 +251,9 @@ let compress_then_serialize_u (fun out i -> let out:t_Slice u8 = out in let i:usize = i in - (Core.Slice.impl__len #u8 out <: usize) =. v_OUT_LEN <: bool) + v i < v v_K ==> + (Seq.length out == v v_OUT_LEN /\ + Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index input (v i)))) out (fun out temp_1_ -> let out:t_Slice u8 = out in @@ -263,8 +297,6 @@ let compress_then_serialize_u let hax_temp_output:Prims.unit = result in out -#pop-options - #push-options "--admit_smt_queries true" let deserialize_then_decompress_u @@ -280,7 +312,7 @@ let deserialize_then_decompress_u v_K (fun temp_0_ -> let _:usize = temp_0_ in - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -342,7 +374,7 @@ let deserialize_secret_key v_K (fun temp_0_ -> let _:usize = temp_0_ in - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -439,7 +471,7 @@ let serialize_secret_key #pop-options -let serialize_public_key +let serialize_public_key_mut (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -447,17 +479,15 @@ let serialize_public_key Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) (seed_for_a: t_Slice u8) + (serialized: t_Array u8 v_PUBLIC_KEY_SIZE) = - let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = - Rust_primitives.Hax.repeat 0uy v_PUBLIC_KEY_SIZE - in - let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range public_key_serialized + let serialized:t_Array u8 v_PUBLIC_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT } <: Core.Ops.Range.t_Range usize) (Core.Slice.impl__copy_from_slice #u8 - (public_key_serialized.[ { + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT } @@ -471,13 +501,13 @@ let serialize_public_key <: t_Slice u8) in - let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from public_key_serialized + let serialized:t_Array u8 v_PUBLIC_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from serialized ({ Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT } <: Core.Ops.Range.t_RangeFrom usize) (Core.Slice.impl__copy_from_slice #u8 - (public_key_serialized.[ { Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT } + (serialized.[ { Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT } <: Core.Ops.Range.t_RangeFrom usize ] <: @@ -486,6 +516,30 @@ let serialize_public_key <: t_Slice u8) in + let hax_temp_output:Prims.unit = admit () (* Panic freedom *) in + serialized + +let serialize_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (seed_for_a: t_Slice u8) + = + let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = + Rust_primitives.Hax.repeat 0uy v_PUBLIC_KEY_SIZE + in + let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = + serialize_public_key_mut v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #v_Vector + tt_as_ntt + seed_for_a + public_key_serialized + in let result:t_Array u8 v_PUBLIC_KEY_SIZE = public_key_serialized in let _:Prims.unit = admit () (* Panic freedom *) in result @@ -578,7 +632,13 @@ let encrypt_unpacked let r_as_ntt, domain_separator:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) = - sample_vector_cbd_then_ntt v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE #v_Vector #v_Hasher prf_input 0uy + sample_vector_cbd_then_ntt_out v_K + v_ETA1 + v_ETA1_RANDOMNESS_SIZE + #v_Vector + #v_Hasher + prf_input + 0uy in let error_1_, domain_separator:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & @@ -675,42 +735,44 @@ let encrypt (message: t_Array u8 (sz 32)) (randomness: t_Slice u8) = - let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_K - #v_Vector - (public_key.[ { Core.Ops.Range.f_end = v_T_AS_NTT_ENCODED_SIZE } + let unpacked_public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) + #FStar.Tactics.Typeclasses.solve + () + in + let unpacked_public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = + { + unpacked_public_key with + Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + = + Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_K + #v_Vector + (public_key.[ { Core.Ops.Range.f_end = v_T_AS_NTT_ENCODED_SIZE } + <: + Core.Ops.Range.t_RangeTo usize ] <: - Core.Ops.Range.t_RangeTo usize ] - <: - t_Slice u8) + t_Slice u8) + unpacked_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + } + <: + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector in let seed:t_Slice u8 = public_key.[ { Core.Ops.Range.f_start = v_T_AS_NTT_ENCODED_SIZE } <: Core.Ops.Range.t_RangeFrom usize ] in - let v_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = - Libcrux_ml_kem.Matrix.sample_matrix_A v_K - #v_Vector - #v_Hasher - (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed <: t_Array u8 (sz 34)) - false - in - let (seed_for_A: t_Array u8 (sz 32)):t_Array u8 (sz 32) = - Core.Result.impl__unwrap #(t_Array u8 (sz 32)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (sz 32)) - #FStar.Tactics.Typeclasses.solve - seed - <: - Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError) - in - let public_key_unpacked:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = + let unpacked_public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = { - Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt = tt_as_ntt; - Libcrux_ml_kem.Ind_cpa.Unpacked.f_A = v_A; - Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A = seed_for_A + unpacked_public_key with + Libcrux_ml_kem.Ind_cpa.Unpacked.f_A + = + Libcrux_ml_kem.Matrix.sample_matrix_A v_K + #v_Vector + #v_Hasher + unpacked_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A + (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed <: t_Array u8 (sz 34)) + false } <: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector @@ -718,50 +780,72 @@ let encrypt let result:t_Array u8 v_CIPHERTEXT_SIZE = encrypt_unpacked v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 - v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher public_key_unpacked message randomness + v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher unpacked_public_key message randomness in let _:Prims.unit = admit () (* Panic freedom *) in result let generate_keypair_unpacked (v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (#v_Vector #v_Hasher: Type0) + (#v_Vector #v_Hasher #v_Scheme: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: + i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: + i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme) (key_generation_seed: t_Slice u8) + (private_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) + (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) = let hashed:t_Array u8 (sz 64) = - Libcrux_ml_kem.Hash_functions.f_G #v_Hasher - #v_K + Libcrux_ml_kem.Variant.f_cpa_keygen_seed #v_Scheme #FStar.Tactics.Typeclasses.solve + v_K + #v_Hasher key_generation_seed in let seed_for_A, seed_for_secret_and_error:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at #u8 (hashed <: t_Slice u8) (sz 32) in - let v_A_transpose:t_Array - (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = - Libcrux_ml_kem.Matrix.sample_matrix_A v_K - #v_Vector - #v_Hasher - (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed_for_A <: t_Array u8 (sz 34)) - true + let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = + { + public_key with + Libcrux_ml_kem.Ind_cpa.Unpacked.f_A + = + Libcrux_ml_kem.Matrix.sample_matrix_A v_K + #v_Vector + #v_Hasher + public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A + (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed_for_A <: t_Array u8 (sz 34)) + true + } + <: + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector in let (prf_input: t_Array u8 (sz 33)):t_Array u8 (sz 33) = Libcrux_ml_kem.Utils.into_padded_array (sz 33) seed_for_secret_and_error in - let secret_as_ntt, domain_separator:(t_Array - (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & - u8) = - sample_vector_cbd_then_ntt v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE #v_Vector #v_Hasher prf_input 0uy + let tmp0, out:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) = + sample_vector_cbd_then_ntt v_K + v_ETA1 + v_ETA1_RANDOMNESS_SIZE + #v_Vector + #v_Hasher + private_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt + prf_input + 0uy + in + let private_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector = + { private_key with Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt = tmp0 } + <: + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector in + let domain_separator:u8 = out in let error_as_ntt, _:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8 ) = - sample_vector_cbd_then_ntt v_K + sample_vector_cbd_then_ntt_out v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE #v_Vector @@ -769,77 +853,96 @@ let generate_keypair_unpacked prf_input domain_separator in - let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Libcrux_ml_kem.Matrix.compute_As_plus_e v_K #v_Vector v_A_transpose secret_as_ntt error_as_ntt - in - let (seed_for_A: t_Array u8 (sz 32)):t_Array u8 (sz 32) = - Core.Result.impl__unwrap #(t_Array u8 (sz 32)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (sz 32)) - #FStar.Tactics.Typeclasses.solve - seed_for_A - <: - Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError) - in - let pk:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = + let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = { - Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt = tt_as_ntt; - Libcrux_ml_kem.Ind_cpa.Unpacked.f_A = v_A_transpose; - Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A = seed_for_A + public_key with + Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + = + Libcrux_ml_kem.Matrix.compute_As_plus_e v_K + #v_Vector + public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A + private_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt + error_as_ntt } <: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector in - let sk:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector = - { Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt = secret_as_ntt } - <: - Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector - in - let result:(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector & - Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) = - sk, pk + let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = + { + public_key with + Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A + = + Core.Result.impl__unwrap #(t_Array u8 (sz 32)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 32)) + #FStar.Tactics.Typeclasses.solve + seed_for_A + <: + Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError) + } <: - (Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector & - Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector in - let _:Prims.unit = admit () (* Panic freedom *) in - result + let hax_temp_output:Prims.unit = admit () (* Panic freedom *) in + private_key, public_key + <: + (Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector & + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) let generate_keypair (v_K v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (#v_Vector #v_Hasher: Type0) + (#v_Vector #v_Hasher #v_Scheme: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: + i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: + i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme) (key_generation_seed: t_Slice u8) = - let sk, pk:(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector & + let private_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector + ) + #FStar.Tactics.Typeclasses.solve + () + in + let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) + #FStar.Tactics.Typeclasses.solve + () + in + let tmp0, tmp1:(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector & Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) = generate_keypair_unpacked v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE #v_Vector #v_Hasher + #v_Scheme key_generation_seed + private_key + public_key in + let private_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector = tmp0 in + let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = tmp1 in + let _:Prims.unit = () in let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = serialize_public_key v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE #v_Vector - pk.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt - (pk.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: t_Slice u8) + public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + (public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: t_Slice u8) in let secret_key_serialized:t_Array u8 v_PRIVATE_KEY_SIZE = serialize_secret_key v_K v_PRIVATE_KEY_SIZE #v_Vector - sk.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt + private_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt in let result:(t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE) = secret_key_serialized, public_key_serialized diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti index edacb43f3..11fd6f8e5 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti @@ -7,6 +7,8 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions in + let open Libcrux_ml_kem.Ind_cpa.Unpacked in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Traits in () @@ -31,6 +33,7 @@ val sample_vector_cbd_then_ntt (#v_Vector #v_Hasher: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (re_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) (prf_input: t_Array u8 (sz 33)) (domain_separator: u8) : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) @@ -40,12 +43,37 @@ val sample_vector_cbd_then_ntt range (v domain_separator + v v_K) u8_inttype) (ensures fun temp_0_ -> - let x, ds:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) + let re_as_ntt_future, ds:(t_Array + (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & + u8) = + temp_0_ + in + v ds == v domain_separator + v v_K /\ + Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector re_as_ntt_future == + Spec.MLKEM.sample_vector_cbd_then_ntt #v_K + (Seq.slice prf_input 0 32) + (sz (v domain_separator))) + +val sample_vector_cbd_then_ntt_out + (v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize) + (#v_Vector #v_Hasher: Type0) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (prf_input: t_Array u8 (sz 33)) + (domain_separator: u8) + : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) + (requires + Spec.MLKEM.is_rank v_K /\ v_ETA_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ + v_ETA == Spec.MLKEM.v_ETA1 v_K /\ v domain_separator < 2 * v v_K /\ + range (v domain_separator + v v_K) u8_inttype) + (ensures + fun temp_0_ -> + let re, ds:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) = temp_0_ in v ds == v domain_separator + v v_K /\ - Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector x == + Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector re == Spec.MLKEM.sample_vector_cbd_then_ntt #v_K (Seq.slice prf_input 0 32) (sz (v domain_separator))) @@ -61,7 +89,10 @@ val compress_then_serialize_u (requires Spec.MLKEM.is_rank v_K /\ v_OUT_LEN == Spec.MLKEM.v_C1_SIZE v_K /\ v_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ Core.Slice.impl__len #u8 out == v_OUT_LEN) + v_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ Core.Slice.impl__len #u8 out == v_OUT_LEN /\ + (forall (i: nat). + i < v v_K ==> + Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index input i))) (ensures fun out_future -> let out_future:t_Slice u8 = out_future in @@ -120,6 +151,27 @@ val serialize_secret_key Spec.MLKEM.vector_encode_12 #v_K (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector key)) +/// Concatenate `t` and `ρ` into the public key. +val serialize_public_key_mut + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (seed_for_a: t_Slice u8) + (serialized: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) + (requires + Spec.MLKEM.is_rank v_K /\ + v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ length seed_for_a == sz 32) + (ensures + fun serialized_future -> + let serialized_future:t_Array u8 v_PUBLIC_KEY_SIZE = serialized_future in + serialized_future == + Seq.append (Spec.MLKEM.vector_encode_12 #v_K + (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector tt_as_ntt)) + seed_for_a) + /// Concatenate `t` and `ρ` into the public key. val serialize_public_key (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) @@ -310,24 +362,29 @@ val encrypt /// . val generate_keypair_unpacked (v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (#v_Vector #v_Hasher: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (#v_Vector #v_Hasher #v_Scheme: Type0) + {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |} (key_generation_seed: t_Slice u8) + (private_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) + (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) : Prims.Pure (Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector & Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) (requires Spec.MLKEM.is_rank v_K /\ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA1 == Spec.MLKEM.v_ETA1 v_K) + v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ + length key_generation_seed == Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE) (fun _ -> Prims.l_True) val generate_keypair (v_K v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (#v_Vector #v_Hasher: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (#v_Vector #v_Hasher #v_Scheme: Type0) + {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |} (key_generation_seed: t_Slice u8) : Prims.Pure (t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE) (requires diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst index fc12208e9..49cb21598 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst @@ -315,7 +315,7 @@ let invert_ntt_montgomery let _:Prims.unit = () in let hax_temp_output, re:(Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - (), Libcrux_ml_kem.Polynomial.impl_1__poly_barrett_reduce #v_Vector re + (), Libcrux_ml_kem.Polynomial.impl_2__poly_barrett_reduce #v_Vector re <: (Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst index d407bc44c..276b16735 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst @@ -16,94 +16,94 @@ let compute_As_plus_e (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) (matrix_A: t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) (s_as_ntt error_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) = - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K - (fun v__i -> - let v__i:usize = v__i in - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = Rust_primitives.Hax.Folds.fold_enumerated_slice (matrix_A <: t_Slice (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)) - (fun result temp_1_ -> - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - result + (fun tt_as_ntt temp_1_ -> + let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + tt_as_ntt in let _:usize = temp_1_ in true) - result - (fun result temp_1_ -> - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - result + tt_as_ntt + (fun tt_as_ntt temp_1_ -> + let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + tt_as_ntt in let i, row:(usize & t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) = temp_1_ in - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt + i + (Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = Rust_primitives.Hax.Folds.fold_enumerated_slice (row <: t_Slice (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)) - (fun result temp_1_ -> - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (fun tt_as_ntt temp_1_ -> + let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - result + tt_as_ntt in let _:usize = temp_1_ in true) - result - (fun result temp_1_ -> - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + tt_as_ntt + (fun tt_as_ntt temp_1_ -> + let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - result + tt_as_ntt in let j, matrix_element:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = temp_1_ in let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__ntt_multiply #v_Vector + Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector matrix_element (s_as_ntt.[ j ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt i - (Libcrux_ml_kem.Polynomial.impl_1__add_to_ring_element #v_Vector + (Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector v_K - (result.[ i ] + (tt_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) product <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in - result) + tt_as_ntt) in - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt i - (Libcrux_ml_kem.Polynomial.impl_1__add_standard_error_reduce #v_Vector - (result.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (Libcrux_ml_kem.Polynomial.impl_2__add_standard_error_reduce #v_Vector + (tt_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (error_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in - result) + tt_as_ntt) in - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = result in + let result:Prims.unit = () <: Prims.unit in let _:Prims.unit = admit () (* Panic freedom *) in - result + let hax_temp_output:Prims.unit = result in + tt_as_ntt let compute_ring_element_v (v_K: usize) @@ -115,7 +115,7 @@ let compute_ring_element_v (error_2_ message: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) @@ -129,12 +129,12 @@ let compute_ring_element_v let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in let i:usize = i in let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__ntt_multiply #v_Vector + Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector (tt_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (r_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__add_to_ring_element #v_Vector v_K result product + Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector v_K result product in result) in @@ -142,7 +142,7 @@ let compute_ring_element_v Libcrux_ml_kem.Invert_ntt.invert_ntt_montgomery v_K #v_Vector result in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__add_message_error_reduce #v_Vector error_2_ message result + Libcrux_ml_kem.Polynomial.impl_2__add_message_error_reduce #v_Vector error_2_ message result in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in let _:Prims.unit = admit () (* Panic freedom *) in @@ -163,7 +163,7 @@ let compute_vector_u v_K (fun v__i -> let v__i:usize = v__i in - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -208,7 +208,7 @@ let compute_vector_u temp_1_ in let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__ntt_multiply #v_Vector + Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector a_element (r_as_ntt.[ j ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -216,7 +216,7 @@ let compute_vector_u v_K = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result i - (Libcrux_ml_kem.Polynomial.impl_1__add_to_ring_element #v_Vector + (Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector v_K (result.[ i ] <: @@ -239,7 +239,7 @@ let compute_vector_u let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result i - (Libcrux_ml_kem.Polynomial.impl_1__add_error_reduce #v_Vector + (Libcrux_ml_kem.Polynomial.impl_2__add_error_reduce #v_Vector (result.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (error_1_.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) <: @@ -262,7 +262,7 @@ let compute_message t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) = let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) @@ -276,12 +276,12 @@ let compute_message let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in let i:usize = i in let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__ntt_multiply #v_Vector + Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector (secret_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (u_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__add_to_ring_element #v_Vector v_K result product + Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector v_K result product in result) in @@ -289,7 +289,7 @@ let compute_message Libcrux_ml_kem.Invert_ntt.invert_ntt_montgomery v_K #v_Vector result in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__subtract_reduce #v_Vector v result + Libcrux_ml_kem.Polynomial.impl_2__subtract_reduce #v_Vector v result in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in let _:Prims.unit = admit () (* Panic freedom *) in @@ -304,25 +304,11 @@ let sample_matrix_A (#[FStar.Tactics.Typeclasses.tcresolve ()] i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (v_A_transpose: + t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) (seed: t_Array u8 (sz 34)) (transpose: bool) = - let v_A_transpose:t_Array - (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = - Core.Array.from_fn #(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - v_K - (fun v__i -> - let v__i:usize = v__i in - Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K - (fun v__j -> - let v__j:usize = v__j in - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - <: - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - in let v_A_transpose:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = Rust_primitives.Hax.Folds.fold_range (sz 0) @@ -431,9 +417,7 @@ let sample_matrix_A in v_A_transpose)) in - let result:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K - = - v_A_transpose - in + let result:Prims.unit = () <: Prims.unit in let _:Prims.unit = admit () (* Panic freedom *) in - result + let hax_temp_output:Prims.unit = result in + v_A_transpose diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti index ac11905d4..6947cb795 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti @@ -15,6 +15,7 @@ val compute_As_plus_e (v_K: usize) (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) (matrix_A: t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) (s_as_ntt error_as_ntt: @@ -22,10 +23,13 @@ val compute_As_plus_e : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) (requires Spec.MLKEM.is_rank v_K) (ensures - fun res -> - let res:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = res in + fun tt_as_ntt_future -> + let tt_as_ntt_future:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K = + tt_as_ntt_future + in let open Libcrux_ml_kem.Polynomial in - to_spec_vector_t res = + to_spec_vector_t tt_as_ntt_future = Spec.MLKEM.compute_As_plus_e_ntt (to_spec_matrix_t matrix_A) (to_spec_vector_t s_as_ntt) (to_spec_vector_t error_as_ntt)) @@ -102,21 +106,23 @@ val sample_matrix_A (#v_Vector #v_Hasher: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (v_A_transpose: + t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) (seed: t_Array u8 (sz 34)) (transpose: bool) : Prims.Pure (t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) (requires Spec.MLKEM.is_rank v_K) (ensures - fun res -> - let res:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - v_K = - res + fun v_A_transpose_future -> + let v_A_transpose_future:t_Array + (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = + v_A_transpose_future in let matrix_A, valid = Spec.MLKEM.sample_matrix_A_ntt (Seq.slice seed 0 32) in valid ==> (if transpose - then Libcrux_ml_kem.Polynomial.to_spec_matrix_t res == matrix_A + then Libcrux_ml_kem.Polynomial.to_spec_matrix_t v_A_transpose_future == matrix_A else - Libcrux_ml_kem.Polynomial.to_spec_matrix_t res == Spec.MLKEM.matrix_transpose matrix_A - )) + Libcrux_ml_kem.Polynomial.to_spec_matrix_t v_A_transpose_future == + Spec.MLKEM.matrix_transpose matrix_A)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst index 3becfc426..1ed6cc3c1 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst @@ -3,6 +3,16 @@ module Libcrux_ml_kem.Mlkem1024.Avx2 open Core open FStar.Mul +let validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_private_key (sz 4) + (sz 3168) + (sz 1568) + private_key + ciphertext + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) @@ -29,46 +39,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = randomness let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = - if - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 4) - (sz 1536) - (sz 1568) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - else - Core.Option.Option_None - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - -let encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.encapsulate_unpacked (sz 4) (sz 1568) (sz 1568) - (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key - randomness - -let decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.decapsulate_unpacked (sz 4) (sz 3168) (sz 1536) - (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) - (sz 128) (sz 1600) private_key ciphertext - -let generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.generate_keypair_unpacked (sz 4) + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 4) (sz 1536) - (sz 3168) (sz 1568) - (sz 1536) - (sz 2) - (sz 128) - randomness + public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti index 176cc9784..4f57bcb17 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti @@ -3,6 +3,13 @@ module Libcrux_ml_kem.Mlkem1024.Avx2 open Core open FStar.Mul +/// Validate a private key. +/// Returns `true` if valid, and `false` otherwise. +val validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 1024 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`]. @@ -29,47 +36,6 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) (fun _ -> Prims.l_True) /// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. +/// Returns `true` if valid, and `false` otherwise. val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))) - Prims.l_True - (fun _ -> Prims.l_True) - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 1024 (unpacked) -/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. -/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved: -/// https://github.com/hacspec/hax/issues/770 -val encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Decapsulate ML-KEM 1024 (unpacked) -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`] -/// and an [`MlKem1024Ciphertext`]. -val decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate ML-KEM 1024 Key Pair in "unpacked" form -val generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst index 2c782f7a5..8cab7c870 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst @@ -3,6 +3,16 @@ module Libcrux_ml_kem.Mlkem1024.Neon open Core open FStar.Mul +let validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_private_key (sz 4) + (sz 3168) + (sz 1568) + private_key + ciphertext + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) @@ -29,46 +39,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = randomness let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = - if - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 4) - (sz 1536) - (sz 1568) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - else - Core.Option.Option_None - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - -let encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.encapsulate_unpacked (sz 4) (sz 1568) (sz 1568) - (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key - randomness - -let decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.decapsulate_unpacked (sz 4) (sz 3168) (sz 1536) - (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) - (sz 128) (sz 1600) private_key ciphertext - -let generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.generate_keypair_unpacked (sz 4) + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 4) (sz 1536) - (sz 3168) (sz 1568) - (sz 1536) - (sz 2) - (sz 128) - randomness + public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti index ab4413e4d..d71f032a7 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti @@ -3,6 +3,13 @@ module Libcrux_ml_kem.Mlkem1024.Neon open Core open FStar.Mul +/// Validate a private key. +/// Returns `true` if valid, and `false` otherwise. +val validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 1024 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`]. @@ -29,49 +36,6 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) (fun _ -> Prims.l_True) /// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. +/// Returns `true` if valid, and `false` otherwise. val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))) - Prims.l_True - (fun _ -> Prims.l_True) - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 1024 (unpacked) -/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. -/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved: -/// https://github.com/hacspec/hax/issues/770 -val encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Decapsulate ML-KEM 1024 (unpacked) -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`] -/// and an [`MlKem1024Ciphertext`]. -val decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate ML-KEM 1024 Key Pair in "unpacked" form -val generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - Prims.l_True - (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst index 92509e13b..60a05dcc1 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst @@ -3,6 +3,16 @@ module Libcrux_ml_kem.Mlkem1024.Portable open Core open FStar.Mul +let validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_private_key (sz 4) + (sz 3168) + (sz 1568) + private_key + ciphertext + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) @@ -29,46 +39,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = randomness let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = - if - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 4) - (sz 1536) - (sz 1568) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - else - Core.Option.Option_None - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - -let encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.encapsulate_unpacked (sz 4) (sz 1568) (sz 1568) - (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key - randomness - -let decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.decapsulate_unpacked (sz 4) (sz 3168) (sz 1536) - (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) - (sz 128) (sz 1600) private_key ciphertext - -let generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.generate_keypair_unpacked (sz 4) + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 4) (sz 1536) - (sz 3168) (sz 1568) - (sz 1536) - (sz 2) - (sz 128) - randomness + public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti index 8397ad5eb..9ce6a597e 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti @@ -3,6 +3,13 @@ module Libcrux_ml_kem.Mlkem1024.Portable open Core open FStar.Mul +/// Validate a private key. +/// Returns `true` if valid, and `false` otherwise. +val validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 1024 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`]. @@ -29,49 +36,6 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) (fun _ -> Prims.l_True) /// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. +/// Returns `true` if valid, and `false` otherwise. val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))) - Prims.l_True - (fun _ -> Prims.l_True) - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 1024 (unpacked) -/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. -/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved: -/// https://github.com/hacspec/hax/issues/770 -val encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Decapsulate ML-KEM 1024 (unpacked) -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`] -/// and an [`MlKem1024Ciphertext`]. -val decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate ML-KEM 1024 Key Pair in "unpacked" form -val generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - Prims.l_True - (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst index ae991e1ab..c06297797 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst @@ -3,6 +3,22 @@ module Libcrux_ml_kem.Mlkem1024 open Core open FStar.Mul +let validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + = + Libcrux_ml_kem.Ind_cca.Multiplexing.validate_private_key (sz 4) + (sz 3168) + (sz 1568) + private_key + ciphertext + +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = + Libcrux_ml_kem.Ind_cca.Multiplexing.validate_public_key (sz 4) + (sz 1536) + (sz 1568) + public_key.Libcrux_ml_kem.Types.f_value + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) @@ -39,18 +55,3 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = in let _:Prims.unit = admit () (* Panic freedom *) in result - -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = - if - Libcrux_ml_kem.Ind_cca.Multiplexing.validate_public_key (sz 4) - (sz 1536) - (sz 1568) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - else - Core.Option.Option_None - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti index fd793d70a..fa7a134dd 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti @@ -62,6 +62,18 @@ let v_CPA_PKE_CIPHERTEXT_SIZE_1024_: usize = v_C1_SIZE_1024_ +! v_C2_SIZE_1024_ let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_1024_ +/// Validate a private key. +/// Returns `true` if valid, and `false` otherwise. +val validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +/// Validate a public key. +/// Returns `true` if valid, and `false` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 1024 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`]. @@ -110,10 +122,3 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) Spec.MLKEM.Instances.mlkem1024_generate_keypair randomness in valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key)) - -/// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))) - Prims.l_True - (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst index 84c164f5d..d84c15890 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst @@ -3,6 +3,16 @@ module Libcrux_ml_kem.Mlkem512.Avx2 open Core open FStar.Mul +let validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_private_key (sz 2) + (sz 1632) + (sz 768) + private_key + ciphertext + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) @@ -29,43 +39,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = randomness let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = - if - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 2) - (sz 768) - (sz 800) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - else - Core.Option.Option_None <: Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - -let encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.encapsulate_unpacked (sz 2) (sz 768) (sz 800) (sz 768) - (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness - -let decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.decapsulate_unpacked (sz 2) (sz 1632) (sz 768) (sz 800) - (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) - (sz 800) private_key ciphertext - -let generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.generate_keypair_unpacked (sz 2) + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 2) (sz 768) - (sz 1632) (sz 800) - (sz 768) - (sz 3) - (sz 192) - randomness + public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti index 222fdaf4d..79530147b 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti @@ -3,6 +3,13 @@ module Libcrux_ml_kem.Mlkem512.Avx2 open Core open FStar.Mul +/// Validate a private key. +/// Returns `true` if valid, and `false` otherwise. +val validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 512 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. @@ -29,45 +36,6 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) (fun _ -> Prims.l_True) /// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. +/// Returns `true` if valid, and `false` otherwise. val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))) - Prims.l_True - (fun _ -> Prims.l_True) - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 512 (unpacked) -/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. -val encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Decapsulate ML-KEM 512 (unpacked) -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`] -/// and an [`MlKem512Ciphertext`]. -val decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate ML-KEM 512 Key Pair in "unpacked" form -val generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst index 103a0efc1..58b2f0dc4 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst @@ -3,6 +3,16 @@ module Libcrux_ml_kem.Mlkem512.Neon open Core open FStar.Mul +let validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_private_key (sz 2) + (sz 1632) + (sz 768) + private_key + ciphertext + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) @@ -29,43 +39,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = randomness let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = - if - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 2) - (sz 768) - (sz 800) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - else - Core.Option.Option_None <: Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - -let encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.encapsulate_unpacked (sz 2) (sz 768) (sz 800) (sz 768) - (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness - -let decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.decapsulate_unpacked (sz 2) (sz 1632) (sz 768) (sz 800) - (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) - (sz 800) private_key ciphertext - -let generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.generate_keypair_unpacked (sz 2) + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 2) (sz 768) - (sz 1632) (sz 800) - (sz 768) - (sz 3) - (sz 192) - randomness + public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti index 0bb4a418a..3d846ac51 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti @@ -3,6 +3,13 @@ module Libcrux_ml_kem.Mlkem512.Neon open Core open FStar.Mul +/// Validate a private key. +/// Returns `true` if valid, and `false` otherwise. +val validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 512 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. @@ -29,47 +36,6 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) (fun _ -> Prims.l_True) /// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. +/// Returns `true` if valid, and `false` otherwise. val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))) - Prims.l_True - (fun _ -> Prims.l_True) - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 512 (unpacked) -/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. -val encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Decapsulate ML-KEM 512 (unpacked) -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`] -/// and an [`MlKem512Ciphertext`]. -val decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate ML-KEM 512 Key Pair in "unpacked" form -val generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - Prims.l_True - (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst index d71d18276..97dccb937 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst @@ -3,6 +3,16 @@ module Libcrux_ml_kem.Mlkem512.Portable open Core open FStar.Mul +let validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_private_key (sz 2) + (sz 1632) + (sz 768) + private_key + ciphertext + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) @@ -29,44 +39,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = randomness let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = - if - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 2) - (sz 768) - (sz 800) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - else - Core.Option.Option_None <: Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - -let encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.encapsulate_unpacked (sz 2) (sz 768) (sz 800) - (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key - randomness - -let decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.decapsulate_unpacked (sz 2) (sz 1632) (sz 768) - (sz 800) (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) - (sz 128) (sz 800) private_key ciphertext - -let generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.generate_keypair_unpacked (sz 2) + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 2) (sz 768) - (sz 1632) (sz 800) - (sz 768) - (sz 3) - (sz 192) - randomness + public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti index f238d623b..eee7fb43d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti @@ -3,6 +3,13 @@ module Libcrux_ml_kem.Mlkem512.Portable open Core open FStar.Mul +/// Validate a private key. +/// Returns `true` if valid, and `false` otherwise. +val validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 512 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. @@ -29,47 +36,6 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) (fun _ -> Prims.l_True) /// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. +/// Returns `true` if valid, and `false` otherwise. val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))) - Prims.l_True - (fun _ -> Prims.l_True) - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 512 (unpacked) -/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. -val encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Decapsulate ML-KEM 512 (unpacked) -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`] -/// and an [`MlKem512Ciphertext`]. -val decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate ML-KEM 512 Key Pair in "unpacked" form -val generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - Prims.l_True - (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst index 3e97c4564..db5293cf8 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst @@ -3,6 +3,22 @@ module Libcrux_ml_kem.Mlkem512 open Core open FStar.Mul +let validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + = + Libcrux_ml_kem.Ind_cca.Multiplexing.validate_private_key (sz 2) + (sz 1632) + (sz 768) + private_key + ciphertext + +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = + Libcrux_ml_kem.Ind_cca.Multiplexing.validate_public_key (sz 2) + (sz 768) + (sz 800) + public_key.Libcrux_ml_kem.Types.f_value + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) @@ -39,16 +55,3 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = in let _:Prims.unit = admit () (* Panic freedom *) in result - -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = - if - Libcrux_ml_kem.Ind_cca.Multiplexing.validate_public_key (sz 2) - (sz 768) - (sz 800) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - else - Core.Option.Option_None <: Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti index ef6a7c30f..40a174dcb 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti @@ -37,6 +37,18 @@ let v_VECTOR_U_COMPRESSION_FACTOR_512_: usize = sz 10 let v_VECTOR_V_COMPRESSION_FACTOR_512_: usize = sz 4 +/// Validate a private key. +/// Returns `true` if valid, and `false` otherwise. +val validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +/// Validate a public key. +/// Returns `true` if valid, and `false` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 512 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. @@ -85,10 +97,3 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) Spec.MLKEM.Instances.mlkem512_generate_keypair randomness in valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key)) - -/// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))) - Prims.l_True - (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst index aa6931d6c..3ec064b3f 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst @@ -3,6 +3,16 @@ module Libcrux_ml_kem.Mlkem768.Avx2 open Core open FStar.Mul +let validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_private_key (sz 3) + (sz 2400) + (sz 1088) + private_key + ciphertext + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) @@ -29,46 +39,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = randomness let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = - if - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 3) - (sz 1152) - (sz 1184) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - else - Core.Option.Option_None - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - -let encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.encapsulate_unpacked (sz 3) (sz 1088) (sz 1184) - (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key - randomness - -let decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.decapsulate_unpacked (sz 3) (sz 2400) (sz 1152) - (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) - (sz 128) (sz 1120) private_key ciphertext - -let generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.generate_keypair_unpacked (sz 3) + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 3) (sz 1152) - (sz 2400) (sz 1184) - (sz 1152) - (sz 2) - (sz 128) - randomness + public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti index dbf416647..0b2855263 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti @@ -3,6 +3,13 @@ module Libcrux_ml_kem.Mlkem768.Avx2 open Core open FStar.Mul +/// Validate a private key. +/// Returns `true` if valid, and `false` otherwise. +val validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 768 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. @@ -29,45 +36,6 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) (fun _ -> Prims.l_True) /// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. +/// Returns `true` if valid, and `false` otherwise. val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))) - Prims.l_True - (fun _ -> Prims.l_True) - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 768 (unpacked) -/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. -val encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Decapsulate ML-KEM 768 (unpacked) -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`] -/// and an [`MlKem768Ciphertext`]. -val decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate ML-KEM 768 Key Pair in "unpacked" form -val generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst index 2846f5a89..4608a3923 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst @@ -3,6 +3,16 @@ module Libcrux_ml_kem.Mlkem768.Neon open Core open FStar.Mul +let validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_private_key (sz 3) + (sz 2400) + (sz 1088) + private_key + ciphertext + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) @@ -29,46 +39,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = randomness let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = - if - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 3) - (sz 1152) - (sz 1184) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - else - Core.Option.Option_None - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - -let encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.encapsulate_unpacked (sz 3) (sz 1088) (sz 1184) - (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key - randomness - -let decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.decapsulate_unpacked (sz 3) (sz 2400) (sz 1152) - (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) - (sz 128) (sz 1120) private_key ciphertext - -let generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.generate_keypair_unpacked (sz 3) + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 3) (sz 1152) - (sz 2400) (sz 1184) - (sz 1152) - (sz 2) - (sz 128) - randomness + public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti index d9968514d..1b4e3414d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti @@ -3,6 +3,13 @@ module Libcrux_ml_kem.Mlkem768.Neon open Core open FStar.Mul +/// Validate a private key. +/// Returns `true` if valid, and `false` otherwise. +val validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 768 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. @@ -29,47 +36,6 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) (fun _ -> Prims.l_True) /// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. +/// Returns `true` if valid, and `false` otherwise. val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))) - Prims.l_True - (fun _ -> Prims.l_True) - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 768 (unpacked) -/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. -val encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Decapsulate ML-KEM 768 (unpacked) -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`] -/// and an [`MlKem768Ciphertext`]. -val decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate ML-KEM 768 Key Pair in "unpacked" form -val generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - Prims.l_True - (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst index 2f77deb3b..d98e44837 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst @@ -3,6 +3,16 @@ module Libcrux_ml_kem.Mlkem768.Portable open Core open FStar.Mul +let validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_private_key (sz 3) + (sz 2400) + (sz 1088) + private_key + ciphertext + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) @@ -29,46 +39,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = randomness let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = - if - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 3) - (sz 1152) - (sz 1184) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - else - Core.Option.Option_None - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - -let encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.encapsulate_unpacked (sz 3) (sz 1088) (sz 1184) - (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key - randomness - -let decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.decapsulate_unpacked (sz 3) (sz 2400) (sz 1152) - (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) - (sz 128) (sz 1120) private_key ciphertext - -let generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.generate_keypair_unpacked (sz 3) + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 3) (sz 1152) - (sz 2400) (sz 1184) - (sz 1152) - (sz 2) - (sz 128) - randomness + public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti index 0edff9a45..c14954e5d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti @@ -3,6 +3,13 @@ module Libcrux_ml_kem.Mlkem768.Portable open Core open FStar.Mul +/// Validate a private key. +/// Returns `true` if valid, and `false` otherwise. +val validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 768 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. @@ -29,47 +36,6 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) (fun _ -> Prims.l_True) /// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. +/// Returns `true` if valid, and `false` otherwise. val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))) - Prims.l_True - (fun _ -> Prims.l_True) - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 768 (unpacked) -/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. -val encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Decapsulate ML-KEM 768 (unpacked) -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`] -/// and an [`MlKem768Ciphertext`]. -val decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate ML-KEM 768 Key Pair in "unpacked" form -val generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - Prims.l_True - (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst index 3fa153282..235881a7e 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst @@ -3,6 +3,22 @@ module Libcrux_ml_kem.Mlkem768 open Core open FStar.Mul +let validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + = + Libcrux_ml_kem.Ind_cca.Multiplexing.validate_private_key (sz 3) + (sz 2400) + (sz 1088) + private_key + ciphertext + +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = + Libcrux_ml_kem.Ind_cca.Multiplexing.validate_public_key (sz 3) + (sz 1152) + (sz 1184) + public_key.Libcrux_ml_kem.Types.f_value + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) @@ -39,18 +55,3 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = in let _:Prims.unit = admit () (* Panic freedom *) in result - -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = - if - Libcrux_ml_kem.Ind_cca.Multiplexing.validate_public_key (sz 3) - (sz 1152) - (sz 1184) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - else - Core.Option.Option_None - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti index 9e2339b6f..34bfea335 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti @@ -62,6 +62,18 @@ let v_CPA_PKE_CIPHERTEXT_SIZE_768_: usize = v_C1_SIZE_768_ +! v_C2_SIZE_768_ let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_768_ +/// Validate a private key. +/// Returns `true` if valid, and `false` otherwise. +val validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +/// Validate a public key. +/// Returns `true` if valid, and `false` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 768 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. @@ -110,10 +122,3 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) Spec.MLKEM.Instances.mlkem768_generate_keypair randomness in valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key)) - -/// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))) - Prims.l_True - (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst index 702b82a42..da6a5be15 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst @@ -378,7 +378,7 @@ let ntt_binomially_sampled_ring_element let _:Prims.unit = () in let hax_temp_output, re:(Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - (), Libcrux_ml_kem.Polynomial.impl_1__poly_barrett_reduce #v_Vector re + (), Libcrux_ml_kem.Polynomial.impl_2__poly_barrett_reduce #v_Vector re <: (Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -437,7 +437,7 @@ let ntt_vector_u let _:Prims.unit = () in let hax_temp_output, re:(Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - (), Libcrux_ml_kem.Polynomial.impl_1__poly_barrett_reduce #v_Vector re + (), Libcrux_ml_kem.Polynomial.impl_2__poly_barrett_reduce #v_Vector re <: (Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst index 002d025eb..14065e04f 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst @@ -14,7 +14,7 @@ let get_zeta (i: usize) = let _:Prims.unit = admit () (* Panic freedom *) in result -let impl_1__ZERO +let impl_2__ZERO (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: @@ -34,7 +34,7 @@ let impl_1__ZERO <: t_PolynomialRingElement v_Vector -let impl_1__add_error_reduce +let impl_2__add_error_reduce (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: @@ -85,7 +85,7 @@ let impl_1__add_error_reduce let hax_temp_output:Prims.unit = () <: Prims.unit in self -let impl_1__add_message_error_reduce +let impl_2__add_message_error_reduce (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: @@ -142,7 +142,7 @@ let impl_1__add_message_error_reduce in result -let impl_1__add_standard_error_reduce +let impl_2__add_standard_error_reduce (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: @@ -191,7 +191,7 @@ let impl_1__add_standard_error_reduce let hax_temp_output:Prims.unit = () <: Prims.unit in self -let impl_1__add_to_ring_element +let impl_2__add_to_ring_element (#v_Vector: Type0) (v_K: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -232,14 +232,14 @@ let impl_1__add_to_ring_element let hax_temp_output:Prims.unit = () <: Prims.unit in self -let impl_1__from_i16_array +let impl_2__from_i16_array (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (a: t_Slice i16) = - let result:t_PolynomialRingElement v_Vector = impl_1__ZERO #v_Vector () in + let result:t_PolynomialRingElement v_Vector = impl_2__ZERO #v_Vector () in let result:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) v_VECTORS_IN_RING_ELEMENT @@ -277,7 +277,7 @@ let impl_1__from_i16_array in result -let impl_1__ntt_multiply +let impl_2__ntt_multiply (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: @@ -285,7 +285,7 @@ let impl_1__ntt_multiply (self rhs: t_PolynomialRingElement v_Vector) = let _:Prims.unit = admit () in - let out:t_PolynomialRingElement v_Vector = impl_1__ZERO #v_Vector () in + let out:t_PolynomialRingElement v_Vector = impl_2__ZERO #v_Vector () in let out:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) v_VECTORS_IN_RING_ELEMENT @@ -321,7 +321,7 @@ let impl_1__ntt_multiply in out -let impl_1__poly_barrett_reduce +let impl_2__poly_barrett_reduce (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: @@ -360,7 +360,7 @@ let impl_1__poly_barrett_reduce let hax_temp_output:Prims.unit = () <: Prims.unit in self -let impl_1__subtract_reduce +let impl_2__subtract_reduce (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti index bca911ebe..ca8ac5ed8 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti @@ -60,25 +60,25 @@ let to_spec_matrix_t (#r:Spec.MLKEM.rank) (#v_Vector: Type0) (m:t_Array (t_Array (t_PolynomialRingElement v_Vector) r) r) : Spec.MLKEM.matrix r = createi r (fun i -> to_spec_vector_t #r #v_Vector (m.[i])) -val impl_1__ZERO: +val impl_2__ZERO: #v_Vector: Type0 -> {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} -> Prims.unit -> Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_1__add_error_reduce +val impl_2__add_error_reduce (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self error: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_1__add_message_error_reduce +val impl_2__add_message_error_reduce (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self message result: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_1__add_standard_error_reduce +val impl_2__add_standard_error_reduce (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self error: t_PolynomialRingElement v_Vector) @@ -86,14 +86,14 @@ val impl_1__add_standard_error_reduce /// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise /// sum of their constituent coefficients. -val impl_1__add_to_ring_element +val impl_2__add_to_ring_element (#v_Vector: Type0) (v_K: usize) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self rhs: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_1__from_i16_array +val impl_2__from_i16_array (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (a: t_Slice i16) @@ -122,19 +122,19 @@ val impl_1__from_i16_array /// this function are in the Montgomery domain. /// The NIST FIPS 203 standard can be found at /// . -val impl_1__ntt_multiply +val impl_2__ntt_multiply (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self rhs: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_1__poly_barrett_reduce +val impl_2__poly_barrett_reduce (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_1__subtract_reduce +val impl_2__subtract_reduce (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self b: t_PolynomialRingElement v_Vector) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst index 4436feb62..0ed1d6ebd 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst @@ -222,7 +222,7 @@ let sample_from_binomial_distribution_2_ in sampled_i16s)) in - Libcrux_ml_kem.Polynomial.impl_1__from_i16_array #v_Vector (sampled_i16s <: t_Slice i16) + Libcrux_ml_kem.Polynomial.impl_2__from_i16_array #v_Vector (sampled_i16s <: t_Slice i16) #pop-options @@ -303,7 +303,7 @@ let sample_from_binomial_distribution_3_ in sampled_i16s)) in - Libcrux_ml_kem.Polynomial.impl_1__from_i16_array #v_Vector (sampled_i16s <: t_Slice i16) + Libcrux_ml_kem.Polynomial.impl_2__from_i16_array #v_Vector (sampled_i16s <: t_Slice i16) #pop-options @@ -412,7 +412,7 @@ let sample_from_xof out (fun s -> let s:t_Array i16 (sz 272) = s in - Libcrux_ml_kem.Polynomial.impl_1__from_i16_array #v_Vector + Libcrux_ml_kem.Polynomial.impl_2__from_i16_array #v_Vector (s.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 256 } <: Core.Ops.Range.t_Range usize ] diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst index c0b67d1b7..3d92db16f 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst @@ -9,7 +9,17 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -#push-options "--admit_smt_queries true" +let to_unsigned_field_modulus + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (a: v_Vector) + = + let _:Prims.unit = reveal_opaque (`%field_modulus_range) (field_modulus_range #v_Vector) in + let result:v_Vector = Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector a in + let _:Prims.unit = admit () (* Panic freedom *) in + result let compress_then_serialize_10_ (v_OUT_LEN: usize) @@ -19,23 +29,29 @@ let compress_then_serialize_10_ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + let _:Prims.unit = assert_norm (pow2 10 == 1024) in let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT - (fun serialized temp_1_ -> + (fun serialized i -> let serialized:t_Array u8 v_OUT_LEN = serialized in - let _:usize = temp_1_ in - true) + let i:usize = i in + v i >= 0 /\ v i <= 16 /\ v i < 16 ==> coefficients_field_modulus_range re) serialized (fun serialized i -> let serialized:t_Array u8 v_OUT_LEN = serialized in let i:usize = i in + let _:Prims.unit = assert (20 * v i + 20 <= 320) in + let _:Prims.unit = + reveal_opaque (`%coefficients_field_modulus_range) + (coefficients_field_modulus_range #v_Vector) + in let coefficient:v_Vector = Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector #FStar.Tactics.Typeclasses.solve 10l - (Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector + (to_unsigned_field_modulus #v_Vector (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) <: v_Vector) @@ -68,9 +84,9 @@ let compress_then_serialize_10_ in serialized) in - serialized - -#pop-options + let result:t_Array u8 v_OUT_LEN = serialized in + let _:Prims.unit = admit () (* Panic freedom *) in + result #push-options "--admit_smt_queries true" @@ -135,8 +151,6 @@ let compress_then_serialize_11_ #pop-options -#push-options "--admit_smt_queries true" - let compress_then_serialize_4_ (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -145,23 +159,29 @@ let compress_then_serialize_4_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (serialized: t_Slice u8) = - let v__serialized_len:usize = Core.Slice.impl__len #u8 serialized in + let _:Prims.unit = assert_norm (pow2 4 == 16) in let serialized:t_Slice u8 = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT (fun serialized i -> let serialized:t_Slice u8 = serialized in let i:usize = i in - (Core.Slice.impl__len #u8 serialized <: usize) =. v__serialized_len <: bool) + v i >= 0 /\ v i <= 16 /\ v i < 16 ==> + (Seq.length serialized == 128 /\ coefficients_field_modulus_range re)) serialized (fun serialized i -> let serialized:t_Slice u8 = serialized in let i:usize = i in + let _:Prims.unit = assert (8 * v i + 8 <= 128) in + let _:Prims.unit = + reveal_opaque (`%coefficients_field_modulus_range) + (coefficients_field_modulus_range #v_Vector) + in let coefficient:v_Vector = Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector #FStar.Tactics.Typeclasses.solve 4l - (Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector + (to_unsigned_field_modulus #v_Vector (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) <: v_Vector) @@ -194,11 +214,11 @@ let compress_then_serialize_4_ in serialized) in - let hax_temp_output:Prims.unit = () <: Prims.unit in + let result:Prims.unit = () <: Prims.unit in + let _:Prims.unit = admit () (* Panic freedom *) in + let hax_temp_output:Prims.unit = result in serialized -#pop-options - #push-options "--admit_smt_queries true" let compress_then_serialize_5_ @@ -209,14 +229,13 @@ let compress_then_serialize_5_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (serialized: t_Slice u8) = - let v__serialized_len:usize = Core.Slice.impl__len #u8 serialized in let serialized:t_Slice u8 = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT - (fun serialized i -> + (fun serialized temp_1_ -> let serialized:t_Slice u8 = serialized in - let i:usize = i in - (Core.Slice.impl__len #u8 serialized <: usize) =. v__serialized_len <: bool) + let _:usize = temp_1_ in + true) serialized (fun serialized i -> let serialized:t_Slice u8 = serialized in @@ -263,8 +282,6 @@ let compress_then_serialize_5_ #pop-options -#push-options "--admit_smt_queries true" - let compress_then_serialize_message (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -276,16 +293,21 @@ let compress_then_serialize_message let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.Folds.fold_range (sz 0) (sz 16) - (fun serialized temp_1_ -> + (fun serialized i -> let serialized:t_Array u8 (sz 32) = serialized in - let _:usize = temp_1_ in - true) + let i:usize = i in + v i < 16 ==> coefficients_field_modulus_range re) serialized (fun serialized i -> let serialized:t_Array u8 (sz 32) = serialized in let i:usize = i in + let _:Prims.unit = assert (2 * v i + 2 <= 32) in + let _:Prims.unit = + reveal_opaque (`%coefficients_field_modulus_range) + (coefficients_field_modulus_range #v_Vector) + in let coefficient:v_Vector = - Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector + to_unsigned_field_modulus #v_Vector (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) in let coefficient_compressed:v_Vector = @@ -321,9 +343,9 @@ let compress_then_serialize_message in serialized) in - serialized - -#pop-options + let result:t_Array u8 (sz 32) = serialized in + let _:Prims.unit = admit () (* Panic freedom *) in + result let compress_then_serialize_ring_element_u (v_COMPRESSION_FACTOR v_OUT_LEN: usize) @@ -335,7 +357,8 @@ let compress_then_serialize_ring_element_u = let _:Prims.unit = assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 10) \/ - (v (cast v_COMPRESSION_FACTOR <: u32) == 11)) + (v (cast v_COMPRESSION_FACTOR <: u32) == 11)); + Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v v_COMPRESSION_FACTOR) in match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with | 10ul -> compress_then_serialize_10_ v_OUT_LEN #v_Vector re @@ -357,7 +380,8 @@ let compress_then_serialize_ring_element_v = let _:Prims.unit = assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 4) \/ - (v (cast v_COMPRESSION_FACTOR <: u32) == 5)) + (v (cast v_COMPRESSION_FACTOR <: u32) == 5)); + Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v v_COMPRESSION_FACTOR) in let out, hax_temp_output:(t_Slice u8 & Prims.unit) = match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with @@ -385,7 +409,7 @@ let deserialize_then_decompress_10_ assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 10) /! sz 8) == 320) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () in let v__coefficients_length:usize = Core.Slice.impl__len #v_Vector (re.Libcrux_ml_kem.Polynomial.f_coefficients <: t_Slice v_Vector) @@ -439,7 +463,7 @@ let deserialize_then_decompress_11_ assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 11) /! sz 8) == 352) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 22) @@ -490,7 +514,7 @@ let deserialize_then_decompress_4_ assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 4) /! sz 8) == 128) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 8) @@ -541,7 +565,7 @@ let deserialize_then_decompress_5_ assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 5) /! sz 8) == 160) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 10) @@ -593,8 +617,6 @@ let deserialize_then_decompress_5_ in re -#push-options "--admit_smt_queries true" - let deserialize_then_decompress_message (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -603,7 +625,7 @@ let deserialize_then_decompress_message (serialized: t_Array u8 (sz 32)) = let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) @@ -645,9 +667,9 @@ let deserialize_then_decompress_message in re) in - re - -#pop-options + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let _:Prims.unit = admit () (* Panic freedom *) in + result let deserialize_then_decompress_ring_element_u (v_COMPRESSION_FACTOR: usize) @@ -691,8 +713,6 @@ let deserialize_then_decompress_ring_element_v <: Rust_primitives.Hax.t_Never) -#push-options "--admit_smt_queries true" - let deserialize_to_reduced_ring_element (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -702,7 +722,7 @@ let deserialize_to_reduced_ring_element = let _:Prims.unit = assert (v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT / 24 == 16) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 24) @@ -739,9 +759,9 @@ let deserialize_to_reduced_ring_element in re) in - re - -#pop-options + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let _:Prims.unit = admit () (* Panic freedom *) in + result let deserialize_ring_elements_reduced (v_K: usize) @@ -750,16 +770,8 @@ let deserialize_ring_elements_reduced i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (public_key: t_Slice u8) + (deserialized_pk: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) = - let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K - (fun v__i -> - let v__i:usize = v__i in - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT public_key @@ -785,6 +797,29 @@ let deserialize_ring_elements_reduced <: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) in + let hax_temp_output:Prims.unit = () <: Prims.unit in + deserialized_pk + +let deserialize_ring_elements_reduced_out + (v_K: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (public_key: t_Slice u8) + = + let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K + (fun v__i -> + let v__i:usize = v__i in + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + deserialize_ring_elements_reduced v_K #v_Vector public_key deserialized_pk + in deserialized_pk let deserialize_to_uncompressed_ring_element @@ -796,7 +831,7 @@ let deserialize_to_uncompressed_ring_element = let _:Prims.unit = assert (v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT / 24 == 16) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 24) @@ -829,8 +864,6 @@ let deserialize_to_uncompressed_ring_element in re -#push-options "--admit_smt_queries true" - let serialize_uncompressed_ring_element (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -838,20 +871,26 @@ let serialize_uncompressed_ring_element Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + let _:Prims.unit = assert_norm (pow2 12 == 4096) in let serialized:t_Array u8 (sz 384) = Rust_primitives.Hax.repeat 0uy (sz 384) in let serialized:t_Array u8 (sz 384) = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT - (fun serialized temp_1_ -> + (fun serialized i -> let serialized:t_Array u8 (sz 384) = serialized in - let _:usize = temp_1_ in - true) + let i:usize = i in + v i >= 0 /\ v i <= 16 /\ v i < 16 ==> coefficients_field_modulus_range re) serialized (fun serialized i -> let serialized:t_Array u8 (sz 384) = serialized in let i:usize = i in + let _:Prims.unit = assert (24 * v i + 24 <= 384) in + let _:Prims.unit = + reveal_opaque (`%coefficients_field_modulus_range) + (coefficients_field_modulus_range #v_Vector) + in let coefficient:v_Vector = - Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector + to_unsigned_field_modulus #v_Vector (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) in let bytes:t_Array u8 (sz 24) = @@ -882,6 +921,6 @@ let serialize_uncompressed_ring_element in serialized) in - serialized - -#pop-options + let result:t_Array u8 (sz 384) = serialized in + let _:Prims.unit = admit () (* Panic freedom *) in + result diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti index 4f60485f0..2d1d64184 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti @@ -9,19 +9,50 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +[@@ "opaque_to_smt"] +let field_modulus_range (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (a: v_Vector) = + let coef = Libcrux_ml_kem.Vector.Traits.f_to_i16_array a in + forall (i:nat). i < 16 ==> v (Seq.index coef i) > -(v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) /\ + v (Seq.index coef i) < v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS + +[@@ "opaque_to_smt"] +let coefficients_field_modulus_range (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + forall (i:nat). i < 16 ==> field_modulus_range (Seq.index re.f_coefficients i) + +val to_unsigned_field_modulus + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (a: v_Vector) + : Prims.Pure v_Vector + (requires field_modulus_range a) + (ensures + fun result -> + let result:v_Vector = result in + forall (i: nat). + i < 16 ==> + v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array result) i) >= 0 /\ + v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array result) i) < + v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) + val compress_then_serialize_10_ (v_OUT_LEN: usize) (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - : Prims.Pure (t_Array u8 v_OUT_LEN) (requires v_OUT_LEN =. sz 320) (fun _ -> Prims.l_True) + : Prims.Pure (t_Array u8 v_OUT_LEN) + (requires v v_OUT_LEN == 320 /\ coefficients_field_modulus_range re) + (fun _ -> Prims.l_True) val compress_then_serialize_11_ (v_OUT_LEN: usize) (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - : Prims.Pure (t_Array u8 v_OUT_LEN) (requires v_OUT_LEN =. sz 352) (fun _ -> Prims.l_True) + : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) val compress_then_serialize_4_ (#v_Vector: Type0) @@ -29,8 +60,11 @@ val compress_then_serialize_4_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (serialized: t_Slice u8) : Prims.Pure (t_Slice u8) - (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 128) - (fun _ -> Prims.l_True) + (requires Seq.length serialized == 128 /\ coefficients_field_modulus_range re) + (ensures + fun serialized_future -> + let serialized_future:t_Slice u8 = serialized_future in + Core.Slice.impl__len #u8 serialized_future == Core.Slice.impl__len #u8 serialized) val compress_then_serialize_5_ (#v_Vector: Type0) @@ -39,13 +73,18 @@ val compress_then_serialize_5_ (serialized: t_Slice u8) : Prims.Pure (t_Slice u8) (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 160) - (fun _ -> Prims.l_True) + (ensures + fun serialized_future -> + let serialized_future:t_Slice u8 = serialized_future in + Core.Slice.impl__len #u8 serialized_future == Core.Slice.impl__len #u8 serialized) val compress_then_serialize_message (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (t_Array u8 (sz 32)) + (requires coefficients_field_modulus_range re) + (fun _ -> Prims.l_True) val compress_then_serialize_ring_element_u (v_COMPRESSION_FACTOR v_OUT_LEN: usize) @@ -54,8 +93,8 @@ val compress_then_serialize_ring_element_u (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) : Prims.Pure (t_Array u8 v_OUT_LEN) (requires - (v_COMPRESSION_FACTOR =. sz 10 || v_COMPRESSION_FACTOR =. sz 11) && - v_OUT_LEN =. (sz 32 *! v_COMPRESSION_FACTOR <: usize)) + (v v_COMPRESSION_FACTOR == 10 \/ v v_COMPRESSION_FACTOR == 11) /\ + v v_OUT_LEN == 32 * v v_COMPRESSION_FACTOR /\ coefficients_field_modulus_range re) (fun _ -> Prims.l_True) val compress_then_serialize_ring_element_v @@ -66,9 +105,9 @@ val compress_then_serialize_ring_element_v (out: t_Slice u8) : Prims.Pure (t_Slice u8) (requires - (v_COMPRESSION_FACTOR =. sz 4 || v_COMPRESSION_FACTOR =. sz 5) && - v_OUT_LEN =. (sz 32 *! v_COMPRESSION_FACTOR <: usize) && - (Core.Slice.impl__len #u8 out <: usize) =. v_OUT_LEN) + (v v_COMPRESSION_FACTOR == 4 \/ v v_COMPRESSION_FACTOR == 5) /\ + v v_OUT_LEN == 32 * v v_COMPRESSION_FACTOR /\ Seq.length out == v v_OUT_LEN /\ + coefficients_field_modulus_range re) (ensures fun out_future -> let out_future:t_Slice u8 = out_future in @@ -148,10 +187,23 @@ val deserialize_to_reduced_ring_element Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT) (fun _ -> Prims.l_True) +/// See [deserialize_ring_elements_reduced_out]. +val deserialize_ring_elements_reduced + (v_K: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (public_key: t_Slice u8) + (deserialized_pk: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (requires + Spec.MLKEM.is_rank v_K /\ + Seq.length public_key == v (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)) + (fun _ -> Prims.l_True) + /// This function deserializes ring elements and reduces the result by the field /// modulus. /// This function MUST NOT be used on secret inputs. -val deserialize_ring_elements_reduced +val deserialize_ring_elements_reduced_out (v_K: usize) (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} @@ -176,4 +228,6 @@ val serialize_uncompressed_ring_element (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - : Prims.Pure (t_Array u8 (sz 384)) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (t_Array u8 (sz 384)) + (requires coefficients_field_modulus_range re) + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst index 8a875c82a..75ff693ea 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst @@ -3,25 +3,25 @@ module Libcrux_ml_kem.Types open Core open FStar.Mul -let impl_5__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE +let impl_6__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE -let impl_11__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE +let impl_13__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE -let impl_17__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE +let impl_20__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE -let impl_5__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) = self.f_value +let impl_6__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) = self.f_value -let impl_11__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) = self.f_value +let impl_13__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) = self.f_value -let impl_17__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) = self.f_value +let impl_20__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) = self.f_value -let impl_18__from +let impl_21__from (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (sk: t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) (pk: t_MlKemPublicKey v_PUBLIC_KEY_SIZE) = { f_sk = sk; f_pk = pk } <: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE -let impl_18__into_parts +let impl_21__into_parts (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) = @@ -29,7 +29,7 @@ let impl_18__into_parts <: (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE) -let impl_18__new +let impl_21__new (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (sk: t_Array u8 v_PRIVATE_KEY_SIZE) (pk: t_Array u8 v_PUBLIC_KEY_SIZE) @@ -51,22 +51,22 @@ let impl_18__new <: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE -let impl_18__pk +let impl_21__pk (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - = impl_17__as_slice v_PUBLIC_KEY_SIZE self.f_pk + = impl_20__as_slice v_PUBLIC_KEY_SIZE self.f_pk -let impl_18__private_key +let impl_21__private_key (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) = self.f_sk -let impl_18__public_key +let impl_21__public_key (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) = self.f_pk -let impl_18__sk +let impl_21__sk (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - = impl_11__as_slice v_PRIVATE_KEY_SIZE self.f_sk + = impl_13__as_slice v_PRIVATE_KEY_SIZE self.f_sk diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti index bdc6f41fb..4435312b0 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti @@ -4,22 +4,33 @@ open Core open FStar.Mul /// The number of bytes -val impl_5__len: v_SIZE: usize -> Prims.unit +val impl_6__len: v_SIZE: usize -> Prims.unit -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) /// The number of bytes -val impl_11__len: v_SIZE: usize -> Prims.unit +val impl_13__len: v_SIZE: usize -> Prims.unit -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) /// The number of bytes -val impl_17__len: v_SIZE: usize -> Prims.unit +val impl_20__len: v_SIZE: usize -> Prims.unit -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) ///An ML-KEM Ciphertext type t_MlKemCiphertext (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_Slice u8) = +let impl (v_SIZE: usize) : Core.Default.t_Default (t_MlKemCiphertext v_SIZE) = + { + f_default_pre = (fun (_: Prims.unit) -> true); + f_default_post = (fun (_: Prims.unit) (out: t_MlKemCiphertext v_SIZE) -> true); + f_default + = + fun (_: Prims.unit) -> + { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemCiphertext v_SIZE + } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_1 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_Slice u8) = { f_as_ref_pre = (fun (self: t_MlKemCiphertext v_SIZE) -> true); f_as_ref_post = (fun (self: t_MlKemCiphertext v_SIZE) (out: t_Slice u8) -> true); @@ -27,7 +38,7 @@ let impl (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_Sl } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_1 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) = +let impl_2 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemCiphertext v_SIZE) -> true); @@ -35,7 +46,7 @@ let impl_1 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_2 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) = +let impl_3 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemCiphertext v_SIZE) -> true); @@ -48,7 +59,7 @@ let impl_2 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_3 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemCiphertext v_SIZE) = +let impl_4 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemCiphertext v_SIZE) = { f_from_pre = (fun (value: t_MlKemCiphertext v_SIZE) -> true); f_from_post = (fun (value: t_MlKemCiphertext v_SIZE) (out: t_Array u8 v_SIZE) -> true); @@ -56,7 +67,7 @@ let impl_3 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemCip } /// A reference to the raw byte slice. -val impl_5__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) +val impl_6__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (ensures @@ -68,7 +79,18 @@ val impl_5__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) type t_MlKemPrivateKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_6 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_Slice u8) = +let impl_7 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPrivateKey v_SIZE) = + { + f_default_pre = (fun (_: Prims.unit) -> true); + f_default_post = (fun (_: Prims.unit) (out: t_MlKemPrivateKey v_SIZE) -> true); + f_default + = + fun (_: Prims.unit) -> + { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPrivateKey v_SIZE + } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_8 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_Slice u8) = { f_as_ref_pre = (fun (self: t_MlKemPrivateKey v_SIZE) -> true); f_as_ref_post = (fun (self: t_MlKemPrivateKey v_SIZE) (out: t_Slice u8) -> true); @@ -76,7 +98,7 @@ let impl_6 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_ } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_7 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) = +let impl_9 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPrivateKey v_SIZE) -> true); @@ -84,7 +106,7 @@ let impl_7 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_8 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) = +let impl_10 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPrivateKey v_SIZE) -> true); @@ -97,7 +119,7 @@ let impl_8 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_9 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPrivateKey v_SIZE) = +let impl_11 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPrivateKey v_SIZE) = { f_from_pre = (fun (value: t_MlKemPrivateKey v_SIZE) -> true); f_from_post = (fun (value: t_MlKemPrivateKey v_SIZE) (out: t_Array u8 v_SIZE) -> true); @@ -105,7 +127,7 @@ let impl_9 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPri } /// A reference to the raw byte slice. -val impl_11__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) +val impl_13__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (ensures @@ -117,7 +139,18 @@ val impl_11__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) type t_MlKemPublicKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_12 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_Slice u8) = +let impl_14 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPublicKey v_SIZE) = + { + f_default_pre = (fun (_: Prims.unit) -> true); + f_default_post = (fun (_: Prims.unit) (out: t_MlKemPublicKey v_SIZE) -> true); + f_default + = + fun (_: Prims.unit) -> + { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPublicKey v_SIZE + } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_15 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_Slice u8) = { f_as_ref_pre = (fun (self: t_MlKemPublicKey v_SIZE) -> true); f_as_ref_post = (fun (self: t_MlKemPublicKey v_SIZE) (out: t_Slice u8) -> true); @@ -125,7 +158,7 @@ let impl_12 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_ } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_13 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) = +let impl_16 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPublicKey v_SIZE) -> true); @@ -133,7 +166,7 @@ let impl_13 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_14 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) = +let impl_17 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPublicKey v_SIZE) -> true); @@ -146,7 +179,7 @@ let impl_14 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_15 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPublicKey v_SIZE) = +let impl_18 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPublicKey v_SIZE) = { f_from_pre = (fun (value: t_MlKemPublicKey v_SIZE) -> true); f_from_post = (fun (value: t_MlKemPublicKey v_SIZE) (out: t_Array u8 v_SIZE) -> true); @@ -154,7 +187,7 @@ let impl_15 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPu } /// A reference to the raw byte slice. -val impl_17__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) +val impl_20__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (ensures @@ -163,7 +196,7 @@ val impl_17__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) result == self.f_value) [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_4 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemCiphertext v_SIZE) (t_Slice u8) = +let impl_5 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemCiphertext v_SIZE) (t_Slice u8) = { f_Error = Core.Array.t_TryFromSliceError; f_try_from_pre = (fun (value: t_Slice u8) -> true); @@ -194,7 +227,7 @@ let impl_4 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemCiphertext v_SIZE) ( } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_10 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPrivateKey v_SIZE) (t_Slice u8) = +let impl_12 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPrivateKey v_SIZE) (t_Slice u8) = { f_Error = Core.Array.t_TryFromSliceError; f_try_from_pre = (fun (value: t_Slice u8) -> true); @@ -225,7 +258,7 @@ let impl_10 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPrivateKey v_SIZE) } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_16 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPublicKey v_SIZE) (t_Slice u8) = +let impl_19 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPublicKey v_SIZE) (t_Slice u8) = { f_Error = Core.Array.t_TryFromSliceError; f_try_from_pre = (fun (value: t_Slice u8) -> true); @@ -262,7 +295,7 @@ type t_MlKemKeyPair (v_PRIVATE_KEY_SIZE: usize) (v_PUBLIC_KEY_SIZE: usize) = { } /// Create a new [`MlKemKeyPair`] from the secret and public key. -val impl_18__from +val impl_21__from (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (sk: t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) (pk: t_MlKemPublicKey v_PUBLIC_KEY_SIZE) @@ -274,7 +307,7 @@ val impl_18__from result.f_sk == sk /\ result.f_pk == pk) /// Separate this key into the public and private key. -val impl_18__into_parts +val impl_21__into_parts (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : Prims.Pure (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE) @@ -282,7 +315,7 @@ val impl_18__into_parts (fun _ -> Prims.l_True) /// Creates a new [`MlKemKeyPair`]. -val impl_18__new +val impl_21__new (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (sk: t_Array u8 v_PRIVATE_KEY_SIZE) (pk: t_Array u8 v_PUBLIC_KEY_SIZE) @@ -291,25 +324,25 @@ val impl_18__new (fun _ -> Prims.l_True) /// Get a reference to the raw public key bytes. -val impl_18__pk +val impl_21__pk (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) /// Get a reference to the [`MlKemPrivateKey`]. -val impl_18__private_key +val impl_21__private_key (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : Prims.Pure (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) /// Get a reference to the [`MlKemPublicKey`]. -val impl_18__public_key +val impl_21__public_key (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : Prims.Pure (t_MlKemPublicKey v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) /// Get a reference to the raw private key bytes. -val impl_18__sk +val impl_21__sk (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : Prims.Pure (t_Array u8 v_PRIVATE_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst index 51a1a9da7..5ab43253f 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst @@ -11,7 +11,6 @@ let _ = () [@@"opaque_to_smt"] - let deserialize_1___deserialize_1_i16s (a b: i16) = let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 b b b b b b b b a a a a a a a a @@ -28,7 +27,6 @@ let deserialize_1___deserialize_1_i16s (a b: i16) = Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 15l coefficients_in_msb [@@"opaque_to_smt"] - let deserialize_1___deserialize_1_u8s (a b: u8) = deserialize_1___deserialize_1_i16s (cast (a <: u8) <: i16) (cast (b <: u8) <: i16) @@ -38,7 +36,6 @@ let deserialize_1_ (bytes: t_Slice u8) = deserialize_1___deserialize_1_u8s (bytes.[ sz 0 ] <: u8) (bytes.[ sz 1 ] <: u8) [@@"opaque_to_smt"] - let deserialize_4___deserialize_4_i16s (b0 b1 b2 b3 b4 b5 b6 b7: i16) = let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 b7 b7 b6 b6 b5 b5 b4 b4 b3 b3 b2 b2 b1 b1 b0 b0 @@ -62,7 +59,6 @@ let deserialize_4___deserialize_4_i16s (b0 b1 b2 b3 b4 b5 b6 b7: i16) = Libcrux_intrinsics.Avx2_extract.t_Vec256) [@@"opaque_to_smt"] - let deserialize_4___deserialize_4_u8s (b0 b1 b2 b3 b4 b5 b6 b7: u8) = deserialize_4___deserialize_4_i16s (cast (b0 <: u8) <: i16) (cast (b1 <: u8) <: i16) @@ -169,6 +165,48 @@ let serialize_10___serialize_10_vec (vector: Libcrux_intrinsics.Avx2_extract.t_V #push-options "--ext context_pruning --split_queries always" +let serialize_12___serialize_12_vec (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + mm256_concat_pairs_n 12uy vector + in + let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 adjacent_2_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 8l 0l 8l 0l 8l 0l 8l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 8l adjacent_4_combined + in + let adjacent_8_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_4_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) 13y 12y 11y 10y 9y 8y + 5y 4y 3y 2y 1y 0y (-1y) (-1y) (-1y) (-1y) 13y 12y 11y 10y 9y 8y 5y 4y 3y 2y 1y 0y + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let lower_8_:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_8_combined + in + let upper_8_:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_8_combined + in + let _:Prims.unit = + introduce forall (i: nat{i < 96}) . lower_8_ i = vector ((i / 12) * 16 + i % 12) + with assert_norm (BitVec.Utils.forall_n 96 + (fun i -> lower_8_ i = vector ((i / 12) * 16 + i % 12))); + introduce forall (i: nat{i < 96}) . upper_8_ i = vector (128 + (i / 12) * 16 + i % 12) + with assert_norm (BitVec.Utils.forall_n 96 + (fun i -> upper_8_ i = vector (128 + (i / 12) * 16 + i % 12))) + in + lower_8_, upper_8_ + <: + (Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128) + +#pop-options + +#push-options "--ext context_pruning --split_queries always" + let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let lower_8_, upper_8_:(Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128) = @@ -224,37 +262,13 @@ let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = #pop-options +#push-options "--ext context_pruning --split_queries always" + let serialize_12_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in - let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 vector - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < + let lower_8_, upper_8_:(Libcrux_intrinsics.Avx2_extract.t_Vec128 & + Libcrux_intrinsics.Avx2_extract.t_Vec128) = + temp_0_ + in + forall (i: nat{i < 192}). + vector ((i / 12) * 16 + i % 12) == (if i < 96 then lower_8_ i else upper_8_ (i - 96))) + val serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure (t_Array u8 (sz 20)) (requires forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0) @@ -142,7 +155,12 @@ val serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) forall (i: nat{i < 160}). bit_vec_of_int_t_array r 8 i == vector ((i / 10) * 16 + i % 10)) val serialize_12_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (t_Array u8 (sz 24)) + (requires forall (i: nat{i < 256}). i % 16 < 12 || vector i = 0) + (ensures + fun r -> + let r:t_Array u8 (sz 24) = r in + forall (i: nat{i < 192}). bit_vec_of_int_t_array r 8 i == vector ((i / 12) * 16 + i % 12)) val serialize_5_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti index 0596f5482..3217ddbc2 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti @@ -10,6 +10,7 @@ let _ = () noeq + type t_SIMD256Vector = { f_elements:Libcrux_intrinsics.Avx2_extract.t_Vec256 } let repr (x:t_SIMD256Vector) : t_Array i16 (sz 16) = Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 x.f_elements @@ -203,11 +204,20 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = } <: t_SIMD256Vector); - f_compress_1_pre = (fun (vector: t_SIMD256Vector) -> true); - f_compress_1_post = (fun (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> true); + f_compress_1_pre + = + (fun (vector: t_SIMD256Vector) -> + forall (i: nat). + i < 16 ==> + v (Seq.index (impl.f_repr vector) i) >= 0 /\ v (Seq.index (impl.f_repr vector) i) < 3329); + f_compress_1_post + = + (fun (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> + forall (i: nat). i < 16 ==> bounded (Seq.index (impl.f_repr out) i) 1); f_compress_1_ = (fun (vector: t_SIMD256Vector) -> + let _:Prims.unit = admit () in { f_elements = @@ -218,14 +228,23 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_compress_pre = (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) -> - v_COEFFICIENT_BITS =. 4l || v_COEFFICIENT_BITS =. 5l || v_COEFFICIENT_BITS =. 10l || - v_COEFFICIENT_BITS =. 11l); + (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/ + v v_COEFFICIENT_BITS == 11) /\ + (forall (i: nat). + i < 16 ==> + v (Seq.index (impl.f_repr vector) i) >= 0 /\ v (Seq.index (impl.f_repr vector) i) < 3329 + )); f_compress_post = - (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> true); + (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> + (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/ + v v_COEFFICIENT_BITS == 11) ==> + (forall (i: nat). i < 16 ==> bounded (Seq.index (impl.f_repr out) i) (v v_COEFFICIENT_BITS)) + ); f_compress = (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) -> + let _:Prims.unit = admit () in { f_elements = @@ -442,7 +461,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_serialize_1_ = (fun (vector: t_SIMD256Vector) -> - admit (); Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_1_ vector.f_elements); f_deserialize_1_pre = @@ -454,7 +472,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_deserialize_1_ = (fun (bytes: t_Slice u8) -> - admit (); { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_1_ bytes } <: t_SIMD256Vector); diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst index 1d8993c9e..8bda725bd 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst @@ -22,78 +22,146 @@ let compress_message_coefficient (fe: u16) = let shifted_positive_in_range:i16 = shifted_to_positive -! 832s in cast ((shifted_positive_in_range >>! 15l <: i16) &. 1s <: i16) <: u8 +#push-options "--fuel 0 --ifuel 0 --z3rlimit 2000" + let compress (v_COEFFICIENT_BITS: i32) - (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + let _:Prims.unit = + assert (v (cast (v_COEFFICIENT_BITS) <: u8) == v v_COEFFICIENT_BITS); + assert (v (cast (v_COEFFICIENT_BITS) <: u32) == v v_COEFFICIENT_BITS) + in + let _:Prims.unit = + assert (forall (i: nat). + i < 16 ==> + (cast (a.f_elements.[ sz i ]) <: u16) <. + (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16)) + in + let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun v temp_1_ -> - let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in - let _:usize = temp_1_ in - true) - v - (fun v i -> - let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + (fun a i -> + let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in + let i:usize = i in + (v i < 16 ==> + (forall (j: nat). + (j >= v i /\ j < 16) ==> + v (cast (a.f_elements.[ sz j ]) <: u16) < + v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16))) /\ + (forall (j: nat). + j < v i ==> + v (a.f_elements.[ sz j ] <: i16) >= 0 /\ + v (a.f_elements.[ sz j ] <: i16) < pow2 (v (cast (v_COEFFICIENT_BITS) <: u32)))) + a + (fun a i -> + let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in let i:usize = i in - { - v with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - (compress_ciphertext_coefficient (cast (v_COEFFICIENT_BITS <: i32) <: u8) - (cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) - <: - u16) - <: - i16) + let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + a with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize a + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + (compress_ciphertext_coefficient (cast (v_COEFFICIENT_BITS <: i32) <: u8) + (cast (a.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) + <: + u16) + <: + i16) + } <: - t_Array i16 (sz 16) - } - <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let _:Prims.unit = + assert (v (a.f_elements.[ i ] <: i16) >= 0 /\ + v (a.f_elements.[ i ] <: i16) < pow2 (v (cast (v_COEFFICIENT_BITS) <: u32))) + in + a) in - v + let _:Prims.unit = + assert (forall (i: nat). + i < 16 ==> + v (a.f_elements.[ sz i ] <: i16) >= 0 /\ + v (a.f_elements.[ sz i ] <: i16) < pow2 (v v_COEFFICIENT_BITS)) + in + a -let compress_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = +#pop-options + +#push-options "--fuel 0 --ifuel 0 --z3rlimit 2000" + +let compress_message_coefficient_range_helper (fe: u16) : Lemma + (requires fe <. (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16)) + (ensures v (cast (compress_message_coefficient fe) <: i16) >= 0 /\ + v (cast (compress_message_coefficient fe) <: i16) < 2) = + assert (v (cast (compress_message_coefficient fe) <: i16) >= 0 /\ + v (cast (compress_message_coefficient fe) <: i16) < 2) + +let compress_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let _:Prims.unit = + assert (forall (i: nat). + i < 16 ==> + (cast (a.f_elements.[ sz i ]) <: u16) <. + (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16)) + in + let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun v temp_1_ -> - let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in - let _:usize = temp_1_ in - true) - v - (fun v i -> - let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + (fun a i -> + let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in + let i:usize = i in + (v i < 16 ==> + (forall (j: nat). + (j >= v i /\ j < 16) ==> + v (cast (a.f_elements.[ sz j ]) <: u16) < + v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16))) /\ + (forall (j: nat). + j < v i ==> + v (a.f_elements.[ sz j ] <: i16) >= 0 /\ v (a.f_elements.[ sz j ] <: i16) < 2)) + a + (fun a i -> + let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in let i:usize = i in - { - v with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - (cast (compress_message_coefficient (cast (v - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] - <: - i16) - <: - u16) - <: - u8) - <: - i16) + let _:Prims.unit = + compress_message_coefficient_range_helper (cast (a.f_elements.[ i ]) <: u16) + in + let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + a with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize a + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + (cast (compress_message_coefficient (cast (a + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + <: + i16) + <: + u16) + <: + u8) + <: + i16) + } <: - t_Array i16 (sz 16) - } - <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let _:Prims.unit = + assert (v (a.f_elements.[ i ] <: i16) >= 0 /\ v (a.f_elements.[ i ] <: i16) < 2) + in + a) in - v + let _:Prims.unit = + assert (forall (i: nat). + i < 16 ==> v (a.f_elements.[ sz i ] <: i16) >= 0 /\ v (a.f_elements.[ sz i ] <: i16) < 2) + in + a + +#pop-options let decompress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti index 4a89ca30f..938330976 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti @@ -47,15 +47,32 @@ val compress_message_coefficient (fe: u16) val compress (v_COEFFICIENT_BITS: i32) - (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - Prims.l_True - (fun _ -> Prims.l_True) + (requires + (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/ + v v_COEFFICIENT_BITS == 11) /\ + (forall (i: nat). + i < 16 ==> v (Seq.index a.f_elements i) >= 0 /\ v (Seq.index a.f_elements i) < 3329)) + (ensures + fun result -> + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in + forall (i: nat). + i < 16 ==> + v (result.f_elements.[ sz i ] <: i16) >= 0 /\ + v (result.f_elements.[ sz i ] <: i16) < pow2 (v v_COEFFICIENT_BITS)) -val compress_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) +val compress_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - Prims.l_True - (fun _ -> Prims.l_True) + (requires + forall (i: nat). + i < 16 ==> v (Seq.index a.f_elements i) >= 0 /\ v (Seq.index a.f_elements i) < 3329) + (ensures + fun result -> + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in + forall (i: nat). + i < 16 ==> + v (result.f_elements.[ sz i ] <: i16) >= 0 /\ v (result.f_elements.[ sz i ] <: i16) < 2) val decompress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst index b676b472e..37ca063e4 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst @@ -418,6 +418,9 @@ let deserialize_1_lemma inputs = #pop-options +let deserialize_1_bounded_lemma inputs = + admit() + let deserialize_10_ (bytes: t_Slice u8) = let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = deserialize_10_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 10 } @@ -469,6 +472,9 @@ let deserialize_10_lemma inputs = #pop-options +let deserialize_10_bounded_lemma inputs = + admit() + let deserialize_12_ (bytes: t_Slice u8) = let v0_1_:(i16 & i16) = deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 3 } @@ -562,6 +568,9 @@ let deserialize_12_lemma inputs = #pop-options +let deserialize_12_bounded_lemma inputs = + admit() + let deserialize_4_ (bytes: t_Slice u8) = let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = deserialize_4_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 4 } @@ -613,6 +622,9 @@ let deserialize_4_lemma inputs = #pop-options +let deserialize_4_bounded_lemma inputs = + admit() + let serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = let result0:u8 = (((((((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 0 ] <: i16) <: u8) |. diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fsti index 856f8399d..97118a4cc 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fsti @@ -77,6 +77,9 @@ val deserialize_1_ (v: t_Slice u8) val deserialize_1_lemma (inputs: t_Array u8 (sz 2)) : Lemma (ensures bit_vec_of_int_t_array (deserialize_1_ inputs).f_elements 1 == bit_vec_of_int_t_array inputs 8) +val deserialize_1_bounded_lemma (inputs: t_Array u8 (sz 2)) : Lemma + (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_1_ inputs).f_elements i) 1) + val deserialize_10_ (bytes: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector (requires Core.Slice.impl__len #u8 bytes =. sz 20) @@ -85,6 +88,9 @@ val deserialize_10_ (bytes: t_Slice u8) val deserialize_10_lemma (inputs: t_Array u8 (sz 20)) : Lemma (ensures bit_vec_of_int_t_array (deserialize_10_ inputs).f_elements 10 == bit_vec_of_int_t_array inputs 8) +val deserialize_10_bounded_lemma (inputs: t_Array u8 (sz 20)) : Lemma + (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_10_ inputs).f_elements i) 10) + val deserialize_12_ (bytes: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector (requires Core.Slice.impl__len #u8 bytes =. sz 24) @@ -93,6 +99,9 @@ val deserialize_12_ (bytes: t_Slice u8) val deserialize_12_lemma (inputs: t_Array u8 (sz 24)) : Lemma (ensures bit_vec_of_int_t_array (deserialize_12_ inputs).f_elements 12 == bit_vec_of_int_t_array inputs 8) +val deserialize_12_bounded_lemma (inputs: t_Array u8 (sz 24)) : Lemma + (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_12_ inputs).f_elements i) 12) + val deserialize_4_ (bytes: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector (requires Core.Slice.impl__len #u8 bytes =. sz 8) @@ -101,6 +110,9 @@ val deserialize_4_ (bytes: t_Slice u8) val deserialize_4_lemma (inputs: t_Array u8 (sz 8)) : Lemma (ensures bit_vec_of_int_t_array (deserialize_4_ inputs).f_elements 4 == bit_vec_of_int_t_array inputs 8) +val deserialize_4_bounded_lemma (inputs: t_Array u8 (sz 8)) : Lemma + (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_4_ inputs).f_elements i) 4) + val serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti index 6800ca944..2c4690115 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti @@ -224,41 +224,49 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_by_constant v r); f_compress_1_pre = - (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + forall (i: nat). + i < 16 ==> v (Seq.index (impl.f_repr a) i) >= 0 /\ v (Seq.index (impl.f_repr a) i) < 3329); f_compress_1_post = (fun - (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - true); + forall (i: nat). i < 16 ==> bounded (Seq.index (impl.f_repr out) i) 1); f_compress_1_ = - (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Libcrux_ml_kem.Vector.Portable.Compress.compress_1_ v); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Compress.compress_1_ a); f_compress_pre = (fun (v_COEFFICIENT_BITS: i32) - (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - v_COEFFICIENT_BITS =. 4l || v_COEFFICIENT_BITS =. 5l || v_COEFFICIENT_BITS =. 10l || - v_COEFFICIENT_BITS =. 11l); + (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/ + v v_COEFFICIENT_BITS == 11) /\ + (forall (i: nat). + i < 16 ==> + v (Seq.index (impl.f_repr a) i) >= 0 /\ v (Seq.index (impl.f_repr a) i) < 3329)); f_compress_post = (fun (v_COEFFICIENT_BITS: i32) - (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - true); + (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/ + v v_COEFFICIENT_BITS == 11) ==> + (forall (i: nat). i < 16 ==> bounded (Seq.index (impl.f_repr out) i) (v v_COEFFICIENT_BITS)) + ); f_compress = (fun (v_COEFFICIENT_BITS: i32) - (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Libcrux_ml_kem.Vector.Portable.Compress.compress v_COEFFICIENT_BITS v); + Libcrux_ml_kem.Vector.Portable.Compress.compress v_COEFFICIENT_BITS a); f_decompress_ciphertext_coefficient_pre = (fun @@ -499,6 +507,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = = (fun (a: t_Slice u8) -> let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_lemma a in + let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_bounded_lemma a in Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_ a); f_serialize_4_pre = @@ -529,6 +538,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = = (fun (a: t_Slice u8) -> let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_lemma a in + let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_bounded_lemma a in Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_ a); f_serialize_5_pre = @@ -577,6 +587,9 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = = (fun (a: t_Slice u8) -> let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_lemma a in + let _:Prims.unit = + Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_bounded_lemma a + in Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_ a); f_serialize_11_pre = @@ -625,6 +638,9 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = = (fun (a: t_Slice u8) -> let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_lemma a in + let _:Prims.unit = + Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_bounded_lemma a + in Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_ a); f_rej_sample_pre = diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst index a4328b6ad..31c67d6b2 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst @@ -3,7 +3,7 @@ module Libcrux_ml_kem.Vector.Traits open Core open FStar.Mul -#push-options "--z3rlimit 50" +#push-options "--z3rlimit 100" let decompress_1_ (#v_T: Type0) @@ -14,20 +14,25 @@ let decompress_1_ let _:Prims.unit = assert (forall i. Seq.index (i1._super_8706949974463268012.f_repr z) i == 0s) in - let s:v_T = f_sub #v_T #FStar.Tactics.Typeclasses.solve z vec in let _:Prims.unit = assert (forall i. - Seq.index (i1._super_8706949974463268012.f_repr s) i == 0s \/ - Seq.index (i1._super_8706949974463268012.f_repr s) i == (-1s)) + let x = Seq.index (i1._super_8706949974463268012.f_repr vec) i in + ((0 - v x) == 0 \/ (0 - v x) == - 1)) in - let _:Prims.unit = assert (i1.f_bitwise_and_with_constant_pre s 1665s) in - let res:v_T = f_bitwise_and_with_constant #v_T #FStar.Tactics.Typeclasses.solve s 1665s in + let _:Prims.unit = + assert (forall i. + i < 16 ==> + Spec.Utils.is_intb (pow2 15 - 1) + (0 - v (Seq.index (i1._super_8706949974463268012.f_repr vec) i))) + in + let s:v_T = f_sub #v_T #FStar.Tactics.Typeclasses.solve z vec in let _:Prims.unit = assert (forall i. Seq.index (i1._super_8706949974463268012.f_repr s) i == 0s \/ - Seq.index (i1._super_8706949974463268012.f_repr s) i == 1665s) + Seq.index (i1._super_8706949974463268012.f_repr s) i == (-1s)) in - res + let _:Prims.unit = assert (i1.f_bitwise_and_with_constant_pre s 1665s) in + f_bitwise_and_with_constant #v_T #FStar.Tactics.Typeclasses.solve s 1665s #pop-options @@ -48,6 +53,8 @@ let to_standard_domain v v_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS +#push-options "--admit_smt_queries true" + let to_unsigned_representative (#v_T: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: t_Operations v_T) @@ -58,3 +65,5 @@ let to_unsigned_representative f_bitwise_and_with_constant #v_T #FStar.Tactics.Typeclasses.solve t v_FIELD_MODULUS in f_add #v_T #FStar.Tactics.Typeclasses.solve a fm + +#pop-options diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti index 9e1d121d7..e2a2bbbe4 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti @@ -137,17 +137,32 @@ class t_Operations (v_Self: Type0) = { -> Prims.Pure v_Self (f_montgomery_multiply_by_constant_pre x0 x1) (fun result -> f_montgomery_multiply_by_constant_post x0 x1 result); - f_compress_1_pre:v: v_Self -> pred: Type0{true ==> pred}; - f_compress_1_post:v_Self -> v_Self -> Type0; + f_compress_1_pre:a: v_Self + -> pred: + Type0 + { (forall (i: nat). + i < 16 ==> v (Seq.index (f_repr a) i) >= 0 /\ v (Seq.index (f_repr a) i) < 3329) ==> + pred }; + f_compress_1_post:a: v_Self -> result: v_Self + -> pred: Type0{pred ==> (forall (i: nat). i < 16 ==> bounded (Seq.index (f_repr result) i) 1)}; f_compress_1_:x0: v_Self -> Prims.Pure v_Self (f_compress_1_pre x0) (fun result -> f_compress_1_post x0 result); - f_compress_pre:v_COEFFICIENT_BITS: i32 -> v: v_Self + f_compress_pre:v_COEFFICIENT_BITS: i32 -> a: v_Self -> pred: Type0 - { v_COEFFICIENT_BITS =. 4l || v_COEFFICIENT_BITS =. 5l || v_COEFFICIENT_BITS =. 10l || - v_COEFFICIENT_BITS =. 11l ==> + { (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/ + v v_COEFFICIENT_BITS == 11) /\ + (forall (i: nat). + i < 16 ==> v (Seq.index (f_repr a) i) >= 0 /\ v (Seq.index (f_repr a) i) < 3329) ==> pred }; - f_compress_post:v_COEFFICIENT_BITS: i32 -> v_Self -> v_Self -> Type0; + f_compress_post:v_COEFFICIENT_BITS: i32 -> a: v_Self -> result: v_Self + -> pred: + Type0 + { pred ==> + (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/ + v v_COEFFICIENT_BITS == 11) ==> + (forall (i: nat). i < 16 ==> bounded (Seq.index (f_repr result) i) (v v_COEFFICIENT_BITS)) + }; f_compress:v_COEFFICIENT_BITS: i32 -> x0: v_Self -> Prims.Pure v_Self (f_compress_pre v_COEFFICIENT_BITS x0) @@ -383,16 +398,6 @@ class t_Operations (v_Self: Type0) = { (fun result -> f_rej_sample_post x0 x1 result) } -/// Internal vectors. -/// Used in the unpacked API. -class t_VectorType (v_Self: Type0) = { - [@@@ FStar.Tactics.Typeclasses.no_method]_super_14104493667227926613:t_Operations v_Self -} - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl (#v_T: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: t_Operations v_T) - : t_VectorType v_T = { _super_14104493667227926613 = FStar.Tactics.Typeclasses.solve } - let v_BARRETT_SHIFT: i32 = 26l let v_BARRETT_R: i32 = 1l < Prims.l_True) + (ensures + fun result -> + let result:v_T = result in + forall i. + (let x = Seq.index (i1._super_8706949974463268012.f_repr a) i in + let y = Seq.index (i1._super_8706949974463268012.f_repr result) i in + (v y >= 0 /\ v y <= 3328 /\ (v y % 3329 == v x % 3329)))) From ea45beaebeb965f99913f89118a7f1eab4d0f9a8 Mon Sep 17 00:00:00 2001 From: karthikbhargavan Date: Fri, 27 Sep 2024 04:55:16 +0000 Subject: [PATCH 19/19] fixed some hax issues, refreshed C code --- libcrux-ml-kem/c/code_gen.txt | 4 +- libcrux-ml-kem/c/internal/libcrux_core.h | 4 +- .../c/internal/libcrux_mlkem_avx2.h | 4 +- .../c/internal/libcrux_mlkem_portable.h | 4 +- libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h | 4 +- .../c/internal/libcrux_sha3_internal.h | 4 +- libcrux-ml-kem/c/libcrux_core.c | 4 +- libcrux-ml-kem/c/libcrux_core.h | 4 +- libcrux-ml-kem/c/libcrux_mlkem1024.h | 4 +- libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c | 24 +- libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h | 4 +- libcrux-ml-kem/c/libcrux_mlkem1024_portable.c | 4 +- libcrux-ml-kem/c/libcrux_mlkem1024_portable.h | 4 +- libcrux-ml-kem/c/libcrux_mlkem512.h | 4 +- libcrux-ml-kem/c/libcrux_mlkem512_avx2.c | 24 +- libcrux-ml-kem/c/libcrux_mlkem512_avx2.h | 4 +- libcrux-ml-kem/c/libcrux_mlkem512_portable.c | 4 +- libcrux-ml-kem/c/libcrux_mlkem512_portable.h | 4 +- libcrux-ml-kem/c/libcrux_mlkem768.h | 4 +- libcrux-ml-kem/c/libcrux_mlkem768_avx2.c | 24 +- libcrux-ml-kem/c/libcrux_mlkem768_avx2.h | 4 +- libcrux-ml-kem/c/libcrux_mlkem768_portable.c | 4 +- libcrux-ml-kem/c/libcrux_mlkem768_portable.h | 4 +- libcrux-ml-kem/c/libcrux_mlkem_avx2.c | 390 ++++++++------ libcrux-ml-kem/c/libcrux_mlkem_avx2.h | 58 ++- libcrux-ml-kem/c/libcrux_mlkem_portable.c | 4 +- libcrux-ml-kem/c/libcrux_mlkem_portable.h | 4 +- libcrux-ml-kem/c/libcrux_sha3.h | 4 +- libcrux-ml-kem/c/libcrux_sha3_avx2.c | 4 +- libcrux-ml-kem/c/libcrux_sha3_avx2.h | 4 +- libcrux-ml-kem/c/libcrux_sha3_internal.h | 4 +- libcrux-ml-kem/c/libcrux_sha3_neon.c | 4 +- libcrux-ml-kem/c/libcrux_sha3_neon.h | 4 +- libcrux-ml-kem/cg/code_gen.txt | 4 +- libcrux-ml-kem/cg/libcrux_core.h | 4 +- libcrux-ml-kem/cg/libcrux_ct_ops.h | 4 +- libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h | 489 ++++++++++-------- .../cg/libcrux_mlkem768_avx2_types.h | 4 +- libcrux-ml-kem/cg/libcrux_mlkem768_portable.h | 36 +- .../cg/libcrux_mlkem768_portable_types.h | 4 +- libcrux-ml-kem/cg/libcrux_sha3_avx2.h | 4 +- libcrux-ml-kem/cg/libcrux_sha3_portable.h | 4 +- .../Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst | 9 +- .../Libcrux_ml_kem.Vector.Avx2.Serialize.fst | 6 + .../Libcrux_ml_kem.Vector.Traits.fst | 2 +- libcrux-ml-kem/src/vector/avx2/arithmetic.rs | 4 +- libcrux-ml-kem/src/vector/traits.rs | 2 +- 47 files changed, 713 insertions(+), 495 deletions(-) diff --git a/libcrux-ml-kem/c/code_gen.txt b/libcrux-ml-kem/c/code_gen.txt index dc4e2de87..7599cb2f1 100644 --- a/libcrux-ml-kem/c/code_gen.txt +++ b/libcrux-ml-kem/c/code_gen.txt @@ -2,5 +2,5 @@ This code was generated with the following revisions: Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 -F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd -Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 +F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 +Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf diff --git a/libcrux-ml-kem/c/internal/libcrux_core.h b/libcrux-ml-kem/c/internal/libcrux_core.h index 159a636f7..31a212a7c 100644 --- a/libcrux-ml-kem/c/internal/libcrux_core.h +++ b/libcrux-ml-kem/c/internal/libcrux_core.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __internal_libcrux_core_H diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h index 4e09fe0de..c4c213b73 100644 --- a/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h +++ b/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __internal_libcrux_mlkem_avx2_H diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h index e94b99f4e..def86cf8e 100644 --- a/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h +++ b/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __internal_libcrux_mlkem_portable_H diff --git a/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h b/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h index 01f450745..95df92565 100644 --- a/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h +++ b/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __internal_libcrux_sha3_avx2_H diff --git a/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h b/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h index bf6cd4dc8..a57bfa85c 100644 --- a/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h +++ b/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __internal_libcrux_sha3_internal_H diff --git a/libcrux-ml-kem/c/libcrux_core.c b/libcrux-ml-kem/c/libcrux_core.c index d429ee70b..bad4aa323 100644 --- a/libcrux-ml-kem/c/libcrux_core.c +++ b/libcrux-ml-kem/c/libcrux_core.c @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #include "internal/libcrux_core.h" diff --git a/libcrux-ml-kem/c/libcrux_core.h b/libcrux-ml-kem/c/libcrux_core.h index 53e88573a..bc1f587a2 100644 --- a/libcrux-ml-kem/c/libcrux_core.h +++ b/libcrux-ml-kem/c/libcrux_core.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __libcrux_core_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024.h b/libcrux-ml-kem/c/libcrux_mlkem1024.h index 2dd639ec9..63a7ab056 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024.h +++ b/libcrux-ml-kem/c/libcrux_mlkem1024.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __libcrux_mlkem1024_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c index 3fca09119..1028b5ac1 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c +++ b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #include "libcrux_mlkem1024_avx2.h" @@ -35,7 +35,7 @@ with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1600 */ -static void decapsulate_510( +static void decapsulate_0c0( libcrux_ml_kem_types_MlKemPrivateKey_95 *private_key, libcrux_ml_kem_types_MlKemCiphertext_1f *ciphertext, uint8_t ret[32U]) { libcrux_ml_kem_ind_cca_decapsulate_7f0(private_key, ciphertext, ret); @@ -51,7 +51,7 @@ static void decapsulate_510( void libcrux_ml_kem_mlkem1024_avx2_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_95 *private_key, libcrux_ml_kem_types_MlKemCiphertext_1f *ciphertext, uint8_t ret[32U]) { - decapsulate_510(private_key, ciphertext, ret); + decapsulate_0c0(private_key, ciphertext, ret); } /** @@ -71,7 +71,7 @@ with const generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -static tuple_21 encapsulate_d10( +static tuple_21 encapsulate_ae0( libcrux_ml_kem_types_MlKemPublicKey_1f *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_types_MlKemPublicKey_1f *uu____0 = public_key; @@ -95,7 +95,7 @@ tuple_21 libcrux_ml_kem_mlkem1024_avx2_encapsulate( /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return encapsulate_d10(uu____0, copy_of_randomness); + return encapsulate_ae0(uu____0, copy_of_randomness); } /** @@ -109,7 +109,7 @@ libcrux_ml_kem.ind_cca.instantiations.avx2.generate_keypair with const generics - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ -static libcrux_ml_kem_mlkem1024_MlKem1024KeyPair generate_keypair_b80( +static libcrux_ml_kem_mlkem1024_MlKem1024KeyPair generate_keypair_5a0( uint8_t randomness[64U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[64U]; @@ -125,7 +125,7 @@ libcrux_ml_kem_mlkem1024_avx2_generate_key_pair(uint8_t randomness[64U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[64U]; memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); - return generate_keypair_b80(copy_of_randomness); + return generate_keypair_5a0(copy_of_randomness); } /** @@ -136,7 +136,7 @@ generics - SECRET_KEY_SIZE= 3168 - CIPHERTEXT_SIZE= 1568 */ -static KRML_MUSTINLINE bool validate_private_key_650( +static KRML_MUSTINLINE bool validate_private_key_080( libcrux_ml_kem_types_MlKemPrivateKey_95 *private_key, libcrux_ml_kem_types_MlKemCiphertext_1f *ciphertext) { return libcrux_ml_kem_ind_cca_validate_private_key_700(private_key, @@ -151,7 +151,7 @@ static KRML_MUSTINLINE bool validate_private_key_650( bool libcrux_ml_kem_mlkem1024_avx2_validate_private_key( libcrux_ml_kem_types_MlKemPrivateKey_95 *private_key, libcrux_ml_kem_types_MlKemCiphertext_1f *ciphertext) { - return validate_private_key_650(private_key, ciphertext); + return validate_private_key_080(private_key, ciphertext); } /** @@ -162,7 +162,7 @@ generics - RANKED_BYTES_PER_RING_ELEMENT= 1536 - PUBLIC_KEY_SIZE= 1568 */ -static KRML_MUSTINLINE bool validate_public_key_3e0(uint8_t *public_key) { +static KRML_MUSTINLINE bool validate_public_key_f60(uint8_t *public_key) { return libcrux_ml_kem_ind_cca_validate_public_key_520(public_key); } @@ -173,5 +173,5 @@ static KRML_MUSTINLINE bool validate_public_key_3e0(uint8_t *public_key) { */ bool libcrux_ml_kem_mlkem1024_avx2_validate_public_key( libcrux_ml_kem_types_MlKemPublicKey_1f *public_key) { - return validate_public_key_3e0(public_key->value); + return validate_public_key_f60(public_key->value); } diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h index ae31b1f2d..dede724bf 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h +++ b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __libcrux_mlkem1024_avx2_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c index f4fbc294f..bed205e56 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c +++ b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #include "libcrux_mlkem1024_portable.h" diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h index 1ab4a88d8..87b018021 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h +++ b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __libcrux_mlkem1024_portable_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem512.h b/libcrux-ml-kem/c/libcrux_mlkem512.h index ca35791e9..157226146 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512.h +++ b/libcrux-ml-kem/c/libcrux_mlkem512.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __libcrux_mlkem512_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c index ca848abb4..8008c0304 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c +++ b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #include "libcrux_mlkem512_avx2.h" @@ -35,7 +35,7 @@ with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 800 */ -static void decapsulate_51(libcrux_ml_kem_types_MlKemPrivateKey_5e *private_key, +static void decapsulate_0c(libcrux_ml_kem_types_MlKemPrivateKey_5e *private_key, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]) { libcrux_ml_kem_ind_cca_decapsulate_7f(private_key, ciphertext, ret); @@ -51,7 +51,7 @@ static void decapsulate_51(libcrux_ml_kem_types_MlKemPrivateKey_5e *private_key, void libcrux_ml_kem_mlkem512_avx2_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_5e *private_key, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]) { - decapsulate_51(private_key, ciphertext, ret); + decapsulate_0c(private_key, ciphertext, ret); } /** @@ -71,7 +71,7 @@ with const generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -static tuple_ec encapsulate_d1( +static tuple_ec encapsulate_ae( libcrux_ml_kem_types_MlKemPublicKey_be *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_types_MlKemPublicKey_be *uu____0 = public_key; @@ -95,7 +95,7 @@ tuple_ec libcrux_ml_kem_mlkem512_avx2_encapsulate( /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return encapsulate_d1(uu____0, copy_of_randomness); + return encapsulate_ae(uu____0, copy_of_randomness); } /** @@ -109,7 +109,7 @@ libcrux_ml_kem.ind_cca.instantiations.avx2.generate_keypair with const generics - ETA1= 3 - ETA1_RANDOMNESS_SIZE= 192 */ -static libcrux_ml_kem_types_MlKemKeyPair_cb generate_keypair_b8( +static libcrux_ml_kem_types_MlKemKeyPair_cb generate_keypair_5a( uint8_t randomness[64U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[64U]; @@ -125,7 +125,7 @@ libcrux_ml_kem_mlkem512_avx2_generate_key_pair(uint8_t randomness[64U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[64U]; memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); - return generate_keypair_b8(copy_of_randomness); + return generate_keypair_5a(copy_of_randomness); } /** @@ -136,7 +136,7 @@ generics - SECRET_KEY_SIZE= 1632 - CIPHERTEXT_SIZE= 768 */ -static KRML_MUSTINLINE bool validate_private_key_65( +static KRML_MUSTINLINE bool validate_private_key_08( libcrux_ml_kem_types_MlKemPrivateKey_5e *private_key, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext) { return libcrux_ml_kem_ind_cca_validate_private_key_70(private_key, @@ -151,7 +151,7 @@ static KRML_MUSTINLINE bool validate_private_key_65( bool libcrux_ml_kem_mlkem512_avx2_validate_private_key( libcrux_ml_kem_types_MlKemPrivateKey_5e *private_key, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext) { - return validate_private_key_65(private_key, ciphertext); + return validate_private_key_08(private_key, ciphertext); } /** @@ -162,7 +162,7 @@ generics - RANKED_BYTES_PER_RING_ELEMENT= 768 - PUBLIC_KEY_SIZE= 800 */ -static KRML_MUSTINLINE bool validate_public_key_3e(uint8_t *public_key) { +static KRML_MUSTINLINE bool validate_public_key_f6(uint8_t *public_key) { return libcrux_ml_kem_ind_cca_validate_public_key_52(public_key); } @@ -173,5 +173,5 @@ static KRML_MUSTINLINE bool validate_public_key_3e(uint8_t *public_key) { */ bool libcrux_ml_kem_mlkem512_avx2_validate_public_key( libcrux_ml_kem_types_MlKemPublicKey_be *public_key) { - return validate_public_key_3e(public_key->value); + return validate_public_key_f6(public_key->value); } diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h index d116b682f..8a66b75c4 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h +++ b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __libcrux_mlkem512_avx2_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_portable.c b/libcrux-ml-kem/c/libcrux_mlkem512_portable.c index cd3750a98..2fc5a3251 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512_portable.c +++ b/libcrux-ml-kem/c/libcrux_mlkem512_portable.c @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #include "libcrux_mlkem512_portable.h" diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_portable.h b/libcrux-ml-kem/c/libcrux_mlkem512_portable.h index 594ed03d2..66032c07f 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512_portable.h +++ b/libcrux-ml-kem/c/libcrux_mlkem512_portable.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __libcrux_mlkem512_portable_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem768.h b/libcrux-ml-kem/c/libcrux_mlkem768.h index 0556cf23a..85985206f 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768.h +++ b/libcrux-ml-kem/c/libcrux_mlkem768.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __libcrux_mlkem768_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c index 4975abb16..3fd65a30d 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c +++ b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #include "libcrux_mlkem768_avx2.h" @@ -35,7 +35,7 @@ with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -static void decapsulate_511( +static void decapsulate_0c1( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { libcrux_ml_kem_ind_cca_decapsulate_7f1(private_key, ciphertext, ret); @@ -51,7 +51,7 @@ static void decapsulate_511( void libcrux_ml_kem_mlkem768_avx2_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - decapsulate_511(private_key, ciphertext, ret); + decapsulate_0c1(private_key, ciphertext, ret); } /** @@ -71,7 +71,7 @@ with const generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -static tuple_3c encapsulate_d11( +static tuple_3c encapsulate_ae1( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_types_MlKemPublicKey_15 *uu____0 = public_key; @@ -95,7 +95,7 @@ tuple_3c libcrux_ml_kem_mlkem768_avx2_encapsulate( /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return encapsulate_d11(uu____0, copy_of_randomness); + return encapsulate_ae1(uu____0, copy_of_randomness); } /** @@ -109,7 +109,7 @@ libcrux_ml_kem.ind_cca.instantiations.avx2.generate_keypair with const generics - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ -static libcrux_ml_kem_mlkem768_MlKem768KeyPair generate_keypair_b81( +static libcrux_ml_kem_mlkem768_MlKem768KeyPair generate_keypair_5a1( uint8_t randomness[64U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[64U]; @@ -125,7 +125,7 @@ libcrux_ml_kem_mlkem768_avx2_generate_key_pair(uint8_t randomness[64U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[64U]; memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); - return generate_keypair_b81(copy_of_randomness); + return generate_keypair_5a1(copy_of_randomness); } /** @@ -136,7 +136,7 @@ generics - SECRET_KEY_SIZE= 2400 - CIPHERTEXT_SIZE= 1088 */ -static KRML_MUSTINLINE bool validate_private_key_651( +static KRML_MUSTINLINE bool validate_private_key_081( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext) { return libcrux_ml_kem_ind_cca_validate_private_key_701(private_key, @@ -151,7 +151,7 @@ static KRML_MUSTINLINE bool validate_private_key_651( bool libcrux_ml_kem_mlkem768_avx2_validate_private_key( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext) { - return validate_private_key_651(private_key, ciphertext); + return validate_private_key_081(private_key, ciphertext); } /** @@ -162,7 +162,7 @@ generics - RANKED_BYTES_PER_RING_ELEMENT= 1152 - PUBLIC_KEY_SIZE= 1184 */ -static KRML_MUSTINLINE bool validate_public_key_3e1(uint8_t *public_key) { +static KRML_MUSTINLINE bool validate_public_key_f61(uint8_t *public_key) { return libcrux_ml_kem_ind_cca_validate_public_key_521(public_key); } @@ -173,5 +173,5 @@ static KRML_MUSTINLINE bool validate_public_key_3e1(uint8_t *public_key) { */ bool libcrux_ml_kem_mlkem768_avx2_validate_public_key( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key) { - return validate_public_key_3e1(public_key->value); + return validate_public_key_f61(public_key->value); } diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h index 25e02719b..af5edca86 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h +++ b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __libcrux_mlkem768_avx2_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_portable.c b/libcrux-ml-kem/c/libcrux_mlkem768_portable.c index ac4156303..1794e74b4 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768_portable.c +++ b/libcrux-ml-kem/c/libcrux_mlkem768_portable.c @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #include "libcrux_mlkem768_portable.h" diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_portable.h b/libcrux-ml-kem/c/libcrux_mlkem768_portable.h index 2ac8e4939..4e8116617 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768_portable.h +++ b/libcrux-ml-kem/c/libcrux_mlkem768_portable.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __libcrux_mlkem768_portable_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem_avx2.c index b89434a12..05520bf99 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_avx2.c +++ b/libcrux-ml-kem/c/libcrux_mlkem_avx2.c @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #include "internal/libcrux_mlkem_avx2.h" @@ -164,7 +164,8 @@ libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(__m256i vector) { __m256i t0 = mm256_mulhi_epi16( vector, mm256_set1_epi16( LIBCRUX_ML_KEM_VECTOR_AVX2_ARITHMETIC_BARRETT_MULTIPLIER)); - __m256i t1 = mm256_add_epi16(t0, mm256_set1_epi16((int16_t)512)); + __m256i t512 = mm256_set1_epi16((int16_t)512); + __m256i t1 = mm256_add_epi16(t0, t512); __m256i quotient = mm256_srai_epi16((int32_t)10, t1, __m256i); __m256i quotient_times_field_modulus = mm256_mullo_epi16( quotient, mm256_set1_epi16(LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS)); @@ -522,8 +523,8 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_1( __m128i high_msbs = mm256_extracti128_si256((int32_t)1, lsb_to_msb, __m128i); __m128i msbs = mm_packs_epi16(low_msbs, high_msbs); int32_t bits_packed = mm_movemask_epi8(msbs); - ret[0U] = (uint8_t)bits_packed; - ret[1U] = (uint8_t)(bits_packed >> 8U); + uint8_t result[2U] = {(uint8_t)bits_packed, (uint8_t)(bits_packed >> 8U)}; + memcpy(ret, result, (size_t)2U * sizeof(uint8_t)); } /** @@ -536,34 +537,35 @@ void libcrux_ml_kem_vector_avx2_serialize_1_09(__m256i vector, } KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_1(Eurydice_slice bytes) { - __m256i coefficients = mm256_set_epi16( - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *)); - __m256i shift_lsb_to_msb = mm256_set_epi16( - (int16_t)1 << 8U, (int16_t)1 << 9U, (int16_t)1 << 10U, (int16_t)1 << 11U, - (int16_t)1 << 12U, (int16_t)1 << 13U, (int16_t)1 << 14U, (int16_t)-32768, - (int16_t)1 << 8U, (int16_t)1 << 9U, (int16_t)1 << 10U, (int16_t)1 << 11U, - (int16_t)1 << 12U, (int16_t)1 << 13U, (int16_t)1 << 14U, (int16_t)-32768); - __m256i coefficients_in_msb = - mm256_mullo_epi16(coefficients, shift_lsb_to_msb); +libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_i16s( + int16_t a, int16_t b) { + __m256i coefficients = + mm256_set_epi16(b, b, b, b, b, b, b, b, a, a, a, a, a, a, a, a); + __m256i coefficients_in_msb = mm256_mullo_epi16( + coefficients, + mm256_set_epi16((int16_t)1 << 8U, (int16_t)1 << 9U, (int16_t)1 << 10U, + (int16_t)1 << 11U, (int16_t)1 << 12U, (int16_t)1 << 13U, + (int16_t)1 << 14U, (int16_t)-32768, (int16_t)1 << 8U, + (int16_t)1 << 9U, (int16_t)1 << 10U, (int16_t)1 << 11U, + (int16_t)1 << 12U, (int16_t)1 << 13U, (int16_t)1 << 14U, + (int16_t)-32768)); return mm256_srli_epi16((int32_t)15, coefficients_in_msb, __m256i); } +KRML_MUSTINLINE __m256i +libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_u8s( + uint8_t a, uint8_t b) { + return libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_i16s( + (int16_t)a, (int16_t)b); +} + +KRML_MUSTINLINE __m256i +libcrux_ml_kem_vector_avx2_serialize_deserialize_1(Eurydice_slice bytes) { + return libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_u8s( + Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *)); +} + /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} @@ -572,15 +574,27 @@ __m256i libcrux_ml_kem_vector_avx2_deserialize_1_09(Eurydice_slice bytes) { return libcrux_ml_kem_vector_avx2_serialize_deserialize_1(bytes); } +/** + `mm256_concat_pairs_n(n, x)` is then a sequence of 32 bits packets + of the shape `0b0…0b₁…bₙa₁…aₙ`, if `x` is a sequence of pairs of + 16 bits, of the shape `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` (where the last + `n` bits are non-zero). +*/ +KRML_MUSTINLINE __m256i +libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(uint8_t n, + __m256i x) { + int16_t n0 = (int16_t)1 << (uint32_t)n; + return mm256_madd_epi16( + x, mm256_set_epi16(n0, (int16_t)1, n0, (int16_t)1, n0, (int16_t)1, n0, + (int16_t)1, n0, (int16_t)1, n0, (int16_t)1, n0, + (int16_t)1, n0, (int16_t)1)); +} + KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_4( __m256i vector, uint8_t ret[8U]) { uint8_t serialized[16U] = {0U}; - __m256i adjacent_2_combined = mm256_madd_epi16( - vector, mm256_set_epi16( - (int16_t)1 << 4U, (int16_t)1, (int16_t)1 << 4U, (int16_t)1, - (int16_t)1 << 4U, (int16_t)1, (int16_t)1 << 4U, (int16_t)1, - (int16_t)1 << 4U, (int16_t)1, (int16_t)1 << 4U, (int16_t)1, - (int16_t)1 << 4U, (int16_t)1, (int16_t)1 << 4U, (int16_t)1)); + __m256i adjacent_2_combined = + libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(4U, vector); __m256i adjacent_8_combined = mm256_shuffle_epi8( adjacent_2_combined, mm256_set_epi8((int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, @@ -617,37 +631,47 @@ void libcrux_ml_kem_vector_avx2_serialize_4_09(__m256i vector, } KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_4(Eurydice_slice bytes) { - __m256i coefficients = mm256_set_epi16( - (int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *)); - __m256i shift_lsbs_to_msbs = mm256_set_epi16( - (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, - (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, - (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, - (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U); - __m256i coefficients_in_msb = - mm256_mullo_epi16(coefficients, shift_lsbs_to_msbs); +libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_i16s( + int16_t b0, int16_t b1, int16_t b2, int16_t b3, int16_t b4, int16_t b5, + int16_t b6, int16_t b7) { + __m256i coefficients = mm256_set_epi16(b7, b7, b6, b6, b5, b5, b4, b4, b3, b3, + b2, b2, b1, b1, b0, b0); + __m256i coefficients_in_msb = mm256_mullo_epi16( + coefficients, + mm256_set_epi16((int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, + (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, + (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, + (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, + (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, + (int16_t)1 << 4U)); __m256i coefficients_in_lsb = mm256_srli_epi16((int32_t)4, coefficients_in_msb, __m256i); return mm256_and_si256(coefficients_in_lsb, mm256_set1_epi16(((int16_t)1 << 4U) - (int16_t)1)); } +KRML_MUSTINLINE __m256i +libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_u8s( + uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5, + uint8_t b6, uint8_t b7) { + return libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_i16s( + (int16_t)b0, (int16_t)b1, (int16_t)b2, (int16_t)b3, (int16_t)b4, + (int16_t)b5, (int16_t)b6, (int16_t)b7); +} + +KRML_MUSTINLINE __m256i +libcrux_ml_kem_vector_avx2_serialize_deserialize_4(Eurydice_slice bytes) { + return libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_u8s( + Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *)); +} + /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} @@ -707,6 +731,22 @@ void libcrux_ml_kem_vector_avx2_serialize_5_09(__m256i vector, libcrux_ml_kem_vector_avx2_serialize_serialize_5(vector, ret); } +/** + We cannot model `mm256_inserti128_si256` on its own: it produces a + Vec256 where the upper 128 bits are undefined. Thus + `mm256_inserti128_si256` is not pure. + + Luckily, we always call `mm256_castsi128_si256` right after + `mm256_inserti128_si256`: this composition sets the upper bits, + making the whole computation pure again. +*/ +KRML_MUSTINLINE __m256i +libcrux_ml_kem_vector_avx2_serialize_mm256_si256_from_two_si128(__m128i lower, + __m128i upper) { + return mm256_inserti128_si256((int32_t)1, mm256_castsi128_si256(lower), upper, + __m256i); +} + KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_5(Eurydice_slice bytes) { __m128i coefficients = @@ -726,11 +766,11 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_5(Eurydice_slice bytes) { Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *)); - __m256i coefficients_loaded = mm256_castsi128_si256(coefficients); - __m256i coefficients_loaded0 = mm256_inserti128_si256( - (int32_t)1, coefficients_loaded, coefficients, __m256i); + __m256i coefficients_loaded = + libcrux_ml_kem_vector_avx2_serialize_mm256_si256_from_two_si128( + coefficients, coefficients); __m256i coefficients0 = mm256_shuffle_epi8( - coefficients_loaded0, + coefficients_loaded, mm256_set_epi8((int8_t)15, (int8_t)14, (int8_t)15, (int8_t)14, (int8_t)13, (int8_t)12, (int8_t)13, (int8_t)12, (int8_t)11, (int8_t)10, (int8_t)11, (int8_t)10, (int8_t)9, (int8_t)8, (int8_t)9, @@ -757,16 +797,11 @@ __m256i libcrux_ml_kem_vector_avx2_deserialize_5_09(Eurydice_slice bytes) { return libcrux_ml_kem_vector_avx2_serialize_deserialize_5(bytes); } -KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_10( - __m256i vector, uint8_t ret[20U]) { - uint8_t serialized[32U] = {0U}; - __m256i adjacent_2_combined = mm256_madd_epi16( - vector, mm256_set_epi16((int16_t)1 << 10U, (int16_t)1, (int16_t)1 << 10U, - (int16_t)1, (int16_t)1 << 10U, (int16_t)1, - (int16_t)1 << 10U, (int16_t)1, (int16_t)1 << 10U, - (int16_t)1, (int16_t)1 << 10U, (int16_t)1, - (int16_t)1 << 10U, (int16_t)1, (int16_t)1 << 10U, - (int16_t)1)); +core_core_arch_x86___m128i_x2 +libcrux_ml_kem_vector_avx2_serialize_serialize_10_serialize_10_vec( + __m256i vector) { + __m256i adjacent_2_combined = + libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(10U, vector); __m256i adjacent_4_combined = mm256_sllv_epi32( adjacent_2_combined, mm256_set_epi32((int32_t)0, (int32_t)12, (int32_t)0, (int32_t)12, @@ -783,11 +818,23 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_10( (int8_t)9, (int8_t)8, (int8_t)4, (int8_t)3, (int8_t)2, (int8_t)1, (int8_t)0)); __m128i lower_8 = mm256_castsi256_si128(adjacent_8_combined); + __m128i upper_8 = + mm256_extracti128_si256((int32_t)1, adjacent_8_combined, __m128i); + return ( + CLITERAL(core_core_arch_x86___m128i_x2){.fst = lower_8, .snd = upper_8}); +} + +KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_10( + __m256i vector, uint8_t ret[20U]) { + core_core_arch_x86___m128i_x2 uu____0 = + libcrux_ml_kem_vector_avx2_serialize_serialize_10_serialize_10_vec( + vector); + __m128i lower_8 = uu____0.fst; + __m128i upper_8 = uu____0.snd; + uint8_t serialized[32U] = {0U}; mm_storeu_bytes_si128( Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), lower_8); - __m128i upper_8 = - mm256_extracti128_si256((int32_t)1, adjacent_8_combined, __m128i); mm_storeu_bytes_si128(Eurydice_array_to_subslice2(serialized, (size_t)10U, (size_t)26U, uint8_t), upper_8); @@ -811,31 +858,40 @@ void libcrux_ml_kem_vector_avx2_serialize_10_09(__m256i vector, } KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_10(Eurydice_slice bytes) { - __m256i shift_lsbs_to_msbs = mm256_set_epi16( - (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U, - (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U, - (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U, - (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U); - __m128i lower_coefficients = mm_loadu_si128( - Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)16U, uint8_t)); - __m128i lower_coefficients0 = mm_shuffle_epi8( - lower_coefficients, mm_set_epi8(9U, 8U, 8U, 7U, 7U, 6U, 6U, 5U, 4U, 3U, - 3U, 2U, 2U, 1U, 1U, 0U)); - __m128i upper_coefficients = mm_loadu_si128( - Eurydice_slice_subslice2(bytes, (size_t)4U, (size_t)20U, uint8_t)); - __m128i upper_coefficients0 = mm_shuffle_epi8( - upper_coefficients, mm_set_epi8(15U, 14U, 14U, 13U, 13U, 12U, 12U, 11U, - 10U, 9U, 9U, 8U, 8U, 7U, 7U, 6U)); - __m256i coefficients = mm256_castsi128_si256(lower_coefficients0); - __m256i coefficients0 = mm256_inserti128_si256((int32_t)1, coefficients, - upper_coefficients0, __m256i); - __m256i coefficients1 = mm256_mullo_epi16(coefficients0, shift_lsbs_to_msbs); - __m256i coefficients2 = mm256_srli_epi16((int32_t)6, coefficients1, __m256i); - return mm256_and_si256(coefficients2, +libcrux_ml_kem_vector_avx2_serialize_deserialize_10_deserialize_10_vec( + __m128i lower_coefficients0, __m128i upper_coefficients0) { + __m128i lower_coefficients = mm_shuffle_epi8( + lower_coefficients0, mm_set_epi8(9U, 8U, 8U, 7U, 7U, 6U, 6U, 5U, 4U, 3U, + 3U, 2U, 2U, 1U, 1U, 0U)); + __m128i upper_coefficients = mm_shuffle_epi8( + upper_coefficients0, mm_set_epi8(15U, 14U, 14U, 13U, 13U, 12U, 12U, 11U, + 10U, 9U, 9U, 8U, 8U, 7U, 7U, 6U)); + __m256i coefficients = + libcrux_ml_kem_vector_avx2_serialize_mm256_si256_from_two_si128( + lower_coefficients, upper_coefficients); + __m256i coefficients0 = mm256_mullo_epi16( + coefficients, + mm256_set_epi16((int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, + (int16_t)1 << 6U, (int16_t)1 << 0U, (int16_t)1 << 2U, + (int16_t)1 << 4U, (int16_t)1 << 6U, (int16_t)1 << 0U, + (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U, + (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, + (int16_t)1 << 6U)); + __m256i coefficients1 = mm256_srli_epi16((int32_t)6, coefficients0, __m256i); + return mm256_and_si256(coefficients1, mm256_set1_epi16(((int16_t)1 << 10U) - (int16_t)1)); } +KRML_MUSTINLINE __m256i +libcrux_ml_kem_vector_avx2_serialize_deserialize_10(Eurydice_slice bytes) { + Eurydice_slice lower_coefficients = + Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)16U, uint8_t); + Eurydice_slice upper_coefficients = + Eurydice_slice_subslice2(bytes, (size_t)4U, (size_t)20U, uint8_t); + return libcrux_ml_kem_vector_avx2_serialize_deserialize_10_deserialize_10_vec( + mm_loadu_si128(lower_coefficients), mm_loadu_si128(upper_coefficients)); +} + /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} @@ -884,16 +940,11 @@ __m256i libcrux_ml_kem_vector_avx2_deserialize_11_09(Eurydice_slice bytes) { return libcrux_ml_kem_vector_avx2_serialize_deserialize_11(bytes); } -KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_12( - __m256i vector, uint8_t ret[24U]) { - uint8_t serialized[32U] = {0U}; - __m256i adjacent_2_combined = mm256_madd_epi16( - vector, mm256_set_epi16((int16_t)1 << 12U, (int16_t)1, (int16_t)1 << 12U, - (int16_t)1, (int16_t)1 << 12U, (int16_t)1, - (int16_t)1 << 12U, (int16_t)1, (int16_t)1 << 12U, - (int16_t)1, (int16_t)1 << 12U, (int16_t)1, - (int16_t)1 << 12U, (int16_t)1, (int16_t)1 << 12U, - (int16_t)1)); +KRML_MUSTINLINE core_core_arch_x86___m128i_x2 +libcrux_ml_kem_vector_avx2_serialize_serialize_12_serialize_12_vec( + __m256i vector) { + __m256i adjacent_2_combined = + libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(12U, vector); __m256i adjacent_4_combined = mm256_sllv_epi32( adjacent_2_combined, mm256_set_epi32((int32_t)0, (int32_t)8, (int32_t)0, (int32_t)8, @@ -912,6 +963,18 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_12( __m128i lower_8 = mm256_castsi256_si128(adjacent_8_combined); __m128i upper_8 = mm256_extracti128_si256((int32_t)1, adjacent_8_combined, __m128i); + return ( + CLITERAL(core_core_arch_x86___m128i_x2){.fst = lower_8, .snd = upper_8}); +} + +KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_12( + __m256i vector, uint8_t ret[24U]) { + uint8_t serialized[32U] = {0U}; + core_core_arch_x86___m128i_x2 uu____0 = + libcrux_ml_kem_vector_avx2_serialize_serialize_12_serialize_12_vec( + vector); + __m128i lower_8 = uu____0.fst; + __m128i upper_8 = uu____0.snd; mm_storeu_bytes_si128( Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), lower_8); @@ -937,30 +1000,39 @@ void libcrux_ml_kem_vector_avx2_serialize_12_09(__m256i vector, libcrux_ml_kem_vector_avx2_serialize_serialize_12(vector, ret); } +KRML_MUSTINLINE __m256i +libcrux_ml_kem_vector_avx2_serialize_deserialize_12_deserialize_12_vec( + __m128i lower_coefficients0, __m128i upper_coefficients0) { + __m128i lower_coefficients = mm_shuffle_epi8( + lower_coefficients0, mm_set_epi8(11U, 10U, 10U, 9U, 8U, 7U, 7U, 6U, 5U, + 4U, 4U, 3U, 2U, 1U, 1U, 0U)); + __m128i upper_coefficients = mm_shuffle_epi8( + upper_coefficients0, mm_set_epi8(15U, 14U, 14U, 13U, 12U, 11U, 11U, 10U, + 9U, 8U, 8U, 7U, 6U, 5U, 5U, 4U)); + __m256i coefficients = + libcrux_ml_kem_vector_avx2_serialize_mm256_si256_from_two_si128( + lower_coefficients, upper_coefficients); + __m256i coefficients0 = mm256_mullo_epi16( + coefficients, + mm256_set_epi16((int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, + (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, + (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, + (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, + (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, + (int16_t)1 << 4U)); + __m256i coefficients1 = mm256_srli_epi16((int32_t)4, coefficients0, __m256i); + return mm256_and_si256(coefficients1, + mm256_set1_epi16(((int16_t)1 << 12U) - (int16_t)1)); +} + KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_12(Eurydice_slice bytes) { - __m256i shift_lsbs_to_msbs = mm256_set_epi16( - (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, - (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, - (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, - (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U); __m128i lower_coefficients = mm_loadu_si128( Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)16U, uint8_t)); - __m128i lower_coefficients0 = mm_shuffle_epi8( - lower_coefficients, mm_set_epi8(11U, 10U, 10U, 9U, 8U, 7U, 7U, 6U, 5U, 4U, - 4U, 3U, 2U, 1U, 1U, 0U)); __m128i upper_coefficients = mm_loadu_si128( Eurydice_slice_subslice2(bytes, (size_t)8U, (size_t)24U, uint8_t)); - __m128i upper_coefficients0 = mm_shuffle_epi8( - upper_coefficients, mm_set_epi8(15U, 14U, 14U, 13U, 12U, 11U, 11U, 10U, - 9U, 8U, 8U, 7U, 6U, 5U, 5U, 4U)); - __m256i coefficients = mm256_castsi128_si256(lower_coefficients0); - __m256i coefficients0 = mm256_inserti128_si256((int32_t)1, coefficients, - upper_coefficients0, __m256i); - __m256i coefficients1 = mm256_mullo_epi16(coefficients0, shift_lsbs_to_msbs); - __m256i coefficients2 = mm256_srli_epi16((int32_t)4, coefficients1, __m256i); - return mm256_and_si256(coefficients2, - mm256_set1_epi16(((int16_t)1 << 12U) - (int16_t)1)); + return libcrux_ml_kem_vector_avx2_serialize_deserialize_12_deserialize_12_vec( + lower_coefficients, upper_coefficients); } /** @@ -2952,7 +3024,7 @@ generics - COEFFICIENT_BITS= 10 */ static KRML_MUSTINLINE __m256i -compress_ciphertext_coefficient_43(__m256i vector) { +compress_ciphertext_coefficient_1a(__m256i vector) { __m256i field_modulus_halved = mm256_set1_epi32( ((int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS - (int32_t)1) / (int32_t)2); @@ -2999,8 +3071,8 @@ A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_09 with const generics - COEFFICIENT_BITS= 10 */ -static __m256i compress_09_76(__m256i vector) { - return compress_ciphertext_coefficient_43(vector); +static __m256i compress_09_74(__m256i vector) { + return compress_ciphertext_coefficient_1a(vector); } /** @@ -3016,7 +3088,7 @@ static KRML_MUSTINLINE void compress_then_serialize_10_2b0( i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; __m256i coefficient = - compress_09_76(to_unsigned_field_modulus_7b(re->coefficients[i0])); + compress_09_74(to_unsigned_field_modulus_7b(re->coefficients[i0])); uint8_t bytes[20U]; libcrux_ml_kem_vector_avx2_serialize_10_09(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( @@ -3036,7 +3108,7 @@ generics - COEFFICIENT_BITS= 11 */ static KRML_MUSTINLINE __m256i -compress_ciphertext_coefficient_430(__m256i vector) { +compress_ciphertext_coefficient_1a0(__m256i vector) { __m256i field_modulus_halved = mm256_set1_epi32( ((int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS - (int32_t)1) / (int32_t)2); @@ -3083,8 +3155,8 @@ A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_09 with const generics - COEFFICIENT_BITS= 11 */ -static __m256i compress_09_760(__m256i vector) { - return compress_ciphertext_coefficient_430(vector); +static __m256i compress_09_740(__m256i vector) { + return compress_ciphertext_coefficient_1a0(vector); } /** @@ -3139,7 +3211,7 @@ generics - COEFFICIENT_BITS= 4 */ static KRML_MUSTINLINE __m256i -compress_ciphertext_coefficient_431(__m256i vector) { +compress_ciphertext_coefficient_1a1(__m256i vector) { __m256i field_modulus_halved = mm256_set1_epi32( ((int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS - (int32_t)1) / (int32_t)2); @@ -3186,8 +3258,8 @@ A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_09 with const generics - COEFFICIENT_BITS= 4 */ -static __m256i compress_09_761(__m256i vector) { - return compress_ciphertext_coefficient_431(vector); +static __m256i compress_09_741(__m256i vector) { + return compress_ciphertext_coefficient_1a1(vector); } /** @@ -3203,7 +3275,7 @@ static KRML_MUSTINLINE void compress_then_serialize_4_a4( i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; __m256i coefficient = - compress_09_761(to_unsigned_field_modulus_7b(re.coefficients[i0])); + compress_09_741(to_unsigned_field_modulus_7b(re.coefficients[i0])); uint8_t bytes[8U]; libcrux_ml_kem_vector_avx2_serialize_4_09(coefficient, bytes); Eurydice_slice_copy( @@ -3220,7 +3292,7 @@ generics - COEFFICIENT_BITS= 5 */ static KRML_MUSTINLINE __m256i -compress_ciphertext_coefficient_432(__m256i vector) { +compress_ciphertext_coefficient_1a2(__m256i vector) { __m256i field_modulus_halved = mm256_set1_epi32( ((int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS - (int32_t)1) / (int32_t)2); @@ -3267,8 +3339,8 @@ A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_09 with const generics - COEFFICIENT_BITS= 5 */ -static __m256i compress_09_762(__m256i vector) { - return compress_ciphertext_coefficient_432(vector); +static __m256i compress_09_742(__m256i vector) { + return compress_ciphertext_coefficient_1a2(vector); } /** @@ -3284,7 +3356,7 @@ static KRML_MUSTINLINE void compress_then_serialize_5_03( i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; __m256i coefficients = - compress_09_762(to_unsigned_representative_3f(re.coefficients[i0])); + compress_09_742(to_unsigned_representative_3f(re.coefficients[i0])); uint8_t bytes[10U]; libcrux_ml_kem_vector_avx2_serialize_5_09(coefficients, bytes); Eurydice_slice_copy( @@ -3570,7 +3642,7 @@ generics - COEFFICIENT_BITS= 10 */ static KRML_MUSTINLINE __m256i -decompress_ciphertext_coefficient_79(__m256i vector) { +decompress_ciphertext_coefficient_8e(__m256i vector) { __m256i field_modulus = mm256_set1_epi32((int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); __m256i two_pow_coefficient_bits = @@ -3614,8 +3686,8 @@ libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_09 with const generics - COEFFICIENT_BITS= 10 */ -static __m256i decompress_ciphertext_coefficient_09_c6(__m256i vector) { - return decompress_ciphertext_coefficient_79(vector); +static __m256i decompress_ciphertext_coefficient_09_70(__m256i vector) { + return decompress_ciphertext_coefficient_8e(vector); } /** @@ -3638,7 +3710,7 @@ deserialize_then_decompress_10_c7(Eurydice_slice serialized) { Eurydice_slice bytes = Eurydice_slice_subslice2( serialized, i0 * (size_t)20U, i0 * (size_t)20U + (size_t)20U, uint8_t); __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_10_09(bytes); - re.coefficients[i0] = decompress_ciphertext_coefficient_09_c6(coefficient); + re.coefficients[i0] = decompress_ciphertext_coefficient_09_70(coefficient); } return re; } @@ -3650,7 +3722,7 @@ generics - COEFFICIENT_BITS= 11 */ static KRML_MUSTINLINE __m256i -decompress_ciphertext_coefficient_790(__m256i vector) { +decompress_ciphertext_coefficient_8e0(__m256i vector) { __m256i field_modulus = mm256_set1_epi32((int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); __m256i two_pow_coefficient_bits = @@ -3694,8 +3766,8 @@ libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_09 with const generics - COEFFICIENT_BITS= 11 */ -static __m256i decompress_ciphertext_coefficient_09_c60(__m256i vector) { - return decompress_ciphertext_coefficient_790(vector); +static __m256i decompress_ciphertext_coefficient_09_700(__m256i vector) { + return decompress_ciphertext_coefficient_8e0(vector); } /** @@ -3713,7 +3785,7 @@ deserialize_then_decompress_11_d5(Eurydice_slice serialized) { Eurydice_slice bytes = Eurydice_slice_subslice2( serialized, i0 * (size_t)22U, i0 * (size_t)22U + (size_t)22U, uint8_t); __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_11_09(bytes); - re.coefficients[i0] = decompress_ciphertext_coefficient_09_c60(coefficient); + re.coefficients[i0] = decompress_ciphertext_coefficient_09_700(coefficient); } return re; } @@ -3794,7 +3866,7 @@ generics - COEFFICIENT_BITS= 4 */ static KRML_MUSTINLINE __m256i -decompress_ciphertext_coefficient_791(__m256i vector) { +decompress_ciphertext_coefficient_8e1(__m256i vector) { __m256i field_modulus = mm256_set1_epi32((int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); __m256i two_pow_coefficient_bits = @@ -3838,8 +3910,8 @@ libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_09 with const generics - COEFFICIENT_BITS= 4 */ -static __m256i decompress_ciphertext_coefficient_09_c61(__m256i vector) { - return decompress_ciphertext_coefficient_791(vector); +static __m256i decompress_ciphertext_coefficient_09_701(__m256i vector) { + return decompress_ciphertext_coefficient_8e1(vector); } /** @@ -3857,7 +3929,7 @@ deserialize_then_decompress_4_75(Eurydice_slice serialized) { Eurydice_slice bytes = Eurydice_slice_subslice2( serialized, i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t); __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_4_09(bytes); - re.coefficients[i0] = decompress_ciphertext_coefficient_09_c61(coefficient); + re.coefficients[i0] = decompress_ciphertext_coefficient_09_701(coefficient); } return re; } @@ -3869,7 +3941,7 @@ generics - COEFFICIENT_BITS= 5 */ static KRML_MUSTINLINE __m256i -decompress_ciphertext_coefficient_792(__m256i vector) { +decompress_ciphertext_coefficient_8e2(__m256i vector) { __m256i field_modulus = mm256_set1_epi32((int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); __m256i two_pow_coefficient_bits = @@ -3913,8 +3985,8 @@ libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_09 with const generics - COEFFICIENT_BITS= 5 */ -static __m256i decompress_ciphertext_coefficient_09_c62(__m256i vector) { - return decompress_ciphertext_coefficient_792(vector); +static __m256i decompress_ciphertext_coefficient_09_702(__m256i vector) { + return decompress_ciphertext_coefficient_8e2(vector); } /** @@ -3933,7 +4005,7 @@ deserialize_then_decompress_5_f8(Eurydice_slice serialized) { serialized, i0 * (size_t)10U, i0 * (size_t)10U + (size_t)10U, uint8_t); re.coefficients[i0] = libcrux_ml_kem_vector_avx2_deserialize_5_09(bytes); re.coefficients[i0] = - decompress_ciphertext_coefficient_09_c62(re.coefficients[i0]); + decompress_ciphertext_coefficient_09_702(re.coefficients[i0]); } return re; } @@ -5444,7 +5516,7 @@ static KRML_MUSTINLINE void compress_then_serialize_11_17( i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; __m256i coefficient = - compress_09_760(to_unsigned_representative_3f(re->coefficients[i0])); + compress_09_740(to_unsigned_representative_3f(re->coefficients[i0])); uint8_t bytes[22U]; libcrux_ml_kem_vector_avx2_serialize_11_09(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( diff --git a/libcrux-ml-kem/c/libcrux_mlkem_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem_avx2.h index 42cc1517c..02a4b1c04 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_avx2.h +++ b/libcrux-ml-kem/c/libcrux_mlkem_avx2.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __libcrux_mlkem_avx2_H @@ -234,6 +234,12 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ void libcrux_ml_kem_vector_avx2_serialize_1_09(__m256i vector, uint8_t ret[2U]); +__m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_i16s( + int16_t a, int16_t b); + +__m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_u8s( + uint8_t a, uint8_t b); + __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_1( Eurydice_slice bytes); @@ -243,6 +249,15 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ __m256i libcrux_ml_kem_vector_avx2_deserialize_1_09(Eurydice_slice bytes); +/** + `mm256_concat_pairs_n(n, x)` is then a sequence of 32 bits packets + of the shape `0b0…0b₁…bₙa₁…aₙ`, if `x` is a sequence of pairs of + 16 bits, of the shape `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` (where the last + `n` bits are non-zero). +*/ +__m256i libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(uint8_t n, + __m256i x); + void libcrux_ml_kem_vector_avx2_serialize_serialize_4(__m256i vector, uint8_t ret[8U]); @@ -252,6 +267,14 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ void libcrux_ml_kem_vector_avx2_serialize_4_09(__m256i vector, uint8_t ret[8U]); +__m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_i16s( + int16_t b0, int16_t b1, int16_t b2, int16_t b3, int16_t b4, int16_t b5, + int16_t b6, int16_t b7); + +__m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_u8s( + uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5, + uint8_t b6, uint8_t b7); + __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_4( Eurydice_slice bytes); @@ -271,6 +294,18 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} void libcrux_ml_kem_vector_avx2_serialize_5_09(__m256i vector, uint8_t ret[10U]); +/** + We cannot model `mm256_inserti128_si256` on its own: it produces a + Vec256 where the upper 128 bits are undefined. Thus + `mm256_inserti128_si256` is not pure. + + Luckily, we always call `mm256_castsi128_si256` right after + `mm256_inserti128_si256`: this composition sets the upper bits, + making the whole computation pure again. +*/ +__m256i libcrux_ml_kem_vector_avx2_serialize_mm256_si256_from_two_si128( + __m128i lower, __m128i upper); + __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_5( Eurydice_slice bytes); @@ -280,6 +315,15 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ __m256i libcrux_ml_kem_vector_avx2_deserialize_5_09(Eurydice_slice bytes); +typedef struct core_core_arch_x86___m128i_x2_s { + __m128i fst; + __m128i snd; +} core_core_arch_x86___m128i_x2; + +core_core_arch_x86___m128i_x2 +libcrux_ml_kem_vector_avx2_serialize_serialize_10_serialize_10_vec( + __m256i vector); + void libcrux_ml_kem_vector_avx2_serialize_serialize_10(__m256i vector, uint8_t ret[20U]); @@ -290,6 +334,9 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} void libcrux_ml_kem_vector_avx2_serialize_10_09(__m256i vector, uint8_t ret[20U]); +__m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_10_deserialize_10_vec( + __m128i lower_coefficients0, __m128i upper_coefficients0); + __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_10( Eurydice_slice bytes); @@ -318,6 +365,10 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ __m256i libcrux_ml_kem_vector_avx2_deserialize_11_09(Eurydice_slice bytes); +core_core_arch_x86___m128i_x2 +libcrux_ml_kem_vector_avx2_serialize_serialize_12_serialize_12_vec( + __m256i vector); + void libcrux_ml_kem_vector_avx2_serialize_serialize_12(__m256i vector, uint8_t ret[24U]); @@ -328,6 +379,9 @@ libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} void libcrux_ml_kem_vector_avx2_serialize_12_09(__m256i vector, uint8_t ret[24U]); +__m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_12_deserialize_12_vec( + __m128i lower_coefficients0, __m128i upper_coefficients0); + __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_12( Eurydice_slice bytes); diff --git a/libcrux-ml-kem/c/libcrux_mlkem_portable.c b/libcrux-ml-kem/c/libcrux_mlkem_portable.c index 9c539cfa1..25021f8c9 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_portable.c +++ b/libcrux-ml-kem/c/libcrux_mlkem_portable.c @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #include "internal/libcrux_mlkem_portable.h" diff --git a/libcrux-ml-kem/c/libcrux_mlkem_portable.h b/libcrux-ml-kem/c/libcrux_mlkem_portable.h index c9875da03..e36fc4ae2 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_portable.h +++ b/libcrux-ml-kem/c/libcrux_mlkem_portable.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __libcrux_mlkem_portable_H diff --git a/libcrux-ml-kem/c/libcrux_sha3.h b/libcrux-ml-kem/c/libcrux_sha3.h index 6e2ab7015..09a7923b5 100644 --- a/libcrux-ml-kem/c/libcrux_sha3.h +++ b/libcrux-ml-kem/c/libcrux_sha3.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __libcrux_sha3_H diff --git a/libcrux-ml-kem/c/libcrux_sha3_avx2.c b/libcrux-ml-kem/c/libcrux_sha3_avx2.c index d854d460d..49d6623c3 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_avx2.c +++ b/libcrux-ml-kem/c/libcrux_sha3_avx2.c @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #include "internal/libcrux_sha3_avx2.h" diff --git a/libcrux-ml-kem/c/libcrux_sha3_avx2.h b/libcrux-ml-kem/c/libcrux_sha3_avx2.h index 7da61a71e..1e2e63c96 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_avx2.h +++ b/libcrux-ml-kem/c/libcrux_sha3_avx2.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __libcrux_sha3_avx2_H diff --git a/libcrux-ml-kem/c/libcrux_sha3_internal.h b/libcrux-ml-kem/c/libcrux_sha3_internal.h index 1e2de3251..5b4b70a94 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_internal.h +++ b/libcrux-ml-kem/c/libcrux_sha3_internal.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __libcrux_sha3_internal_H diff --git a/libcrux-ml-kem/c/libcrux_sha3_neon.c b/libcrux-ml-kem/c/libcrux_sha3_neon.c index 5cf30d99e..d84fc7126 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_neon.c +++ b/libcrux-ml-kem/c/libcrux_sha3_neon.c @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #include "libcrux_sha3_neon.h" diff --git a/libcrux-ml-kem/c/libcrux_sha3_neon.h b/libcrux-ml-kem/c/libcrux_sha3_neon.h index 362ca6ad1..bdb6771ab 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_neon.h +++ b/libcrux-ml-kem/c/libcrux_sha3_neon.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __libcrux_sha3_neon_H diff --git a/libcrux-ml-kem/cg/code_gen.txt b/libcrux-ml-kem/cg/code_gen.txt index dc4e2de87..7599cb2f1 100644 --- a/libcrux-ml-kem/cg/code_gen.txt +++ b/libcrux-ml-kem/cg/code_gen.txt @@ -2,5 +2,5 @@ This code was generated with the following revisions: Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 -F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd -Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 +F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 +Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf diff --git a/libcrux-ml-kem/cg/libcrux_core.h b/libcrux-ml-kem/cg/libcrux_core.h index dcf4fd6fe..c6916acab 100644 --- a/libcrux-ml-kem/cg/libcrux_core.h +++ b/libcrux-ml-kem/cg/libcrux_core.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __libcrux_core_H diff --git a/libcrux-ml-kem/cg/libcrux_ct_ops.h b/libcrux-ml-kem/cg/libcrux_ct_ops.h index 898681bb4..2b5ee19c2 100644 --- a/libcrux-ml-kem/cg/libcrux_ct_ops.h +++ b/libcrux-ml-kem/cg/libcrux_ct_ops.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __libcrux_ct_ops_H diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h index 053e1683b..553bb0252 100644 --- a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h +++ b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __libcrux_mlkem768_avx2_H @@ -204,8 +204,8 @@ libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(__m256i vector) { __m256i t0 = libcrux_intrinsics_avx2_mm256_mulhi_epi16( vector, libcrux_intrinsics_avx2_mm256_set1_epi16( LIBCRUX_ML_KEM_VECTOR_AVX2_ARITHMETIC_BARRETT_MULTIPLIER)); - __m256i t1 = libcrux_intrinsics_avx2_mm256_add_epi16( - t0, libcrux_intrinsics_avx2_mm256_set1_epi16((int16_t)512)); + __m256i t512 = libcrux_intrinsics_avx2_mm256_set1_epi16((int16_t)512); + __m256i t1 = libcrux_intrinsics_avx2_mm256_add_epi16(t0, t512); __m256i quotient = libcrux_intrinsics_avx2_mm256_srai_epi16((int32_t)10, t1, __m256i); __m256i quotient_times_field_modulus = @@ -636,8 +636,8 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_1( (int32_t)1, lsb_to_msb, __m128i); __m128i msbs = libcrux_intrinsics_avx2_mm_packs_epi16(low_msbs, high_msbs); int32_t bits_packed = libcrux_intrinsics_avx2_mm_movemask_epi8(msbs); - ret[0U] = (uint8_t)bits_packed; - ret[1U] = (uint8_t)(bits_packed >> 8U); + uint8_t result[2U] = {(uint8_t)bits_packed, (uint8_t)(bits_packed >> 8U)}; + memcpy(ret, result, (size_t)2U * sizeof(uint8_t)); } /** @@ -652,35 +652,38 @@ static inline void libcrux_ml_kem_vector_avx2_serialize_1_09(__m256i vector, KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_1(Eurydice_slice bytes) { +libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_i16s( + int16_t a, int16_t b) { __m256i coefficients = libcrux_intrinsics_avx2_mm256_set_epi16( - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *)); - __m256i shift_lsb_to_msb = libcrux_intrinsics_avx2_mm256_set_epi16( - (int16_t)1 << 8U, (int16_t)1 << 9U, (int16_t)1 << 10U, (int16_t)1 << 11U, - (int16_t)1 << 12U, (int16_t)1 << 13U, (int16_t)1 << 14U, (int16_t)-32768, - (int16_t)1 << 8U, (int16_t)1 << 9U, (int16_t)1 << 10U, (int16_t)1 << 11U, - (int16_t)1 << 12U, (int16_t)1 << 13U, (int16_t)1 << 14U, (int16_t)-32768); - __m256i coefficients_in_msb = - libcrux_intrinsics_avx2_mm256_mullo_epi16(coefficients, shift_lsb_to_msb); + b, b, b, b, b, b, b, b, a, a, a, a, a, a, a, a); + __m256i coefficients_in_msb = libcrux_intrinsics_avx2_mm256_mullo_epi16( + coefficients, libcrux_intrinsics_avx2_mm256_set_epi16( + (int16_t)1 << 8U, (int16_t)1 << 9U, (int16_t)1 << 10U, + (int16_t)1 << 11U, (int16_t)1 << 12U, (int16_t)1 << 13U, + (int16_t)1 << 14U, (int16_t)-32768, (int16_t)1 << 8U, + (int16_t)1 << 9U, (int16_t)1 << 10U, (int16_t)1 << 11U, + (int16_t)1 << 12U, (int16_t)1 << 13U, (int16_t)1 << 14U, + (int16_t)-32768)); return libcrux_intrinsics_avx2_mm256_srli_epi16((int32_t)15, coefficients_in_msb, __m256i); } +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_u8s( + uint8_t a, uint8_t b) { + return libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_i16s( + (int16_t)a, (int16_t)b); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_kem_vector_avx2_serialize_deserialize_1(Eurydice_slice bytes) { + return libcrux_ml_kem_vector_avx2_serialize_deserialize_1_deserialize_1_u8s( + Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *)); +} + /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} @@ -691,16 +694,29 @@ static inline __m256i libcrux_ml_kem_vector_avx2_deserialize_1_09( return libcrux_ml_kem_vector_avx2_serialize_deserialize_1(bytes); } +/** + `mm256_concat_pairs_n(n, x)` is then a sequence of 32 bits packets + of the shape `0b0…0b₁…bₙa₁…aₙ`, if `x` is a sequence of pairs of + 16 bits, of the shape `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` (where the last + `n` bits are non-zero). +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(uint8_t n, + __m256i x) { + int16_t n0 = (int16_t)1 << (uint32_t)n; + return libcrux_intrinsics_avx2_mm256_madd_epi16( + x, libcrux_intrinsics_avx2_mm256_set_epi16( + n0, (int16_t)1, n0, (int16_t)1, n0, (int16_t)1, n0, (int16_t)1, n0, + (int16_t)1, n0, (int16_t)1, n0, (int16_t)1, n0, (int16_t)1)); +} + KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_4( __m256i vector, uint8_t ret[8U]) { uint8_t serialized[16U] = {0U}; - __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_madd_epi16( - vector, libcrux_intrinsics_avx2_mm256_set_epi16( - (int16_t)1 << 4U, (int16_t)1, (int16_t)1 << 4U, (int16_t)1, - (int16_t)1 << 4U, (int16_t)1, (int16_t)1 << 4U, (int16_t)1, - (int16_t)1 << 4U, (int16_t)1, (int16_t)1 << 4U, (int16_t)1, - (int16_t)1 << 4U, (int16_t)1, (int16_t)1 << 4U, (int16_t)1)); + __m256i adjacent_2_combined = + libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(4U, vector); __m256i adjacent_8_combined = libcrux_intrinsics_avx2_mm256_shuffle_epi8( adjacent_2_combined, libcrux_intrinsics_avx2_mm256_set_epi8( @@ -739,31 +755,19 @@ static inline void libcrux_ml_kem_vector_avx2_serialize_4_09(__m256i vector, KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_4(Eurydice_slice bytes) { +libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_i16s( + int16_t b0, int16_t b1, int16_t b2, int16_t b3, int16_t b4, int16_t b5, + int16_t b6, int16_t b7) { __m256i coefficients = libcrux_intrinsics_avx2_mm256_set_epi16( - (int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *)); - __m256i shift_lsbs_to_msbs = libcrux_intrinsics_avx2_mm256_set_epi16( - (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, - (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, - (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, - (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U); + b7, b7, b6, b6, b5, b5, b4, b4, b3, b3, b2, b2, b1, b1, b0, b0); __m256i coefficients_in_msb = libcrux_intrinsics_avx2_mm256_mullo_epi16( - coefficients, shift_lsbs_to_msbs); + coefficients, libcrux_intrinsics_avx2_mm256_set_epi16( + (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, + (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, + (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, + (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, + (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, + (int16_t)1 << 4U)); __m256i coefficients_in_lsb = libcrux_intrinsics_avx2_mm256_srli_epi16( (int32_t)4, coefficients_in_msb, __m256i); return libcrux_intrinsics_avx2_mm256_and_si256( @@ -771,6 +775,30 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_4(Eurydice_slice bytes) { ((int16_t)1 << 4U) - (int16_t)1)); } +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_u8s( + uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4, uint8_t b5, + uint8_t b6, uint8_t b7) { + return libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_i16s( + (int16_t)b0, (int16_t)b1, (int16_t)b2, (int16_t)b3, (int16_t)b4, + (int16_t)b5, (int16_t)b6, (int16_t)b7); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_kem_vector_avx2_serialize_deserialize_4(Eurydice_slice bytes) { + return libcrux_ml_kem_vector_avx2_serialize_deserialize_4_deserialize_4_u8s( + Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *)); +} + /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} @@ -837,6 +865,24 @@ static inline void libcrux_ml_kem_vector_avx2_serialize_5_09(__m256i vector, libcrux_ml_kem_vector_avx2_serialize_serialize_5(vector, ret); } +/** + We cannot model `mm256_inserti128_si256` on its own: it produces a + Vec256 where the upper 128 bits are undefined. Thus + `mm256_inserti128_si256` is not pure. + + Luckily, we always call `mm256_castsi128_si256` right after + `mm256_inserti128_si256`: this composition sets the upper bits, + making the whole computation pure again. +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_kem_vector_avx2_serialize_mm256_si256_from_two_si128(__m128i lower, + __m128i upper) { + return libcrux_intrinsics_avx2_mm256_inserti128_si256( + (int32_t)1, libcrux_intrinsics_avx2_mm256_castsi128_si256(lower), upper, + __m256i); +} + KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_5(Eurydice_slice bytes) { @@ -858,11 +904,10 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_5(Eurydice_slice bytes) { Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *)); __m256i coefficients_loaded = - libcrux_intrinsics_avx2_mm256_castsi128_si256(coefficients); - __m256i coefficients_loaded0 = libcrux_intrinsics_avx2_mm256_inserti128_si256( - (int32_t)1, coefficients_loaded, coefficients, __m256i); + libcrux_ml_kem_vector_avx2_serialize_mm256_si256_from_two_si128( + coefficients, coefficients); __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_shuffle_epi8( - coefficients_loaded0, + coefficients_loaded, libcrux_intrinsics_avx2_mm256_set_epi8( (int8_t)15, (int8_t)14, (int8_t)15, (int8_t)14, (int8_t)13, (int8_t)12, (int8_t)13, (int8_t)12, (int8_t)11, (int8_t)10, @@ -892,17 +937,17 @@ static inline __m256i libcrux_ml_kem_vector_avx2_deserialize_5_09( return libcrux_ml_kem_vector_avx2_serialize_deserialize_5(bytes); } +typedef struct core_core_arch_x86___m128i_x2_s { + __m128i fst; + __m128i snd; +} core_core_arch_x86___m128i_x2; + KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_10( - __m256i vector, uint8_t ret[20U]) { - uint8_t serialized[32U] = {0U}; - __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_madd_epi16( - vector, - libcrux_intrinsics_avx2_mm256_set_epi16( - (int16_t)1 << 10U, (int16_t)1, (int16_t)1 << 10U, (int16_t)1, - (int16_t)1 << 10U, (int16_t)1, (int16_t)1 << 10U, (int16_t)1, - (int16_t)1 << 10U, (int16_t)1, (int16_t)1 << 10U, (int16_t)1, - (int16_t)1 << 10U, (int16_t)1, (int16_t)1 << 10U, (int16_t)1)); +static inline core_core_arch_x86___m128i_x2 +libcrux_ml_kem_vector_avx2_serialize_serialize_10_serialize_10_vec( + __m256i vector) { + __m256i adjacent_2_combined = + libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(10U, vector); __m256i adjacent_4_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( adjacent_2_combined, libcrux_intrinsics_avx2_mm256_set_epi32( @@ -921,11 +966,24 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_10( (int8_t)3, (int8_t)2, (int8_t)1, (int8_t)0)); __m128i lower_8 = libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_8_combined); + __m128i upper_8 = libcrux_intrinsics_avx2_mm256_extracti128_si256( + (int32_t)1, adjacent_8_combined, __m128i); + return ( + CLITERAL(core_core_arch_x86___m128i_x2){.fst = lower_8, .snd = upper_8}); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_10( + __m256i vector, uint8_t ret[20U]) { + core_core_arch_x86___m128i_x2 uu____0 = + libcrux_ml_kem_vector_avx2_serialize_serialize_10_serialize_10_vec( + vector); + __m128i lower_8 = uu____0.fst; + __m128i upper_8 = uu____0.snd; + uint8_t serialized[32U] = {0U}; libcrux_intrinsics_avx2_mm_storeu_bytes_si128( Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), lower_8); - __m128i upper_8 = libcrux_intrinsics_avx2_mm256_extracti128_si256( - (int32_t)1, adjacent_8_combined, __m128i); libcrux_intrinsics_avx2_mm_storeu_bytes_si128( Eurydice_array_to_subslice2(serialized, (size_t)10U, (size_t)26U, uint8_t), @@ -952,37 +1010,46 @@ static inline void libcrux_ml_kem_vector_avx2_serialize_10_09( KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_10(Eurydice_slice bytes) { - __m256i shift_lsbs_to_msbs = libcrux_intrinsics_avx2_mm256_set_epi16( - (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U, - (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U, - (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U, - (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U); - __m128i lower_coefficients = libcrux_intrinsics_avx2_mm_loadu_si128( - Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)16U, uint8_t)); - __m128i lower_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( - lower_coefficients, +libcrux_ml_kem_vector_avx2_serialize_deserialize_10_deserialize_10_vec( + __m128i lower_coefficients0, __m128i upper_coefficients0) { + __m128i lower_coefficients = libcrux_intrinsics_avx2_mm_shuffle_epi8( + lower_coefficients0, libcrux_intrinsics_avx2_mm_set_epi8(9U, 8U, 8U, 7U, 7U, 6U, 6U, 5U, 4U, 3U, 3U, 2U, 2U, 1U, 1U, 0U)); - __m128i upper_coefficients = libcrux_intrinsics_avx2_mm_loadu_si128( - Eurydice_slice_subslice2(bytes, (size_t)4U, (size_t)20U, uint8_t)); - __m128i upper_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( - upper_coefficients, libcrux_intrinsics_avx2_mm_set_epi8( - 15U, 14U, 14U, 13U, 13U, 12U, 12U, 11U, 10U, 9U, - 9U, 8U, 8U, 7U, 7U, 6U)); + __m128i upper_coefficients = libcrux_intrinsics_avx2_mm_shuffle_epi8( + upper_coefficients0, libcrux_intrinsics_avx2_mm_set_epi8( + 15U, 14U, 14U, 13U, 13U, 12U, 12U, 11U, 10U, 9U, + 9U, 8U, 8U, 7U, 7U, 6U)); __m256i coefficients = - libcrux_intrinsics_avx2_mm256_castsi128_si256(lower_coefficients0); - __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_inserti128_si256( - (int32_t)1, coefficients, upper_coefficients0, __m256i); - __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_mullo_epi16( - coefficients0, shift_lsbs_to_msbs); - __m256i coefficients2 = libcrux_intrinsics_avx2_mm256_srli_epi16( - (int32_t)6, coefficients1, __m256i); + libcrux_ml_kem_vector_avx2_serialize_mm256_si256_from_two_si128( + lower_coefficients, upper_coefficients); + __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_mullo_epi16( + coefficients, libcrux_intrinsics_avx2_mm256_set_epi16( + (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, + (int16_t)1 << 6U, (int16_t)1 << 0U, (int16_t)1 << 2U, + (int16_t)1 << 4U, (int16_t)1 << 6U, (int16_t)1 << 0U, + (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U, + (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, + (int16_t)1 << 6U)); + __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_srli_epi16( + (int32_t)6, coefficients0, __m256i); return libcrux_intrinsics_avx2_mm256_and_si256( - coefficients2, libcrux_intrinsics_avx2_mm256_set1_epi16( + coefficients1, libcrux_intrinsics_avx2_mm256_set1_epi16( ((int16_t)1 << 10U) - (int16_t)1)); } +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_kem_vector_avx2_serialize_deserialize_10(Eurydice_slice bytes) { + Eurydice_slice lower_coefficients = + Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)16U, uint8_t); + Eurydice_slice upper_coefficients = + Eurydice_slice_subslice2(bytes, (size_t)4U, (size_t)20U, uint8_t); + return libcrux_ml_kem_vector_avx2_serialize_deserialize_10_deserialize_10_vec( + libcrux_intrinsics_avx2_mm_loadu_si128(lower_coefficients), + libcrux_intrinsics_avx2_mm_loadu_si128(upper_coefficients)); +} + /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} @@ -1039,16 +1106,11 @@ static inline __m256i libcrux_ml_kem_vector_avx2_deserialize_11_09( } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_12( - __m256i vector, uint8_t ret[24U]) { - uint8_t serialized[32U] = {0U}; - __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_madd_epi16( - vector, - libcrux_intrinsics_avx2_mm256_set_epi16( - (int16_t)1 << 12U, (int16_t)1, (int16_t)1 << 12U, (int16_t)1, - (int16_t)1 << 12U, (int16_t)1, (int16_t)1 << 12U, (int16_t)1, - (int16_t)1 << 12U, (int16_t)1, (int16_t)1 << 12U, (int16_t)1, - (int16_t)1 << 12U, (int16_t)1, (int16_t)1 << 12U, (int16_t)1)); +static KRML_MUSTINLINE core_core_arch_x86___m128i_x2 +libcrux_ml_kem_vector_avx2_serialize_serialize_12_serialize_12_vec( + __m256i vector) { + __m256i adjacent_2_combined = + libcrux_ml_kem_vector_avx2_serialize_mm256_concat_pairs_n(12U, vector); __m256i adjacent_4_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( adjacent_2_combined, libcrux_intrinsics_avx2_mm256_set_epi32( (int32_t)0, (int32_t)8, (int32_t)0, (int32_t)8, @@ -1068,6 +1130,19 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_12( libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_8_combined); __m128i upper_8 = libcrux_intrinsics_avx2_mm256_extracti128_si256( (int32_t)1, adjacent_8_combined, __m128i); + return ( + CLITERAL(core_core_arch_x86___m128i_x2){.fst = lower_8, .snd = upper_8}); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_12( + __m256i vector, uint8_t ret[24U]) { + uint8_t serialized[32U] = {0U}; + core_core_arch_x86___m128i_x2 uu____0 = + libcrux_ml_kem_vector_avx2_serialize_serialize_12_serialize_12_vec( + vector); + __m128i lower_8 = uu____0.fst; + __m128i upper_8 = uu____0.snd; libcrux_intrinsics_avx2_mm_storeu_bytes_si128( Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), lower_8); @@ -1097,37 +1172,45 @@ static inline void libcrux_ml_kem_vector_avx2_serialize_12_09( KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_serialize_deserialize_12(Eurydice_slice bytes) { - __m256i shift_lsbs_to_msbs = libcrux_intrinsics_avx2_mm256_set_epi16( - (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, - (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, - (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, - (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U); - __m128i lower_coefficients = libcrux_intrinsics_avx2_mm_loadu_si128( - Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)16U, uint8_t)); - __m128i lower_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( - lower_coefficients, +libcrux_ml_kem_vector_avx2_serialize_deserialize_12_deserialize_12_vec( + __m128i lower_coefficients0, __m128i upper_coefficients0) { + __m128i lower_coefficients = libcrux_intrinsics_avx2_mm_shuffle_epi8( + lower_coefficients0, libcrux_intrinsics_avx2_mm_set_epi8(11U, 10U, 10U, 9U, 8U, 7U, 7U, 6U, 5U, 4U, 4U, 3U, 2U, 1U, 1U, 0U)); - __m128i upper_coefficients = libcrux_intrinsics_avx2_mm_loadu_si128( - Eurydice_slice_subslice2(bytes, (size_t)8U, (size_t)24U, uint8_t)); - __m128i upper_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( - upper_coefficients, + __m128i upper_coefficients = libcrux_intrinsics_avx2_mm_shuffle_epi8( + upper_coefficients0, libcrux_intrinsics_avx2_mm_set_epi8(15U, 14U, 14U, 13U, 12U, 11U, 11U, 10U, 9U, 8U, 8U, 7U, 6U, 5U, 5U, 4U)); __m256i coefficients = - libcrux_intrinsics_avx2_mm256_castsi128_si256(lower_coefficients0); - __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_inserti128_si256( - (int32_t)1, coefficients, upper_coefficients0, __m256i); - __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_mullo_epi16( - coefficients0, shift_lsbs_to_msbs); - __m256i coefficients2 = libcrux_intrinsics_avx2_mm256_srli_epi16( - (int32_t)4, coefficients1, __m256i); + libcrux_ml_kem_vector_avx2_serialize_mm256_si256_from_two_si128( + lower_coefficients, upper_coefficients); + __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_mullo_epi16( + coefficients, libcrux_intrinsics_avx2_mm256_set_epi16( + (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, + (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, + (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, + (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U, + (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, + (int16_t)1 << 4U)); + __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_srli_epi16( + (int32_t)4, coefficients0, __m256i); return libcrux_intrinsics_avx2_mm256_and_si256( - coefficients2, libcrux_intrinsics_avx2_mm256_set1_epi16( + coefficients1, libcrux_intrinsics_avx2_mm256_set1_epi16( ((int16_t)1 << 12U) - (int16_t)1)); } +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_kem_vector_avx2_serialize_deserialize_12(Eurydice_slice bytes) { + __m128i lower_coefficients = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)16U, uint8_t)); + __m128i upper_coefficients = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_slice_subslice2(bytes, (size_t)8U, (size_t)24U, uint8_t)); + return libcrux_ml_kem_vector_avx2_serialize_deserialize_12_deserialize_12_vec( + lower_coefficients, upper_coefficients); +} + /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} @@ -1322,7 +1405,7 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_e6( +libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_53( __m256i vector) { __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); @@ -1374,9 +1457,9 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline __m256i -libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_09_a6( +libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_09_eb( __m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_e6( + return libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_53( vector); } @@ -1404,7 +1487,7 @@ libcrux_ml_kem_serialize_deserialize_then_decompress_10_86( serialized, i0 * (size_t)20U, i0 * (size_t)20U + (size_t)20U, uint8_t); __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_10_09(bytes); re.coefficients[i0] = - libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_09_a6( + libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_09_eb( coefficient); } return re; @@ -1418,7 +1501,7 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_e60( +libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_530( __m256i vector) { __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); @@ -1470,9 +1553,9 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline __m256i -libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_09_a60( +libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_09_eb0( __m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_e60( + return libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_530( vector); } @@ -1495,7 +1578,7 @@ libcrux_ml_kem_serialize_deserialize_then_decompress_11_6d( serialized, i0 * (size_t)22U, i0 * (size_t)22U + (size_t)22U, uint8_t); __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_11_09(bytes); re.coefficients[i0] = - libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_09_a60( + libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_09_eb0( coefficient); } return re; @@ -1741,7 +1824,7 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_e61( +libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_531( __m256i vector) { __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); @@ -1793,9 +1876,9 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline __m256i -libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_09_a61( +libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_09_eb1( __m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_e61( + return libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_531( vector); } @@ -1818,7 +1901,7 @@ libcrux_ml_kem_serialize_deserialize_then_decompress_4_c2( serialized, i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t); __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_4_09(bytes); re.coefficients[i0] = - libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_09_a61( + libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_09_eb1( coefficient); } return re; @@ -1832,7 +1915,7 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_e62( +libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_532( __m256i vector) { __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); @@ -1884,9 +1967,9 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline __m256i -libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_09_a62( +libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_09_eb2( __m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_e62( + return libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_532( vector); } @@ -1909,7 +1992,7 @@ libcrux_ml_kem_serialize_deserialize_then_decompress_5_1b( serialized, i0 * (size_t)10U, i0 * (size_t)10U + (size_t)10U, uint8_t); re.coefficients[i0] = libcrux_ml_kem_vector_avx2_deserialize_5_09(bytes); re.coefficients[i0] = - libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_09_a62( + libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_09_eb2( re.coefficients[i0]); } return re; @@ -3511,7 +3594,7 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_82( +libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_4f( __m256i vector) { __m256i field_modulus_halved = libcrux_intrinsics_avx2_mm256_set1_epi32( ((int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS - (int32_t)1) / @@ -3566,9 +3649,9 @@ with const generics - COEFFICIENT_BITS= 10 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_ml_kem_vector_avx2_compress_09_4e( +static inline __m256i libcrux_ml_kem_vector_avx2_compress_09_3e( __m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_82( + return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_4f( vector); } @@ -3586,7 +3669,7 @@ libcrux_ml_kem_serialize_compress_then_serialize_10_34( for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - __m256i coefficient = libcrux_ml_kem_vector_avx2_compress_09_4e( + __m256i coefficient = libcrux_ml_kem_vector_avx2_compress_09_3e( libcrux_ml_kem_serialize_to_unsigned_field_modulus_7b( re->coefficients[i0])); uint8_t bytes[20U]; @@ -3609,7 +3692,7 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_820( +libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_4f0( __m256i vector) { __m256i field_modulus_halved = libcrux_intrinsics_avx2_mm256_set1_epi32( ((int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS - (int32_t)1) / @@ -3664,9 +3747,9 @@ with const generics - COEFFICIENT_BITS= 11 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_ml_kem_vector_avx2_compress_09_4e0( +static inline __m256i libcrux_ml_kem_vector_avx2_compress_09_3e0( __m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_820( + return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_4f0( vector); } @@ -3684,7 +3767,7 @@ libcrux_ml_kem_serialize_compress_then_serialize_11_47( for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - __m256i coefficient = libcrux_ml_kem_vector_avx2_compress_09_4e0( + __m256i coefficient = libcrux_ml_kem_vector_avx2_compress_09_3e0( libcrux_ml_kem_vector_traits_to_unsigned_representative_3f( re->coefficients[i0])); uint8_t bytes[22U]; @@ -3754,7 +3837,7 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_821( +libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_4f1( __m256i vector) { __m256i field_modulus_halved = libcrux_intrinsics_avx2_mm256_set1_epi32( ((int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS - (int32_t)1) / @@ -3809,9 +3892,9 @@ with const generics - COEFFICIENT_BITS= 4 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_ml_kem_vector_avx2_compress_09_4e1( +static inline __m256i libcrux_ml_kem_vector_avx2_compress_09_3e1( __m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_821( + return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_4f1( vector); } @@ -3829,7 +3912,7 @@ libcrux_ml_kem_serialize_compress_then_serialize_4_c3( for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - __m256i coefficient = libcrux_ml_kem_vector_avx2_compress_09_4e1( + __m256i coefficient = libcrux_ml_kem_vector_avx2_compress_09_3e1( libcrux_ml_kem_serialize_to_unsigned_field_modulus_7b( re.coefficients[i0])); uint8_t bytes[8U]; @@ -3849,7 +3932,7 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_822( +libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_4f2( __m256i vector) { __m256i field_modulus_halved = libcrux_intrinsics_avx2_mm256_set1_epi32( ((int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS - (int32_t)1) / @@ -3904,9 +3987,9 @@ with const generics - COEFFICIENT_BITS= 5 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_ml_kem_vector_avx2_compress_09_4e2( +static inline __m256i libcrux_ml_kem_vector_avx2_compress_09_3e2( __m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_822( + return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_4f2( vector); } @@ -3924,7 +4007,7 @@ libcrux_ml_kem_serialize_compress_then_serialize_5_de( for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - __m256i coefficients = libcrux_ml_kem_vector_avx2_compress_09_4e2( + __m256i coefficients = libcrux_ml_kem_vector_avx2_compress_09_3e2( libcrux_ml_kem_vector_traits_to_unsigned_representative_3f( re.coefficients[i0])); uint8_t bytes[10U]; @@ -4210,7 +4293,7 @@ with const generics - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate_14( +static inline void libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate_0b( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { libcrux_ml_kem_ind_cca_decapsulate_1f(private_key, ciphertext, ret); @@ -4227,7 +4310,7 @@ KRML_ATTRIBUTE_TARGET("avx2") static inline void libcrux_ml_kem_mlkem768_avx2_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate_14(private_key, + libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate_0b(private_key, ciphertext, ret); } @@ -4360,7 +4443,7 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline tuple_3c -libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate_14( +libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate_71( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_types_MlKemPublicKey_15 *uu____0 = public_key; @@ -4385,7 +4468,7 @@ static inline tuple_3c libcrux_ml_kem_mlkem768_avx2_encapsulate( /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate_14( + return libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate_71( uu____0, copy_of_randomness); } @@ -4841,7 +4924,7 @@ libcrux_ml_kem.ind_cca.instantiations.avx2.generate_keypair with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair -libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_8b( +libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_20( uint8_t randomness[64U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[64U]; @@ -4858,7 +4941,7 @@ libcrux_ml_kem_mlkem768_avx2_generate_key_pair(uint8_t randomness[64U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[64U]; memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_8b( + return libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_20( copy_of_randomness); } @@ -5017,7 +5100,7 @@ libcrux_ml_kem.ind_cca.instantiations.avx2.kyber_decapsulate with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline void -libcrux_ml_kem_ind_cca_instantiations_avx2_kyber_decapsulate_7a( +libcrux_ml_kem_ind_cca_instantiations_avx2_kyber_decapsulate_02( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { libcrux_ml_kem_ind_cca_decapsulate_1f0(private_key, ciphertext, ret); @@ -5034,7 +5117,7 @@ KRML_ATTRIBUTE_TARGET("avx2") static inline void libcrux_ml_kem_mlkem768_avx2_kyber_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_instantiations_avx2_kyber_decapsulate_7a( + libcrux_ml_kem_ind_cca_instantiations_avx2_kyber_decapsulate_02( private_key, ciphertext, ret); } @@ -5152,7 +5235,7 @@ libcrux_ml_kem.ind_cca.instantiations.avx2.kyber_encapsulate with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline tuple_3c -libcrux_ml_kem_ind_cca_instantiations_avx2_kyber_encapsulate_ff( +libcrux_ml_kem_ind_cca_instantiations_avx2_kyber_encapsulate_7a( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_types_MlKemPublicKey_15 *uu____0 = public_key; @@ -5177,7 +5260,7 @@ static inline tuple_3c libcrux_ml_kem_mlkem768_avx2_kyber_encapsulate( /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_instantiations_avx2_kyber_encapsulate_ff( + return libcrux_ml_kem_ind_cca_instantiations_avx2_kyber_encapsulate_7a( uu____0, copy_of_randomness); } @@ -5362,7 +5445,7 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair -libcrux_ml_kem_ind_cca_instantiations_avx2_kyber_generate_keypair_a1( +libcrux_ml_kem_ind_cca_instantiations_avx2_kyber_generate_keypair_74( uint8_t randomness[64U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[64U]; @@ -5379,7 +5462,7 @@ libcrux_ml_kem_mlkem768_avx2_kyber_generate_key_pair(uint8_t randomness[64U]) { /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[64U]; memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_instantiations_avx2_kyber_generate_keypair_a1( + return libcrux_ml_kem_ind_cca_instantiations_avx2_kyber_generate_keypair_74( copy_of_randomness); } @@ -5418,7 +5501,7 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE bool -libcrux_ml_kem_ind_cca_instantiations_avx2_validate_private_key_01( +libcrux_ml_kem_ind_cca_instantiations_avx2_validate_private_key_4f( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext) { return libcrux_ml_kem_ind_cca_validate_private_key_3a(private_key, @@ -5434,7 +5517,7 @@ KRML_ATTRIBUTE_TARGET("avx2") static inline bool libcrux_ml_kem_mlkem768_avx2_validate_private_key( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext) { - return libcrux_ml_kem_ind_cca_instantiations_avx2_validate_private_key_01( + return libcrux_ml_kem_ind_cca_instantiations_avx2_validate_private_key_4f( private_key, ciphertext); } @@ -5510,7 +5593,7 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE bool -libcrux_ml_kem_ind_cca_instantiations_avx2_validate_public_key_59( +libcrux_ml_kem_ind_cca_instantiations_avx2_validate_public_key_a4( uint8_t *public_key) { return libcrux_ml_kem_ind_cca_validate_public_key_c0(public_key); } @@ -5523,7 +5606,7 @@ libcrux_ml_kem_ind_cca_instantiations_avx2_validate_public_key_59( KRML_ATTRIBUTE_TARGET("avx2") static inline bool libcrux_ml_kem_mlkem768_avx2_validate_public_key( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key) { - return libcrux_ml_kem_ind_cca_instantiations_avx2_validate_public_key_59( + return libcrux_ml_kem_ind_cca_instantiations_avx2_validate_public_key_a4( public_key->value); } @@ -5636,7 +5719,7 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline void -libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_decapsulate_44( +libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_decapsulate_e8( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { libcrux_ml_kem_ind_cca_unpacked_decapsulate_6a(key_pair, ciphertext, ret); @@ -5653,7 +5736,7 @@ KRML_ATTRIBUTE_TARGET("avx2") static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_decapsulate( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_decapsulate_44( + libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_decapsulate_e8( private_key, ciphertext, ret); } @@ -5748,7 +5831,7 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline tuple_3c -libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_encapsulate_71( +libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_encapsulate_89( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *uu____0 = @@ -5777,7 +5860,7 @@ static inline tuple_3c libcrux_ml_kem_mlkem768_avx2_unpacked_encapsulate( /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[32U]; memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_encapsulate_71( + return libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_encapsulate_89( uu____0, copy_of_randomness); } @@ -5934,7 +6017,7 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline void -libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_generate_keypair_00( +libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_generate_keypair_b7( uint8_t randomness[64U], libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *out) { /* Passing arrays by value in Rust generates a copy in C */ @@ -5953,7 +6036,7 @@ static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_generate_key_pair( /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_randomness[64U]; memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); - libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_generate_keypair_00( + libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_generate_keypair_b7( copy_of_randomness, key_pair); } @@ -5970,7 +6053,7 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 -libcrux_ml_kem_ind_cca_unpacked_default_1c_44(void) { +libcrux_ml_kem_ind_cca_unpacked_default_1c_9e(void) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 lit; lit.ind_cpa_public_key = libcrux_ml_kem_ind_cpa_unpacked_default_8d_89(); lit.public_key_hash[0U] = 0U; @@ -6022,7 +6105,7 @@ with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked - libcrux_ml_kem_ind_cca_unpacked_default_07_2c(void) { + libcrux_ml_kem_ind_cca_unpacked_default_07_e2(void) { libcrux_ml_kem_ind_cca_unpacked_MlKemPrivateKeyUnpacked_a0 uu____0; uu____0.ind_cpa_private_key = libcrux_ml_kem_ind_cpa_unpacked_default_1a_3c(); uu____0.implicit_rejection_value[0U] = 0U; @@ -6060,7 +6143,7 @@ static KRML_MUSTINLINE return ( CLITERAL(libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked){ .private_key = uu____0, - .public_key = libcrux_ml_kem_ind_cca_unpacked_default_1c_44()}); + .public_key = libcrux_ml_kem_ind_cca_unpacked_default_1c_9e()}); } /** @@ -6069,7 +6152,7 @@ static KRML_MUSTINLINE KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked libcrux_ml_kem_mlkem768_avx2_unpacked_init_key_pair(void) { - return libcrux_ml_kem_ind_cca_unpacked_default_07_2c(); + return libcrux_ml_kem_ind_cca_unpacked_default_07_e2(); } /** @@ -6078,7 +6161,7 @@ libcrux_ml_kem_mlkem768_avx2_unpacked_init_key_pair(void) { KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 libcrux_ml_kem_mlkem768_avx2_unpacked_init_public_key(void) { - return libcrux_ml_kem_ind_cca_unpacked_default_1c_44(); + return libcrux_ml_kem_ind_cca_unpacked_default_1c_9e(); } /** @@ -6099,7 +6182,7 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_dd_99( +libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_dd_92( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *self, libcrux_ml_kem_types_MlKemPublicKey_15 *serialized) { libcrux_ml_kem_ind_cpa_serialize_public_key_mut_6c( @@ -6127,10 +6210,10 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_de_39( +libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_de_a7( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *self, libcrux_ml_kem_types_MlKemPublicKey_15 *serialized) { - libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_dd_99( + libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_dd_92( &self->public_key, serialized); } @@ -6142,7 +6225,7 @@ static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_key_pair_serialized_public_key( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair, libcrux_ml_kem_types_MlKemPublicKey_15 *serialized) { - libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_de_39(key_pair, + libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_de_a7(key_pair, serialized); } @@ -6159,7 +6242,7 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 -libcrux_ml_kem_ind_cpa_unpacked_clone_ef_18( +libcrux_ml_kem_ind_cpa_unpacked_clone_ef_42( libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 *self) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____0[3U]; core_array___core__clone__Clone_for__Array_T__N___20__clone( @@ -6196,11 +6279,11 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 -libcrux_ml_kem_ind_cca_unpacked_clone_28_69( +libcrux_ml_kem_ind_cca_unpacked_clone_28_24( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *self) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 lit; lit.ind_cpa_public_key = - libcrux_ml_kem_ind_cpa_unpacked_clone_ef_18(&self->ind_cpa_public_key); + libcrux_ml_kem_ind_cpa_unpacked_clone_ef_42(&self->ind_cpa_public_key); uint8_t ret[32U]; core_array___core__clone__Clone_for__Array_T__N___20__clone( (size_t)32U, self->public_key_hash, ret, uint8_t, void *); @@ -6224,7 +6307,7 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 * -libcrux_ml_kem_ind_cca_unpacked_public_key_de_b9( +libcrux_ml_kem_ind_cca_unpacked_public_key_de_77( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *self) { return &self->public_key; } @@ -6237,8 +6320,8 @@ static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_public_key( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair, libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *pk) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 uu____0 = - libcrux_ml_kem_ind_cca_unpacked_clone_28_69( - libcrux_ml_kem_ind_cca_unpacked_public_key_de_b9(key_pair)); + libcrux_ml_kem_ind_cca_unpacked_clone_28_24( + libcrux_ml_kem_ind_cca_unpacked_public_key_de_77(key_pair)); pk[0U] = uu____0; } @@ -6249,7 +6332,7 @@ KRML_ATTRIBUTE_TARGET("avx2") static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_serialized_public_key( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *public_key, libcrux_ml_kem_types_MlKemPublicKey_15 *serialized) { - libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_dd_99(public_key, + libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_dd_92(public_key, serialized); } @@ -6314,7 +6397,7 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline void -libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_unpack_public_key_7f( +libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_unpack_public_key_d1( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key, libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *unpacked_public_key) { @@ -6330,7 +6413,7 @@ static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_unpacked_public_key( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key, libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *unpacked_public_key) { - libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_unpack_public_key_7f( + libcrux_ml_kem_ind_cca_instantiations_avx2_unpacked_unpack_public_key_d1( public_key, unpacked_public_key); } diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2_types.h b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2_types.h index 1e215bec0..a99ed2625 100644 --- a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2_types.h +++ b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2_types.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __libcrux_mlkem768_avx2_types_H diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h b/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h index 3d23894e4..2d7b89018 100644 --- a/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h +++ b/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __libcrux_mlkem768_portable_H @@ -6916,7 +6916,7 @@ with const generics - K= 3 */ static KRML_MUSTINLINE libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_f8 -libcrux_ml_kem_ind_cca_unpacked_default_1c_6e(void) { +libcrux_ml_kem_ind_cca_unpacked_default_1c_bd(void) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_f8 lit; lit.ind_cpa_public_key = libcrux_ml_kem_ind_cpa_unpacked_default_8d_d1(); lit.public_key_hash[0U] = 0U; @@ -6967,7 +6967,7 @@ with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked - libcrux_ml_kem_ind_cca_unpacked_default_07_35(void) { + libcrux_ml_kem_ind_cca_unpacked_default_07_db(void) { libcrux_ml_kem_ind_cca_unpacked_MlKemPrivateKeyUnpacked_f8 uu____0; uu____0.ind_cpa_private_key = libcrux_ml_kem_ind_cpa_unpacked_default_1a_e9(); uu____0.implicit_rejection_value[0U] = 0U; @@ -7005,7 +7005,7 @@ static KRML_MUSTINLINE return (CLITERAL( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked){ .private_key = uu____0, - .public_key = libcrux_ml_kem_ind_cca_unpacked_default_1c_6e()}); + .public_key = libcrux_ml_kem_ind_cca_unpacked_default_1c_bd()}); } /** @@ -7013,7 +7013,7 @@ static KRML_MUSTINLINE */ static inline libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked libcrux_ml_kem_mlkem768_portable_unpacked_init_key_pair(void) { - return libcrux_ml_kem_ind_cca_unpacked_default_07_35(); + return libcrux_ml_kem_ind_cca_unpacked_default_07_db(); } /** @@ -7021,7 +7021,7 @@ libcrux_ml_kem_mlkem768_portable_unpacked_init_key_pair(void) { */ static inline libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_f8 libcrux_ml_kem_mlkem768_portable_unpacked_init_public_key(void) { - return libcrux_ml_kem_ind_cca_unpacked_default_1c_6e(); + return libcrux_ml_kem_ind_cca_unpacked_default_1c_bd(); } /** @@ -7041,7 +7041,7 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - PUBLIC_KEY_SIZE= 1184 */ static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_dd_52( +libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_dd_a1( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_f8 *self, libcrux_ml_kem_types_MlKemPublicKey_15 *serialized) { libcrux_ml_kem_ind_cpa_serialize_public_key_mut_3c( @@ -7068,10 +7068,10 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - PUBLIC_KEY_SIZE= 1184 */ static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_de_e1( +libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_de_a4( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *self, libcrux_ml_kem_types_MlKemPublicKey_15 *serialized) { - libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_dd_52( + libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_dd_a1( &self->public_key, serialized); } @@ -7082,7 +7082,7 @@ static inline void libcrux_ml_kem_mlkem768_portable_unpacked_key_pair_serialized_public_key( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *key_pair, libcrux_ml_kem_types_MlKemPublicKey_15 *serialized) { - libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_de_e1(key_pair, + libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_de_a4(key_pair, serialized); } @@ -7098,7 +7098,7 @@ with const generics - K= 3 */ static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_f8 -libcrux_ml_kem_ind_cpa_unpacked_clone_ef_b5( +libcrux_ml_kem_ind_cpa_unpacked_clone_ef_59( libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_f8 *self) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____0[3U]; core_array___core__clone__Clone_for__Array_T__N___20__clone( @@ -7134,11 +7134,11 @@ with const generics - K= 3 */ static inline libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_f8 -libcrux_ml_kem_ind_cca_unpacked_clone_28_5f( +libcrux_ml_kem_ind_cca_unpacked_clone_28_d3( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_f8 *self) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_f8 lit; lit.ind_cpa_public_key = - libcrux_ml_kem_ind_cpa_unpacked_clone_ef_b5(&self->ind_cpa_public_key); + libcrux_ml_kem_ind_cpa_unpacked_clone_ef_59(&self->ind_cpa_public_key); uint8_t ret[32U]; core_array___core__clone__Clone_for__Array_T__N___20__clone( (size_t)32U, self->public_key_hash, ret, uint8_t, void *); @@ -7161,7 +7161,7 @@ with const generics - K= 3 */ static KRML_MUSTINLINE libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_f8 * -libcrux_ml_kem_ind_cca_unpacked_public_key_de_e7( +libcrux_ml_kem_ind_cca_unpacked_public_key_de_3d( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *self) { return &self->public_key; } @@ -7173,8 +7173,8 @@ static inline void libcrux_ml_kem_mlkem768_portable_unpacked_public_key( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *key_pair, libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_f8 *pk) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_f8 uu____0 = - libcrux_ml_kem_ind_cca_unpacked_clone_28_5f( - libcrux_ml_kem_ind_cca_unpacked_public_key_de_e7(key_pair)); + libcrux_ml_kem_ind_cca_unpacked_clone_28_d3( + libcrux_ml_kem_ind_cca_unpacked_public_key_de_3d(key_pair)); pk[0U] = uu____0; } @@ -7185,7 +7185,7 @@ static inline void libcrux_ml_kem_mlkem768_portable_unpacked_serialized_public_key( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_f8 *public_key, libcrux_ml_kem_types_MlKemPublicKey_15 *serialized) { - libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_dd_52(public_key, + libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_dd_a1(public_key, serialized); } diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_portable_types.h b/libcrux-ml-kem/cg/libcrux_mlkem768_portable_types.h index c283eae80..e305985cd 100644 --- a/libcrux-ml-kem/cg/libcrux_mlkem768_portable_types.h +++ b/libcrux-ml-kem/cg/libcrux_mlkem768_portable_types.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __libcrux_mlkem768_portable_types_H diff --git a/libcrux-ml-kem/cg/libcrux_sha3_avx2.h b/libcrux-ml-kem/cg/libcrux_sha3_avx2.h index 2e9dfdbc9..6cdf64314 100644 --- a/libcrux-ml-kem/cg/libcrux_sha3_avx2.h +++ b/libcrux-ml-kem/cg/libcrux_sha3_avx2.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __libcrux_sha3_avx2_H diff --git a/libcrux-ml-kem/cg/libcrux_sha3_portable.h b/libcrux-ml-kem/cg/libcrux_sha3_portable.h index cd92309a3..cfdd6e5d5 100644 --- a/libcrux-ml-kem/cg/libcrux_sha3_portable.h +++ b/libcrux-ml-kem/cg/libcrux_sha3_portable.h @@ -7,8 +7,8 @@ * Charon: 28d543bfacc902ba9cc2a734b76baae9583892a4 * Eurydice: 1a65dbf3758fe310833718c645a64266294a29ac * Karamel: 15d4bce74a2d43e34a64f48f8311b7d9bcb0e152 - * F*: 650b216aeb5901ec6f1c44ff275acd924e54bdbd - * Libcrux: b1ecb428c60dd375b8bdd05c258cd0e4d5f1fec1 + * F*: 3063d19312f8ec3af5945f24ed3ebbb6b6cd9678 + * Libcrux: a089e8609d2bf2df5c165076a79e3fd30dbf87cf */ #ifndef __libcrux_sha3_portable_H diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst index ac2d0d4c1..c6edc5b32 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst @@ -101,11 +101,12 @@ let barrett_reduce (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: i16)) in + let t512:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 512s + in + let _:Prims.unit = assert (forall i. get_lane t512 i == 512s) in let t1:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 t0 - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 512s - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 t0 t512 in let _:Prims.unit = assert (forall i. get_lane t1 i == get_lane t0 i +. 512s) in let quotient:Libcrux_intrinsics.Avx2_extract.t_Vec256 = diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst index 5ab43253f..d0c07fe84 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst @@ -11,6 +11,7 @@ let _ = () [@@"opaque_to_smt"] + let deserialize_1___deserialize_1_i16s (a b: i16) = let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 b b b b b b b b a a a a a a a a @@ -27,6 +28,7 @@ let deserialize_1___deserialize_1_i16s (a b: i16) = Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 15l coefficients_in_msb [@@"opaque_to_smt"] + let deserialize_1___deserialize_1_u8s (a b: u8) = deserialize_1___deserialize_1_i16s (cast (a <: u8) <: i16) (cast (b <: u8) <: i16) @@ -36,6 +38,7 @@ let deserialize_1_ (bytes: t_Slice u8) = deserialize_1___deserialize_1_u8s (bytes.[ sz 0 ] <: u8) (bytes.[ sz 1 ] <: u8) [@@"opaque_to_smt"] + let deserialize_4___deserialize_4_i16s (b0 b1 b2 b3 b4 b5 b6 b7: i16) = let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 b7 b7 b6 b6 b5 b5 b4 b4 b3 b3 b2 b2 b1 b1 b0 b0 @@ -59,6 +62,7 @@ let deserialize_4___deserialize_4_i16s (b0 b1 b2 b3 b4 b5 b6 b7: i16) = Libcrux_intrinsics.Avx2_extract.t_Vec256) [@@"opaque_to_smt"] + let deserialize_4___deserialize_4_u8s (b0 b1 b2 b3 b4 b5 b6 b7: u8) = deserialize_4___deserialize_4_i16s (cast (b0 <: u8) <: i16) (cast (b1 <: u8) <: i16) @@ -453,6 +457,7 @@ let serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = #pop-options [@@"opaque_to_smt"] + let deserialize_10___deserialize_10_vec (lower_coefficients0 upper_coefficients0: Libcrux_intrinsics.Avx2_extract.t_Vec128) = @@ -523,6 +528,7 @@ let deserialize_10_ (bytes: t_Slice u8) = Libcrux_intrinsics.Avx2_extract.t_Vec128) [@@"opaque_to_smt"] + let deserialize_12___deserialize_12_vec (lower_coefficients0 upper_coefficients0: Libcrux_intrinsics.Avx2_extract.t_Vec128) = diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst index 31c67d6b2..cbc90050c 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst @@ -3,7 +3,7 @@ module Libcrux_ml_kem.Vector.Traits open Core open FStar.Mul -#push-options "--z3rlimit 100" +#push-options "--z3rlimit 200 --split_queries always" let decompress_1_ (#v_T: Type0) diff --git a/libcrux-ml-kem/src/vector/avx2/arithmetic.rs b/libcrux-ml-kem/src/vector/avx2/arithmetic.rs index 11749144a..7f6d7e6b3 100644 --- a/libcrux-ml-kem/src/vector/avx2/arithmetic.rs +++ b/libcrux-ml-kem/src/vector/avx2/arithmetic.rs @@ -145,7 +145,9 @@ const BARRETT_MULTIPLIER: i16 = 20159; pub(crate) fn barrett_reduce(vector: Vec256) -> Vec256 { let t0 = mm256_mulhi_epi16(vector, mm256_set1_epi16(BARRETT_MULTIPLIER)); hax_lib::fstar!("assert (forall i. get_lane $t0 i == (cast (((cast (get_lane $vector i) <: i32) *. (cast v_BARRETT_MULTIPLIER <: i32)) >>! 16l) <: i16))"); - let t1 = mm256_add_epi16(t0, mm256_set1_epi16(512)); + let t512 = mm256_set1_epi16(512); + hax_lib::fstar!("assert (forall i. get_lane $t512 i == 512s)"); + let t1 = mm256_add_epi16(t0, t512); hax_lib::fstar!("assert (forall i. get_lane $t1 i == get_lane $t0 i +. 512s)"); let quotient = mm256_srai_epi16::<10>(t1); hax_lib::fstar!( diff --git a/libcrux-ml-kem/src/vector/traits.rs b/libcrux-ml-kem/src/vector/traits.rs index 3dd66ac97..438ab4dd4 100644 --- a/libcrux-ml-kem/src/vector/traits.rs +++ b/libcrux-ml-kem/src/vector/traits.rs @@ -235,7 +235,7 @@ pub fn to_unsigned_representative(a: T) -> T { T::add(a, &fm) } -#[hax_lib::fstar::options("--z3rlimit 100")] +#[hax_lib::fstar::options("--z3rlimit 200 --split_queries always")] #[hax_lib::requires(fstar!("forall i. let x = Seq.index (i1._super_8706949974463268012.f_repr ${vec}) i in (x == 0s \\/ x == 1s)"))] pub fn decompress_1(vec: T) -> T {