diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti index 2e260a6b..16d93fb1 100644 --- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti +++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti @@ -3,6 +3,8 @@ module Libcrux_intrinsics.Avx2_extract open Core open FStar.Mul +val mm256_movemask_ps (a: u8) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + unfold type t_Vec128 = bit_vec 128 val vec128_as_i16x8 (x: bit_vec 128) : t_Array i16 (sz 8) let get_lane128 (v: bit_vec 128) (i:nat{i < 8}) = Seq.index (vec128_as_i16x8 v) i @@ -11,6 +13,8 @@ unfold type t_Vec256 = bit_vec 256 val vec256_as_i16x16 (x: bit_vec 256) : t_Array i16 (sz 16) let get_lane (v: bit_vec 256) (i:nat{i < 16}) = Seq.index (vec256_as_i16x16 v) i +val mm256_abs_epi32 (a: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + val mm256_add_epi16 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True 
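Review bot: `mm256_movemask_ps` is declared over `a: u8`, and the `@@ -22,16 +26,30 @@` hunk declares `mm256_castsi256_ps` as returning `u8`, so a 256-bit float vector is modelled by an 8-bit type that has no relation to `t_Vec256`. If this is a deliberate stand-in for an unmodelled `__m256`, say so at the declaration, e.g. `(* __m256 is not modelled; u8 is an opaque placeholder, do not give these vals bit-level postconditions *)`, so nobody later writes an `ensures` that relates the cast result to its input bits. A dedicated abstract type for the float vector (name illustrative: `val t_Vec256Float : Type0`) would make the intent explicit and keep the two intrinsics typed consistently with each other.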
@@ -22,16 +26,30 @@ val mm256_add_epi16 (lhs rhs: t_Vec256) val mm256_add_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_add_epi64 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + val mm256_andnot_si256 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val mm256_blend_epi16 (v_CONTROL: i32) (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_blend_epi32 (v_CONTROL: i32) (lhs rhs: t_Vec256) + : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_bsrli_epi128 (v_SHIFT_BY: i32) (x: t_Vec256) + : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + val mm256_castsi128_si256 (vector: t_Vec128) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_castsi256_ps (a: t_Vec256) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_cmpeq_epi32 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + val mm256_cmpgt_epi16 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_cmpgt_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + val mm256_cvtepi16_epi32 (vector: t_Vec128) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) @@ -41,9 +59,14 @@ val mm256_inserti128_si256 (v_CONTROL: i32) (vector: t_Vec256) (vector_i128: t_V val mm256_loadu_si256_i16 (input: t_Slice i16) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_loadu_si256_i32 (input: t_Slice i32) + : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + val mm256_loadu_si256_u8 (input: t_Slice u8) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_mul_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + val mm256_mul_epu32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val mm256_mulhi_epi16 (lhs rhs: t_Vec256) 
@@ -59,6 +82,8 @@ val mm256_mulhi_epi16 (lhs rhs: t_Vec256) val mm256_mullo_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_or_si256 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + val mm256_packs_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val mm256_permute2x128_si256 (v_IMM8: i32) (a b: t_Vec256) @@ -75,8 +100,13 @@ val mm256_set1_epi64x (a: i64) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prim include BitVec.Intrinsics {mm256_set_epi32} +val mm256_set_epi64x (input3 input2 input1 input0: i64) + : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + include BitVec.Intrinsics {mm256_set_epi8} +val mm256_set_m128i (hi lo: t_Vec128) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + val mm256_setzero_si256: Prims.unit -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val mm256_shuffle_epi32 (v_CONTROL: i32) (vector: t_Vec256) @@ -84,6 +114,8 @@ val mm256_shuffle_epi32 (v_CONTROL: i32) (vector: t_Vec256) include BitVec.Intrinsics {mm256_shuffle_epi8} +val mm256_sign_epi32 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + val mm256_slli_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) 
@@ -107,8 +139,23 @@ val mm256_srai_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256) val mm256_srli_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_srlv_epi32 (vector counts: t_Vec256) + : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_srlv_epi64 (vector counts: t_Vec256) + : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + val mm256_storeu_si256_i16 (output: t_Slice i16) (vector: t_Vec256) - : Prims.Pure (t_Slice i16) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (t_Slice i16) + Prims.l_True + (ensures + fun output_future -> + let output_future:t_Slice i16 = output_future in + (Core.Slice.impl__len #i16 output_future <: usize) =. + (Core.Slice.impl__len #i16 output <: usize)) + +val mm256_storeu_si256_i32 (output: t_Slice i32) (vector: t_Vec256) + : Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True) val mm256_storeu_si256_u8 (output: t_Slice u8) (vector: t_Vec256) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) @@ -122,6 +169,10 @@ val mm256_sub_epi16 (lhs rhs: t_Vec256) vec256_as_i16x16 result == Spec.Utils.map2 ( -. ) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs)) +val mm256_sub_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_testz_si256 (lhs rhs: t_Vec256) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + val mm256_unpackhi_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) 
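Review bot: `mm256_storeu_si256_i32` is added with the trivial postcondition `(fun _ -> Prims.l_True)` right after `mm256_storeu_si256_i16` gains the `ensures` that the returned slice keeps the length of `output`, and the `@@ -174,20 +225,26 @@` hunk goes the other way, dropping that same length-preservation clause from `mm_storeu_si128` while introducing `mm_storeu_si128_i32` without it. Callers that index the slice after a store can only verify against the declarations that still carry the clause, so the four store intrinsics should agree. I would give each of them the same `ensures fun output_future -> (Core.Slice.impl__len #i32 output_future <: usize) =. (Core.Slice.impl__len #i32 output <: usize)` (with `i16` for the two i16 variants) rather than weakening `mm_storeu_si128`. If the removal is intentional because no caller of `mm_storeu_si128` needs it any more, a short comment at that declaration would stop the next reader from re-adding it.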
@@ -174,20 +225,26 @@ val mm_set1_epi16 (constant: i16) let result:t_Vec128 = result in vec128_as_i16x8 result == Spec.Utils.create (sz 8) constant) +val mm_set_epi32 (input3 input2 input1 input0: i32) + : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) + include BitVec.Intrinsics {mm_set_epi8} include BitVec.Intrinsics {mm_shuffle_epi8} +val mm_sllv_epi32 (vector counts: t_Vec128) + : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) + +val mm_srli_epi64 (v_SHIFT_BY: i32) (vector: t_Vec128) + : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) + include BitVec.Intrinsics {mm_storeu_bytes_si128} val mm_storeu_si128 (output: t_Slice i16) (vector: t_Vec128) - : Prims.Pure (t_Slice i16) - Prims.l_True - (ensures - fun output_future -> - let output_future:t_Slice i16 = output_future in - (Core.Slice.impl__len #i16 output_future <: usize) =. - (Core.Slice.impl__len #i16 output <: usize)) + : Prims.Pure (t_Slice i16) Prims.l_True (fun _ -> Prims.l_True) + +val mm_storeu_si128_i32 (output: t_Slice i32) (vector: t_Vec128) + : Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True) val mm_sub_epi16 (lhs rhs: t_Vec128) : Prims.Pure t_Vec128 @@ -198,6 +255,9 @@ val mm_sub_epi16 (lhs rhs: t_Vec128) vec128_as_i16x8 result == Spec.Utils.map2 ( -. ) (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs)) +val vec256_blendv_epi32 (a b mask: t_Vec256) + : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + include BitVec.Intrinsics {mm256_and_si256 as mm256_and_si256} val lemma_mm256_and_si256 lhs rhs : Lemma ( vec256_as_i16x16 (mm256_and_si256 lhs rhs) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst index 7a551b67..1bff5393 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst 
@@ -4,12 +4,43 @@ open Core open FStar.Mul let inz (value: u8) = + let v__orig_value:u8 = value in let value:u16 = cast (value <: u8) <: u16 in - let result:u16 = - ((value |. (Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) <: u16) >>! 8l <: u16) &. - 1us + let result:u8 = + cast ((Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) >>! 8l <: u16) <: u8 in - cast (result <: u16) <: u8 + let res:u8 = result &. 1uy in + let _:Prims.unit = + if v v__orig_value = 0 + then + (assert (value == zero); + lognot_lemma value; + assert ((~.value +. 1us) == zero); + assert ((Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) == zero); + logor_lemma value zero; + assert ((value |. (Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) <: u16) == + value); + assert (v result == v ((value >>! 8l))); + assert ((v value / pow2 8) == 0); + assert (result == 0uy); + logand_lemma 1uy result; + assert (res == 0uy)) + else + (assert (v value <> 0); + lognot_lemma value; + assert (v (~.value) = pow2 16 - 1 - v value); + assert (v (~.value) + 1 = pow2 16 - v value); + assert (v (value) <= pow2 8 - 1); + assert ((v (~.value) + 1) = (pow2 16 - pow2 8) + (pow2 8 - v value)); + assert ((v (~.value) + 1) = (pow2 8 - 1) * pow2 8 + (pow2 8 - v value)); + assert ((v (~.value) + 1) / pow2 8 = (pow2 8 - 1)); + assert (v ((Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) >>! 8l) = + pow2 8 - 1); + assert (result = ones); + logand_lemma 1uy result; + assert (res = 1uy)) + in + res let is_non_zero (value: u8) = Core.Hint.black_box #u8 (inz value <: u8) 
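Review bot: The `then` branch of the new `inz` proof still reasons about the old formula: `logor_lemma value zero`, the assertion that `value |. Core.Num.impl__u16__wrapping_add (~.value) 1us == value`, and `assert (v result == v (value >>! 8l))` all concern an OR that `result` no longer computes, now that it is `cast (Core.Num.impl__u16__wrapping_add (~.value) 1us >>! 8l) <: u8`. Those steps happen to hold when `value == 0` but document a computation that is not there, so I would drop them and keep `lognot_lemma value`, the two `assert (... == zero)` steps, `logand_lemma 1uy result` and the final `assert (res == 0uy)`. The arithmetic change itself appears to originate in the Rust source (this file is hax output); the removed `value |.` term was redundant because for a zero-extended `u8` the value `2^16 - value` already has high byte `0xFF` exactly when `value <> 0`, which is what the `else` branch establishes, so a one-line comment at the Rust definition would record why the simplification is safe.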
@@ -18,43 +49,143 @@ let compare (lhs rhs: t_Slice u8) = let r:u8 = Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #u8 lhs <: usize) - (fun r temp_1_ -> + (fun r i -> let r:u8 = r in - let _:usize = temp_1_ in - true) + let i:usize = i in + v i <= Seq.length lhs /\ + (if (Seq.slice lhs 0 (v i) = Seq.slice rhs 0 (v i)) then r == 0uy else ~(r == 0uy))) r (fun r i -> let r:u8 = r in let i:usize = i in - r |. ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8) <: u8) + let nr:u8 = r |. ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8) in + let _:Prims.unit = + if r =. 0uy + then + (if (Seq.index lhs (v i) = Seq.index rhs (v i)) + then + (logxor_lemma (Seq.index lhs (v i)) (Seq.index rhs (v i)); + assert (((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8) = zero); + logor_lemma r ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8); + assert (nr = r); + assert (forall j. Seq.index (Seq.slice lhs 0 (v i)) j == Seq.index lhs j); + assert (forall j. Seq.index (Seq.slice rhs 0 (v i)) j == Seq.index rhs j); + eq_intro (Seq.slice lhs 0 ((v i) + 1)) (Seq.slice rhs 0 ((v i) + 1))) + else + (logxor_lemma (Seq.index lhs (v i)) (Seq.index rhs (v i)); + assert (((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8) <> zero); + logor_lemma r ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8); + assert (v nr > 0); + assert (Seq.index (Seq.slice lhs 0 ((v i) + 1)) (v i) <> + Seq.index (Seq.slice rhs 0 ((v i) + 1)) (v i)); + assert (Seq.slice lhs 0 ((v i) + 1) <> Seq.slice rhs 0 ((v i) + 1)))) + else + (logor_lemma r ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8); + assert (v nr >= v r); + assert (Seq.slice lhs 0 (v i) <> Seq.slice rhs 0 (v i)); + if (Seq.slice lhs 0 ((v i) + 1) = Seq.slice rhs 0 ((v i) + 1)) + then + (assert (forall j. 
+ j < (v i) + 1 ==> + Seq.index (Seq.slice lhs 0 ((v i) + 1)) j == + Seq.index (Seq.slice rhs 0 ((v i) + 1)) j); + eq_intro (Seq.slice lhs 0 (v i)) (Seq.slice rhs 0 (v i)); + assert (False))) + in + let r:u8 = nr in + r) in is_non_zero r let compare_ciphertexts_in_constant_time (lhs rhs: t_Slice u8) = Core.Hint.black_box #u8 (compare lhs rhs <: u8) +#push-options "--ifuel 0 --z3rlimit 50" + let select_ct (lhs rhs: t_Slice u8) (selector: u8) = let mask:u8 = Core.Num.impl__u8__wrapping_sub (is_non_zero selector <: u8) 1uy in + let _:Prims.unit = + assert (if selector = 0uy then mask = ones else mask = zero); + lognot_lemma mask; + assert (if selector = 0uy then ~.mask = zero else ~.mask = ones) + in let out:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in let out:t_Array u8 (sz 32) = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE - (fun out temp_1_ -> + (fun out i -> let out:t_Array u8 (sz 32) = out in - let _:usize = temp_1_ in - true) + let i:usize = i in + v i <= v Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE /\ + (forall j. + j < v i ==> + (if (selector =. 0uy) + then Seq.index out j == Seq.index lhs j + else Seq.index out j == Seq.index rhs j)) /\ + (forall j. j >= v i ==> Seq.index out j == 0uy)) out (fun out i -> let out:t_Array u8 (sz 32) = out in let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out - i - (((lhs.[ i ] <: u8) &. mask <: u8) |. ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) <: u8) - <: - t_Array u8 (sz 32)) + let _:Prims.unit = assert ((out.[ i ] <: u8) = 0uy) in + let outi:u8 = + ((lhs.[ i ] <: u8) &. mask <: u8) |. ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) + in + let _:Prims.unit = + if (selector = 0uy) + then + (logand_lemma (lhs.[ i ] <: u8) mask; + assert (((lhs.[ i ] <: u8) &. mask <: u8) == (lhs.[ i ] <: u8)); + logand_lemma (rhs.[ i ] <: u8) (~.mask); + assert (((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) == zero); + logor_lemma ((lhs.[ i ] <: u8) &. 
mask <: u8) + ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8); + assert ((((lhs.[ i ] <: u8) &. mask <: u8) |. + ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) + <: + u8) == + (lhs.[ i ] <: u8)); + logor_lemma (out.[ i ] <: u8) (lhs.[ i ] <: u8); + assert (((out.[ i ] <: u8) |. + (((lhs.[ i ] <: u8) &. mask <: u8) |. + ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) + <: + u8) + <: + u8) == + (lhs.[ i ] <: u8)); + assert (outi = (lhs.[ i ] <: u8))) + else + (logand_lemma (lhs.[ i ] <: u8) mask; + assert (((lhs.[ i ] <: u8) &. mask <: u8) == zero); + logand_lemma (rhs.[ i ] <: u8) (~.mask); + assert (((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) == (rhs.[ i ] <: u8)); + logor_lemma (rhs.[ i ] <: u8) zero; + assert ((logor zero (rhs.[ i ] <: u8)) == (rhs.[ i ] <: u8)); + assert ((((lhs.[ i ] <: u8) &. mask <: u8) |. + ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8)) == + (rhs.[ i ] <: u8)); + logor_lemma (out.[ i ] <: u8) (rhs.[ i ] <: u8); + assert (((out.[ i ] <: u8) |. + (((lhs.[ i ] <: u8) &. mask <: u8) |. + ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) + <: + u8) + <: + u8) == + (rhs.[ i ] <: u8)); + assert (outi = (rhs.[ i ] <: u8))) + in + let out:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out i outi + in + out) in + let _:Prims.unit = if (selector =. 0uy) then (eq_intro out lhs) else (eq_intro out rhs) in out +#pop-options + let select_shared_secret_in_constant_time (lhs rhs: t_Slice u8) (selector: u8) = Core.Hint.black_box #(t_Array u8 (sz 32)) (select_ct lhs rhs selector <: t_Array u8 (sz 32)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti index a8ac4ec4..dc6fd2b4 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti 
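Review bot: In `select_ct` the loop-body proof reasons about an OR with `out.[ i ]` that the code does not perform: `outi` is `((lhs.[ i ] <: u8) &. mask <: u8) |. ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8)` with no `out` term, and `update_at_usize out i outi` overwrites the slot, yet both branches call `logor_lemma (out.[ i ] <: u8) ...` and assert that `(out.[ i ] |. (...)) == lhs.[ i ]` (respectively `rhs.[ i ]`). The preceding `assert ((out.[ i ] <: u8) = 0uy)` and the invariant conjunct `forall j. j >= v i ==> Seq.index out j == 0uy` exist only to feed that dead reasoning, so all of it can go, which shortens the invariant and may make the added `--z3rlimit 50` unnecessary. The body also tests `selector = 0uy` while the invariant and the closing `eq_intro` use `selector =. 0uy`; using one form throughout avoids an extra equality the solver must bridge. `compare`'s new invariant and body proof look consistent with each other and I have no change there.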
@@ -4,21 +4,39 @@ open Core open FStar.Mul /// Return 1 if `value` is not zero and 0 otherwise. -val inz (value: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) +val inz (value: u8) + : Prims.Pure u8 + Prims.l_True + (ensures + fun result -> + let result:u8 = result in + (value == 0uy ==> result == 0uy) /\ (value =!= 0uy ==> result == 1uy)) -val is_non_zero (value: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) +val is_non_zero (value: u8) + : Prims.Pure u8 + Prims.l_True + (ensures + fun result -> + let result:u8 = result in + (value == 0uy ==> result == 0uy) /\ (value =!= 0uy ==> result == 1uy)) /// Return 1 if the bytes of `lhs` and `rhs` do not exactly /// match and 0 otherwise. val compare (lhs rhs: t_Slice u8) : Prims.Pure u8 (requires (Core.Slice.impl__len #u8 lhs <: usize) =. (Core.Slice.impl__len #u8 rhs <: usize)) - (fun _ -> Prims.l_True) + (ensures + fun result -> + let result:u8 = result in + (lhs == rhs ==> result == 0uy) /\ (lhs =!= rhs ==> result == 1uy)) val compare_ciphertexts_in_constant_time (lhs rhs: t_Slice u8) : Prims.Pure u8 (requires (Core.Slice.impl__len #u8 lhs <: usize) =. (Core.Slice.impl__len #u8 rhs <: usize)) - (fun _ -> Prims.l_True) + (ensures + fun result -> + let result:u8 = result in + (lhs == rhs ==> result == 0uy) /\ (lhs =!= rhs ==> result == 1uy)) /// If `selector` is not zero, return the bytes in `rhs`; return the bytes in /// `lhs` otherwise. 
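Review bot: `is_non_zero` now carries the same functional postcondition as `inz` but, unlike `inz`, has no `///` comment, and neither postcondition says that the constant-time property is supplied separately by the `Core.Hint.black_box` wrapper in the `.fst` rather than by anything F* checks. I would add `/// Constant-time variant of `inz`: same result, routed through a black box as a best-effort barrier against compiler optimisation; the postcondition captures only the result, not timing.` above `val is_non_zero`, and a matching sentence on `compare_ciphertexts_in_constant_time`, which likewise has no doc comment in this hunk. Without that, a reader could take the new `ensures` clauses as the security argument, when they establish functional correctness only. Since this `.fsti` is hax output, the wording belongs in the Rust doc comments.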
@@ -27,14 +45,20 @@ val select_ct (lhs rhs: t_Slice u8) (selector: u8) (requires (Core.Slice.impl__len #u8 lhs <: usize) =. (Core.Slice.impl__len #u8 rhs <: usize) && (Core.Slice.impl__len #u8 lhs <: usize) =. Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE) - (fun _ -> Prims.l_True) + (ensures + fun result -> + let result:t_Array u8 (sz 32) = result in + (selector == 0uy ==> result == lhs) /\ (selector =!= 0uy ==> result == rhs)) val select_shared_secret_in_constant_time (lhs rhs: t_Slice u8) (selector: u8) : Prims.Pure (t_Array u8 (sz 32)) (requires (Core.Slice.impl__len #u8 lhs <: usize) =. (Core.Slice.impl__len #u8 rhs <: usize) && (Core.Slice.impl__len #u8 lhs <: usize) =. Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE) - (fun _ -> Prims.l_True) + (ensures + fun result -> + let result:t_Array u8 (sz 32) = result in + (selector == 0uy ==> result == lhs) /\ (selector =!= 0uy ==> result == rhs)) val compare_ciphertexts_select_shared_secret_in_constant_time (lhs_c rhs_c lhs_s rhs_s: t_Slice u8) : Prims.Pure (t_Array u8 (sz 32)) @@ -42,4 +66,8 @@ val compare_ciphertexts_select_shared_secret_in_constant_time (lhs_c rhs_c lhs_s (Core.Slice.impl__len #u8 lhs_c <: usize) =. (Core.Slice.impl__len #u8 rhs_c <: usize) && (Core.Slice.impl__len #u8 lhs_s <: usize) =. (Core.Slice.impl__len #u8 rhs_s <: usize) && (Core.Slice.impl__len #u8 lhs_s <: usize) =. Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE) - (fun _ -> Prims.l_True) + (ensures + fun result -> + let result:t_Array u8 (sz 32) = result in + let selector = if lhs_c =. rhs_c then 0uy else 1uy in + ((selector == 0uy ==> result == lhs_s) /\ (selector =!= 0uy ==> result == rhs_s))) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst index d20d346d..c5f3a6c6 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst 
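Review bot: The new postcondition of `compare_ciphertexts_select_shared_secret_in_constant_time` introduces `let selector = if lhs_c =. rhs_c then 0uy else 1uy in` and then cases on it, whereas the other `ensures` clauses in this file state their relation directly with propositional equality. Writing it as `(lhs_c == rhs_c ==> result == lhs_s) /\ (lhs_c =!= rhs_c ==> result == rhs_s)` matches `compare` and `select_ct`, avoids mixing decidable `=.` on slices with `==`, and is the shape a caller composing this with `compare`'s spec would expect. `select_shared_secret_in_constant_time` and this combined function are also the only declarations in the hunk without a `///` comment; the `/// If `selector` is not zero, return the bytes in `rhs`; return the bytes in `lhs` otherwise.` wording from `select_ct` fits both.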
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst @@ -8,11 +8,23 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Avx2 in - let open Libcrux_ml_kem.Ind_cca in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Avx2 in let open Libcrux_ml_kem.Vector.Traits in () +let validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + Libcrux_ml_kem.Ind_cca.validate_private_key v_K + v_SECRET_KEY_SIZE + v_CIPHERTEXT_SIZE + #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash + private_key + ciphertext + let decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) @@ -24,7 +36,7 @@ let decapsulate v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash - #Libcrux_ml_kem.Ind_cca.t_MlKem private_key ciphertext + #Libcrux_ml_kem.Variant.t_MlKem private_key ciphertext let encapsulate (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: 
@@ -36,7 +48,7 @@ let encapsulate v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash - #Libcrux_ml_kem.Ind_cca.t_MlKem public_key randomness + #Libcrux_ml_kem.Variant.t_MlKem public_key randomness let generate_keypair (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: @@ -46,7 +58,7 @@ let generate_keypair Libcrux_ml_kem.Ind_cca.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash - randomness + #Libcrux_ml_kem.Variant.t_MlKem randomness let validate_public_key (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) 
@@ -57,42 +69,3 @@ let validate_public_key v_PUBLIC_KEY_SIZE #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector public_key - -let encapsulate_unpacked - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate_unpacked v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE - v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 - v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector - #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash public_key randomness - -let decapsulate_unpacked - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - = - Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate_unpacked v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE - v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE - v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 - v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE - #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash - key_pair ciphertext - -let generate_keypair_unpacked - (v_K 
v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: - usize) - (randomness: t_Array u8 (sz 64)) - = - Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair_unpacked v_K v_CPA_PRIVATE_KEY_SIZE - v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE - #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash - randomness diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti index a56b7409..2d0031d3 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti 
@@ -8,11 +8,22 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Avx2 in - let open Libcrux_ml_kem.Ind_cca in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Avx2 in let open Libcrux_ml_kem.Vector.Traits in () +/// Portable private key validation +val validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure bool + (requires + Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ + v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) + (fun _ -> Prims.l_True) + /// Portable decapsulate val decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: 
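Review bot: The new doc comment `/// Portable private key validation` is attached to the AVX2 instantiation, and the `Neon.fsti` hunk at `@@ -8,11 +8,22 @@` carries the same wording, so both name the wrong backend; `/// AVX2 private key validation` and `/// NEON private key validation` would be accurate, and the neighbouring `/// Portable decapsulate` plus the removed `/// Portable encapsualte` show the copy-paste has been propagating. More substantively, `validate_private_key` returns `bool` with `(fun _ -> Prims.l_True)`: the `requires` pins the sizes but nothing states what `true` means, even though this is the decapsulation-side input check. The postcondition should relate the result to a spec-level predicate for the decapsulation-key hash check of FIPS 203 Decaps input validation, as `validate_public_key` (also `l_True` in the `@@ -80,34 +91,3 @@` context) ought to for the encapsulation key, or a comment should say the check is specified only at the `Libcrux_ml_kem.Ind_cca` level. As these `.fsti` files are hax output, the fix belongs in the Rust doc comments and `hax_lib` contracts.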
@@ -80,34 +91,3 @@ val validate_public_key v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) (fun _ -> Prims.l_True) - -/// Portable encapsualte -val encapsulate_unpacked - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Portable decapsulate -val decapsulate_unpacked - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -/// Unpacked API -val generate_keypair_unpacked - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: - usize) - (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst index 2434aff9..dca261dd 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst @@ -8,11 +8,23 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Neon in - let open Libcrux_ml_kem.Ind_cca in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Neon in let open Libcrux_ml_kem.Vector.Traits in () +let validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + Libcrux_ml_kem.Ind_cca.validate_private_key v_K + v_SECRET_KEY_SIZE + v_CIPHERTEXT_SIZE + #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash + private_key + ciphertext + let decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) @@ -24,7 +36,7 @@ let decapsulate v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Ind_cca.t_MlKem private_key + #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem private_key ciphertext let encapsulate 
@@ -37,7 +49,7 @@ let encapsulate v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Ind_cca.t_MlKem public_key + #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem public_key randomness let generate_keypair @@ -48,7 +60,7 @@ let generate_keypair Libcrux_ml_kem.Ind_cca.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash randomness + #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem randomness let validate_public_key (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) 
@@ -59,42 +71,3 @@ let validate_public_key v_PUBLIC_KEY_SIZE #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector public_key - -let encapsulate_unpacked - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate_unpacked v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE - v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 - v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash public_key randomness - -let decapsulate_unpacked - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - = - Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate_unpacked v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE - v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE - v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 - v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE - #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash 
key_pair ciphertext - -let generate_keypair_unpacked - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: - usize) - (randomness: t_Array u8 (sz 64)) - = - Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair_unpacked v_K v_CPA_PRIVATE_KEY_SIZE - v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE - #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash randomness diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti index ebed5369..e244a6ec 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti 
@@ -8,11 +8,22 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Neon in - let open Libcrux_ml_kem.Ind_cca in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Neon in let open Libcrux_ml_kem.Vector.Traits in () +/// Portable private key validation +val validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure bool + (requires + Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ + v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) + (fun _ -> Prims.l_True) + /// Portable decapsulate val decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: 
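Review bot: The doc comment on the new `validate_private_key` in the Neon instantiation reads `/// Portable private key validation`, which mislabels a Neon-specific entry point (the pre-existing "Portable decapsulate" label on the next val has the same defect, but this hunk introduces a new one). Since this `.fsti` is hax-extracted, the fix belongs in the Rust doc comment that generates it, e.g. `/// Neon private key validation`. The post-condition `(fun _ -> Prims.l_True)` also says nothing about what a `true` result guarantees; if a spec-level predicate for the private-key check exists, tying the returned boolean to it would make the precondition's size constraints more than a bounds guarantee.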
@@ -80,36 +91,3 @@ val validate_public_key v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) (fun _ -> Prims.l_True) - -/// Portable encapsualte -val encapsulate_unpacked - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Portable decapsulate -val decapsulate_unpacked - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -/// Unpacked API -val generate_keypair_unpacked - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: - usize) - (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - Prims.l_True - (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst index 7e5da18e..333f8fbb 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst @@ -8,11 +8,23 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Portable in - let open Libcrux_ml_kem.Ind_cca in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Portable in let open Libcrux_ml_kem.Vector.Traits in () +let validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + Libcrux_ml_kem.Ind_cca.validate_private_key v_K + v_SECRET_KEY_SIZE + v_CIPHERTEXT_SIZE + #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) + private_key + ciphertext + let decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) @@ -24,7 +36,7 @@ let decapsulate v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Ind_cca.t_MlKem + #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Variant.t_MlKem private_key ciphertext let encapsulate 
@@ -37,7 +49,7 @@ let encapsulate v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Ind_cca.t_MlKem + #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Variant.t_MlKem public_key randomness let generate_keypair @@ -48,7 +60,8 @@ let generate_keypair Libcrux_ml_kem.Ind_cca.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) randomness + #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Variant.t_MlKem + randomness let validate_public_key (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) 
@@ -59,42 +72,3 @@ let validate_public_key v_PUBLIC_KEY_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector public_key - -let encapsulate_unpacked - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate_unpacked v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE - v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 - v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) public_key randomness - -let decapsulate_unpacked - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - = - Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate_unpacked v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE - v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE - v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 - v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE - #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - 
#(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) key_pair ciphertext - -let generate_keypair_unpacked - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: - usize) - (randomness: t_Array u8 (sz 64)) - = - Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair_unpacked v_K v_CPA_PRIVATE_KEY_SIZE - v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE - #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) randomness diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti index 7dde6289..b62f5b8f 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti 
@@ -8,11 +8,22 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Portable in - let open Libcrux_ml_kem.Ind_cca in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Portable in let open Libcrux_ml_kem.Vector.Traits in () +/// Portable private key validation +val validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure bool + (requires + Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ + v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) + (fun _ -> Prims.l_True) + /// Portable decapsulate val decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: 
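Review bot: The new `validate_private_key` takes a `ciphertext` argument, but neither the doc comment nor the signature explains what role it plays in validating a private key, and the `.fst` side of this change only forwards both arguments to `Libcrux_ml_kem.Ind_cca.validate_private_key` together with the portable hasher. If, as the hasher argument suggests, this is the FIPS 203 decapsulation input check (recompute H of the embedded encapsulation key and compare it with the hash stored in the decapsulation key), then the ciphertext is presumably carried only for its size constraint and the comment should say so; if it is actually consulted, the comment should say what is compared. A suggested doc comment, to be placed in the Rust source that generates this file: `/// Portable private key validation: recomputes the hash of the embedded public key and compares it with the stored one; `ciphertext` is only used for ... — confirm`.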
@@ -80,36 +91,3 @@ val validate_public_key v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) (fun _ -> Prims.l_True) - -/// Portable encapsualte -val encapsulate_unpacked - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Portable decapsulate -val decapsulate_unpacked - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -/// Unpacked API -val generate_keypair_unpacked - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: - usize) - (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - Prims.l_True - (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst index 2ca3571c..2fbb2ea3 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst @@ -3,6 +3,26 @@ module Libcrux_ml_kem.Ind_cca.Multiplexing open Core open FStar.Mul +let validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_private_key v_K + v_SECRET_KEY_SIZE + v_CIPHERTEXT_SIZE + private_key + ciphertext + +let validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + public_key + let decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) 
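Review bot: The new multiplexed `validate_public_key` (and `validate_private_key`) unconditionally routes to `Libcrux_ml_kem.Ind_cca.Instantiations.Portable`, whereas the version it replaces (removed in the next hunk) dispatched on `simd256_support`/`simd128_support` exactly like `decapsulate` below it. Always validating with the portable code may well be intentional (validation is a one-off check rather than hot-path work), but the behavioural change is silent, so it deserves a comment in the Rust source that generates this file, e.g. `// Key validation always uses the portable implementation; it is not performance critical and its result must not depend on the vector backend.` That comment also records the assumption the change relies on: the portable hasher must compute exactly the same `H` as the SIMD hashers used by the platform-specific `decapsulate`, otherwise a key accepted here could be treated differently there.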
@@ -91,26 +111,3 @@ let generate_keypair v_ETA1 v_ETA1_RANDOMNESS_SIZE randomness - -let validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - = - if Libcrux_platform.Platform.simd256_support () - then - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key v_K - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - public_key - else - if Libcrux_platform.Platform.simd128_support () - then - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key v_K - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - public_key - else - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key v_K - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - public_key diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti index f74dd66e..4e231ea6 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti 
@@ -3,6 +3,26 @@ module Libcrux_ml_kem.Ind_cca.Multiplexing open Core open FStar.Mul +val validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure bool + (requires + Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ + v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) + (fun _ -> Prims.l_True) + +val validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure bool + (requires + Spec.MLKEM.is_rank v_K /\ + v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) + (fun _ -> Prims.l_True) + val decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) @@ -57,13 +77,3 @@ val generate_keypair v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K) (fun _ -> Prims.l_True) - -val validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) - (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst index 950cb476..6b2e8400 100644 
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst 
@@ -7,12 +7,63 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions in + let open Libcrux_ml_kem.Ind_cpa.Unpacked in let open Libcrux_ml_kem.Polynomial in let open Libcrux_ml_kem.Types in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Traits in () -let encapsulate_unpacked +let impl__serialized_public_key + (v_K: usize) + (#v_Vector: Type0) + (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (self: t_MlKemPublicKeyUnpacked v_K v_Vector) + = + Core.Convert.f_into #(t_Array u8 v_PUBLIC_KEY_SIZE) + #(Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_kem.Ind_cpa.serialize_public_key v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #v_Vector + self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + (self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: t_Slice u8) + <: + t_Array u8 v_PUBLIC_KEY_SIZE) + +let impl__serialized_public_key_mut + (v_K: usize) + (#v_Vector: Type0) + (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (self: t_MlKemPublicKeyUnpacked v_K v_Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE = + { + serialized with + Libcrux_ml_kem.Types.f_value + = + Libcrux_ml_kem.Ind_cpa.serialize_public_key_mut v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #v_Vector + self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + (self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: t_Slice u8) + 
serialized.Libcrux_ml_kem.Types.f_value + } + <: + Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE + in + serialized + +let encapsulate (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) (#v_Vector #v_Hasher: Type0) 
@@ -72,7 +123,194 @@ let encapsulate_unpacked <: (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) -let decapsulate_unpacked +let unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#v_Hasher #v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: t_MlKemPublicKeyUnpacked v_K v_Vector) + = + let unpacked_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector = + { + unpacked_public_key with + f_ind_cpa_public_key + = + { + unpacked_public_key.f_ind_cpa_public_key with + Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + = + Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_K + #v_Vector + (public_key.Libcrux_ml_kem.Types.f_value.[ { + Core.Ops.Range.f_end = v_T_AS_NTT_ENCODED_SIZE + } + <: + Core.Ops.Range.t_RangeTo usize ] + <: + t_Slice u8) + unpacked_public_key.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + } + <: + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector + } + <: + t_MlKemPublicKeyUnpacked v_K v_Vector + in + let unpacked_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector = + { + unpacked_public_key with + f_ind_cpa_public_key + = + { + unpacked_public_key.f_ind_cpa_public_key with + Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A + = + Libcrux_ml_kem.Utils.into_padded_array (sz 32) + (public_key.Libcrux_ml_kem.Types.f_value.[ { + Core.Ops.Range.f_start = v_T_AS_NTT_ENCODED_SIZE + } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + } + <: + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector + } + <: + t_MlKemPublicKeyUnpacked v_K v_Vector + in + let unpacked_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector = + { + unpacked_public_key 
with + f_ind_cpa_public_key + = + { + unpacked_public_key.f_ind_cpa_public_key with + Libcrux_ml_kem.Ind_cpa.Unpacked.f_A + = + Libcrux_ml_kem.Matrix.sample_matrix_A v_K + #v_Vector + #v_Hasher + unpacked_public_key.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A + (Libcrux_ml_kem.Utils.into_padded_array (sz 34) + (public_key.Libcrux_ml_kem.Types.f_value.[ { + Core.Ops.Range.f_start = v_T_AS_NTT_ENCODED_SIZE + } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + <: + t_Array u8 (sz 34)) + false + } + <: + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector + } + <: + t_MlKemPublicKeyUnpacked v_K v_Vector + in + let unpacked_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector = + { + unpacked_public_key with + f_public_key_hash + = + Libcrux_ml_kem.Hash_functions.f_H #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) + } + <: + t_MlKemPublicKeyUnpacked v_K v_Vector + in + unpacked_public_key + +let impl_2__private_key + (v_K: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + = self.f_private_key + +let impl_2__public_key + (v_K: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + = self.f_public_key + +let impl_2__serialized_private_key + (v_K: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not yet implemented" + <: + Rust_primitives.Hax.t_Never) + +let impl_2__serialized_public_key + (v_K: usize) + (#v_Vector: Type0) + (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + 
(#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + = + impl__serialized_public_key v_K + #v_Vector + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + self.f_public_key + +let impl_2__serialized_public_key_mut + (v_K: usize) + (#v_Vector: Type0) + (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + = + let hax_temp_output, serialized:(Prims.unit & + Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) = + (), + impl__serialized_public_key_mut v_K + #v_Vector + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + self.f_public_key + serialized + <: + (Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + in + serialized + +let impl_2__new + (v_K: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (_: Prims.unit) + = + Core.Default.f_default #(t_MlKemKeyPairUnpacked v_K v_Vector) #FStar.Tactics.Typeclasses.solve () + +let decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) (#v_Vector #v_Hasher: Type0) 
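Review bot: `impl_2__serialized_private_key` is a public accessor whose entire body is `Core.Panicking.panic "not yet implemented"`, so any caller that reaches it aborts the process; in a KEM library that is a crash/DoS surface rather than an error the caller can handle. Its interface doc (`/// Get the serialized private key.`) gives no hint of this, so at minimum the Rust doc comment should carry `/// # Panics` / `/// Not yet implemented; always panics.` until the serialization exists, or the method should stay out of the public surface until it does. Separately, `unpack_public_key` deserialises `public_key`, samples `A` from its seed and hashes it without calling `validate_public_key`; if callers are expected to validate first, its doc comment should say so, because the unpacked result is then used for encapsulation with no further check visible in this hunk.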
@@ -176,17 +414,19 @@ let decapsulate_unpacked (implicit_rejection_shared_secret <: t_Slice u8) selector -let generate_keypair_unpacked +let generate_keypair (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (#v_Vector #v_Hasher: Type0) + (#v_Vector #v_Hasher #v_Scheme: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: + i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: + i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme) (randomness: t_Array u8 (sz 64)) + (out: t_MlKemKeyPairUnpacked v_K v_Vector) = let ind_cpa_keypair_randomness:t_Slice u8 = randomness.[ { 
@@ -203,16 +443,41 @@ let generate_keypair_unpacked <: Core.Ops.Range.t_RangeFrom usize ] in - let ind_cpa_private_key, ind_cpa_public_key:(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked - v_K v_Vector & + let tmp0, tmp1:(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector & Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) = Libcrux_ml_kem.Ind_cpa.generate_keypair_unpacked v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE #v_Vector #v_Hasher + #v_Scheme ind_cpa_keypair_randomness + out.f_private_key.f_ind_cpa_private_key + out.f_public_key.f_ind_cpa_public_key in + let out:t_MlKemKeyPairUnpacked v_K v_Vector = + { + out with + f_private_key + = + { out.f_private_key with f_ind_cpa_private_key = tmp0 } + <: + t_MlKemPrivateKeyUnpacked v_K v_Vector + } + <: + t_MlKemKeyPairUnpacked v_K v_Vector + in + let out:t_MlKemKeyPairUnpacked v_K v_Vector = + { + out with + f_public_key + = + { out.f_public_key with f_ind_cpa_public_key = tmp1 } <: t_MlKemPublicKeyUnpacked v_K v_Vector + } + <: + t_MlKemKeyPairUnpacked v_K v_Vector + in + let _:Prims.unit = () in let v_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = Core.Array.from_fn #(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K @@ -222,7 +487,7 @@ let generate_keypair_unpacked v_K (fun v__j -> let v__j:usize = v__j in - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) <: @@ -270,7 +535,8 @@ let generate_keypair_unpacked (Core.Clone.f_clone #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) #FStar.Tactics.Typeclasses.solve - ((ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A.[ j ] + ((out.f_public_key.f_ind_cpa_public_key + .Libcrux_ml_kem.Ind_cpa.Unpacked.f_A.[ j ] <: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K).[ i ] 
@@ -286,49 +552,77 @@ let generate_keypair_unpacked <: t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) in - let ind_cpa_public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = - { ind_cpa_public_key with Libcrux_ml_kem.Ind_cpa.Unpacked.f_A = v_A } + let out:t_MlKemKeyPairUnpacked v_K v_Vector = + { + out with + f_public_key + = + { + out.f_public_key with + f_ind_cpa_public_key + = + { out.f_public_key.f_ind_cpa_public_key with Libcrux_ml_kem.Ind_cpa.Unpacked.f_A = v_A } + <: + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector + } + <: + t_MlKemPublicKeyUnpacked v_K v_Vector + } <: - Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector + t_MlKemKeyPairUnpacked v_K v_Vector in let pk_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = Libcrux_ml_kem.Ind_cpa.serialize_public_key v_K v_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE #v_Vector - ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt - (ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: t_Slice u8) - in - let public_key_hash:t_Array u8 (sz 32) = - Libcrux_ml_kem.Hash_functions.f_H #v_Hasher - #v_K - #FStar.Tactics.Typeclasses.solve - (pk_serialized <: t_Slice u8) - in - let (implicit_rejection_value: t_Array u8 (sz 32)):t_Array u8 (sz 32) = - Core.Result.impl__unwrap #(t_Array u8 (sz 32)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (sz 32)) - #FStar.Tactics.Typeclasses.solve - implicit_rejection_value + out.f_public_key.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + (out.f_public_key.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: - Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError) + t_Slice u8) in - { - f_private_key - = + let out:t_MlKemKeyPairUnpacked v_K v_Vector = { - f_ind_cpa_private_key = ind_cpa_private_key; - f_implicit_rejection_value = implicit_rejection_value + out with + 
f_public_key + = + { + out.f_public_key with + f_public_key_hash + = + Libcrux_ml_kem.Hash_functions.f_H #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + (pk_serialized <: t_Slice u8) + } + <: + t_MlKemPublicKeyUnpacked v_K v_Vector } <: - t_MlKemPrivateKeyUnpacked v_K v_Vector; - f_public_key - = - { f_ind_cpa_public_key = ind_cpa_public_key; f_public_key_hash = public_key_hash } + t_MlKemKeyPairUnpacked v_K v_Vector + in + let out:t_MlKemKeyPairUnpacked v_K v_Vector = + { + out with + f_private_key + = + { + out.f_private_key with + f_implicit_rejection_value + = + Core.Result.impl__unwrap #(t_Array u8 (sz 32)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 32)) + #FStar.Tactics.Typeclasses.solve + implicit_rejection_value + <: + Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError) + } + <: + t_MlKemPrivateKeyUnpacked v_K v_Vector + } <: - t_MlKemPublicKeyUnpacked v_K v_Vector - } - <: - t_MlKemKeyPairUnpacked v_K v_Vector + t_MlKemKeyPairUnpacked v_K v_Vector + in + out diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti index 2e16c3c1..b31715e2 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti @@ -7,8 +7,10 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions in + let open Libcrux_ml_kem.Ind_cpa.Unpacked in let open Libcrux_ml_kem.Polynomial in let open Libcrux_ml_kem.Types in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Traits in () 
@@ -28,7 +30,57 @@ type t_MlKemPublicKeyUnpacked f_public_key_hash:t_Array u8 (sz 32) } -val encapsulate_unpacked +/// Get the serialized public key. +val impl__serialized_public_key + (v_K: usize) + (#v_Vector: Type0) + (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self: t_MlKemPublicKeyUnpacked v_K v_Vector) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val impl__serialized_public_key_mut + (v_K: usize) + (#v_Vector: Type0) + (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self: t_MlKemPublicKeyUnpacked v_K v_Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_1 + (v_K: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + : Core.Default.t_Default (t_MlKemPublicKeyUnpacked v_K v_Vector) = + { + f_default_pre = (fun (_: Prims.unit) -> true); + f_default_post = (fun (_: Prims.unit) (out: t_MlKemPublicKeyUnpacked v_K v_Vector) -> true); + f_default + = + fun (_: Prims.unit) -> + { + f_ind_cpa_public_key + = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K + v_Vector) + #FStar.Tactics.Typeclasses.solve + (); + f_public_key_hash = Rust_primitives.Hax.repeat 0uy (sz 32) + } + <: + t_MlKemPublicKeyUnpacked v_K v_Vector + } + +val encapsulate (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) (#v_Vector #v_Hasher: Type0) 
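Review bot: The `Core.Default.t_Default` instance for `t_MlKemPublicKeyUnpacked` fills `f_public_key_hash` with 32 zero bytes and `f_ind_cpa_public_key` with its own default, so a default-constructed value is a placeholder whose stored hash corresponds to no real public key, and nothing in the type or its docs distinguishes it from a key produced by `unpack_public_key`. A doc comment on the Rust `Default` impl such as `/// Placeholder value: all fields, including `public_key_hash`, are zero and must be filled by `unpack_public_key` or key generation before use.` would make that explicit. Also, `impl__serialized_public_key` and `impl__serialized_public_key_mut` carry the identical doc `/// Get the serialized public key.`; the `_mut` variant writes into its `serialized` argument, so `/// Serialize the public key into `serialized`.` would tell readers which one to pick.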
@@ -40,6 +92,16 @@ val encapsulate_unpacked Prims.l_True (fun _ -> Prims.l_True) +/// Generate an unpacked key from a serialized key. +val unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#v_Hasher #v_Vector: Type0) + {| i2: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: t_MlKemPublicKeyUnpacked v_K v_Vector) + : Prims.Pure (t_MlKemPublicKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) + /// An unpacked ML-KEM KeyPair type t_MlKemKeyPairUnpacked (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} 
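Review bot: `unpack_public_key` accepts a serialized `public_key` under a trivially true precondition and, as far as this hunk shows, performs no input validation of its own, whereas `validate_public_key` in Libcrux_ml_kem.Ind_cca.fsti requires `Spec.MLKEM.is_rank v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K`. The doc comment should state the expectation explicitly, e.g. `/// Generate an unpacked key from a serialized key.` followed by `/// The key is not checked here; run validate_public_key (FIPS 203 7.2 modulus check) first.`. A matching `requires` tying `v_PUBLIC_KEY_SIZE` and `v_T_AS_NTT_ENCODED_SIZE` to `v_K` would also let the verifier discharge slice bounds inside the body rather than leaving them to callers — assuming the body indexes the key by those sizes, which is not visible here.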
@@ -48,7 +110,100 @@ type t_MlKemKeyPairUnpacked f_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector } -val decapsulate_unpacked +/// Get the serialized public key. +val impl_2__private_key + (v_K: usize) + (#v_Vector: Type0) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + : Prims.Pure (t_MlKemPrivateKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val impl_2__public_key + (v_K: usize) + (#v_Vector: Type0) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + : Prims.Pure (t_MlKemPublicKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the serialized private key. +val impl_2__serialized_private_key + (v_K: usize) + (#v_Vector: Type0) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey v_K) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val impl_2__serialized_public_key + (v_K: usize) + (#v_Vector: Type0) + (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. 
+val impl_2__serialized_public_key_mut + (v_K: usize) + (#v_Vector: Type0) + (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_3 + (v_K: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + : Core.Default.t_Default (t_MlKemKeyPairUnpacked v_K v_Vector) = + { + f_default_pre = (fun (_: Prims.unit) -> true); + f_default_post = (fun (_: Prims.unit) (out: t_MlKemKeyPairUnpacked v_K v_Vector) -> true); + f_default + = + fun (_: Prims.unit) -> + { + f_private_key + = + { + f_ind_cpa_private_key + = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K + v_Vector) + #FStar.Tactics.Typeclasses.solve + (); + f_implicit_rejection_value = Rust_primitives.Hax.repeat 0uy (sz 32) + } + <: + t_MlKemPrivateKeyUnpacked v_K v_Vector; + f_public_key + = + Core.Default.f_default #(t_MlKemPublicKeyUnpacked v_K v_Vector) + #FStar.Tactics.Typeclasses.solve + () + } + <: + t_MlKemKeyPairUnpacked v_K v_Vector + } + +/// Create a new empty unpacked key pair. 
+val impl_2__new: + v_K: usize -> + #v_Vector: Type0 -> + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} -> + Prims.unit + -> Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) + +val decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) (#v_Vector #v_Hasher: Type0) @@ -58,11 +213,14 @@ val decapsulate_unpacked (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val generate_keypair_unpacked +/// Generate Unpacked Keys +val generate_keypair (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (#v_Vector #v_Hasher: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (#v_Vector #v_Hasher #v_Scheme: Type0) + {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |} (randomness: t_Array u8 (sz 64)) + (out: t_MlKemKeyPairUnpacked v_K v_Vector) : Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst index 81254988..1a64404c 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst 
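Review bot: The doc comments on `impl_2__private_key` and `impl_2__public_key` both read `/// Get the serialized public key.`, but the first returns `t_MlKemPrivateKeyUnpacked v_K v_Vector` and the second `t_MlKemPublicKeyUnpacked v_K v_Vector` — neither is serialized and one is the private half. Describing a private-key accessor as a public-key getter is exactly the comment that gets copied into call sites, so they should read `/// Get the unpacked private key.` and `/// Get the unpacked public key.` respectively. `impl_2__serialized_public_key_mut` reuses the same text although it writes into and returns `serialized`; `/// Serialize the public key into the provided buffer.` would distinguish it from the allocating variant. Since these files are extracted, the fix presumably belongs in the Rust doc comments they are generated from.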
@@ -8,6 +8,7 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Types in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Traits in () @@ -170,7 +171,7 @@ let validate_public_key (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) = let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_K + Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced_out v_K #v_Vector (public_key.[ { Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT } <: @@ -192,7 +193,37 @@ let validate_public_key in public_key =. public_key_serialized -#push-options "--admit_smt_queries true" +let validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) + (#v_Hasher: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (v__ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + let t:t_Array u8 (sz 32) = + Libcrux_ml_kem.Hash_functions.f_H #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + (private_key.Libcrux_ml_kem.Types.f_value.[ { + Core.Ops.Range.f_start = sz 384 *! v_K <: usize; + Core.Ops.Range.f_end = (sz 768 *! v_K <: usize) +! sz 32 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + in + let expected:t_Slice u8 = + private_key.Libcrux_ml_kem.Types.f_value.[ { + Core.Ops.Range.f_start = (sz 768 *! v_K <: usize) +! sz 32 <: usize; + Core.Ops.Range.f_end = (sz 768 *! v_K <: usize) +! sz 64 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + in + t =. expected #push-options "--z3rlimit 500" 
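Review bot: `validate_private_key` slices the key with bare arithmetic — `sz 384 *! v_K` to `(sz 768 *! v_K) +! sz 32` for the hashed region and `+! sz 32`/`+! sz 64` for the stored hash — and nothing in the hunk ties those offsets to the decapsulation-key layout they encode. A one-line comment above the `let t` binding, e.g. `(* dk = dk_PKE (384k) ‖ ek (384k+32) ‖ H(ek) (32) ‖ z (32): hash bytes [384k, 768k+32) and compare with [768k+32, 768k+64) *)`, would let a reviewer check the ranges without recomputing them. The same layout is already written down in `serialize_kem_secret_key`'s postcondition in Libcrux_ml_kem.Ind_cca.fsti (`Seq.append public_key (Seq.append (Spec.Utils.v_H public_key) implicit_rejection_value)`), so an `ensures` relating the boolean result to that spec would be natural; the body currently only returns `t =. expected`.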
@@ -206,10 +237,14 @@ let decapsulate (#[FStar.Tactics.Typeclasses.tcresolve ()] i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: t_Variant v_Scheme) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) = + let _:Prims.unit = + assert (v v_CIPHERTEXT_SIZE == + v v_IMPLICIT_REJECTION_HASH_INPUT_SIZE - v Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE) + in let ind_cpa_secret_key, secret_key:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at #u8 (private_key.Libcrux_ml_kem.Types.f_value <: t_Slice u8) @@ -221,6 +256,20 @@ let decapsulate let ind_cpa_public_key_hash, implicit_rejection_value:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at #u8 secret_key Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE in + let _:Prims.unit = + assert (ind_cpa_secret_key == slice private_key.f_value (sz 0) v_CPA_SECRET_KEY_SIZE); + assert (ind_cpa_public_key == + slice private_key.f_value v_CPA_SECRET_KEY_SIZE (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE) + ); + assert (ind_cpa_public_key_hash == + slice private_key.f_value + (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE) + (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE +! Spec.MLKEM.v_H_DIGEST_SIZE)); + assert (implicit_rejection_value == + slice private_key.f_value + (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE +! Spec.MLKEM.v_H_DIGEST_SIZE) + (length private_key.f_value)) + in let decrypted:t_Array u8 (sz 32) = Libcrux_ml_kem.Ind_cpa.decrypt v_K v_CIPHERTEXT_SIZE 
@@ -234,6 +283,7 @@ let decapsulate let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = Libcrux_ml_kem.Utils.into_padded_array (sz 64) (decrypted <: t_Slice u8) in + let _:Prims.unit = eq_intro (Seq.slice to_hash 0 32) decrypted in let to_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE } @@ -249,6 +299,11 @@ let decapsulate <: t_Slice u8) in + let _:Prims.unit = + lemma_slice_append to_hash decrypted ind_cpa_public_key_hash; + assert (decrypted == Spec.MLKEM.ind_cpa_decrypt v_K ind_cpa_secret_key ciphertext.f_value); + assert (to_hash == concat decrypted ind_cpa_public_key_hash) + in let hashed:t_Array u8 (sz 64) = Libcrux_ml_kem.Hash_functions.f_G #v_Hasher #v_K @@ -260,11 +315,21 @@ let decapsulate (hashed <: t_Slice u8) Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE in + let _:Prims.unit = + assert ((shared_secret, pseudorandomness) == + split hashed Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE); + assert (length implicit_rejection_value = + v_SECRET_KEY_SIZE -! v_CPA_SECRET_KEY_SIZE -! v_PUBLIC_KEY_SIZE -! + Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE); + assert (length implicit_rejection_value = Spec.MLKEM.v_SHARED_SECRET_SIZE); + assert (Spec.MLKEM.v_SHARED_SECRET_SIZE <=. Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) + in let (to_hash: t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE):t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE = Libcrux_ml_kem.Utils.into_padded_array v_IMPLICIT_REJECTION_HASH_INPUT_SIZE implicit_rejection_value in + let _:Prims.unit = eq_intro (Seq.slice to_hash 0 32) implicit_rejection_value in let to_hash:t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE = Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE } 
@@ -285,8 +350,12 @@ let decapsulate <: t_Slice u8) in - let _:Prims.unit = assert (v (sz 32) < pow2 32) in - let _:Prims.unit = assert (i4.f_PRF_pre (sz 32) to_hash) in + let _:Prims.unit = + assert_norm (pow2 32 == 0x100000000); + assert (v (sz 32) < pow2 32); + assert (i4.f_PRF_pre (sz 32) to_hash); + lemma_slice_append to_hash implicit_rejection_value ciphertext.f_value + in let (implicit_rejection_shared_secret: t_Array u8 (sz 32)):t_Array u8 (sz 32) = Libcrux_ml_kem.Hash_functions.f_PRF #v_Hasher #v_K @@ -294,6 +363,10 @@ let decapsulate (sz 32) (to_hash <: t_Slice u8) in + let _:Prims.unit = + assert (implicit_rejection_shared_secret == Spec.Utils.v_PRF (sz 32) to_hash); + assert (Seq.length ind_cpa_public_key == v v_PUBLIC_KEY_SIZE) + in let expected_ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = Libcrux_ml_kem.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 @@ -301,7 +374,7 @@ let decapsulate decrypted pseudorandomness in let implicit_rejection_shared_secret:t_Array u8 (sz 32) = - f_kdf #v_Scheme + Libcrux_ml_kem.Variant.f_kdf #v_Scheme #FStar.Tactics.Typeclasses.solve v_K v_CIPHERTEXT_SIZE @@ -310,7 +383,7 @@ let decapsulate ciphertext in let shared_secret:t_Array u8 (sz 32) = - f_kdf #v_Scheme + Libcrux_ml_kem.Variant.f_kdf #v_Scheme #FStar.Tactics.Typeclasses.solve v_K v_CIPHERTEXT_SIZE @@ -331,8 +404,6 @@ let decapsulate #pop-options -#pop-options - #push-options "--z3rlimit 150" let encapsulate 
@@ -345,12 +416,12 @@ let encapsulate (#[FStar.Tactics.Typeclasses.tcresolve ()] i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: t_Variant v_Scheme) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme) (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) = let randomness:t_Array u8 (sz 32) = - f_entropy_preprocess #v_Scheme + Libcrux_ml_kem.Variant.f_entropy_preprocess #v_Scheme #FStar.Tactics.Typeclasses.solve v_K #v_Hasher @@ -359,6 +430,7 @@ let encapsulate let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = Libcrux_ml_kem.Utils.into_padded_array (sz 64) (randomness <: t_Slice u8) in + let _:Prims.unit = eq_intro (Seq.slice to_hash 0 32) randomness in let to_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE } @@ -373,12 +445,17 @@ let encapsulate (Libcrux_ml_kem.Hash_functions.f_H #v_Hasher #v_K #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_kem.Types.impl_17__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) + (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) <: t_Slice u8) <: t_Slice u8) in + let _:Prims.unit = + assert (Seq.slice to_hash 0 (v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE) == randomness); + lemma_slice_append to_hash randomness (Spec.Utils.v_H public_key.f_value); + assert (to_hash == concat randomness (Spec.Utils.v_H public_key.f_value)) + in let hashed:t_Array u8 (sz 64) = Libcrux_ml_kem.Hash_functions.f_G #v_Hasher #v_K 
@@ -394,7 +471,7 @@ let encapsulate Libcrux_ml_kem.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher - (Libcrux_ml_kem.Types.impl_17__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) randomness + (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) randomness pseudorandomness in let ciphertext:Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE = @@ -404,7 +481,7 @@ let encapsulate ciphertext in let shared_secret_array:t_Array u8 (sz 32) = - f_kdf #v_Scheme + Libcrux_ml_kem.Variant.f_kdf #v_Scheme #FStar.Tactics.Typeclasses.solve v_K v_CIPHERTEXT_SIZE @@ -412,26 +489,23 @@ let encapsulate shared_secret ciphertext in - let result:(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) = - ciphertext, shared_secret_array - <: - (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + ciphertext, shared_secret_array + <: + (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) #pop-options let generate_keypair (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (#v_Vector #v_Hasher: Type0) + (#v_Vector #v_Hasher #v_Scheme: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: + i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: + i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme) (randomness: t_Array u8 (sz 64)) = let ind_cpa_keypair_randomness:t_Slice u8 = 
@@ -451,14 +525,8 @@ let generate_keypair in let ind_cpa_private_key, public_key:(t_Array u8 v_CPA_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE) = - Libcrux_ml_kem.Ind_cpa.generate_keypair v_K - v_CPA_PRIVATE_KEY_SIZE - v_PUBLIC_KEY_SIZE - v_RANKED_BYTES_PER_RING_ELEMENT - v_ETA1 - v_ETA1_RANDOMNESS_SIZE - #v_Vector - #v_Hasher + Libcrux_ml_kem.Ind_cpa.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE + v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE #v_Vector #v_Hasher #v_Scheme ind_cpa_keypair_randomness in let secret_key_serialized:t_Array u8 v_PRIVATE_KEY_SIZE = @@ -476,7 +544,7 @@ let generate_keypair #FStar.Tactics.Typeclasses.solve secret_key_serialized in - Libcrux_ml_kem.Types.impl_18__from v_PRIVATE_KEY_SIZE + Libcrux_ml_kem.Types.impl_21__from v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE private_key (Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti index 69d9a3cb..0ae396fd 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti @@ -8,6 +8,7 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Types in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Traits in () 
@@ -39,13 +40,10 @@ val serialize_kem_secret_key (Seq.append public_key (Seq.append (Spec.Utils.v_H public_key) implicit_rejection_value) )) -/// Implements [`Variant`], to perform the ML-KEM-specific actions -/// during encapsulation and decapsulation. -/// Specifically, -/// * during encapsulation, the initial randomness is used without prior hashing, -/// * the derivation of the shared secret does not include a hash of the ML-KEM ciphertext. -type t_MlKem = | MlKem : t_MlKem - +/// Validate an ML-KEM public key. +/// This implements the Modulus check in 7.2 2. +/// Note that the size check in 7.2 1 is covered by the `PUBLIC_KEY_SIZE` in the +/// `public_key` type. val validate_public_key (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) (#v_Vector: Type0) 
@@ -58,153 +56,21 @@ val validate_public_key v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) (fun _ -> Prims.l_True) -/// This trait collects differences in specification between ML-KEM -/// (Draft FIPS 203) and the Round 3 CRYSTALS-Kyber submission in the -/// NIST PQ competition. -/// cf. FIPS 203 (Draft), section 1.3 -class t_Variant (v_Self: Type0) = { - f_kdf_pre: - v_K: usize -> - v_CIPHERTEXT_SIZE: usize -> - #v_Hasher: Type0 -> - {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> - shared_secret: t_Slice u8 -> - ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE - -> pred: Type0{(Core.Slice.impl__len #u8 shared_secret <: usize) =. sz 32 ==> pred}; - f_kdf_post: - v_K: usize -> - v_CIPHERTEXT_SIZE: usize -> - #v_Hasher: Type0 -> - {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> - shared_secret: t_Slice u8 -> - ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE -> - res: t_Array u8 (sz 32) - -> pred: Type0{pred ==> res == shared_secret}; - f_kdf: - v_K: usize -> - v_CIPHERTEXT_SIZE: usize -> - #v_Hasher: Type0 -> - {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> - x0: t_Slice u8 -> - x1: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE - -> Prims.Pure (t_Array u8 (sz 32)) - (f_kdf_pre v_K v_CIPHERTEXT_SIZE #v_Hasher #i1 x0 x1) - (fun result -> f_kdf_post v_K v_CIPHERTEXT_SIZE #v_Hasher #i1 x0 x1 result); - f_entropy_preprocess_pre: - v_K: usize -> - #v_Hasher: Type0 -> - {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> - randomness: t_Slice u8 - -> pred: Type0{(Core.Slice.impl__len #u8 randomness <: usize) =. 
sz 32 ==> pred}; - f_entropy_preprocess_post: - v_K: usize -> - #v_Hasher: Type0 -> - {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> - t_Slice u8 -> - t_Array u8 (sz 32) - -> Type0; - f_entropy_preprocess: - v_K: usize -> - #v_Hasher: Type0 -> - {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> - x0: t_Slice u8 - -> Prims.Pure (t_Array u8 (sz 32)) - (f_entropy_preprocess_pre v_K #v_Hasher #i3 x0) - (fun result -> f_entropy_preprocess_post v_K #v_Hasher #i3 x0 result) -} - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: t_Variant t_MlKem = - { - f_kdf_pre - = - (fun - (v_K: usize) - (v_CIPHERTEXT_SIZE: usize) - (#v_Hasher: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (shared_secret: t_Slice u8) - (_: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - -> - (Core.Slice.impl__len #u8 shared_secret <: usize) =. sz 32); - f_kdf_post - = - (fun - (v_K: usize) - (v_CIPHERTEXT_SIZE: usize) - (#v_Hasher: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (shared_secret: t_Slice u8) - (_: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - (out: t_Array u8 (sz 32)) - -> - out == shared_secret); - f_kdf - = - (fun - (v_K: usize) - (v_CIPHERTEXT_SIZE: usize) - (#v_Hasher: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (shared_secret: t_Slice u8) - (_: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - -> - Core.Result.impl__unwrap #(t_Array u8 (sz 32)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (sz 32)) - #FStar.Tactics.Typeclasses.solve - shared_secret - <: - Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError)); - f_entropy_preprocess_pre - = - (fun - (v_K: usize) - (#v_Hasher: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - 
Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (randomness: t_Slice u8) - -> - (Core.Slice.impl__len #u8 randomness <: usize) =. sz 32); - f_entropy_preprocess_post - = - (fun - (v_K: usize) - (#v_Hasher: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (randomness: t_Slice u8) - (out: t_Array u8 (sz 32)) - -> - true); - f_entropy_preprocess - = - fun - (v_K: usize) +/// Validate an ML-KEM private key. +/// This implements the Hash check in 7.3 3. +/// Note that the size checks in 7.2 1 and 2 are covered by the `SECRET_KEY_SIZE` +/// and `CIPHERTEXT_SIZE` in the `private_key` and `ciphertext` types. +val validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) (#v_Hasher: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (randomness: t_Slice u8) - -> - Core.Result.impl__unwrap #(t_Array u8 (sz 32)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (sz 32)) - #FStar.Tactics.Typeclasses.solve - randomness - <: - Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError) - } + {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (v__ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure bool + (requires + Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ + v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) + (fun _ -> Prims.l_True) /// This code verifies on some machines, runs out of memory on others val decapsulate 
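Review bot: The new doc comment on `validate_private_key` says `Note that the size checks in 7.2 1 and 2 are covered by ...`, but the hash check it cites as `7.3 3` belongs to the decapsulation input checks of FIPS 203 section 7.3, whose steps 1 and 2 are the ciphertext and decapsulation-key type checks; `7.2` is the encapsulation side, which is the section the `validate_public_key` comment above correctly cites for the modulus check. Presumably the line should read `/// Note that the size checks in 7.3 1 and 2 are covered by the SECRET_KEY_SIZE`. The `requires` pins `v_SECRET_KEY_SIZE` and `v_CIPHERTEXT_SIZE` to the spec sizes, but the `ensures` is `fun _ -> Prims.l_True`, so callers learn nothing from a `true` result; stating that the result equals the comparison of `H` over the embedded public key with the stored hash would make the check usable in a proof of `decapsulate`.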
@@ -213,7 +79,7 @@ val decapsulate (#v_Vector #v_Hasher #v_Scheme: Type0) {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - {| i5: t_Variant v_Scheme |} + {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |} (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) : Prims.Pure (t_Array u8 (sz 32)) @@ -245,7 +111,7 @@ val encapsulate (#v_Vector #v_Hasher #v_Scheme: Type0) {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - {| i5: t_Variant v_Scheme |} + {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |} (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) @@ -276,9 +142,10 @@ val encapsulate val generate_keypair (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (#v_Vector #v_Hasher: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (#v_Vector #v_Hasher #v_Scheme: Type0) + {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |} (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) (requires diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti index f386e8df..a0ce8456 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti 
@@ -14,6 +14,32 @@ type t_IndCpaPrivateKeyUnpacked (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} = { f_secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K } +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl + (v_K: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + : Core.Default.t_Default (t_IndCpaPrivateKeyUnpacked v_K v_Vector) = + { + f_default_pre = (fun (_: Prims.unit) -> true); + f_default_post = (fun (_: Prims.unit) (out: t_IndCpaPrivateKeyUnpacked v_K v_Vector) -> true); + f_default + = + fun (_: Prims.unit) -> + { + f_secret_as_ntt + = + Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K + } + <: + t_IndCpaPrivateKeyUnpacked v_K v_Vector + } + /// An unpacked ML-KEM IND-CPA Private Key type t_IndCpaPublicKeyUnpacked (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} 
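Review bot: The `Core.Default` instance `impl` sets `f_secret_as_ntt` to `v_K` copies of `Libcrux_ml_kem.Polynomial.impl_2__ZERO`, i.e. an all-zero secret, with no comment marking it as a placeholder rather than a usable key. A short note, `(* Placeholder: an all-zero secret is never a valid ML-KEM key; fill via key generation *)`, would stop it being mistaken for an initialised value. Immediately below, the context line `/// An unpacked ML-KEM IND-CPA Private Key` sits above `type t_IndCpaPublicKeyUnpacked`; that text is pre-existing, but since this commit adds instances around it, correcting it to `/// An unpacked ML-KEM IND-CPA Public Key` here would be cheap.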
@@ -22,3 +48,41 @@ type t_IndCpaPublicKeyUnpacked f_seed_for_A:t_Array u8 (sz 32); f_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_1 + (v_K: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + : Core.Default.t_Default (t_IndCpaPublicKeyUnpacked v_K v_Vector) = + { + f_default_pre = (fun (_: Prims.unit) -> true); + f_default_post = (fun (_: Prims.unit) (out: t_IndCpaPublicKeyUnpacked v_K v_Vector) -> true); + f_default + = + fun (_: Prims.unit) -> + { + f_t_as_ntt + = + Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K; + f_seed_for_A = Rust_primitives.Hax.repeat 0uy (sz 32); + f_A + = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl_2__ZERO + #v_Vector + () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K + <: + t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + v_K + } + <: + t_IndCpaPublicKeyUnpacked v_K v_Vector + } diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst index 7aff6f7e..5bb6b921 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst @@ -7,6 +7,8 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions in + let open Libcrux_ml_kem.Ind_cpa.Unpacked in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Traits in () 
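Review bot: `impl_1`'s `f_default_post` is `fun _ out -> true`, so a default `t_IndCpaPublicKeyUnpacked` carries no provable facts even though the body fixes every field: `f_t_as_ntt` and `f_A` are `impl_2__ZERO` throughout and `f_seed_for_A` is `Rust_primitives.Hax.repeat 0uy (sz 32)`. If a caller such as the new `unpack_public_key` starts from a default and overwrites fields, any proof about the fields it leaves untouched will need these facts; a postcondition like `out.f_seed_for_A == Seq.create 32 0uy` would be a start. Whether hax can emit a non-trivial `f_default_post` for a derived `Default` is not something the extraction shows, so this may have to be a hand-written lemma instead.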
@@ -27,7 +29,7 @@ let sample_ring_element_cbd v_K (fun v__i -> let v__i:usize = v__i in - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -108,18 +110,10 @@ let sample_vector_cbd_then_ntt (#[FStar.Tactics.Typeclasses.tcresolve ()] i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (re_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) (prf_input: t_Array u8 (sz 33)) (domain_separator: u8) = - let re_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K - (fun v__i -> - let v__i:usize = v__i in - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in let prf_inputs:t_Array (t_Array u8 (sz 33)) v_K = Rust_primitives.Hax.repeat prf_input v_K in let v__domain_separator_init:u8 = domain_separator in let domain_separator, prf_inputs:(u8 & t_Array (t_Array u8 (sz 33)) v_K) = 
@@ -189,6 +183,46 @@ let sample_vector_cbd_then_ntt in re_as_ntt) in + let result:u8 = domain_separator in + let _:Prims.unit = admit () (* Panic freedom *) in + let hax_temp_output:u8 = result in + re_as_ntt, hax_temp_output + <: + (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) + +let sample_vector_cbd_then_ntt_out + (v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize) + (#v_Vector #v_Hasher: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (prf_input: t_Array u8 (sz 33)) + (domain_separator: u8) + = + let re_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K + (fun v__i -> + let v__i:usize = v__i in + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + let tmp0, out:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) = + sample_vector_cbd_then_ntt v_K + v_ETA + v_ETA_RANDOMNESS_SIZE + #v_Vector + #v_Hasher + re_as_ntt + prf_input + domain_separator + in + let re_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = tmp0 in + let domain_separator:u8 = out in let result:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) = re_as_ntt, domain_separator <: @@ -197,8 +231,6 @@ let sample_vector_cbd_then_ntt let _:Prims.unit = admit () (* Panic freedom *) in result -#push-options "--z3rlimit 200" - let compress_then_serialize_u (v_K v_OUT_LEN v_COMPRESSION_FACTOR v_BLOCK_LEN: usize) (#v_Vector: Type0) 
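Review bot: The hunk introduces a fresh `let _:Prims.unit = admit () (* Panic freedom *)` at the end of `sample_vector_cbd_then_ntt` and keeps a second one in the new `sample_vector_cbd_then_ntt_out` wrapper, so two admits now cover what was one, while the same commit removes the panic-freedom admit from `encapsulate` in Libcrux_ml_kem.Ind_cca.fst. The wrapper only allocates `re_as_ntt` via `Core.Array.from_fn` and forwards to the inner function, so its admit is redundant once the inner obligation is discharged; at minimum the inner one should carry a tracking note, e.g. `(* TODO: panic freedom admitted — discharge via the loop invariant on re_as_ntt and prf_inputs *)`, so it is not silently carried forward. `sample_vector_cbd_then_ntt`'s body begins outside this hunk.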
@@ -219,7 +251,9 @@ let compress_then_serialize_u (fun out i -> let out:t_Slice u8 = out in let i:usize = i in - (Core.Slice.impl__len #u8 out <: usize) =. v_OUT_LEN <: bool) + v i < v v_K ==> + (Seq.length out == v v_OUT_LEN /\ + Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index input (v i)))) out (fun out temp_1_ -> let out:t_Slice u8 = out in @@ -263,8 +297,6 @@ let compress_then_serialize_u let hax_temp_output:Prims.unit = result in out -#pop-options - #push-options "--admit_smt_queries true" let deserialize_then_decompress_u @@ -280,7 +312,7 @@ let deserialize_then_decompress_u v_K (fun temp_0_ -> let _:usize = temp_0_ in - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -342,7 +374,7 @@ let deserialize_secret_key v_K (fun temp_0_ -> let _:usize = temp_0_ in - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -439,7 +471,7 @@ let serialize_secret_key #pop-options -let serialize_public_key +let serialize_public_key_mut (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] 
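Review bot: The strengthened loop invariant in `compress_then_serialize_u` is guarded by `v i < v v_K ==> ...`, so at loop exit (`i = v_K`) it yields nothing about `Seq.length out`, whereas the removed invariant `(Core.Slice.impl__len #u8 out <: usize) =. v_OUT_LEN` held unconditionally. If the code after the fold relies on `out` keeping its length — the function returns `out` as `hax_temp_output` — that fact now has to come from somewhere else; splitting the invariant as `Seq.length out == v v_OUT_LEN /\ (v i < v v_K ==> Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index input (v i)))` keeps both. The `#push-options "--z3rlimit 200"`/`#pop-options` pair is dropped in the same change, so it is worth confirming the function still verifies under the default limit. The enclosing fold starts before this hunk.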
@@ -447,17 +479,15 @@ let serialize_public_key Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) (seed_for_a: t_Slice u8) + (serialized: t_Array u8 v_PUBLIC_KEY_SIZE) = - let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = - Rust_primitives.Hax.repeat 0uy v_PUBLIC_KEY_SIZE - in - let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range public_key_serialized + let serialized:t_Array u8 v_PUBLIC_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT } <: Core.Ops.Range.t_Range usize) (Core.Slice.impl__copy_from_slice #u8 - (public_key_serialized.[ { + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT } @@ -471,13 +501,13 @@ let serialize_public_key <: t_Slice u8) in - let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from public_key_serialized + let serialized:t_Array u8 v_PUBLIC_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from serialized ({ Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT } <: Core.Ops.Range.t_RangeFrom usize) (Core.Slice.impl__copy_from_slice #u8 - (public_key_serialized.[ { Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT } + (serialized.[ { Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT } <: Core.Ops.Range.t_RangeFrom usize ] <: 
@@ -486,6 +516,30 @@ let serialize_public_key <: t_Slice u8) in + let hax_temp_output:Prims.unit = admit () (* Panic freedom *) in + serialized + +let serialize_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (seed_for_a: t_Slice u8) + = + let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = + Rust_primitives.Hax.repeat 0uy v_PUBLIC_KEY_SIZE + in + let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = + serialize_public_key_mut v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #v_Vector + tt_as_ntt + seed_for_a + public_key_serialized + in let result:t_Array u8 v_PUBLIC_KEY_SIZE = public_key_serialized in let _:Prims.unit = admit () (* Panic freedom *) in result @@ -578,7 +632,13 @@ let encrypt_unpacked let r_as_ntt, domain_separator:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) = - sample_vector_cbd_then_ntt v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE #v_Vector #v_Hasher prf_input 0uy + sample_vector_cbd_then_ntt_out v_K + v_ETA1 + v_ETA1_RANDOMNESS_SIZE + #v_Vector + #v_Hasher + prf_input + 0uy in let error_1_, domain_separator:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & 
@@ -675,42 +735,44 @@ let encrypt (message: t_Array u8 (sz 32)) (randomness: t_Slice u8) = - let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_K - #v_Vector - (public_key.[ { Core.Ops.Range.f_end = v_T_AS_NTT_ENCODED_SIZE } + let unpacked_public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) + #FStar.Tactics.Typeclasses.solve + () + in + let unpacked_public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = + { + unpacked_public_key with + Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + = + Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_K + #v_Vector + (public_key.[ { Core.Ops.Range.f_end = v_T_AS_NTT_ENCODED_SIZE } + <: + Core.Ops.Range.t_RangeTo usize ] <: - Core.Ops.Range.t_RangeTo usize ] - <: - t_Slice u8) + t_Slice u8) + unpacked_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + } + <: + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector in let seed:t_Slice u8 = public_key.[ { Core.Ops.Range.f_start = v_T_AS_NTT_ENCODED_SIZE } <: Core.Ops.Range.t_RangeFrom usize ] in - let v_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = - Libcrux_ml_kem.Matrix.sample_matrix_A v_K - #v_Vector - #v_Hasher - (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed <: t_Array u8 (sz 34)) - false - in - let (seed_for_A: t_Array u8 (sz 32)):t_Array u8 (sz 32) = - Core.Result.impl__unwrap #(t_Array u8 (sz 32)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (sz 32)) - #FStar.Tactics.Typeclasses.solve - seed - <: - Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError) - in - let public_key_unpacked:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = + let 
unpacked_public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = { - Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt = tt_as_ntt; - Libcrux_ml_kem.Ind_cpa.Unpacked.f_A = v_A; - Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A = seed_for_A + unpacked_public_key with + Libcrux_ml_kem.Ind_cpa.Unpacked.f_A + = + Libcrux_ml_kem.Matrix.sample_matrix_A v_K + #v_Vector + #v_Hasher + unpacked_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A + (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed <: t_Array u8 (sz 34)) + false } <: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector 
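Review bot: The rebuilt `unpacked_public_key` in encrypt only ever sets `f_t_as_ntt` and `f_A`; the removed lines also derived the 32-byte `seed_for_A` via `Core.Convert.f_try_into` and stored it in `f_seed_for_A`, which now keeps whatever `Core.Default.f_default` produces. That is harmless if encrypt_unpacked never reads `f_seed_for_A`, but nothing visible in this hunk establishes that, so it is worth confirming against the callee and recording the decision where this extraction originates, e.g. `(* f_seed_for_A is left at its default: encrypt_unpacked does not read it *)` next to the record update. The enclosing function starts outside this hunk and its result is computed in the following one.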
@@ -718,50 +780,72 @@ let encrypt let result:t_Array u8 v_CIPHERTEXT_SIZE = encrypt_unpacked v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 - v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher public_key_unpacked message randomness + v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher unpacked_public_key message randomness in let _:Prims.unit = admit () (* Panic freedom *) in result let generate_keypair_unpacked (v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (#v_Vector #v_Hasher: Type0) + (#v_Vector #v_Hasher #v_Scheme: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: + i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: + i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme) (key_generation_seed: t_Slice u8) + (private_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) + (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) = let hashed:t_Array u8 (sz 64) = - Libcrux_ml_kem.Hash_functions.f_G #v_Hasher - #v_K + Libcrux_ml_kem.Variant.f_cpa_keygen_seed #v_Scheme #FStar.Tactics.Typeclasses.solve + v_K + #v_Hasher key_generation_seed in let seed_for_A, seed_for_secret_and_error:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at #u8 (hashed <: t_Slice u8) (sz 32) in - let v_A_transpose:t_Array - (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = - Libcrux_ml_kem.Matrix.sample_matrix_A v_K - #v_Vector - #v_Hasher - (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed_for_A <: t_Array u8 (sz 34)) - true + let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = + { + public_key with + Libcrux_ml_kem.Ind_cpa.Unpacked.f_A + = + Libcrux_ml_kem.Matrix.sample_matrix_A v_K + #v_Vector + #v_Hasher + 
public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A + (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed_for_A <: t_Array u8 (sz 34)) + true + } + <: + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector in let (prf_input: t_Array u8 (sz 33)):t_Array u8 (sz 33) = Libcrux_ml_kem.Utils.into_padded_array (sz 33) seed_for_secret_and_error in - let secret_as_ntt, domain_separator:(t_Array - (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & - u8) = - sample_vector_cbd_then_ntt v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE #v_Vector #v_Hasher prf_input 0uy + let tmp0, out:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) = + sample_vector_cbd_then_ntt v_K + v_ETA1 + v_ETA1_RANDOMNESS_SIZE + #v_Vector + #v_Hasher + private_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt + prf_input + 0uy + in + let private_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector = + { private_key with Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt = tmp0 } + <: + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector in + let domain_separator:u8 = out in let error_as_ntt, _:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8 ) = - sample_vector_cbd_then_ntt v_K + sample_vector_cbd_then_ntt_out v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE #v_Vector 
@@ -769,77 +853,96 @@ let generate_keypair_unpacked prf_input domain_separator in - let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Libcrux_ml_kem.Matrix.compute_As_plus_e v_K #v_Vector v_A_transpose secret_as_ntt error_as_ntt - in - let (seed_for_A: t_Array u8 (sz 32)):t_Array u8 (sz 32) = - Core.Result.impl__unwrap #(t_Array u8 (sz 32)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (sz 32)) - #FStar.Tactics.Typeclasses.solve - seed_for_A - <: - Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError) - in - let pk:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = + let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = { - Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt = tt_as_ntt; - Libcrux_ml_kem.Ind_cpa.Unpacked.f_A = v_A_transpose; - Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A = seed_for_A + public_key with + Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + = + Libcrux_ml_kem.Matrix.compute_As_plus_e v_K + #v_Vector + public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A + private_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt + error_as_ntt } <: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector in - let sk:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector = - { Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt = secret_as_ntt } - <: - Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector - in - let result:(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector & - Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) = - sk, pk + let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = + { + public_key with + Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A + = + Core.Result.impl__unwrap #(t_Array u8 (sz 32)) + 
#Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 32)) + #FStar.Tactics.Typeclasses.solve + seed_for_A + <: + Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError) + } <: - (Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector & - Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector in - let _:Prims.unit = admit () (* Panic freedom *) in - result + let hax_temp_output:Prims.unit = admit () (* Panic freedom *) in + private_key, public_key + <: + (Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector & + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) let generate_keypair (v_K v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (#v_Vector #v_Hasher: Type0) + (#v_Vector #v_Hasher #v_Scheme: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: + i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: + i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme) (key_generation_seed: t_Slice u8) = - let sk, pk:(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector & + let private_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector + ) + #FStar.Tactics.Typeclasses.solve + () + in + let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) + #FStar.Tactics.Typeclasses.solve + () + in + let tmp0, tmp1:(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector & 
Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) = generate_keypair_unpacked v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE #v_Vector #v_Hasher + #v_Scheme key_generation_seed + private_key + public_key in + let private_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector = tmp0 in + let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = tmp1 in + let _:Prims.unit = () in let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = serialize_public_key v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE #v_Vector - pk.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt - (pk.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: t_Slice u8) + public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + (public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: t_Slice u8) in let secret_key_serialized:t_Array u8 v_PRIVATE_KEY_SIZE = serialize_secret_key v_K v_PRIVATE_KEY_SIZE #v_Vector - sk.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt + private_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt in let result:(t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE) = secret_key_serialized, public_key_serialized diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti index edacb43f..11fd6f8e 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti @@ -7,6 +7,8 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions in + let open Libcrux_ml_kem.Ind_cpa.Unpacked in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Traits in () 
@@ -31,6 +33,7 @@ val sample_vector_cbd_then_ntt (#v_Vector #v_Hasher: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (re_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) (prf_input: t_Array u8 (sz 33)) (domain_separator: u8) : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) 
@@ -40,12 +43,37 @@ val sample_vector_cbd_then_ntt range (v domain_separator + v v_K) u8_inttype) (ensures fun temp_0_ -> - let x, ds:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) + let re_as_ntt_future, ds:(t_Array + (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & + u8) = + temp_0_ + in + v ds == v domain_separator + v v_K /\ + Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector re_as_ntt_future == + Spec.MLKEM.sample_vector_cbd_then_ntt #v_K + (Seq.slice prf_input 0 32) + (sz (v domain_separator))) + +val sample_vector_cbd_then_ntt_out + (v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize) + (#v_Vector #v_Hasher: Type0) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (prf_input: t_Array u8 (sz 33)) + (domain_separator: u8) + : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) + (requires + Spec.MLKEM.is_rank v_K /\ v_ETA_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ + v_ETA == Spec.MLKEM.v_ETA1 v_K /\ v domain_separator < 2 * v v_K /\ + range (v domain_separator + v v_K) u8_inttype) + (ensures + fun temp_0_ -> + let re, ds:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) = temp_0_ in v ds == v domain_separator + v v_K /\ - Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector x == + Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector re == Spec.MLKEM.sample_vector_cbd_then_ntt #v_K (Seq.slice prf_input 0 32) (sz (v domain_separator))) 
@@ -61,7 +89,10 @@ val compress_then_serialize_u (requires Spec.MLKEM.is_rank v_K /\ v_OUT_LEN == Spec.MLKEM.v_C1_SIZE v_K /\ v_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ Core.Slice.impl__len #u8 out == v_OUT_LEN) + v_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ Core.Slice.impl__len #u8 out == v_OUT_LEN /\ + (forall (i: nat). + i < v v_K ==> + Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index input i))) (ensures fun out_future -> let out_future:t_Slice u8 = out_future in @@ -120,6 +151,27 @@ val serialize_secret_key Spec.MLKEM.vector_encode_12 #v_K (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector key)) +/// Concatenate `t` and `ρ` into the public key. +val serialize_public_key_mut + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (seed_for_a: t_Slice u8) + (serialized: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) + (requires + Spec.MLKEM.is_rank v_K /\ + v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ length seed_for_a == sz 32) + (ensures + fun serialized_future -> + let serialized_future:t_Array u8 v_PUBLIC_KEY_SIZE = serialized_future in + serialized_future == + Seq.append (Spec.MLKEM.vector_encode_12 #v_K + (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector tt_as_ntt)) + seed_for_a) + /// Concatenate `t` and `ρ` into the public key. val serialize_public_key (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) 
@@ -310,24 +362,29 @@ val encrypt /// . val generate_keypair_unpacked (v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (#v_Vector #v_Hasher: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (#v_Vector #v_Hasher #v_Scheme: Type0) + {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |} (key_generation_seed: t_Slice u8) + (private_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) + (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) : Prims.Pure (Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector & Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) (requires Spec.MLKEM.is_rank v_K /\ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA1 == Spec.MLKEM.v_ETA1 v_K) + v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ + length key_generation_seed == Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE) (fun _ -> Prims.l_True) val generate_keypair (v_K v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (#v_Vector #v_Hasher: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (#v_Vector #v_Hasher #v_Scheme: Type0) + {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |} (key_generation_seed: t_Slice u8) : Prims.Pure (t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE) (requires diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst index fc12208e..49cb2159 100644 
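Review bot: `generate_keypair_unpacked` gains the `v_Scheme` variant, the `private_key`/`public_key` in-out parameters and a `length key_generation_seed == Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE` precondition, yet its postcondition stays `(fun _ -> Prims.l_True)`, so nothing relates the returned unpacked keys to `Spec.MLKEM` — unlike `sample_vector_cbd_then_ntt` and `serialize_public_key_mut` in this same file, whose results are stated in terms of the spec. Since the keygen seed hash is now obtained through `Libcrux_ml_kem.Variant.f_cpa_keygen_seed #v_Scheme` instead of `f_G`, the `t_Variant` instance appears to be what separates the schemes, and an ensures clause on the unpacked `f_t_as_ntt`/`f_secret_as_ntt`/`f_seed_for_A` is what would catch a wrong or swapped instance. The `generate_keypair` val below inherits the same gap; its requires/ensures continue outside this hunk.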
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst @@ -315,7 +315,7 @@ let invert_ntt_montgomery let _:Prims.unit = () in let hax_temp_output, re:(Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - (), Libcrux_ml_kem.Polynomial.impl_1__poly_barrett_reduce #v_Vector re + (), Libcrux_ml_kem.Polynomial.impl_2__poly_barrett_reduce #v_Vector re <: (Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst index d407bc44..276b1673 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst 
@@ -16,94 +16,94 @@ let compute_As_plus_e (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) (matrix_A: t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) (s_as_ntt error_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) = - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K - (fun v__i -> - let v__i:usize = v__i in - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = Rust_primitives.Hax.Folds.fold_enumerated_slice (matrix_A <: t_Slice (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)) - (fun result temp_1_ -> - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - result + (fun tt_as_ntt temp_1_ -> + let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + tt_as_ntt in let _:usize = temp_1_ in true) - result - (fun result temp_1_ -> - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - result + tt_as_ntt + (fun tt_as_ntt temp_1_ -> + let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + tt_as_ntt in let i, row:(usize & t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) = temp_1_ in - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + 
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt + i + (Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = Rust_primitives.Hax.Folds.fold_enumerated_slice (row <: t_Slice (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)) - (fun result temp_1_ -> - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (fun tt_as_ntt temp_1_ -> + let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - result + tt_as_ntt in let _:usize = temp_1_ in true) - result - (fun result temp_1_ -> - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + tt_as_ntt + (fun tt_as_ntt temp_1_ -> + let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - result + tt_as_ntt in let j, matrix_element:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = temp_1_ in let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__ntt_multiply #v_Vector + Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector matrix_element (s_as_ntt.[ j ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt i - (Libcrux_ml_kem.Polynomial.impl_1__add_to_ring_element #v_Vector + (Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector v_K - (result.[ i ] + (tt_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) product <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in - result) + 
tt_as_ntt) in - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt i - (Libcrux_ml_kem.Polynomial.impl_1__add_standard_error_reduce #v_Vector - (result.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (Libcrux_ml_kem.Polynomial.impl_2__add_standard_error_reduce #v_Vector + (tt_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (error_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in - result) + tt_as_ntt) in - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = result in + let result:Prims.unit = () <: Prims.unit in let _:Prims.unit = admit () (* Panic freedom *) in - result + let hax_temp_output:Prims.unit = result in + tt_as_ntt let compute_ring_element_v (v_K: usize) @@ -115,7 +115,7 @@ let compute_ring_element_v (error_2_ message: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) 
@@ -129,12 +129,12 @@ let compute_ring_element_v let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in let i:usize = i in let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__ntt_multiply #v_Vector + Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector (tt_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (r_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__add_to_ring_element #v_Vector v_K result product + Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector v_K result product in result) in @@ -142,7 +142,7 @@ let compute_ring_element_v Libcrux_ml_kem.Invert_ntt.invert_ntt_montgomery v_K #v_Vector result in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__add_message_error_reduce #v_Vector error_2_ message result + Libcrux_ml_kem.Polynomial.impl_2__add_message_error_reduce #v_Vector error_2_ message result in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in let _:Prims.unit = admit () (* Panic freedom *) in @@ -163,7 +163,7 @@ let compute_vector_u v_K (fun v__i -> let v__i:usize = v__i in - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -208,7 +208,7 @@ let compute_vector_u temp_1_ in let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__ntt_multiply #v_Vector + Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector a_element (r_as_ntt.[ j ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in 
@@ -216,7 +216,7 @@ let compute_vector_u v_K = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result i - (Libcrux_ml_kem.Polynomial.impl_1__add_to_ring_element #v_Vector + (Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector v_K (result.[ i ] <: @@ -239,7 +239,7 @@ let compute_vector_u let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result i - (Libcrux_ml_kem.Polynomial.impl_1__add_error_reduce #v_Vector + (Libcrux_ml_kem.Polynomial.impl_2__add_error_reduce #v_Vector (result.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (error_1_.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) <: @@ -262,7 +262,7 @@ let compute_message t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) = let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) @@ -276,12 +276,12 @@ let compute_message let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in let i:usize = i in let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__ntt_multiply #v_Vector + Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector (secret_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (u_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__add_to_ring_element #v_Vector v_K result product + Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector v_K result product in result) in 
@@ -289,7 +289,7 @@ let compute_message Libcrux_ml_kem.Invert_ntt.invert_ntt_montgomery v_K #v_Vector result in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__subtract_reduce #v_Vector v result + Libcrux_ml_kem.Polynomial.impl_2__subtract_reduce #v_Vector v result in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in let _:Prims.unit = admit () (* Panic freedom *) in @@ -304,25 +304,11 @@ let sample_matrix_A (#[FStar.Tactics.Typeclasses.tcresolve ()] i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (v_A_transpose: + t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) (seed: t_Array u8 (sz 34)) (transpose: bool) = - let v_A_transpose:t_Array - (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = - Core.Array.from_fn #(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - v_K - (fun v__i -> - let v__i:usize = v__i in - Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K - (fun v__j -> - let v__j:usize = v__j in - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - <: - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - in let v_A_transpose:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = Rust_primitives.Hax.Folds.fold_range (sz 0) @@ -431,9 +417,7 @@ let sample_matrix_A in v_A_transpose)) in - let result:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K - = - v_A_transpose - in + let result:Prims.unit = () <: Prims.unit in let _:Prims.unit = admit () (* Panic freedom *) in - result + let hax_temp_output:Prims.unit = result in + v_A_transpose 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti index ac11905d..6947cb79 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti @@ -15,6 +15,7 @@ val compute_As_plus_e (v_K: usize) (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) (matrix_A: t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) (s_as_ntt error_as_ntt: @@ -22,10 +23,13 @@ val compute_As_plus_e : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) (requires Spec.MLKEM.is_rank v_K) (ensures - fun res -> - let res:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = res in + fun tt_as_ntt_future -> + let tt_as_ntt_future:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K = + tt_as_ntt_future + in let open Libcrux_ml_kem.Polynomial in - to_spec_vector_t res = + to_spec_vector_t tt_as_ntt_future = Spec.MLKEM.compute_As_plus_e_ntt (to_spec_matrix_t matrix_A) (to_spec_vector_t s_as_ntt) (to_spec_vector_t error_as_ntt)) 
@@ -102,21 +106,23 @@ val sample_matrix_A (#v_Vector #v_Hasher: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (v_A_transpose: + t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) (seed: t_Array u8 (sz 34)) (transpose: bool) : Prims.Pure (t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) (requires Spec.MLKEM.is_rank v_K) (ensures - fun res -> - let res:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - v_K = - res + fun v_A_transpose_future -> + let v_A_transpose_future:t_Array + (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = + v_A_transpose_future in let matrix_A, valid = Spec.MLKEM.sample_matrix_A_ntt (Seq.slice seed 0 32) in valid ==> (if transpose - then Libcrux_ml_kem.Polynomial.to_spec_matrix_t res == matrix_A + then Libcrux_ml_kem.Polynomial.to_spec_matrix_t v_A_transpose_future == matrix_A else - Libcrux_ml_kem.Polynomial.to_spec_matrix_t res == Spec.MLKEM.matrix_transpose matrix_A - )) + Libcrux_ml_kem.Polynomial.to_spec_matrix_t v_A_transpose_future == + Spec.MLKEM.matrix_transpose matrix_A)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst index 3becfc42..1ed6cc3c 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst 
@@ -3,6 +3,16 @@ module Libcrux_ml_kem.Mlkem1024.Avx2 open Core open FStar.Mul +let validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_private_key (sz 4) + (sz 3168) + (sz 1568) + private_key + ciphertext + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) 
@@ -29,46 +39,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = randomness let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = - if - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 4) - (sz 1536) - (sz 1568) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - else - Core.Option.Option_None - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - -let encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.encapsulate_unpacked (sz 4) (sz 1568) (sz 1568) - (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key - randomness - -let decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.decapsulate_unpacked (sz 4) (sz 3168) (sz 1536) - (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) - (sz 128) (sz 1600) private_key ciphertext - -let generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.generate_keypair_unpacked (sz 4) + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 4) (sz 1536) - (sz 3168) (sz 1568) - (sz 1536) - (sz 2) - (sz 128) - randomness + public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti index 176cc978..4f57bcb1 100644 
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti @@ -3,6 +3,13 @@ module Libcrux_ml_kem.Mlkem1024.Avx2 open Core open FStar.Mul +/// Validate a private key. +/// Returns `true` if valid, and `false` otherwise. +val validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 1024 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`]. 
@@ -29,47 +36,6 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) (fun _ -> Prims.l_True) /// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. +/// Returns `true` if valid, and `false` otherwise. val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))) - Prims.l_True - (fun _ -> Prims.l_True) - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 1024 (unpacked) -/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. -/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved: -/// https://github.com/hacspec/hax/issues/770 -val encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Decapsulate ML-KEM 1024 (unpacked) -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`] -/// and an [`MlKem1024Ciphertext`]. 
-val decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate ML-KEM 1024 Key Pair in "unpacked" form -val generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst index 2c782f7a..8cab7c87 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst @@ -3,6 +3,16 @@ module Libcrux_ml_kem.Mlkem1024.Neon open Core open FStar.Mul +let validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_private_key (sz 4) + (sz 3168) + (sz 1568) + private_key + ciphertext + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) 
@@ -29,46 +39,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = randomness let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = - if - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 4) - (sz 1536) - (sz 1568) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - else - Core.Option.Option_None - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - -let encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.encapsulate_unpacked (sz 4) (sz 1568) (sz 1568) - (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key - randomness - -let decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.decapsulate_unpacked (sz 4) (sz 3168) (sz 1536) - (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) - (sz 128) (sz 1600) private_key ciphertext - -let generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.generate_keypair_unpacked (sz 4) + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 4) (sz 1536) - (sz 3168) (sz 1568) - (sz 1536) - (sz 2) - (sz 128) - randomness + public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti index ab4413e4..d71f032a 100644 
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti @@ -3,6 +3,13 @@ module Libcrux_ml_kem.Mlkem1024.Neon open Core open FStar.Mul +/// Validate a private key. +/// Returns `true` if valid, and `false` otherwise. +val validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 1024 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`]. 
@@ -29,49 +36,6 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) (fun _ -> Prims.l_True) /// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. +/// Returns `true` if valid, and `false` otherwise. val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))) - Prims.l_True - (fun _ -> Prims.l_True) - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 1024 (unpacked) -/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. -/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved: -/// https://github.com/hacspec/hax/issues/770 -val encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Decapsulate ML-KEM 1024 (unpacked) -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`] -/// and an [`MlKem1024Ciphertext`]. 
-val decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate ML-KEM 1024 Key Pair in "unpacked" form -val generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - Prims.l_True - (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst index 92509e13..60a05dcc 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst @@ -3,6 +3,16 @@ module Libcrux_ml_kem.Mlkem1024.Portable open Core open FStar.Mul +let validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_private_key (sz 4) + (sz 3168) + (sz 1568) + private_key + ciphertext + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) 
@@ -29,46 +39,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = randomness let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = - if - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 4) - (sz 1536) - (sz 1568) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - else - Core.Option.Option_None - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - -let encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.encapsulate_unpacked (sz 4) (sz 1568) (sz 1568) - (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key - randomness - -let decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.decapsulate_unpacked (sz 4) (sz 3168) (sz 1536) - (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) - (sz 128) (sz 1600) private_key ciphertext - -let generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.generate_keypair_unpacked (sz 4) + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 4) (sz 1536) - (sz 3168) (sz 1568) - (sz 1536) - (sz 2) - (sz 128) - randomness + public_key.Libcrux_ml_kem.Types.f_value 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti index 8397ad5e..9ce6a597 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti @@ -3,6 +3,13 @@ module Libcrux_ml_kem.Mlkem1024.Portable open Core open FStar.Mul +/// Validate a private key. +/// Returns `true` if valid, and `false` otherwise. +val validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 1024 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`]. 
@@ -29,49 +36,6 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) (fun _ -> Prims.l_True) /// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. +/// Returns `true` if valid, and `false` otherwise. val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))) - Prims.l_True - (fun _ -> Prims.l_True) - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 1024 (unpacked) -/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. -/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved: -/// https://github.com/hacspec/hax/issues/770 -val encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Decapsulate ML-KEM 1024 (unpacked) -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`] -/// and an [`MlKem1024Ciphertext`]. 
-val decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate ML-KEM 1024 Key Pair in "unpacked" form -val generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - Prims.l_True - (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst index ae991e1a..c0629779 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst @@ -3,6 +3,22 @@ module Libcrux_ml_kem.Mlkem1024 open Core open FStar.Mul +let validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + = + Libcrux_ml_kem.Ind_cca.Multiplexing.validate_private_key (sz 4) + (sz 3168) + (sz 1568) + private_key + ciphertext + +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = + Libcrux_ml_kem.Ind_cca.Multiplexing.validate_public_key (sz 4) + (sz 1536) + (sz 1568) + public_key.Libcrux_ml_kem.Types.f_value + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) 
@@ -39,18 +55,3 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = in let _:Prims.unit = admit () (* Panic freedom *) in result - -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = - if - Libcrux_ml_kem.Ind_cca.Multiplexing.validate_public_key (sz 4) - (sz 1536) - (sz 1568) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - else - Core.Option.Option_None - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti index fd793d70..fa7a134d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti @@ -62,6 +62,18 @@ let v_CPA_PKE_CIPHERTEXT_SIZE_1024_: usize = v_C1_SIZE_1024_ +! v_C2_SIZE_1024_ let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_1024_ +/// Validate a private key. +/// Returns `true` if valid, and `false` otherwise. +val validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +/// Validate a public key. +/// Returns `true` if valid, and `false` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 1024 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`]. 
@@ -110,10 +122,3 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) Spec.MLKEM.Instances.mlkem1024_generate_keypair randomness in valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key)) - -/// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))) - Prims.l_True - (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst index 84c164f5..d84c1589 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst @@ -3,6 +3,16 @@ module Libcrux_ml_kem.Mlkem512.Avx2 open Core open FStar.Mul +let validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_private_key (sz 2) + (sz 1632) + (sz 768) + private_key + ciphertext + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) 
@@ -29,43 +39,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = randomness let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = - if - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 2) - (sz 768) - (sz 800) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - else - Core.Option.Option_None <: Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - -let encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.encapsulate_unpacked (sz 2) (sz 768) (sz 800) (sz 768) - (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness - -let decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.decapsulate_unpacked (sz 2) (sz 1632) (sz 768) (sz 800) - (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) - (sz 800) private_key ciphertext - -let generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.generate_keypair_unpacked (sz 2) + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 2) (sz 768) - (sz 1632) (sz 800) - (sz 768) - (sz 3) - (sz 192) - randomness + public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti index 222fdaf4..79530147 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti 
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti @@ -3,6 +3,13 @@ module Libcrux_ml_kem.Mlkem512.Avx2 open Core open FStar.Mul +/// Validate a private key. +/// Returns `true` if valid, and `false` otherwise. +val validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 512 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. 
@@ -29,45 +36,6 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) (fun _ -> Prims.l_True) /// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. +/// Returns `true` if valid, and `false` otherwise. val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))) - Prims.l_True - (fun _ -> Prims.l_True) - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 512 (unpacked) -/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. -val encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Decapsulate ML-KEM 512 (unpacked) -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`] -/// and an [`MlKem512Ciphertext`]. 
-val decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate ML-KEM 512 Key Pair in "unpacked" form -val generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst index 103a0efc..58b2f0dc 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst @@ -3,6 +3,16 @@ module Libcrux_ml_kem.Mlkem512.Neon open Core open FStar.Mul +let validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_private_key (sz 2) + (sz 1632) + (sz 768) + private_key + ciphertext + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) 
@@ -29,43 +39,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = randomness let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = - if - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 2) - (sz 768) - (sz 800) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - else - Core.Option.Option_None <: Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - -let encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.encapsulate_unpacked (sz 2) (sz 768) (sz 800) (sz 768) - (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness - -let decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.decapsulate_unpacked (sz 2) (sz 1632) (sz 768) (sz 800) - (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) - (sz 800) private_key ciphertext - -let generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.generate_keypair_unpacked (sz 2) + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 2) (sz 768) - (sz 1632) (sz 800) - (sz 768) - (sz 3) - (sz 192) - randomness + public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti index 0bb4a418..3d846ac5 100644 
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti @@ -3,6 +3,13 @@ module Libcrux_ml_kem.Mlkem512.Neon open Core open FStar.Mul +/// Validate a private key. +/// Returns `true` if valid, and `false` otherwise. +val validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 512 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. 
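Review bot: The doc comment on the new `validate_private_key` describes it as validating a private key, but the val also takes `ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)` and nothing says what that argument contributes to the result. If this is the FIPS 203 decapsulation input check (length checks on both inputs plus the hash check that the stored hash matches the embedded encapsulation key), the docstring should say so, since a reader could otherwise assume the ciphertext is validated on its own; suggested first line: `/// Validate a private key together with the ciphertext it is about to decapsulate.` followed by the existing `Returns` line. The check performed cannot be confirmed from the extraction alone, because the .fst delegates to `Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_private_key`, so the wording should be checked against the Rust source. As with `validate_public_key`, the postcondition is `Prims.l_True`, so nothing is proven about the meaning of `true`. The identical doc comment appears in the corresponding hunks of Mlkem512.Portable.fsti, Mlkem512.fsti and the Mlkem768 .fsti files.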
@@ -29,47 +36,6 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) (fun _ -> Prims.l_True) /// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. +/// Returns `true` if valid, and `false` otherwise. val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))) - Prims.l_True - (fun _ -> Prims.l_True) - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 512 (unpacked) -/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. -val encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Decapsulate ML-KEM 512 (unpacked) -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`] -/// and an [`MlKem512Ciphertext`]. 
-val decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate ML-KEM 512 Key Pair in "unpacked" form -val generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - Prims.l_True - (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst index d71d1827..97dccb93 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst @@ -3,6 +3,16 @@ module Libcrux_ml_kem.Mlkem512.Portable open Core open FStar.Mul +let validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_private_key (sz 2) + (sz 1632) + (sz 768) + private_key + ciphertext + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) 
@@ -29,44 +39,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = randomness let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = - if - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 2) - (sz 768) - (sz 800) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - else - Core.Option.Option_None <: Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - -let encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.encapsulate_unpacked (sz 2) (sz 768) (sz 800) - (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key - randomness - -let decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.decapsulate_unpacked (sz 2) (sz 1632) (sz 768) - (sz 800) (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) - (sz 128) (sz 800) private_key ciphertext - -let generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.generate_keypair_unpacked (sz 2) + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 2) (sz 768) - (sz 1632) (sz 800) - (sz 768) - (sz 3) - (sz 192) - randomness + public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti index f238d623..eee7fb43 100644 
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti @@ -3,6 +3,13 @@ module Libcrux_ml_kem.Mlkem512.Portable open Core open FStar.Mul +/// Validate a private key. +/// Returns `true` if valid, and `false` otherwise. +val validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 512 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. 
@@ -29,47 +36,6 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) (fun _ -> Prims.l_True) /// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. +/// Returns `true` if valid, and `false` otherwise. val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))) - Prims.l_True - (fun _ -> Prims.l_True) - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 512 (unpacked) -/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. -val encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Decapsulate ML-KEM 512 (unpacked) -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`] -/// and an [`MlKem512Ciphertext`]. 
-val decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate ML-KEM 512 Key Pair in "unpacked" form -val generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - Prims.l_True - (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst index 3e97c456..db5293cf 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst @@ -3,6 +3,22 @@ module Libcrux_ml_kem.Mlkem512 open Core open FStar.Mul +let validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + = + Libcrux_ml_kem.Ind_cca.Multiplexing.validate_private_key (sz 2) + (sz 1632) + (sz 768) + private_key + ciphertext + +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = + Libcrux_ml_kem.Ind_cca.Multiplexing.validate_public_key (sz 2) + (sz 768) + (sz 800) + public_key.Libcrux_ml_kem.Types.f_value + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) 
@@ -39,16 +55,3 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = in let _:Prims.unit = admit () (* Panic freedom *) in result - -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = - if - Libcrux_ml_kem.Ind_cca.Multiplexing.validate_public_key (sz 2) - (sz 768) - (sz 800) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - else - Core.Option.Option_None <: Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti index ef6a7c30..40a174dc 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti @@ -37,6 +37,18 @@ let v_VECTOR_U_COMPRESSION_FACTOR_512_: usize = sz 10 let v_VECTOR_V_COMPRESSION_FACTOR_512_: usize = sz 4 +/// Validate a private key. +/// Returns `true` if valid, and `false` otherwise. +val validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +/// Validate a public key. +/// Returns `true` if valid, and `false` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 512 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. 
@@ -85,10 +97,3 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) Spec.MLKEM.Instances.mlkem512_generate_keypair randomness in valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key)) - -/// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))) - Prims.l_True - (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst index aa6931d6..3ec064b3 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst @@ -3,6 +3,16 @@ module Libcrux_ml_kem.Mlkem768.Avx2 open Core open FStar.Mul +let validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_private_key (sz 3) + (sz 2400) + (sz 1088) + private_key + ciphertext + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) 
@@ -29,46 +39,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = randomness let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = - if - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 3) - (sz 1152) - (sz 1184) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - else - Core.Option.Option_None - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - -let encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.encapsulate_unpacked (sz 3) (sz 1088) (sz 1184) - (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key - randomness - -let decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.decapsulate_unpacked (sz 3) (sz 2400) (sz 1152) - (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) - (sz 128) (sz 1120) private_key ciphertext - -let generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.generate_keypair_unpacked (sz 3) + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 3) (sz 1152) - (sz 2400) (sz 1184) - (sz 1152) - (sz 2) - (sz 128) - randomness + public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti index dbf41664..0b285526 100644 
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti @@ -3,6 +3,13 @@ module Libcrux_ml_kem.Mlkem768.Avx2 open Core open FStar.Mul +/// Validate a private key. +/// Returns `true` if valid, and `false` otherwise. +val validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 768 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. 
@@ -29,45 +36,6 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) (fun _ -> Prims.l_True) /// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. +/// Returns `true` if valid, and `false` otherwise. val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))) - Prims.l_True - (fun _ -> Prims.l_True) - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 768 (unpacked) -/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. -val encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Decapsulate ML-KEM 768 (unpacked) -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`] -/// and an [`MlKem768Ciphertext`]. 
-val decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate ML-KEM 768 Key Pair in "unpacked" form -val generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst index 2846f5a8..4608a392 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst @@ -3,6 +3,16 @@ module Libcrux_ml_kem.Mlkem768.Neon open Core open FStar.Mul +let validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_private_key (sz 3) + (sz 2400) + (sz 1088) + private_key + ciphertext + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) 
@@ -29,46 +39,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = randomness let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = - if - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 3) - (sz 1152) - (sz 1184) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - else - Core.Option.Option_None - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - -let encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.encapsulate_unpacked (sz 3) (sz 1088) (sz 1184) - (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key - randomness - -let decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.decapsulate_unpacked (sz 3) (sz 2400) (sz 1152) - (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) - (sz 128) (sz 1120) private_key ciphertext - -let generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.generate_keypair_unpacked (sz 3) + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 3) (sz 1152) - (sz 2400) (sz 1184) - (sz 1152) - (sz 2) - (sz 128) - randomness + public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti index d9968514..1b4e3414 100644 
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti @@ -3,6 +3,13 @@ module Libcrux_ml_kem.Mlkem768.Neon open Core open FStar.Mul +/// Validate a private key. +/// Returns `true` if valid, and `false` otherwise. +val validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 768 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. 
@@ -29,47 +36,6 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) (fun _ -> Prims.l_True) /// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. +/// Returns `true` if valid, and `false` otherwise. val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))) - Prims.l_True - (fun _ -> Prims.l_True) - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 768 (unpacked) -/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. -val encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Decapsulate ML-KEM 768 (unpacked) -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`] -/// and an [`MlKem768Ciphertext`]. 
-val decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate ML-KEM 768 Key Pair in "unpacked" form -val generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - Prims.l_True - (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst index 2f77deb3..d98e4483 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst @@ -3,6 +3,16 @@ module Libcrux_ml_kem.Mlkem768.Portable open Core open FStar.Mul +let validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_private_key (sz 3) + (sz 2400) + (sz 1088) + private_key + ciphertext + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) 
@@ -29,46 +39,7 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = randomness let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = - if - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 3) - (sz 1152) - (sz 1184) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - else - Core.Option.Option_None - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - -let encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.encapsulate_unpacked (sz 3) (sz 1088) (sz 1184) - (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key - randomness - -let decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.decapsulate_unpacked (sz 3) (sz 2400) (sz 1152) - (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) - (sz 128) (sz 1120) private_key ciphertext - -let generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.generate_keypair_unpacked (sz 3) + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 3) (sz 1152) - (sz 2400) (sz 1184) - (sz 1152) - (sz 2) - (sz 128) - randomness + public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti index 0edff9a4..c14954e5 100644 
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti @@ -3,6 +3,13 @@ module Libcrux_ml_kem.Mlkem768.Portable open Core open FStar.Mul +/// Validate a private key. +/// Returns `true` if valid, and `false` otherwise. +val validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 768 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. 
@@ -29,47 +36,6 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) (fun _ -> Prims.l_True) /// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. +/// Returns `true` if valid, and `false` otherwise. val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))) - Prims.l_True - (fun _ -> Prims.l_True) - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 768 (unpacked) -/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. -val encapsulate_unpacked - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Decapsulate ML-KEM 768 (unpacked) -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`] -/// and an [`MlKem768Ciphertext`]. 
-val decapsulate_unpacked - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate ML-KEM 768 Key Pair in "unpacked" form -val generate_key_pair_unpacked (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - Prims.l_True - (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst index 3fa15328..235881a7 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst @@ -3,6 +3,22 @@ module Libcrux_ml_kem.Mlkem768 open Core open FStar.Mul +let validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + = + Libcrux_ml_kem.Ind_cca.Multiplexing.validate_private_key (sz 3) + (sz 2400) + (sz 1088) + private_key + ciphertext + +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = + Libcrux_ml_kem.Ind_cca.Multiplexing.validate_public_key (sz 3) + (sz 1152) + (sz 1184) + public_key.Libcrux_ml_kem.Types.f_value + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) 
@@ -39,18 +55,3 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = in let _:Prims.unit = admit () (* Panic freedom *) in result - -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = - if - Libcrux_ml_kem.Ind_cca.Multiplexing.validate_public_key (sz 3) - (sz 1152) - (sz 1184) - public_key.Libcrux_ml_kem.Types.f_value - then - Core.Option.Option_Some public_key - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - else - Core.Option.Option_None - <: - Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti index 9e2339b6..34bfea33 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti @@ -62,6 +62,18 @@ let v_CPA_PKE_CIPHERTEXT_SIZE_768_: usize = v_C1_SIZE_768_ +! v_C2_SIZE_768_ let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_768_ +/// Validate a private key. +/// Returns `true` if valid, and `false` otherwise. +val validate_private_key + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +/// Validate a public key. +/// Returns `true` if valid, and `false` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 768 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. 
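Review bot: The new validate_private_key doc says only "Validate a private key", yet the declaration also takes `ciphertext`, and nothing tells a reader what the ciphertext contributes or what "valid" means here. The Libcrux_ml_kem.Mlkem768.fst hunk just forwards both arguments to Libcrux_ml_kem.Ind_cca.Multiplexing.validate_private_key, so the contract lives there; a one-line pointer would help, e.g. `/// Takes the ciphertext intended for decapsulation with this key; the check performed is Libcrux_ml_kem.Ind_cca.Multiplexing.validate_private_key.` Both new `val`s carry `Prims.l_True` as postcondition, so callers that gate decapsulation on the result get no spec-level statement of what `true` guarantees; generate_key_pair later in this file does relate its result to Spec.MLKEM, and a similar `ensures` here would make the check meaningful, though that may be out of scope for an extraction change.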
@@ -110,10 +122,3 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) Spec.MLKEM.Instances.mlkem768_generate_keypair randomness in valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key)) - -/// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))) - Prims.l_True - (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst index 702b82a4..da6a5be1 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst @@ -378,7 +378,7 @@ let ntt_binomially_sampled_ring_element let _:Prims.unit = () in let hax_temp_output, re:(Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - (), Libcrux_ml_kem.Polynomial.impl_1__poly_barrett_reduce #v_Vector re + (), Libcrux_ml_kem.Polynomial.impl_2__poly_barrett_reduce #v_Vector re <: (Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -437,7 +437,7 @@ let ntt_vector_u let _:Prims.unit = () in let hax_temp_output, re:(Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - (), Libcrux_ml_kem.Polynomial.impl_1__poly_barrett_reduce #v_Vector re + (), Libcrux_ml_kem.Polynomial.impl_2__poly_barrett_reduce #v_Vector re <: (Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst index 002d025e..14065e04 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst 
@@ -14,7 +14,7 @@ let get_zeta (i: usize) = let _:Prims.unit = admit () (* Panic freedom *) in result -let impl_1__ZERO +let impl_2__ZERO (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: @@ -34,7 +34,7 @@ let impl_1__ZERO <: t_PolynomialRingElement v_Vector -let impl_1__add_error_reduce +let impl_2__add_error_reduce (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: @@ -85,7 +85,7 @@ let impl_1__add_error_reduce let hax_temp_output:Prims.unit = () <: Prims.unit in self -let impl_1__add_message_error_reduce +let impl_2__add_message_error_reduce (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: @@ -142,7 +142,7 @@ let impl_1__add_message_error_reduce in result -let impl_1__add_standard_error_reduce +let impl_2__add_standard_error_reduce (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: @@ -191,7 +191,7 @@ let impl_1__add_standard_error_reduce let hax_temp_output:Prims.unit = () <: Prims.unit in self -let impl_1__add_to_ring_element +let impl_2__add_to_ring_element (#v_Vector: Type0) (v_K: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -232,14 +232,14 @@ let impl_1__add_to_ring_element let hax_temp_output:Prims.unit = () <: Prims.unit in self -let impl_1__from_i16_array +let impl_2__from_i16_array (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (a: t_Slice i16) = - let result:t_PolynomialRingElement v_Vector = impl_1__ZERO #v_Vector () in + let result:t_PolynomialRingElement v_Vector = impl_2__ZERO #v_Vector () in let result:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) v_VECTORS_IN_RING_ELEMENT @@ -277,7 +277,7 @@ let impl_1__from_i16_array in result -let impl_1__ntt_multiply +let impl_2__ntt_multiply (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: 
@@ -285,7 +285,7 @@ let impl_1__ntt_multiply (self rhs: t_PolynomialRingElement v_Vector) = let _:Prims.unit = admit () in - let out:t_PolynomialRingElement v_Vector = impl_1__ZERO #v_Vector () in + let out:t_PolynomialRingElement v_Vector = impl_2__ZERO #v_Vector () in let out:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) v_VECTORS_IN_RING_ELEMENT @@ -321,7 +321,7 @@ let impl_1__ntt_multiply in out -let impl_1__poly_barrett_reduce +let impl_2__poly_barrett_reduce (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: @@ -360,7 +360,7 @@ let impl_1__poly_barrett_reduce let hax_temp_output:Prims.unit = () <: Prims.unit in self -let impl_1__subtract_reduce +let impl_2__subtract_reduce (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti index bca911eb..ca8ac5ed 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti 
@@ -60,25 +60,25 @@ let to_spec_matrix_t (#r:Spec.MLKEM.rank) (#v_Vector: Type0) (m:t_Array (t_Array (t_PolynomialRingElement v_Vector) r) r) : Spec.MLKEM.matrix r = createi r (fun i -> to_spec_vector_t #r #v_Vector (m.[i])) -val impl_1__ZERO: +val impl_2__ZERO: #v_Vector: Type0 -> {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} -> Prims.unit -> Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_1__add_error_reduce +val impl_2__add_error_reduce (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self error: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_1__add_message_error_reduce +val impl_2__add_message_error_reduce (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self message result: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_1__add_standard_error_reduce +val impl_2__add_standard_error_reduce (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self error: t_PolynomialRingElement v_Vector) @@ -86,14 +86,14 @@ val impl_1__add_standard_error_reduce /// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise /// sum of their constituent coefficients. -val impl_1__add_to_ring_element +val impl_2__add_to_ring_element (#v_Vector: Type0) (v_K: usize) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self rhs: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_1__from_i16_array +val impl_2__from_i16_array (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (a: t_Slice i16) 
@@ -122,19 +122,19 @@ val impl_1__from_i16_array /// this function are in the Montgomery domain. /// The NIST FIPS 203 standard can be found at /// . -val impl_1__ntt_multiply +val impl_2__ntt_multiply (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self rhs: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_1__poly_barrett_reduce +val impl_2__poly_barrett_reduce (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_1__subtract_reduce +val impl_2__subtract_reduce (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self b: t_PolynomialRingElement v_Vector) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst index 4436feb6..0ed1d6eb 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst @@ -222,7 +222,7 @@ let sample_from_binomial_distribution_2_ in sampled_i16s)) in - Libcrux_ml_kem.Polynomial.impl_1__from_i16_array #v_Vector (sampled_i16s <: t_Slice i16) + Libcrux_ml_kem.Polynomial.impl_2__from_i16_array #v_Vector (sampled_i16s <: t_Slice i16) #pop-options @@ -303,7 +303,7 @@ let sample_from_binomial_distribution_3_ in sampled_i16s)) in - Libcrux_ml_kem.Polynomial.impl_1__from_i16_array #v_Vector (sampled_i16s <: t_Slice i16) + Libcrux_ml_kem.Polynomial.impl_2__from_i16_array #v_Vector (sampled_i16s <: t_Slice i16) #pop-options 
@@ -412,7 +412,7 @@ let sample_from_xof out (fun s -> let s:t_Array i16 (sz 272) = s in - Libcrux_ml_kem.Polynomial.impl_1__from_i16_array #v_Vector + Libcrux_ml_kem.Polynomial.impl_2__from_i16_array #v_Vector (s.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 256 } <: Core.Ops.Range.t_Range usize ] diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst index c0b67d1b..3d92db16 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst @@ -9,7 +9,17 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -#push-options "--admit_smt_queries true" +let to_unsigned_field_modulus + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (a: v_Vector) + = + let _:Prims.unit = reveal_opaque (`%field_modulus_range) (field_modulus_range #v_Vector) in + let result:v_Vector = Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector a in + let _:Prims.unit = admit () (* Panic freedom *) in + result let compress_then_serialize_10_ (v_OUT_LEN: usize) 
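Review bot: to_unsigned_field_modulus ends with `let _:Prims.unit = admit () (* Panic freedom *) in result`, and since `admit ()` discharges everything that follows it, the `ensures` given for it in Libcrux_ml_kem.Serialize.fsti (all 16 lanes in [0, FIELD_MODULUS)) appears to be assumed rather than proved by this body, even though every serializer in this file now leans on it after `reveal_opaque`. If `Libcrux_ml_kem.Vector.Traits.to_unsigned_representative` already carries that range in its own contract, the admit can be narrowed to what panic freedom actually needs; if not, this is where the proof argument is currently missing. The same trailing-admit shape is introduced in the compress_then_serialize_* and deserialize_* hunks below, so the `ensures` clauses added for those functions are in the same position. Worth a comment at the admit either way, e.g. `(* Range postcondition currently admitted; must follow from to_unsigned_representative's contract. *)`.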
@@ -19,23 +29,29 @@ let compress_then_serialize_10_ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + let _:Prims.unit = assert_norm (pow2 10 == 1024) in let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT - (fun serialized temp_1_ -> + (fun serialized i -> let serialized:t_Array u8 v_OUT_LEN = serialized in - let _:usize = temp_1_ in - true) + let i:usize = i in + v i >= 0 /\ v i <= 16 /\ v i < 16 ==> coefficients_field_modulus_range re) serialized (fun serialized i -> let serialized:t_Array u8 v_OUT_LEN = serialized in let i:usize = i in + let _:Prims.unit = assert (20 * v i + 20 <= 320) in + let _:Prims.unit = + reveal_opaque (`%coefficients_field_modulus_range) + (coefficients_field_modulus_range #v_Vector) + in let coefficient:v_Vector = Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector #FStar.Tactics.Typeclasses.solve 10l - (Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector + (to_unsigned_field_modulus #v_Vector (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) <: v_Vector) @@ -68,9 +84,9 @@ let compress_then_serialize_10_ in serialized) in - serialized - -#pop-options + let result:t_Array u8 v_OUT_LEN = serialized in + let _:Prims.unit = admit () (* Panic freedom *) in + result #push-options "--admit_smt_queries true" @@ -135,8 +151,6 @@ let compress_then_serialize_11_ #pop-options -#push-options "--admit_smt_queries true" - let compress_then_serialize_4_ (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] 
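Review bot: The new loop invariant `v i >= 0 /\ v i <= 16 /\ v i < 16 ==> coefficients_field_modulus_range re` carries two conjuncts implied by the third (`v i` of a usize is non-negative, and `v i < 16` subsumes `v i <= 16`); compress_then_serialize_message later in this file states the same invariant as just `v i < 16 ==> coefficients_field_modulus_range re`. The same shape recurs in the compress_then_serialize_4_ and serialize_uncompressed_ring_element hunks. If this is hax output from a Rust loop-invariant annotation, the simplification belongs in the annotation rather than in the extracted file. compress_then_serialize_10_'s signature starts outside the hunk.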
@@ -145,23 +159,29 @@ let compress_then_serialize_4_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (serialized: t_Slice u8) = - let v__serialized_len:usize = Core.Slice.impl__len #u8 serialized in + let _:Prims.unit = assert_norm (pow2 4 == 16) in let serialized:t_Slice u8 = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT (fun serialized i -> let serialized:t_Slice u8 = serialized in let i:usize = i in - (Core.Slice.impl__len #u8 serialized <: usize) =. v__serialized_len <: bool) + v i >= 0 /\ v i <= 16 /\ v i < 16 ==> + (Seq.length serialized == 128 /\ coefficients_field_modulus_range re)) serialized (fun serialized i -> let serialized:t_Slice u8 = serialized in let i:usize = i in + let _:Prims.unit = assert (8 * v i + 8 <= 128) in + let _:Prims.unit = + reveal_opaque (`%coefficients_field_modulus_range) + (coefficients_field_modulus_range #v_Vector) + in let coefficient:v_Vector = Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector #FStar.Tactics.Typeclasses.solve 4l - (Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector + (to_unsigned_field_modulus #v_Vector (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) <: v_Vector) @@ -194,11 +214,11 @@ let compress_then_serialize_4_ in serialized) in - let hax_temp_output:Prims.unit = () <: Prims.unit in + let result:Prims.unit = () <: Prims.unit in + let _:Prims.unit = admit () (* Panic freedom *) in + let hax_temp_output:Prims.unit = result in serialized -#pop-options - #push-options "--admit_smt_queries true" let compress_then_serialize_5_ 
@@ -209,14 +229,13 @@ let compress_then_serialize_5_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (serialized: t_Slice u8) = - let v__serialized_len:usize = Core.Slice.impl__len #u8 serialized in let serialized:t_Slice u8 = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT - (fun serialized i -> + (fun serialized temp_1_ -> let serialized:t_Slice u8 = serialized in - let i:usize = i in - (Core.Slice.impl__len #u8 serialized <: usize) =. v__serialized_len <: bool) + let _:usize = temp_1_ in + true) serialized (fun serialized i -> let serialized:t_Slice u8 = serialized in @@ -263,8 +282,6 @@ let compress_then_serialize_5_ #pop-options -#push-options "--admit_smt_queries true" - let compress_then_serialize_message (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -276,16 +293,21 @@ let compress_then_serialize_message let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.Folds.fold_range (sz 0) (sz 16) - (fun serialized temp_1_ -> + (fun serialized i -> let serialized:t_Array u8 (sz 32) = serialized in - let _:usize = temp_1_ in - true) + let i:usize = i in + v i < 16 ==> coefficients_field_modulus_range re) serialized (fun serialized i -> let serialized:t_Array u8 (sz 32) = serialized in let i:usize = i in + let _:Prims.unit = assert (2 * v i + 2 <= 32) in + let _:Prims.unit = + reveal_opaque (`%coefficients_field_modulus_range) + (coefficients_field_modulus_range #v_Vector) + in let coefficient:v_Vector = - Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector + to_unsigned_field_modulus #v_Vector (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) in let coefficient_compressed:v_Vector = 
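Review bot: The loop invariant of compress_then_serialize_5_ is weakened to `true` (the `Core.Slice.impl__len ... =. v__serialized_len` check is dropped together with `v__serialized_len`), while the Libcrux_ml_kem.Serialize.fsti hunk later in this diff adds an `ensures` that the output slice keeps its input length. The body stays inside the surviving `#push-options "--admit_smt_queries true"` / `#pop-options` pair, so that postcondition is currently admitted, and with the invariant at `true` it cannot become provable when the admit is lifted; the 4_ variant at least keeps `Seq.length serialized == 128` in its invariant. Suggest keeping a length conjunct here, e.g. `v i < 16 ==> Seq.length serialized == 160`. compress_then_serialize_5_'s signature starts outside the hunk.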
@@ -321,9 +343,9 @@ let compress_then_serialize_message in serialized) in - serialized - -#pop-options + let result:t_Array u8 (sz 32) = serialized in + let _:Prims.unit = admit () (* Panic freedom *) in + result let compress_then_serialize_ring_element_u (v_COMPRESSION_FACTOR v_OUT_LEN: usize) @@ -335,7 +357,8 @@ let compress_then_serialize_ring_element_u = let _:Prims.unit = assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 10) \/ - (v (cast v_COMPRESSION_FACTOR <: u32) == 11)) + (v (cast v_COMPRESSION_FACTOR <: u32) == 11)); + Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v v_COMPRESSION_FACTOR) in match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with | 10ul -> compress_then_serialize_10_ v_OUT_LEN #v_Vector re @@ -357,7 +380,8 @@ let compress_then_serialize_ring_element_v = let _:Prims.unit = assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 4) \/ - (v (cast v_COMPRESSION_FACTOR <: u32) == 5)) + (v (cast v_COMPRESSION_FACTOR <: u32) == 5)); + Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v v_COMPRESSION_FACTOR) in let out, hax_temp_output:(t_Slice u8 & Prims.unit) = match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with @@ -385,7 +409,7 @@ let deserialize_then_decompress_10_ assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 10) /! sz 8) == 320) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () in let v__coefficients_length:usize = Core.Slice.impl__len #v_Vector (re.Libcrux_ml_kem.Polynomial.f_coefficients <: t_Slice v_Vector) 
@@ -439,7 +463,7 @@ let deserialize_then_decompress_11_ assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 11) /! sz 8) == 352) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 22) @@ -490,7 +514,7 @@ let deserialize_then_decompress_4_ assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 4) /! sz 8) == 128) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 8) @@ -541,7 +565,7 @@ let deserialize_then_decompress_5_ assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 5) /! sz 8) == 160) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 10) @@ -593,8 +617,6 @@ let deserialize_then_decompress_5_ in re -#push-options "--admit_smt_queries true" - let deserialize_then_decompress_message (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -603,7 +625,7 @@ let deserialize_then_decompress_message (serialized: t_Array u8 (sz 32)) = let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) 
@@ -645,9 +667,9 @@ let deserialize_then_decompress_message in re) in - re - -#pop-options + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let _:Prims.unit = admit () (* Panic freedom *) in + result let deserialize_then_decompress_ring_element_u (v_COMPRESSION_FACTOR: usize) @@ -691,8 +713,6 @@ let deserialize_then_decompress_ring_element_v <: Rust_primitives.Hax.t_Never) -#push-options "--admit_smt_queries true" - let deserialize_to_reduced_ring_element (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -702,7 +722,7 @@ let deserialize_to_reduced_ring_element = let _:Prims.unit = assert (v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT / 24 == 16) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 24) @@ -739,9 +759,9 @@ let deserialize_to_reduced_ring_element in re) in - re - -#pop-options + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let _:Prims.unit = admit () (* Panic freedom *) in + result let deserialize_ring_elements_reduced (v_K: usize) 
@@ -750,16 +770,8 @@ let deserialize_ring_elements_reduced i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (public_key: t_Slice u8) + (deserialized_pk: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) = - let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K - (fun v__i -> - let v__i:usize = v__i in - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT public_key @@ -785,6 +797,29 @@ let deserialize_ring_elements_reduced <: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) in + let hax_temp_output:Prims.unit = () <: Prims.unit in + deserialized_pk + +let deserialize_ring_elements_reduced_out + (v_K: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (public_key: t_Slice u8) + = + let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K + (fun v__i -> + let v__i:usize = v__i in + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + deserialize_ring_elements_reduced v_K #v_Vector public_key deserialized_pk + in deserialized_pk let deserialize_to_uncompressed_ring_element 
@@ -796,7 +831,7 @@ let deserialize_to_uncompressed_ring_element = let _:Prims.unit = assert (v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT / 24 == 16) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_1__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 24) @@ -829,8 +864,6 @@ let deserialize_to_uncompressed_ring_element in re -#push-options "--admit_smt_queries true" - let serialize_uncompressed_ring_element (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -838,20 +871,26 @@ let serialize_uncompressed_ring_element Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + let _:Prims.unit = assert_norm (pow2 12 == 4096) in let serialized:t_Array u8 (sz 384) = Rust_primitives.Hax.repeat 0uy (sz 384) in let serialized:t_Array u8 (sz 384) = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT - (fun serialized temp_1_ -> + (fun serialized i -> let serialized:t_Array u8 (sz 384) = serialized in - let _:usize = temp_1_ in - true) + let i:usize = i in + v i >= 0 /\ v i <= 16 /\ v i < 16 ==> coefficients_field_modulus_range re) serialized (fun serialized i -> let serialized:t_Array u8 (sz 384) = serialized in let i:usize = i in + let _:Prims.unit = assert (24 * v i + 24 <= 384) in + let _:Prims.unit = + reveal_opaque (`%coefficients_field_modulus_range) + (coefficients_field_modulus_range #v_Vector) + in let coefficient:v_Vector = - Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector + to_unsigned_field_modulus #v_Vector (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) in let bytes:t_Array u8 (sz 24) = 
@@ -882,6 +921,6 @@ let serialize_uncompressed_ring_element in serialized) in - serialized - -#pop-options + let result:t_Array u8 (sz 384) = serialized in + let _:Prims.unit = admit () (* Panic freedom *) in + result diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti index 4f60485f..2d1d6418 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti 
@@ -9,19 +9,50 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +[@@ "opaque_to_smt"] +let field_modulus_range (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (a: v_Vector) = + let coef = Libcrux_ml_kem.Vector.Traits.f_to_i16_array a in + forall (i:nat). i < 16 ==> v (Seq.index coef i) > -(v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) /\ + v (Seq.index coef i) < v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS + +[@@ "opaque_to_smt"] +let coefficients_field_modulus_range (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + forall (i:nat). i < 16 ==> field_modulus_range (Seq.index re.f_coefficients i) + +val to_unsigned_field_modulus + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (a: v_Vector) + : Prims.Pure v_Vector + (requires field_modulus_range a) + (ensures + fun result -> + let result:v_Vector = result in + forall (i: nat). + i < 16 ==> + v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array result) i) >= 0 /\ + v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array result) i) < + v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) + val compress_then_serialize_10_ (v_OUT_LEN: usize) (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - : Prims.Pure (t_Array u8 v_OUT_LEN) (requires v_OUT_LEN =. sz 320) (fun _ -> Prims.l_True) + : Prims.Pure (t_Array u8 v_OUT_LEN) + (requires v v_OUT_LEN == 320 /\ coefficients_field_modulus_range re) + (fun _ -> Prims.l_True) val compress_then_serialize_11_ (v_OUT_LEN: usize) (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - : Prims.Pure (t_Array u8 v_OUT_LEN) (requires v_OUT_LEN =. 
sz 352) (fun _ -> Prims.l_True) + : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) val compress_then_serialize_4_ (#v_Vector: Type0) @@ -29,8 +60,11 @@ val compress_then_serialize_4_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (serialized: t_Slice u8) : Prims.Pure (t_Slice u8) - (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 128) - (fun _ -> Prims.l_True) + (requires Seq.length serialized == 128 /\ coefficients_field_modulus_range re) + (ensures + fun serialized_future -> + let serialized_future:t_Slice u8 = serialized_future in + Core.Slice.impl__len #u8 serialized_future == Core.Slice.impl__len #u8 serialized) val compress_then_serialize_5_ (#v_Vector: Type0) @@ -39,13 +73,18 @@ val compress_then_serialize_5_ (serialized: t_Slice u8) : Prims.Pure (t_Slice u8) (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 160) - (fun _ -> Prims.l_True) + (ensures + fun serialized_future -> + let serialized_future:t_Slice u8 = serialized_future in + Core.Slice.impl__len #u8 serialized_future == Core.Slice.impl__len #u8 serialized) val compress_then_serialize_message (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (t_Array u8 (sz 32)) + (requires coefficients_field_modulus_range re) + (fun _ -> Prims.l_True) val compress_then_serialize_ring_element_u (v_COMPRESSION_FACTOR v_OUT_LEN: usize) 
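Review bot: compress_then_serialize_11_ loses its `requires v_OUT_LEN =. sz 352` and is now declared with `Prims.l_True`, while the sibling compress_then_serialize_10_ in the same hunk gains `requires v v_OUT_LEN == 320 /\ coefficients_field_modulus_range re`. The one caller visible, compress_then_serialize_ring_element_u, still pins `v v_OUT_LEN == 32 * v v_COMPRESSION_FACTOR`, so callers on that path are unaffected, but the declaration now accepts any output length for a body that remains under `--admit_smt_queries true` in Libcrux_ml_kem.Serialize.fst, so nothing checks the size at all. Suggest mirroring the 10_ form: `(requires v v_OUT_LEN == 352 /\ coefficients_field_modulus_range re)`.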
@@ -54,8 +93,8 @@ val compress_then_serialize_ring_element_u (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) : Prims.Pure (t_Array u8 v_OUT_LEN) (requires - (v_COMPRESSION_FACTOR =. sz 10 || v_COMPRESSION_FACTOR =. sz 11) && - v_OUT_LEN =. (sz 32 *! v_COMPRESSION_FACTOR <: usize)) + (v v_COMPRESSION_FACTOR == 10 \/ v v_COMPRESSION_FACTOR == 11) /\ + v v_OUT_LEN == 32 * v v_COMPRESSION_FACTOR /\ coefficients_field_modulus_range re) (fun _ -> Prims.l_True) val compress_then_serialize_ring_element_v @@ -66,9 +105,9 @@ val compress_then_serialize_ring_element_v (out: t_Slice u8) : Prims.Pure (t_Slice u8) (requires - (v_COMPRESSION_FACTOR =. sz 4 || v_COMPRESSION_FACTOR =. sz 5) && - v_OUT_LEN =. (sz 32 *! v_COMPRESSION_FACTOR <: usize) && - (Core.Slice.impl__len #u8 out <: usize) =. v_OUT_LEN) + (v v_COMPRESSION_FACTOR == 4 \/ v v_COMPRESSION_FACTOR == 5) /\ + v v_OUT_LEN == 32 * v v_COMPRESSION_FACTOR /\ Seq.length out == v v_OUT_LEN /\ + coefficients_field_modulus_range re) (ensures fun out_future -> let out_future:t_Slice u8 = out_future in 
@@ -148,10 +187,23 @@ val deserialize_to_reduced_ring_element Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT) (fun _ -> Prims.l_True) +/// See [deserialize_ring_elements_reduced_out]. +val deserialize_ring_elements_reduced + (v_K: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (public_key: t_Slice u8) + (deserialized_pk: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (requires + Spec.MLKEM.is_rank v_K /\ + Seq.length public_key == v (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)) + (fun _ -> Prims.l_True) + /// This function deserializes ring elements and reduces the result by the field /// modulus. /// This function MUST NOT be used on secret inputs. -val deserialize_ring_elements_reduced +val deserialize_ring_elements_reduced_out (v_K: usize) (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} @@ -176,4 +228,6 @@ val serialize_uncompressed_ring_element (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - : Prims.Pure (t_Array u8 (sz 384)) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (t_Array u8 (sz 384)) + (requires coefficients_field_modulus_range re) + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst index 8a875c82..75ff693e 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst 
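Review bot: The `/// This function MUST NOT be used on secret inputs.` warning now sits only on deserialize_ring_elements_reduced_out, while the new deserialize_ring_elements_reduced, which does the actual work and is the one a future caller with a preallocated array will reach for, carries only `/// See [deserialize_ring_elements_reduced_out].` A "see" pointer is easy to skip, and this warning is the kind that should travel with the code; repeat it on the inner declaration, e.g. `/// Deserializes ring elements from public_key into deserialized_pk, reducing by the field modulus. This function MUST NOT be used on secret inputs.` The new `requires` also says nothing about `deserialized_pk`; if the body overwrites every element, a sentence saying so would spare readers checking whether stale contents can leak through.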
@@ -3,25 +3,25 @@ module Libcrux_ml_kem.Types
 open Core open FStar.Mul
-let impl_5__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE
+let impl_6__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE
-let impl_11__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE
+let impl_13__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE
-let impl_17__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE
+let impl_20__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE
-let impl_5__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) = self.f_value
+let impl_6__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) = self.f_value
-let impl_11__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) = self.f_value
+let impl_13__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) = self.f_value
-let impl_17__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) = self.f_value
+let impl_20__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) = self.f_value
-let impl_18__from
+let impl_21__from
 (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (sk: t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) (pk: t_MlKemPublicKey v_PUBLIC_KEY_SIZE) = { f_sk = sk; f_pk = pk } <: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE
-let impl_18__into_parts
+let impl_21__into_parts
 (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) =
@@ -29,7 +29,7 @@ let impl_18__into_parts
 <: (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
-let impl_18__new
+let impl_21__new
 (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (sk: t_Array u8 v_PRIVATE_KEY_SIZE) (pk: t_Array u8 v_PUBLIC_KEY_SIZE)
@@ -51,22 +51,22 @@ let impl_18__new
 <: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE
-let impl_18__pk
+let impl_21__pk
 (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
- = impl_17__as_slice v_PUBLIC_KEY_SIZE self.f_pk
+ = impl_20__as_slice v_PUBLIC_KEY_SIZE self.f_pk
-let impl_18__private_key
+let impl_21__private_key
 (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) = self.f_sk
-let impl_18__public_key
+let impl_21__public_key
 (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) = self.f_pk
-let impl_18__sk
+let impl_21__sk
 (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
- = impl_11__as_slice v_PRIVATE_KEY_SIZE self.f_sk
+ = impl_13__as_slice v_PRIVATE_KEY_SIZE self.f_sk
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti
index bdc6f41f..4435312b 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti
@@ -4,22 +4,33 @@ open Core open FStar.Mul /// The number of bytes -val impl_5__len: v_SIZE: usize -> Prims.unit +val impl_6__len: v_SIZE: usize -> Prims.unit -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) /// The number of bytes -val impl_11__len: v_SIZE: usize -> Prims.unit +val impl_13__len: v_SIZE: usize -> Prims.unit -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) /// The number of bytes -val impl_17__len: v_SIZE: usize -> Prims.unit +val impl_20__len: v_SIZE: usize -> Prims.unit -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) ///An ML-KEM Ciphertext type t_MlKemCiphertext (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_Slice u8) = +let impl (v_SIZE: usize) : Core.Default.t_Default (t_MlKemCiphertext v_SIZE) = + { + f_default_pre = (fun (_: Prims.unit) -> true); + f_default_post = (fun (_: Prims.unit) (out: t_MlKemCiphertext v_SIZE) -> true); + f_default + = + fun (_: Prims.unit) -> + { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemCiphertext v_SIZE + } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_1 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_Slice u8) = { f_as_ref_pre = (fun (self: t_MlKemCiphertext v_SIZE) -> true); f_as_ref_post = (fun (self: t_MlKemCiphertext v_SIZE) (out: t_Slice u8) -> true); @@ -27,7 +38,7 @@ let impl (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_Sl } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_1 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) = +let impl_2 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemCiphertext v_SIZE) -> true); 
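Review bot: The new `Core.Default.t_Default` instance for `t_MlKemCiphertext` builds its value from `Rust_primitives.Hax.repeat 0uy v_SIZE`, an all-zero buffer, and the later hunks add the identical instance for `t_MlKemPrivateKey` (`impl_7`) and `t_MlKemPublicKey` (`impl_14`). Nothing documents that these defaults are placeholders rather than usable key material, which matters most for the private-key type. A `///` line on each, e.g. `/// Default: an all-zero buffer meant only as a placeholder to be overwritten; never a valid key or ciphertext.`, would make that explicit (in the Rust source if this file is generated). `f_default_post` is left as `true`, so callers cannot even conclude from the spec that the buffer is zeroed; tightening it is optional.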
@@ -35,7 +46,7 @@ let impl_1 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_2 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) = +let impl_3 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemCiphertext v_SIZE) -> true); @@ -48,7 +59,7 @@ let impl_2 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_3 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemCiphertext v_SIZE) = +let impl_4 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemCiphertext v_SIZE) = { f_from_pre = (fun (value: t_MlKemCiphertext v_SIZE) -> true); f_from_post = (fun (value: t_MlKemCiphertext v_SIZE) (out: t_Array u8 v_SIZE) -> true); @@ -56,7 +67,7 @@ let impl_3 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemCip } /// A reference to the raw byte slice. -val impl_5__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) +val impl_6__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (ensures 
@@ -68,7 +79,18 @@ val impl_5__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) type t_MlKemPrivateKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_6 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_Slice u8) = +let impl_7 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPrivateKey v_SIZE) = + { + f_default_pre = (fun (_: Prims.unit) -> true); + f_default_post = (fun (_: Prims.unit) (out: t_MlKemPrivateKey v_SIZE) -> true); + f_default + = + fun (_: Prims.unit) -> + { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPrivateKey v_SIZE + } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_8 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_Slice u8) = { f_as_ref_pre = (fun (self: t_MlKemPrivateKey v_SIZE) -> true); f_as_ref_post = (fun (self: t_MlKemPrivateKey v_SIZE) (out: t_Slice u8) -> true); @@ -76,7 +98,7 @@ let impl_6 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_ } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_7 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) = +let impl_9 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPrivateKey v_SIZE) -> true); @@ -84,7 +106,7 @@ let impl_7 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_8 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) = +let impl_10 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPrivateKey v_SIZE) -> true); 
@@ -97,7 +119,7 @@ let impl_8 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_9 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPrivateKey v_SIZE) = +let impl_11 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPrivateKey v_SIZE) = { f_from_pre = (fun (value: t_MlKemPrivateKey v_SIZE) -> true); f_from_post = (fun (value: t_MlKemPrivateKey v_SIZE) (out: t_Array u8 v_SIZE) -> true); @@ -105,7 +127,7 @@ let impl_9 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPri } /// A reference to the raw byte slice. -val impl_11__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) +val impl_13__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (ensures @@ -117,7 +139,18 @@ val impl_11__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) type t_MlKemPublicKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_12 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_Slice u8) = +let impl_14 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPublicKey v_SIZE) = + { + f_default_pre = (fun (_: Prims.unit) -> true); + f_default_post = (fun (_: Prims.unit) (out: t_MlKemPublicKey v_SIZE) -> true); + f_default + = + fun (_: Prims.unit) -> + { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPublicKey v_SIZE + } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_15 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_Slice u8) = { f_as_ref_pre = (fun (self: t_MlKemPublicKey v_SIZE) -> true); f_as_ref_post = (fun (self: t_MlKemPublicKey v_SIZE) (out: t_Slice u8) -> true); 
@@ -125,7 +158,7 @@ let impl_12 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_ } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_13 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) = +let impl_16 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPublicKey v_SIZE) -> true); @@ -133,7 +166,7 @@ let impl_13 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_14 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) = +let impl_17 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPublicKey v_SIZE) -> true); @@ -146,7 +179,7 @@ let impl_14 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_15 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPublicKey v_SIZE) = +let impl_18 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPublicKey v_SIZE) = { f_from_pre = (fun (value: t_MlKemPublicKey v_SIZE) -> true); f_from_post = (fun (value: t_MlKemPublicKey v_SIZE) (out: t_Array u8 v_SIZE) -> true); @@ -154,7 +187,7 @@ let impl_15 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPu } /// A reference to the raw byte slice. -val impl_17__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) +val impl_20__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (ensures 
@@ -163,7 +196,7 @@ val impl_17__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) result == self.f_value) [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_4 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemCiphertext v_SIZE) (t_Slice u8) = +let impl_5 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemCiphertext v_SIZE) (t_Slice u8) = { f_Error = Core.Array.t_TryFromSliceError; f_try_from_pre = (fun (value: t_Slice u8) -> true); @@ -194,7 +227,7 @@ let impl_4 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemCiphertext v_SIZE) ( } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_10 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPrivateKey v_SIZE) (t_Slice u8) = +let impl_12 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPrivateKey v_SIZE) (t_Slice u8) = { f_Error = Core.Array.t_TryFromSliceError; f_try_from_pre = (fun (value: t_Slice u8) -> true); @@ -225,7 +258,7 @@ let impl_10 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPrivateKey v_SIZE) } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_16 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPublicKey v_SIZE) (t_Slice u8) = +let impl_19 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPublicKey v_SIZE) (t_Slice u8) = { f_Error = Core.Array.t_TryFromSliceError; f_try_from_pre = (fun (value: t_Slice u8) -> true); @@ -262,7 +295,7 @@ type t_MlKemKeyPair (v_PRIVATE_KEY_SIZE: usize) (v_PUBLIC_KEY_SIZE: usize) = { } /// Create a new [`MlKemKeyPair`] from the secret and public key. -val impl_18__from +val impl_21__from (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (sk: t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) (pk: t_MlKemPublicKey v_PUBLIC_KEY_SIZE) 
@@ -274,7 +307,7 @@ val impl_18__from result.f_sk == sk /\ result.f_pk == pk) /// Separate this key into the public and private key. -val impl_18__into_parts +val impl_21__into_parts (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : Prims.Pure (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE) @@ -282,7 +315,7 @@ val impl_18__into_parts (fun _ -> Prims.l_True) /// Creates a new [`MlKemKeyPair`]. -val impl_18__new +val impl_21__new (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (sk: t_Array u8 v_PRIVATE_KEY_SIZE) (pk: t_Array u8 v_PUBLIC_KEY_SIZE) @@ -291,25 +324,25 @@ val impl_18__new (fun _ -> Prims.l_True) /// Get a reference to the raw public key bytes. -val impl_18__pk +val impl_21__pk (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) /// Get a reference to the [`MlKemPrivateKey`]. -val impl_18__private_key +val impl_21__private_key (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : Prims.Pure (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) /// Get a reference to the [`MlKemPublicKey`]. -val impl_18__public_key +val impl_21__public_key (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : Prims.Pure (t_MlKemPublicKey v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) /// Get a reference to the raw private key bytes. -val impl_18__sk +val impl_21__sk (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : Prims.Pure (t_Array u8 v_PRIVATE_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst
index 51a1a9da..5ab43253 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst
@@ -11,7 +11,6 @@ let _ = ()
 [@@"opaque_to_smt"]
-
 let deserialize_1___deserialize_1_i16s (a b: i16) = let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 b b b b b b b b a a a a a a a a
@@ -28,7 +27,6 @@ let deserialize_1___deserialize_1_i16s (a b: i16) =
 Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 15l coefficients_in_msb [@@"opaque_to_smt"]
-
 let deserialize_1___deserialize_1_u8s (a b: u8) = deserialize_1___deserialize_1_i16s (cast (a <: u8) <: i16) (cast (b <: u8) <: i16)
@@ -38,7 +36,6 @@ let deserialize_1_ (bytes: t_Slice u8) =
 deserialize_1___deserialize_1_u8s (bytes.[ sz 0 ] <: u8) (bytes.[ sz 1 ] <: u8) [@@"opaque_to_smt"]
-
 let deserialize_4___deserialize_4_i16s (b0 b1 b2 b3 b4 b5 b6 b7: i16) = let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 b7 b7 b6 b6 b5 b5 b4 b4 b3 b3 b2 b2 b1 b1 b0 b0
@@ -62,7 +59,6 @@ let deserialize_4___deserialize_4_i16s (b0 b1 b2 b3 b4 b5 b6 b7: i16) =
 Libcrux_intrinsics.Avx2_extract.t_Vec256) [@@"opaque_to_smt"]
-
 let deserialize_4___deserialize_4_u8s (b0 b1 b2 b3 b4 b5 b6 b7: u8) = deserialize_4___deserialize_4_i16s (cast (b0 <: u8) <: i16) (cast (b1 <: u8) <: i16)
@@ -169,6 +165,48 @@ let serialize_10___serialize_10_vec (vector: Libcrux_intrinsics.Avx2_extract.t_V #push-options "--ext context_pruning --split_queries always" +let serialize_12___serialize_12_vec (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + mm256_concat_pairs_n 12uy vector + in + let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 adjacent_2_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 8l 0l 8l 0l 8l 0l 8l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 8l adjacent_4_combined + in + let adjacent_8_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_4_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) 13y 12y 11y 10y 9y 8y + 5y 4y 3y 2y 1y 0y (-1y) (-1y) (-1y) (-1y) 13y 12y 11y 10y 9y 8y 5y 4y 3y 2y 1y 0y + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let lower_8_:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_8_combined + in + let upper_8_:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_8_combined + in + let _:Prims.unit = + introduce forall (i: nat{i < 96}) . lower_8_ i = vector ((i / 12) * 16 + i % 12) + with assert_norm (BitVec.Utils.forall_n 96 + (fun i -> lower_8_ i = vector ((i / 12) * 16 + i % 12))); + introduce forall (i: nat{i < 96}) . 
upper_8_ i = vector (128 + (i / 12) * 16 + i % 12) + with assert_norm (BitVec.Utils.forall_n 96 + (fun i -> upper_8_ i = vector (128 + (i / 12) * 16 + i % 12))) + in + lower_8_, upper_8_ + <: + (Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128) + +#pop-options + +#push-options "--ext context_pruning --split_queries always" + let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let lower_8_, upper_8_:(Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128) = @@ -224,37 +262,13 @@ let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = #pop-options +#push-options "--ext context_pruning --split_queries always" + let serialize_12_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in - let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 vector - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < + let lower_8_, upper_8_:(Libcrux_intrinsics.Avx2_extract.t_Vec128 & + Libcrux_intrinsics.Avx2_extract.t_Vec128) = + temp_0_ + in + forall (i: nat{i < 192}). + vector ((i / 12) * 16 + i % 12) == (if i < 96 then lower_8_ i else upper_8_ (i - 96))) + val serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure (t_Array u8 (sz 20)) (requires forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0) 
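Review bot: `serialize_12___serialize_12_vec` has no doc comment, and its contract is recoverable only from the two `introduce forall ... with assert_norm` steps; a reader has to decode `(i / 12) * 16 + i % 12` to learn that bit `i` of `lower_8_` is bit `i % 12` of lane `i / 12`, with `upper_8_` taking the same from bit 128 on. Suggest `/// Packs the low 12 bits of each of the 16 lanes of `vector` into two 96-bit halves: bit i of lower_8_ (i < 96) is bit (i/12)*16 + i%12 of the input, upper_8_ the same starting at bit 128.` Whether the helper itself relies on the `i % 16 < 12 || vector i = 0` precondition that the interface places on `serialize_12_` cannot be told from this hunk, since the sibling `val` further down the page is truncated. The hunk opens inside a `#push-options` block that begins before it.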
@@ -142,7 +155,12 @@ val serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) forall (i: nat{i < 160}). bit_vec_of_int_t_array r 8 i == vector ((i / 10) * 16 + i % 10)) val serialize_12_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (t_Array u8 (sz 24)) + (requires forall (i: nat{i < 256}). i % 16 < 12 || vector i = 0) + (ensures + fun r -> + let r:t_Array u8 (sz 24) = r in + forall (i: nat{i < 192}). bit_vec_of_int_t_array r 8 i == vector ((i / 12) * 16 + i % 12)) val serialize_5_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti index 0596f548..3217ddbc 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti @@ -10,6 +10,7 @@ let _ = () noeq + type t_SIMD256Vector = { f_elements:Libcrux_intrinsics.Avx2_extract.t_Vec256 } let repr (x:t_SIMD256Vector) : t_Array i16 (sz 16) = Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 x.f_elements @@ -203,11 +204,20 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = } <: t_SIMD256Vector); - f_compress_1_pre = (fun (vector: t_SIMD256Vector) -> true); - f_compress_1_post = (fun (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> true); + f_compress_1_pre + = + (fun (vector: t_SIMD256Vector) -> + forall (i: nat). + i < 16 ==> + v (Seq.index (impl.f_repr vector) i) >= 0 /\ v (Seq.index (impl.f_repr vector) i) < 3329); + f_compress_1_post + = + (fun (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> + forall (i: nat). i < 16 ==> bounded (Seq.index (impl.f_repr out) i) 1); f_compress_1_ = (fun (vector: t_SIMD256Vector) -> + let _:Prims.unit = admit () in { f_elements = 
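Review bot: The new `f_compress_1_post` bound is discharged by `let _:Prims.unit = admit () in` rather than proven, so the AVX2 `compress_1_` contract is now stated but assumed; the `f_compress` hunk on the next line does the same. Since the portable implementation in this same change proves the corresponding bounds with explicit loop invariants, the AVX2 gap is easy to overlook later; a marker next to the `admit ()` such as `(* TODO(proof): AVX2 compress_1 postcondition is admitted, not yet verified; the portable path is proven *)` keeps it visible (if the file is regenerated from Rust, the marker belongs in the source annotation). The enclosing `impl_3` instance starts and ends outside the hunk.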
@@ -218,14 +228,23 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_compress_pre = (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) -> - v_COEFFICIENT_BITS =. 4l || v_COEFFICIENT_BITS =. 5l || v_COEFFICIENT_BITS =. 10l || - v_COEFFICIENT_BITS =. 11l); + (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/ + v v_COEFFICIENT_BITS == 11) /\ + (forall (i: nat). + i < 16 ==> + v (Seq.index (impl.f_repr vector) i) >= 0 /\ v (Seq.index (impl.f_repr vector) i) < 3329 + )); f_compress_post = - (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> true); + (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> + (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/ + v v_COEFFICIENT_BITS == 11) ==> + (forall (i: nat). i < 16 ==> bounded (Seq.index (impl.f_repr out) i) (v v_COEFFICIENT_BITS)) + ); f_compress = (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) -> + let _:Prims.unit = admit () in { f_elements = @@ -442,7 +461,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_serialize_1_ = (fun (vector: t_SIMD256Vector) -> - admit (); Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_1_ vector.f_elements); f_deserialize_1_pre = @@ -454,7 +472,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_deserialize_1_ = (fun (bytes: t_Slice u8) -> - admit (); { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_1_ bytes } <: t_SIMD256Vector); diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst index 1d8993c9..8bda725b 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst 
@@ -22,78 +22,146 @@ let compress_message_coefficient (fe: u16) = let shifted_positive_in_range:i16 = shifted_to_positive -! 832s in cast ((shifted_positive_in_range >>! 15l <: i16) &. 1s <: i16) <: u8 +#push-options "--fuel 0 --ifuel 0 --z3rlimit 2000" + let compress (v_COEFFICIENT_BITS: i32) - (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + let _:Prims.unit = + assert (v (cast (v_COEFFICIENT_BITS) <: u8) == v v_COEFFICIENT_BITS); + assert (v (cast (v_COEFFICIENT_BITS) <: u32) == v v_COEFFICIENT_BITS) + in + let _:Prims.unit = + assert (forall (i: nat). + i < 16 ==> + (cast (a.f_elements.[ sz i ]) <: u16) <. + (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16)) + in + let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun v temp_1_ -> - let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in - let _:usize = temp_1_ in - true) - v - (fun v i -> - let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + (fun a i -> + let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in + let i:usize = i in + (v i < 16 ==> + (forall (j: nat). + (j >= v i /\ j < 16) ==> + v (cast (a.f_elements.[ sz j ]) <: u16) < + v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16))) /\ + (forall (j: nat). 
+ j < v i ==> + v (a.f_elements.[ sz j ] <: i16) >= 0 /\ + v (a.f_elements.[ sz j ] <: i16) < pow2 (v (cast (v_COEFFICIENT_BITS) <: u32)))) + a + (fun a i -> + let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in let i:usize = i in - { - v with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - (compress_ciphertext_coefficient (cast (v_COEFFICIENT_BITS <: i32) <: u8) - (cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) - <: - u16) - <: - i16) + let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + a with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize a + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + (compress_ciphertext_coefficient (cast (v_COEFFICIENT_BITS <: i32) <: u8) + (cast (a.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) + <: + u16) + <: + i16) + } <: - t_Array i16 (sz 16) - } - <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let _:Prims.unit = + assert (v (a.f_elements.[ i ] <: i16) >= 0 /\ + v (a.f_elements.[ i ] <: i16) < pow2 (v (cast (v_COEFFICIENT_BITS) <: u32))) + in + a) in - v + let _:Prims.unit = + assert (forall (i: nat). + i < 16 ==> + v (a.f_elements.[ sz i ] <: i16) >= 0 /\ + v (a.f_elements.[ sz i ] <: i16) < pow2 (v v_COEFFICIENT_BITS)) + in + a -let compress_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = +#pop-options + +#push-options "--fuel 0 --ifuel 0 --z3rlimit 2000" + +let compress_message_coefficient_range_helper (fe: u16) : Lemma + (requires fe <. 
(cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16)) + (ensures v (cast (compress_message_coefficient fe) <: i16) >= 0 /\ + v (cast (compress_message_coefficient fe) <: i16) < 2) = + assert (v (cast (compress_message_coefficient fe) <: i16) >= 0 /\ + v (cast (compress_message_coefficient fe) <: i16) < 2) + +let compress_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let _:Prims.unit = + assert (forall (i: nat). + i < 16 ==> + (cast (a.f_elements.[ sz i ]) <: u16) <. + (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16)) + in + let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun v temp_1_ -> - let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in - let _:usize = temp_1_ in - true) - v - (fun v i -> - let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + (fun a i -> + let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in + let i:usize = i in + (v i < 16 ==> + (forall (j: nat). + (j >= v i /\ j < 16) ==> + v (cast (a.f_elements.[ sz j ]) <: u16) < + v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16))) /\ + (forall (j: nat). 
+ j < v i ==> + v (a.f_elements.[ sz j ] <: i16) >= 0 /\ v (a.f_elements.[ sz j ] <: i16) < 2)) + a + (fun a i -> + let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in let i:usize = i in - { - v with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - (cast (compress_message_coefficient (cast (v - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] - <: - i16) - <: - u16) - <: - u8) - <: - i16) + let _:Prims.unit = + compress_message_coefficient_range_helper (cast (a.f_elements.[ i ]) <: u16) + in + let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + a with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize a + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + (cast (compress_message_coefficient (cast (a + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + <: + i16) + <: + u16) + <: + u8) + <: + i16) + } <: - t_Array i16 (sz 16) - } - <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let _:Prims.unit = + assert (v (a.f_elements.[ i ] <: i16) >= 0 /\ v (a.f_elements.[ i ] <: i16) < 2) + in + a) in - v + let _:Prims.unit = + assert (forall (i: nat). + i < 16 ==> v (a.f_elements.[ sz i ] <: i16) >= 0 /\ v (a.f_elements.[ sz i ] <: i16) < 2) + in + a + +#pop-options let decompress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti index 4a89ca30..93833097 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti 
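Review bot: The vector parameter of `compress` and `compress_1_` is renamed from `v` to `a`; this is required rather than cosmetic, because the new invariants use `v` as the machine-integer-to-integer coercion (`v i < 16`, `v (cast ...)`, `v v_COEFFICIENT_BITS`), and the old name would have shadowed it. Nothing in the hunk records that, so a future regeneration that restores `v` would break the proof; a comment at the `compress` signature such as `(* parameter is named `a`, not `v`: `v` is the integer coercion used in the loop invariants *)`, or the equivalent note in the Rust source, would prevent it. The `#push-options "--fuel 0 --ifuel 0 --z3rlimit 2000"` on both blocks also deserves a word on why the limit is that high. The hunk ends at `#pop-options`; `decompress_ciphertext_coefficient` continues outside it.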
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti @@ -47,15 +47,32 @@ val compress_message_coefficient (fe: u16) val compress (v_COEFFICIENT_BITS: i32) - (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - Prims.l_True - (fun _ -> Prims.l_True) + (requires + (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/ + v v_COEFFICIENT_BITS == 11) /\ + (forall (i: nat). + i < 16 ==> v (Seq.index a.f_elements i) >= 0 /\ v (Seq.index a.f_elements i) < 3329)) + (ensures + fun result -> + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in + forall (i: nat). + i < 16 ==> + v (result.f_elements.[ sz i ] <: i16) >= 0 /\ + v (result.f_elements.[ sz i ] <: i16) < pow2 (v v_COEFFICIENT_BITS)) -val compress_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) +val compress_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - Prims.l_True - (fun _ -> Prims.l_True) + (requires + forall (i: nat). + i < 16 ==> v (Seq.index a.f_elements i) >= 0 /\ v (Seq.index a.f_elements i) < 3329) + (ensures + fun result -> + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in + forall (i: nat). + i < 16 ==> + v (result.f_elements.[ sz i ] <: i16) >= 0 /\ v (result.f_elements.[ sz i ] <: i16) < 2) val decompress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst index b676b472..37ca063e 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst 
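Review bot: The new preconditions spell the field modulus as the literal `3329` (twice in `compress`, once in `compress_1_`), while the implementation in Compress.fst compares against `Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS`; the AVX2 interface hunks above use the literal as well. If the Traits module is visible from this interface, `v (Seq.index a.f_elements i) < v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS` keeps a single source of truth for the constant; otherwise a `///` line naming the bound as the ML-KEM modulus q would at least explain the number. The `val decompress_ciphertext_coefficient` at the end continues outside the hunk.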
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst
@@ -418,6 +418,9 @@ let deserialize_1_lemma inputs =
 #pop-options
+let deserialize_1_bounded_lemma inputs =
+ admit()
+
 let deserialize_10_ (bytes: t_Slice u8) = let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = deserialize_10_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 10 }
@@ -469,6 +472,9 @@ let deserialize_10_lemma inputs =
 #pop-options
+let deserialize_10_bounded_lemma inputs =
+ admit()
+
 let deserialize_12_ (bytes: t_Slice u8) = let v0_1_:(i16 & i16) = deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 3 }
@@ -562,6 +568,9 @@ let deserialize_12_lemma inputs =
 #pop-options
+let deserialize_12_bounded_lemma inputs =
+ admit()
+
 let deserialize_4_ (bytes: t_Slice u8) = let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = deserialize_4_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 4 }
@@ -613,6 +622,9 @@ let deserialize_4_lemma inputs =
 #pop-options
+let deserialize_4_bounded_lemma inputs =
+ admit()
+
 let serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = let result0:u8 = (((((((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 0 ] <: i16) <: u8) |.
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fsti
index 856f8399..97118a4c 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fsti
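Review bot: All four `deserialize_*_bounded_lemma` definitions are `admit()`, while the interface hunks that follow export them as proven facts about `bounded (Seq.index ...)`, so any proof that consumes them — the AVX2 compress contracts in this same change use the same `bounded` predicate — rests on an assumption. The same applies to the three later hunks in this file. A comment above each body, e.g. `(* TODO(proof): bound on deserialized coefficients is assumed here, not yet proven *)`, distinguishes a deliberate stub from a finished proof, and a reference to the tracking item, if one exists, would tell the next reader whether the gap is owned.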
@@ -77,6 +77,9 @@ val deserialize_1_ (v: t_Slice u8)
 val deserialize_1_lemma (inputs: t_Array u8 (sz 2)) : Lemma
 (ensures bit_vec_of_int_t_array (deserialize_1_ inputs).f_elements 1 == bit_vec_of_int_t_array inputs 8)
+val deserialize_1_bounded_lemma (inputs: t_Array u8 (sz 2)) : Lemma
+ (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_1_ inputs).f_elements i) 1)
+
 val deserialize_10_ (bytes: t_Slice u8)
 : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
 (requires Core.Slice.impl__len #u8 bytes =. sz 20)
@@ -85,6 +88,9 @@ val deserialize_10_ (bytes: t_Slice u8)
 val deserialize_10_lemma (inputs: t_Array u8 (sz 20)) : Lemma
 (ensures bit_vec_of_int_t_array (deserialize_10_ inputs).f_elements 10 == bit_vec_of_int_t_array inputs 8)
+val deserialize_10_bounded_lemma (inputs: t_Array u8 (sz 20)) : Lemma
+ (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_10_ inputs).f_elements i) 10)
+
 val deserialize_12_ (bytes: t_Slice u8)
 : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
 (requires Core.Slice.impl__len #u8 bytes =. sz 24)
@@ -93,6 +99,9 @@ val deserialize_12_ (bytes: t_Slice u8)
 val deserialize_12_lemma (inputs: t_Array u8 (sz 24)) : Lemma
 (ensures bit_vec_of_int_t_array (deserialize_12_ inputs).f_elements 12 == bit_vec_of_int_t_array inputs 8)
+val deserialize_12_bounded_lemma (inputs: t_Array u8 (sz 24)) : Lemma
+ (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_12_ inputs).f_elements i) 12)
+
 val deserialize_4_ (bytes: t_Slice u8)
 : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
 (requires Core.Slice.impl__len #u8 bytes =. sz 8)
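Review bot: `deserialize_12_bounded_lemma` only promises `bounded … 12`, i.e. that each coefficient fits in 12 bits, which — assuming `bounded x n` is the usual `|x| < 2^n`; its definition is not in this hunk — still admits values from 3329 up to 4095 when the bytes are an untrusted encapsulation key or ciphertext. The `compress` contract introduced in this same change requires `< 3329`, so a 12-bit-deserialized vector cannot be handed to `compress` (or anything else with that precondition) without the FIPS 203 modulus check or a reduction in between; I cannot see the callers from here, so this is a caveat to record rather than a bug I can point at. Suggested comment above the lemma: `(* 12-bit bound only: for untrusted input, coefficients may be >= 3329; validate or reduce before relying on < 3329. *)`.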
@@ -101,6 +110,9 @@ val deserialize_4_ (bytes: t_Slice u8)
 val deserialize_4_lemma (inputs: t_Array u8 (sz 8)) : Lemma
 (ensures bit_vec_of_int_t_array (deserialize_4_ inputs).f_elements 4 == bit_vec_of_int_t_array inputs 8)
+val deserialize_4_bounded_lemma (inputs: t_Array u8 (sz 8)) : Lemma
+ (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_4_ inputs).f_elements i) 4)
+
 val serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
 : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti
index 6800ca94..2c469011 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti
@@ -224,41 +224,49 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_by_constant v r); f_compress_1_pre = - (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + forall (i: nat). + i < 16 ==> v (Seq.index (impl.f_repr a) i) >= 0 /\ v (Seq.index (impl.f_repr a) i) < 3329); f_compress_1_post = (fun - (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - true); + forall (i: nat). i < 16 ==> bounded (Seq.index (impl.f_repr out) i) 1); f_compress_1_ = - (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Libcrux_ml_kem.Vector.Portable.Compress.compress_1_ v); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Compress.compress_1_ a); f_compress_pre = (fun (v_COEFFICIENT_BITS: i32) - (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - v_COEFFICIENT_BITS =. 4l || v_COEFFICIENT_BITS =. 5l || v_COEFFICIENT_BITS =. 10l || - v_COEFFICIENT_BITS =. 11l); + (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/ + v v_COEFFICIENT_BITS == 11) /\ + (forall (i: nat). + i < 16 ==> + v (Seq.index (impl.f_repr a) i) >= 0 /\ v (Seq.index (impl.f_repr a) i) < 3329)); f_compress_post = (fun (v_COEFFICIENT_BITS: i32) - (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - true); + (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/ + v v_COEFFICIENT_BITS == 11) ==> + (forall (i: nat). 
i < 16 ==> bounded (Seq.index (impl.f_repr out) i) (v v_COEFFICIENT_BITS)) + ); f_compress = (fun (v_COEFFICIENT_BITS: i32) - (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Libcrux_ml_kem.Vector.Portable.Compress.compress v_COEFFICIENT_BITS v); + Libcrux_ml_kem.Vector.Portable.Compress.compress v_COEFFICIENT_BITS a); f_decompress_ciphertext_coefficient_pre = (fun @@ -499,6 +507,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = = (fun (a: t_Slice u8) -> let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_lemma a in + let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_bounded_lemma a in Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_ a); f_serialize_4_pre = @@ -529,6 +538,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = = (fun (a: t_Slice u8) -> let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_lemma a in + let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_bounded_lemma a in Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_ a); f_serialize_5_pre = @@ -577,6 +587,9 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = = (fun (a: t_Slice u8) -> let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_lemma a in + let _:Prims.unit = + Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_bounded_lemma a + in Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_ a); f_serialize_11_pre = @@ -625,6 +638,9 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = = (fun (a: t_Slice u8) -> let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_lemma a in + let _:Prims.unit = + Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_bounded_lemma a + in Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_ a); f_rej_sample_pre = 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst
index a4328b6a..31c67d6b 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst
@@ -3,7 +3,7 @@ module Libcrux_ml_kem.Vector.Traits
 open Core
 open FStar.Mul
-#push-options "--z3rlimit 50"
+#push-options "--z3rlimit 100"
 let decompress_1_
 (#v_T: Type0)
@@ -14,20 +14,25 @@ let decompress_1_
 let _:Prims.unit =
 assert (forall i. Seq.index (i1._super_8706949974463268012.f_repr z) i == 0s)
 in
- let s:v_T = f_sub #v_T #FStar.Tactics.Typeclasses.solve z vec in
 let _:Prims.unit =
 assert (forall i.
- Seq.index (i1._super_8706949974463268012.f_repr s) i == 0s \/
- Seq.index (i1._super_8706949974463268012.f_repr s) i == (-1s))
+ let x = Seq.index (i1._super_8706949974463268012.f_repr vec) i in
+ ((0 - v x) == 0 \/ (0 - v x) == - 1))
 in
- let _:Prims.unit = assert (i1.f_bitwise_and_with_constant_pre s 1665s) in
- let res:v_T = f_bitwise_and_with_constant #v_T #FStar.Tactics.Typeclasses.solve s 1665s in
+ let _:Prims.unit =
+ assert (forall i.
+ i < 16 ==>
+ Spec.Utils.is_intb (pow2 15 - 1)
+ (0 - v (Seq.index (i1._super_8706949974463268012.f_repr vec) i)))
+ in
+ let s:v_T = f_sub #v_T #FStar.Tactics.Typeclasses.solve z vec in
 let _:Prims.unit =
 assert (forall i.
 Seq.index (i1._super_8706949974463268012.f_repr s) i == 0s \/
- Seq.index (i1._super_8706949974463268012.f_repr s) i == 1665s)
+ Seq.index (i1._super_8706949974463268012.f_repr s) i == (-1s))
 in
- res
+ let _:Prims.unit = assert (i1.f_bitwise_and_with_constant_pre s 1665s) in
+ f_bitwise_and_with_constant #v_T #FStar.Tactics.Typeclasses.solve s 1665s
 #pop-options
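Review bot: The proof of `decompress_1_` now needs `--z3rlimit 100` (doubled from 50) and still leans on hand-placed `assert` hints; part of the fragility is likely that the first two asserts quantify `forall i.` with no `i < 16` guard while the new `Spec.Utils.is_intb` assert adds `i < 16 ==>`, so the three hint facts have different trigger shapes and the solver has to bridge them. Giving all of them the same guarded form, e.g. `assert (forall i. i < 16 ==> (let x = Seq.index (i1._super_8706949974463268012.f_repr vec) i in (0 - v x) == 0 \/ (0 - v x) == - 1))`, is the usual first step before raising the resource limit; whether that lets the limit drop back to 50 I cannot tell from the hunk. Note that the `#push-options` now covers everything up to the `#pop-options`, which from this hunk is only `decompress_1_`, so the bump is at least scoped. `decompress_1_`'s binders and the `z` binding start before this hunk.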
@@ -48,6 +53,8 @@ let to_standard_domain
 v v_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS
+#push-options "--admit_smt_queries true"
+
 let to_unsigned_representative
 (#v_T: Type0)
 (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: t_Operations v_T)
@@ -58,3 +65,5 @@ let to_unsigned_representative
 f_bitwise_and_with_constant #v_T #FStar.Tactics.Typeclasses.solve t v_FIELD_MODULUS
 in
 f_add #v_T #FStar.Tactics.Typeclasses.solve a fm
+
+#pop-options
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti
index 9e1d121d..e2a2bbbe 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti
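Review bot: Wrapping `to_unsigned_representative` in `#push-options "--admit_smt_queries true"` means the `ensures` this same change adds for it in `Traits.fsti` (result in `[0, 3328]` and congruent to the input mod 3329, per the last hunk of the diff) is accepted without any SMT check; since this is the routine that canonicalizes coefficients before serialization, an unsound postcondition here would not be caught by anything downstream that now relies on it. If the obligation merely times out, prefer a scoped `--z3rlimit` bump as done for `decompress_1_` earlier in this file; if it is genuinely unprovable as stated, it probably needs an input-range `requires` — the masking with `v_FIELD_MODULUS` followed by `f_add` visible here is only a correct canonicalization for inputs already reduced to `(-3329, 3329)`, which I cannot confirm from this hunk. At minimum mark the debt so it is tracked: `#push-options "--admit_smt_queries true" (* TODO(proof): to_unsigned_representative postcondition admitted *)`. The body of `to_unsigned_representative` (the `t` binding) starts outside the second hunk.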
@@ -137,17 +137,32 @@ class t_Operations (v_Self: Type0) = {
 -> Prims.Pure v_Self (f_montgomery_multiply_by_constant_pre x0 x1) (fun result -> f_montgomery_multiply_by_constant_post x0 x1 result);
- f_compress_1_pre:v: v_Self -> pred: Type0{true ==> pred};
- f_compress_1_post:v_Self -> v_Self -> Type0;
+ f_compress_1_pre:a: v_Self
+ -> pred:
+ Type0
+ { (forall (i: nat).
+ i < 16 ==> v (Seq.index (f_repr a) i) >= 0 /\ v (Seq.index (f_repr a) i) < 3329) ==>
+ pred };
+ f_compress_1_post:a: v_Self -> result: v_Self
+ -> pred: Type0{pred ==> (forall (i: nat). i < 16 ==> bounded (Seq.index (f_repr result) i) 1)};
 f_compress_1_:x0: v_Self -> Prims.Pure v_Self (f_compress_1_pre x0) (fun result -> f_compress_1_post x0 result);
- f_compress_pre:v_COEFFICIENT_BITS: i32 -> v: v_Self
+ f_compress_pre:v_COEFFICIENT_BITS: i32 -> a: v_Self
 -> pred:
 Type0
- { v_COEFFICIENT_BITS =. 4l || v_COEFFICIENT_BITS =. 5l || v_COEFFICIENT_BITS =. 10l ||
- v_COEFFICIENT_BITS =. 11l ==>
+ { (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/
+ v v_COEFFICIENT_BITS == 11) /\
+ (forall (i: nat).
+ i < 16 ==> v (Seq.index (f_repr a) i) >= 0 /\ v (Seq.index (f_repr a) i) < 3329) ==>
 pred };
- f_compress_post:v_COEFFICIENT_BITS: i32 -> v_Self -> v_Self -> Type0;
+ f_compress_post:v_COEFFICIENT_BITS: i32 -> a: v_Self -> result: v_Self
+ -> pred:
+ Type0
+ { pred ==>
+ (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/
+ v v_COEFFICIENT_BITS == 11) ==>
+ (forall (i: nat). i < 16 ==> bounded (Seq.index (f_repr result) i) (v v_COEFFICIENT_BITS))
+ };
 f_compress:v_COEFFICIENT_BITS: i32 -> x0: v_Self -> Prims.Pure v_Self (f_compress_pre v_COEFFICIENT_BITS x0)
@@ -383,16 +398,6 @@ class t_Operations (v_Self: Type0) = { (fun result -> f_rej_sample_post x0 x1 result) } -/// Internal vectors. -/// Used in the unpacked API. -class t_VectorType (v_Self: Type0) = { - [@@@ FStar.Tactics.Typeclasses.no_method]_super_14104493667227926613:t_Operations v_Self -} - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl (#v_T: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: t_Operations v_T) - : t_VectorType v_T = { _super_14104493667227926613 = FStar.Tactics.Typeclasses.solve } - let v_BARRETT_SHIFT: i32 = 26l let v_BARRETT_R: i32 = 1l < Prims.l_True) + (ensures + fun result -> + let result:v_T = result in + forall i. + (let x = Seq.index (i1._super_8706949974463268012.f_repr a) i in + let y = Seq.index (i1._super_8706949974463268012.f_repr result) i in + (v y >= 0 /\ v y <= 3328 /\ (v y % 3329 == v x % 3329))))