From df46ee47edd7e2fcba138d034a32fcbe29ca50a0 Mon Sep 17 00:00:00 2001
From: xvzcf <xvzcf@users.noreply.github.com>
Date: Mon, 20 Nov 2023 18:06:08 -0500
Subject: [PATCH 01/24] Break out matrix multiplication code in ntt.rs.

---
 .../extraction/Libcrux.Kem.Kyber.Ind_cpa.fst  |   8 +-
 .../extraction/Libcrux.Kem.Kyber.Matrix.fst   | 470 ++++++++++++++++++
 ...ibcrux.Kem.Kyber.Matrix_multiplication.fst | 470 ++++++++++++++++++
 .../extraction/Libcrux.Kem.Kyber.Ntt.fst      | 466 -----------------
 src/kem/kyber.rs                              |   1 +
 src/kem/kyber/ind_cpa.rs                      |   1 +
 src/kem/kyber/matrix.rs                       | 112 +++++
 src/kem/kyber/ntt.rs                          | 113 +----
 8 files changed, 1061 insertions(+), 580 deletions(-)
 create mode 100644 proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix.fst
 create mode 100644 proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix_multiplication.fst
 create mode 100644 src/kem/kyber/matrix.rs

diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fst
index 564fd615d..2ad51cac6 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fst
@@ -442,7 +442,7 @@ let decrypt
           t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
   in
   let message:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-    Libcrux.Kem.Kyber.Ntt.compute_message v_K v secret_as_ntt u_as_ntt
+    Libcrux.Kem.Kyber.Matrix.compute_message v_K v secret_as_ntt u_as_ntt
   in
   Libcrux.Kem.Kyber.Serialize.compress_then_serialize_message message
 
@@ -567,13 +567,13 @@ let encrypt
       (Rust_primitives.unsize prf_output <: t_Slice u8)
   in
   let u:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-    Libcrux.Kem.Kyber.Ntt.compute_vector_u v_K v_A_transpose r_as_ntt error_1_
+    Libcrux.Kem.Kyber.Matrix.compute_vector_u v_K v_A_transpose r_as_ntt error_1_
   in
   let message_as_ring_element:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
     Libcrux.Kem.Kyber.Serialize.deserialize_then_decompress_message message
   in
   let v:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-    Libcrux.Kem.Kyber.Ntt.compute_ring_element_v v_K
+    Libcrux.Kem.Kyber.Matrix.compute_ring_element_v v_K
       tt_as_ntt
       r_as_ntt
       error_2_
@@ -747,7 +747,7 @@ let generate_keypair
             t_Array u8 (sz 33)))
   in
   let tt_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-    Libcrux.Kem.Kyber.Ntt.compute_As_plus_e v_K v_A_transpose secret_as_ntt error_as_ntt
+    Libcrux.Kem.Kyber.Matrix.compute_As_plus_e v_K v_A_transpose secret_as_ntt error_as_ntt
   in
   let public_key_serialized:Libcrux.Kem.Kyber.Conversions.t_UpdatableArray v_PUBLIC_KEY_SIZE =
     Libcrux.Kem.Kyber.Conversions.impl__new v_PUBLIC_KEY_SIZE
diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix.fst
new file mode 100644
index 000000000..2a9f79b52
--- /dev/null
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix.fst
@@ -0,0 +1,470 @@
+module Libcrux.Kem.Kyber.Matrix
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+open Core
+open FStar.Mul
+
+let compute_As_plus_e
+      (v_K: usize)
+      (matrix_A:
+          t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K) v_K)
+      (s_as_ntt error_as_ntt: t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
+    : t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+    Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
+      v_K
+  in
+  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
+              (Core.Slice.impl__iter (Rust_primitives.unsize matrix_A
+                    <:
+                    t_Slice (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K))
+                <:
+                Core.Slice.Iter.t_Iter
+                (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K))
+            <:
+            Core.Iter.Adapters.Enumerate.t_Enumerate
+            (Core.Slice.Iter.t_Iter
+              (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)))
+        <:
+        Core.Iter.Adapters.Enumerate.t_Enumerate
+        (Core.Slice.Iter.t_Iter
+          (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)))
+      result
+      (fun result temp_1_ ->
+          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+            result
+          in
+          let i, row:(usize & t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
+          =
+            temp_1_
+          in
+          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
+                      (Core.Slice.impl__iter (Rust_primitives.unsize row
+                            <:
+                            t_Slice Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                        <:
+                        Core.Slice.Iter.t_Iter
+                        Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                    <:
+                    Core.Iter.Adapters.Enumerate.t_Enumerate
+                    (Core.Slice.Iter.t_Iter
+                      Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement))
+                <:
+                Core.Iter.Adapters.Enumerate.t_Enumerate
+                (Core.Slice.Iter.t_Iter Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement))
+              result
+              (fun result temp_1_ ->
+                  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+                    result
+                  in
+                  let j, matrix_element:(usize &
+                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement) =
+                    temp_1_
+                  in
+                  let product:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                    Libcrux.Kem.Kyber.Ntt.ntt_multiply matrix_element
+                      (s_as_ntt.[ j ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                  in
+                  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+                    Rust_primitives.Hax.update_at result
+                      i
+                      (Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element v_K
+                          (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                          )
+                          product
+                        <:
+                        Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                  in
+                  result)
+          in
+          Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+                    Core.Ops.Range.f_start = sz 0;
+                    Core.Ops.Range.f_end
+                    =
+                    Core.Slice.impl__len (Rust_primitives.unsize (result.[ i ]
+                            <:
+                            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                            .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        <:
+                        t_Slice i32)
+                    <:
+                    usize
+                  }
+                  <:
+                  Core.Ops.Range.t_Range usize)
+              <:
+              Core.Ops.Range.t_Range usize)
+            result
+            (fun result j ->
+                let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+                  result
+                in
+                let j:usize = j in
+                let coefficient_normal_form:i32 =
+                  Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (((result.[ i ]
+                          <:
+                          Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ]
+                        <:
+                        i32) *!
+                      1353l
+                      <:
+                      i32)
+                in
+                Rust_primitives.Hax.update_at result
+                  i
+                  ({
+                      (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement) with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at (result.[ i ]
+                          <:
+                          Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        j
+                        (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce (coefficient_normal_form +!
+                              ((error_as_ntt.[ i ]
+                                  <:
+                                  Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ]
+                                <:
+                                i32)
+                              <:
+                              i32)
+                          <:
+                          i32)
+                      <:
+                      t_Array i32 (sz 256)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)))
+  in
+  result
+
+let compute_message
+      (v_K: usize)
+      (v: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+      (secret_as_ntt u_as_ntt:
+          t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
+    : Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+    Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
+  in
+  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+              Core.Ops.Range.f_start = sz 0;
+              Core.Ops.Range.f_end = v_K
+            }
+            <:
+            Core.Ops.Range.t_Range usize)
+        <:
+        Core.Ops.Range.t_Range usize)
+      result
+      (fun result i ->
+          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = result in
+          let i:usize = i in
+          let product:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+            Libcrux.Kem.Kyber.Ntt.ntt_multiply (secret_as_ntt.[ i ]
+                <:
+                Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+              (u_as_ntt.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+          in
+          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+            Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element v_K result product
+          in
+          result)
+  in
+  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+    Libcrux.Kem.Kyber.Ntt.invert_ntt_montgomery v_K result
+  in
+  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+              Core.Ops.Range.f_start = sz 0;
+              Core.Ops.Range.f_end
+              =
+              Core.Slice.impl__len (Rust_primitives.unsize result
+                      .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                  <:
+                  t_Slice i32)
+              <:
+              usize
+            }
+            <:
+            Core.Ops.Range.t_Range usize)
+        <:
+        Core.Ops.Range.t_Range usize)
+      result
+      (fun result i ->
+          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = result in
+          let i:usize = i in
+          let coefficient_normal_form:i32 =
+            Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((result
+                    .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ]
+                  <:
+                  i32) *!
+                1441l
+                <:
+                i32)
+          in
+          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+            {
+              result with
+              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              =
+              Rust_primitives.Hax.update_at result.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                i
+                (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce ((v
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ]
+                        <:
+                        i32) -!
+                      coefficient_normal_form
+                      <:
+                      i32)
+                  <:
+                  i32)
+            }
+            <:
+            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+          in
+          result)
+  in
+  result
+
+let compute_ring_element_v
+      (v_K: usize)
+      (tt_as_ntt r_as_ntt: t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
+      (error_2_ message: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+    : Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+    Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
+  in
+  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+              Core.Ops.Range.f_start = sz 0;
+              Core.Ops.Range.f_end = v_K
+            }
+            <:
+            Core.Ops.Range.t_Range usize)
+        <:
+        Core.Ops.Range.t_Range usize)
+      result
+      (fun result i ->
+          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = result in
+          let i:usize = i in
+          let product:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+            Libcrux.Kem.Kyber.Ntt.ntt_multiply (tt_as_ntt.[ i ]
+                <:
+                Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+              (r_as_ntt.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+          in
+          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+            Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element v_K result product
+          in
+          result)
+  in
+  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+    Libcrux.Kem.Kyber.Ntt.invert_ntt_montgomery v_K result
+  in
+  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+              Core.Ops.Range.f_start = sz 0;
+              Core.Ops.Range.f_end
+              =
+              Core.Slice.impl__len (Rust_primitives.unsize result
+                      .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                  <:
+                  t_Slice i32)
+              <:
+              usize
+            }
+            <:
+            Core.Ops.Range.t_Range usize)
+        <:
+        Core.Ops.Range.t_Range usize)
+      result
+      (fun result i ->
+          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = result in
+          let i:usize = i in
+          let coefficient_normal_form:i32 =
+            Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((result
+                    .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ]
+                  <:
+                  i32) *!
+                1441l
+                <:
+                i32)
+          in
+          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+            {
+              result with
+              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              =
+              Rust_primitives.Hax.update_at result.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                i
+                (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce ((coefficient_normal_form +!
+                        (error_2_.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ] <: i32)
+                        <:
+                        i32) +!
+                      (message.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ] <: i32)
+                      <:
+                      i32)
+                  <:
+                  i32)
+            }
+            <:
+            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+          in
+          result)
+  in
+  result
+
+let compute_vector_u
+      (v_K: usize)
+      (a_as_ntt:
+          t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K) v_K)
+      (r_as_ntt error_1_: t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
+    : t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+    Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
+      v_K
+  in
+  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
+              (Core.Slice.impl__iter (Rust_primitives.unsize a_as_ntt
+                    <:
+                    t_Slice (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K))
+                <:
+                Core.Slice.Iter.t_Iter
+                (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K))
+            <:
+            Core.Iter.Adapters.Enumerate.t_Enumerate
+            (Core.Slice.Iter.t_Iter
+              (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)))
+        <:
+        Core.Iter.Adapters.Enumerate.t_Enumerate
+        (Core.Slice.Iter.t_Iter
+          (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)))
+      result
+      (fun result temp_1_ ->
+          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+            result
+          in
+          let i, row:(usize & t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
+          =
+            temp_1_
+          in
+          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
+                      (Core.Slice.impl__iter (Rust_primitives.unsize row
+                            <:
+                            t_Slice Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                        <:
+                        Core.Slice.Iter.t_Iter
+                        Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                    <:
+                    Core.Iter.Adapters.Enumerate.t_Enumerate
+                    (Core.Slice.Iter.t_Iter
+                      Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement))
+                <:
+                Core.Iter.Adapters.Enumerate.t_Enumerate
+                (Core.Slice.Iter.t_Iter Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement))
+              result
+              (fun result temp_1_ ->
+                  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+                    result
+                  in
+                  let j, a_element:(usize &
+                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement) =
+                    temp_1_
+                  in
+                  let product:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                    Libcrux.Kem.Kyber.Ntt.ntt_multiply a_element
+                      (r_as_ntt.[ j ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                  in
+                  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+                    Rust_primitives.Hax.update_at result
+                      i
+                      (Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element v_K
+                          (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                          )
+                          product
+                        <:
+                        Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                  in
+                  result)
+          in
+          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+            Rust_primitives.Hax.update_at result
+              i
+              (Libcrux.Kem.Kyber.Ntt.invert_ntt_montgomery v_K
+                  (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                <:
+                Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+          in
+          Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+                    Core.Ops.Range.f_start = sz 0;
+                    Core.Ops.Range.f_end
+                    =
+                    Core.Slice.impl__len (Rust_primitives.unsize (result.[ i ]
+                            <:
+                            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                            .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        <:
+                        t_Slice i32)
+                    <:
+                    usize
+                  }
+                  <:
+                  Core.Ops.Range.t_Range usize)
+              <:
+              Core.Ops.Range.t_Range usize)
+            result
+            (fun result j ->
+                let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+                  result
+                in
+                let j:usize = j in
+                let coefficient_normal_form:i32 =
+                  Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (((result.[ i ]
+                          <:
+                          Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ]
+                        <:
+                        i32) *!
+                      1441l
+                      <:
+                      i32)
+                in
+                let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+                  Rust_primitives.Hax.update_at result
+                    i
+                    ({
+                        (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement) with
+                        Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        =
+                        Rust_primitives.Hax.update_at (result.[ i ]
+                            <:
+                            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                            .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                          j
+                          (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce (coefficient_normal_form +!
+                                ((error_1_.[ i ]
+                                    <:
+                                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                                    .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ]
+                                  <:
+                                  i32)
+                                <:
+                                i32)
+                            <:
+                            i32)
+                        <:
+                        t_Array i32 (sz 256)
+                      }
+                      <:
+                      Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                in
+                result))
+  in
+  result
diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix_multiplication.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix_multiplication.fst
new file mode 100644
index 000000000..947004ace
--- /dev/null
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix_multiplication.fst
@@ -0,0 +1,470 @@
+module Libcrux.Kem.Kyber.Matrix_multiplication
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+open Core
+open FStar.Mul
+
+let compute_As_plus_e
+      (v_K: usize)
+      (matrix_A:
+          t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K) v_K)
+      (s_as_ntt error_as_ntt: t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
+    : t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+    Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
+      v_K
+  in
+  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
+              (Core.Slice.impl__iter (Rust_primitives.unsize matrix_A
+                    <:
+                    t_Slice (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K))
+                <:
+                Core.Slice.Iter.t_Iter
+                (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K))
+            <:
+            Core.Iter.Adapters.Enumerate.t_Enumerate
+            (Core.Slice.Iter.t_Iter
+              (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)))
+        <:
+        Core.Iter.Adapters.Enumerate.t_Enumerate
+        (Core.Slice.Iter.t_Iter
+          (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)))
+      result
+      (fun result temp_1_ ->
+          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+            result
+          in
+          let i, row:(usize & t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
+          =
+            temp_1_
+          in
+          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
+                      (Core.Slice.impl__iter (Rust_primitives.unsize row
+                            <:
+                            t_Slice Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                        <:
+                        Core.Slice.Iter.t_Iter
+                        Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                    <:
+                    Core.Iter.Adapters.Enumerate.t_Enumerate
+                    (Core.Slice.Iter.t_Iter
+                      Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement))
+                <:
+                Core.Iter.Adapters.Enumerate.t_Enumerate
+                (Core.Slice.Iter.t_Iter Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement))
+              result
+              (fun result temp_1_ ->
+                  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+                    result
+                  in
+                  let j, matrix_element:(usize &
+                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement) =
+                    temp_1_
+                  in
+                  let product:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                    Libcrux.Kem.Kyber.Ntt.ntt_multiply matrix_element
+                      (s_as_ntt.[ j ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                  in
+                  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+                    Rust_primitives.Hax.update_at result
+                      i
+                      (Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element v_K
+                          (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                          )
+                          product
+                        <:
+                        Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                  in
+                  result)
+          in
+          Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+                    Core.Ops.Range.f_start = sz 0;
+                    Core.Ops.Range.f_end
+                    =
+                    Core.Slice.impl__len (Rust_primitives.unsize (result.[ i ]
+                            <:
+                            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                            .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        <:
+                        t_Slice i32)
+                    <:
+                    usize
+                  }
+                  <:
+                  Core.Ops.Range.t_Range usize)
+              <:
+              Core.Ops.Range.t_Range usize)
+            result
+            (fun result j ->
+                let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+                  result
+                in
+                let j:usize = j in
+                let coefficient_normal_form:i32 =
+                  Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (((result.[ i ]
+                          <:
+                          Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ]
+                        <:
+                        i32) *!
+                      1353l
+                      <:
+                      i32)
+                in
+                Rust_primitives.Hax.update_at result
+                  i
+                  ({
+                      (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement) with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at (result.[ i ]
+                          <:
+                          Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        j
+                        (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce (coefficient_normal_form +!
+                              ((error_as_ntt.[ i ]
+                                  <:
+                                  Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ]
+                                <:
+                                i32)
+                              <:
+                              i32)
+                          <:
+                          i32)
+                      <:
+                      t_Array i32 (sz 256)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)))
+  in
+  result
+
+let compute_message
+      (v_K: usize)
+      (v: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+      (secret_as_ntt u_as_ntt:
+          t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
+    : Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+    Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
+  in
+  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+              Core.Ops.Range.f_start = sz 0;
+              Core.Ops.Range.f_end = v_K
+            }
+            <:
+            Core.Ops.Range.t_Range usize)
+        <:
+        Core.Ops.Range.t_Range usize)
+      result
+      (fun result i ->
+          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = result in
+          let i:usize = i in
+          let product:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+            Libcrux.Kem.Kyber.Ntt.ntt_multiply (secret_as_ntt.[ i ]
+                <:
+                Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+              (u_as_ntt.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+          in
+          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+            Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element v_K result product
+          in
+          result)
+  in
+  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+    Libcrux.Kem.Kyber.Ntt.invert_ntt_montgomery v_K result
+  in
+  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+              Core.Ops.Range.f_start = sz 0;
+              Core.Ops.Range.f_end
+              =
+              Core.Slice.impl__len (Rust_primitives.unsize result
+                      .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                  <:
+                  t_Slice i32)
+              <:
+              usize
+            }
+            <:
+            Core.Ops.Range.t_Range usize)
+        <:
+        Core.Ops.Range.t_Range usize)
+      result
+      (fun result i ->
+          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = result in
+          let i:usize = i in
+          let coefficient_normal_form:i32 =
+            Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((result
+                    .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ]
+                  <:
+                  i32) *!
+                1441l
+                <:
+                i32)
+          in
+          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+            {
+              result with
+              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              =
+              Rust_primitives.Hax.update_at result.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                i
+                (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce ((v
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ]
+                        <:
+                        i32) -!
+                      coefficient_normal_form
+                      <:
+                      i32)
+                  <:
+                  i32)
+            }
+            <:
+            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+          in
+          result)
+  in
+  result
+
+let compute_ring_element_v
+      (v_K: usize)
+      (tt_as_ntt r_as_ntt: t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
+      (error_2_ message: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+    : Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+    Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
+  in
+  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+              Core.Ops.Range.f_start = sz 0;
+              Core.Ops.Range.f_end = v_K
+            }
+            <:
+            Core.Ops.Range.t_Range usize)
+        <:
+        Core.Ops.Range.t_Range usize)
+      result
+      (fun result i ->
+          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = result in
+          let i:usize = i in
+          let product:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+            Libcrux.Kem.Kyber.Ntt.ntt_multiply (tt_as_ntt.[ i ]
+                <:
+                Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+              (r_as_ntt.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+          in
+          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+            Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element v_K result product
+          in
+          result)
+  in
+  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+    Libcrux.Kem.Kyber.Ntt.invert_ntt_montgomery v_K result
+  in
+  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+              Core.Ops.Range.f_start = sz 0;
+              Core.Ops.Range.f_end
+              =
+              Core.Slice.impl__len (Rust_primitives.unsize result
+                      .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                  <:
+                  t_Slice i32)
+              <:
+              usize
+            }
+            <:
+            Core.Ops.Range.t_Range usize)
+        <:
+        Core.Ops.Range.t_Range usize)
+      result
+      (fun result i ->
+          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = result in
+          let i:usize = i in
+          let coefficient_normal_form:i32 =
+            Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((result
+                    .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ]
+                  <:
+                  i32) *!
+                1441l
+                <:
+                i32)
+          in
+          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+            {
+              result with
+              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              =
+              Rust_primitives.Hax.update_at result.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                i
+                (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce ((coefficient_normal_form +!
+                        (error_2_.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ] <: i32)
+                        <:
+                        i32) +!
+                      (message.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ] <: i32)
+                      <:
+                      i32)
+                  <:
+                  i32)
+            }
+            <:
+            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+          in
+          result)
+  in
+  result
+
+let compute_vector_u
+      (v_K: usize)
+      (a_as_ntt:
+          t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K) v_K)
+      (r_as_ntt error_1_: t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
+    : t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+    Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
+      v_K
+  in
+  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
+              (Core.Slice.impl__iter (Rust_primitives.unsize a_as_ntt
+                    <:
+                    t_Slice (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K))
+                <:
+                Core.Slice.Iter.t_Iter
+                (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K))
+            <:
+            Core.Iter.Adapters.Enumerate.t_Enumerate
+            (Core.Slice.Iter.t_Iter
+              (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)))
+        <:
+        Core.Iter.Adapters.Enumerate.t_Enumerate
+        (Core.Slice.Iter.t_Iter
+          (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)))
+      result
+      (fun result temp_1_ ->
+          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+            result
+          in
+          let i, row:(usize & t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
+          =
+            temp_1_
+          in
+          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
+                      (Core.Slice.impl__iter (Rust_primitives.unsize row
+                            <:
+                            t_Slice Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                        <:
+                        Core.Slice.Iter.t_Iter
+                        Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                    <:
+                    Core.Iter.Adapters.Enumerate.t_Enumerate
+                    (Core.Slice.Iter.t_Iter
+                      Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement))
+                <:
+                Core.Iter.Adapters.Enumerate.t_Enumerate
+                (Core.Slice.Iter.t_Iter Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement))
+              result
+              (fun result temp_1_ ->
+                  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+                    result
+                  in
+                  let j, a_element:(usize &
+                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement) =
+                    temp_1_
+                  in
+                  let product:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                    Libcrux.Kem.Kyber.Ntt.ntt_multiply a_element
+                      (r_as_ntt.[ j ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                  in
+                  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+                    Rust_primitives.Hax.update_at result
+                      i
+                      (Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element v_K
+                          (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                          )
+                          product
+                        <:
+                        Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                  in
+                  result)
+          in
+          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+            Rust_primitives.Hax.update_at result
+              i
+              (Libcrux.Kem.Kyber.Ntt.invert_ntt_montgomery v_K
+                  (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                <:
+                Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+          in
+          Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+                    Core.Ops.Range.f_start = sz 0;
+                    Core.Ops.Range.f_end
+                    =
+                    Core.Slice.impl__len (Rust_primitives.unsize (result.[ i ]
+                            <:
+                            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                            .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        <:
+                        t_Slice i32)
+                    <:
+                    usize
+                  }
+                  <:
+                  Core.Ops.Range.t_Range usize)
+              <:
+              Core.Ops.Range.t_Range usize)
+            result
+            (fun result j ->
+                let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+                  result
+                in
+                let j:usize = j in
+                let coefficient_normal_form:i32 =
+                  Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (((result.[ i ]
+                          <:
+                          Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ]
+                        <:
+                        i32) *!
+                      1441l
+                      <:
+                      i32)
+                in
+                let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+                  Rust_primitives.Hax.update_at result
+                    i
+                    ({
+                        (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement) with
+                        Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        =
+                        Rust_primitives.Hax.update_at (result.[ i ]
+                            <:
+                            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                            .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                          j
+                          (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce (coefficient_normal_form +!
+                                ((error_1_.[ i ]
+                                    <:
+                                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                                    .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ]
+                                  <:
+                                  i32)
+                                <:
+                                i32)
+                            <:
+                            i32)
+                        <:
+                        t_Array i32 (sz 256)
+                      }
+                      <:
+                      Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                in
+                result))
+  in
+  result
diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ntt.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ntt.fst
index d4186eebe..19ca7c8d7 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ntt.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ntt.fst
@@ -1191,472 +1191,6 @@ let ntt_multiply (left right: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRing
   let _:Prims.unit = () <: Prims.unit in
   out
 
-let compute_As_plus_e
-      (v_K: usize)
-      (matrix_A:
-          t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K) v_K)
-      (s_as_ntt error_as_ntt: t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
-    : t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-    Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
-      v_K
-  in
-  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
-              (Core.Slice.impl__iter (Rust_primitives.unsize matrix_A
-                    <:
-                    t_Slice (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K))
-                <:
-                Core.Slice.Iter.t_Iter
-                (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K))
-            <:
-            Core.Iter.Adapters.Enumerate.t_Enumerate
-            (Core.Slice.Iter.t_Iter
-              (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)))
-        <:
-        Core.Iter.Adapters.Enumerate.t_Enumerate
-        (Core.Slice.Iter.t_Iter
-          (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)))
-      result
-      (fun result temp_1_ ->
-          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-            result
-          in
-          let i, row:(usize & t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
-          =
-            temp_1_
-          in
-          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
-                      (Core.Slice.impl__iter (Rust_primitives.unsize row
-                            <:
-                            t_Slice Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                        <:
-                        Core.Slice.Iter.t_Iter
-                        Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                    <:
-                    Core.Iter.Adapters.Enumerate.t_Enumerate
-                    (Core.Slice.Iter.t_Iter
-                      Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement))
-                <:
-                Core.Iter.Adapters.Enumerate.t_Enumerate
-                (Core.Slice.Iter.t_Iter Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement))
-              result
-              (fun result temp_1_ ->
-                  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-                    result
-                  in
-                  let j, matrix_element:(usize &
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement) =
-                    temp_1_
-                  in
-                  let product:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-                    ntt_multiply matrix_element
-                      (s_as_ntt.[ j ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                  in
-                  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-                    Rust_primitives.Hax.update_at result
-                      i
-                      (Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element v_K
-                          (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
-                          )
-                          product
-                        <:
-                        Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                  in
-                  result)
-          in
-          Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-                    Core.Ops.Range.f_start = sz 0;
-                    Core.Ops.Range.f_end
-                    =
-                    Core.Slice.impl__len (Rust_primitives.unsize (result.[ i ]
-                            <:
-                            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                            .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        <:
-                        t_Slice i32)
-                    <:
-                    usize
-                  }
-                  <:
-                  Core.Ops.Range.t_Range usize)
-              <:
-              Core.Ops.Range.t_Range usize)
-            result
-            (fun result j ->
-                let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-                  result
-                in
-                let j:usize = j in
-                let coefficient_normal_form:i32 =
-                  Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (((result.[ i ]
-                          <:
-                          Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ]
-                        <:
-                        i32) *!
-                      1353l
-                      <:
-                      i32)
-                in
-                Rust_primitives.Hax.update_at result
-                  i
-                  ({
-                      (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement) with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at (result.[ i ]
-                          <:
-                          Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        j
-                        (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce (coefficient_normal_form +!
-                              ((error_as_ntt.[ i ]
-                                  <:
-                                  Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ]
-                                <:
-                                i32)
-                              <:
-                              i32)
-                          <:
-                          i32)
-                      <:
-                      t_Array i32 (sz 256)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)))
-  in
-  result
-
-let compute_message
-      (v_K: usize)
-      (v: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-      (secret_as_ntt u_as_ntt:
-          t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
-    : Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-    Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
-  in
-  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = v_K
-            }
-            <:
-            Core.Ops.Range.t_Range usize)
-        <:
-        Core.Ops.Range.t_Range usize)
-      result
-      (fun result i ->
-          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = result in
-          let i:usize = i in
-          let product:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-            ntt_multiply (secret_as_ntt.[ i ]
-                <:
-                Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-              (u_as_ntt.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-          in
-          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-            Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element v_K result product
-          in
-          result)
-  in
-  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-    invert_ntt_montgomery v_K result
-  in
-  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end
-              =
-              Core.Slice.impl__len (Rust_primitives.unsize result
-                      .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                  <:
-                  t_Slice i32)
-              <:
-              usize
-            }
-            <:
-            Core.Ops.Range.t_Range usize)
-        <:
-        Core.Ops.Range.t_Range usize)
-      result
-      (fun result i ->
-          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = result in
-          let i:usize = i in
-          let coefficient_normal_form:i32 =
-            Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((result
-                    .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ]
-                  <:
-                  i32) *!
-                1441l
-                <:
-                i32)
-          in
-          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-            {
-              result with
-              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-              =
-              Rust_primitives.Hax.update_at result.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                i
-                (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce ((v
-                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ]
-                        <:
-                        i32) -!
-                      coefficient_normal_form
-                      <:
-                      i32)
-                  <:
-                  i32)
-            }
-            <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
-          in
-          result)
-  in
-  result
-
-let compute_ring_element_v
-      (v_K: usize)
-      (tt_as_ntt r_as_ntt: t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
-      (error_2_ message: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-    : Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-    Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
-  in
-  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = v_K
-            }
-            <:
-            Core.Ops.Range.t_Range usize)
-        <:
-        Core.Ops.Range.t_Range usize)
-      result
-      (fun result i ->
-          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = result in
-          let i:usize = i in
-          let product:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-            ntt_multiply (tt_as_ntt.[ i ]
-                <:
-                Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-              (r_as_ntt.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-          in
-          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-            Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element v_K result product
-          in
-          result)
-  in
-  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-    invert_ntt_montgomery v_K result
-  in
-  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end
-              =
-              Core.Slice.impl__len (Rust_primitives.unsize result
-                      .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                  <:
-                  t_Slice i32)
-              <:
-              usize
-            }
-            <:
-            Core.Ops.Range.t_Range usize)
-        <:
-        Core.Ops.Range.t_Range usize)
-      result
-      (fun result i ->
-          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = result in
-          let i:usize = i in
-          let coefficient_normal_form:i32 =
-            Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((result
-                    .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ]
-                  <:
-                  i32) *!
-                1441l
-                <:
-                i32)
-          in
-          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-            {
-              result with
-              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-              =
-              Rust_primitives.Hax.update_at result.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                i
-                (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce ((coefficient_normal_form +!
-                        (error_2_.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ] <: i32)
-                        <:
-                        i32) +!
-                      (message.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ] <: i32)
-                      <:
-                      i32)
-                  <:
-                  i32)
-            }
-            <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
-          in
-          result)
-  in
-  result
-
-let compute_vector_u
-      (v_K: usize)
-      (a_as_ntt:
-          t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K) v_K)
-      (r_as_ntt error_1_: t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
-    : t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-    Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
-      v_K
-  in
-  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
-              (Core.Slice.impl__iter (Rust_primitives.unsize a_as_ntt
-                    <:
-                    t_Slice (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K))
-                <:
-                Core.Slice.Iter.t_Iter
-                (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K))
-            <:
-            Core.Iter.Adapters.Enumerate.t_Enumerate
-            (Core.Slice.Iter.t_Iter
-              (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)))
-        <:
-        Core.Iter.Adapters.Enumerate.t_Enumerate
-        (Core.Slice.Iter.t_Iter
-          (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)))
-      result
-      (fun result temp_1_ ->
-          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-            result
-          in
-          let i, row:(usize & t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
-          =
-            temp_1_
-          in
-          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
-                      (Core.Slice.impl__iter (Rust_primitives.unsize row
-                            <:
-                            t_Slice Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                        <:
-                        Core.Slice.Iter.t_Iter
-                        Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                    <:
-                    Core.Iter.Adapters.Enumerate.t_Enumerate
-                    (Core.Slice.Iter.t_Iter
-                      Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement))
-                <:
-                Core.Iter.Adapters.Enumerate.t_Enumerate
-                (Core.Slice.Iter.t_Iter Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement))
-              result
-              (fun result temp_1_ ->
-                  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-                    result
-                  in
-                  let j, a_element:(usize &
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement) =
-                    temp_1_
-                  in
-                  let product:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-                    ntt_multiply a_element
-                      (r_as_ntt.[ j ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                  in
-                  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-                    Rust_primitives.Hax.update_at result
-                      i
-                      (Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element v_K
-                          (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
-                          )
-                          product
-                        <:
-                        Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                  in
-                  result)
-          in
-          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-            Rust_primitives.Hax.update_at result
-              i
-              (invert_ntt_montgomery v_K
-                  (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                <:
-                Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-          in
-          Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-                    Core.Ops.Range.f_start = sz 0;
-                    Core.Ops.Range.f_end
-                    =
-                    Core.Slice.impl__len (Rust_primitives.unsize (result.[ i ]
-                            <:
-                            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                            .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        <:
-                        t_Slice i32)
-                    <:
-                    usize
-                  }
-                  <:
-                  Core.Ops.Range.t_Range usize)
-              <:
-              Core.Ops.Range.t_Range usize)
-            result
-            (fun result j ->
-                let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-                  result
-                in
-                let j:usize = j in
-                let coefficient_normal_form:i32 =
-                  Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (((result.[ i ]
-                          <:
-                          Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ]
-                        <:
-                        i32) *!
-                      1441l
-                      <:
-                      i32)
-                in
-                let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-                  Rust_primitives.Hax.update_at result
-                    i
-                    ({
-                        (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement) with
-                        Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        =
-                        Rust_primitives.Hax.update_at (result.[ i ]
-                            <:
-                            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                            .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                          j
-                          (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce (coefficient_normal_form +!
-                                ((error_1_.[ i ]
-                                    <:
-                                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                                    .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ]
-                                  <:
-                                  i32)
-                                <:
-                                i32)
-                            <:
-                            i32)
-                        <:
-                        t_Array i32 (sz 256)
-                      }
-                      <:
-                      Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                in
-                result))
-  in
-  result
-
 let ntt_vector_u
       (v_VECTOR_U_COMPRESSION_FACTOR: usize)
       (re: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
diff --git a/src/kem/kyber.rs b/src/kem/kyber.rs
index e61054c91..07c4bd637 100644
--- a/src/kem/kyber.rs
+++ b/src/kem/kyber.rs
@@ -13,6 +13,7 @@ mod constant_time_ops;
 mod conversions;
 mod hash_functions;
 mod ind_cpa;
+mod matrix;
 mod ntt;
 mod sampling;
 mod serialize;
diff --git a/src/kem/kyber/ind_cpa.rs b/src/kem/kyber/ind_cpa.rs
index 1312f627b..018aa675c 100644
--- a/src/kem/kyber/ind_cpa.rs
+++ b/src/kem/kyber/ind_cpa.rs
@@ -7,6 +7,7 @@ use super::{
     conversions::into_padded_array,
     conversions::{UpdatableArray, UpdatingArray},
     hash_functions::{XOFx4, G, H, PRF},
+    matrix::*,
     ntt::*,
     sampling::{sample_from_binomial_distribution, sample_from_uniform_distribution},
     serialize::{
diff --git a/src/kem/kyber/matrix.rs b/src/kem/kyber/matrix.rs
new file mode 100644
index 000000000..fae50d290
--- /dev/null
+++ b/src/kem/kyber/matrix.rs
@@ -0,0 +1,112 @@
+use super::{
+    arithmetic::{
+        add_to_ring_element, barrett_reduce, montgomery_reduce, KyberPolynomialRingElement,
+    },
+    ntt::{invert_ntt_montgomery, ntt_multiply},
+};
+
+#[inline(always)]
+pub(in crate::kem::kyber) fn compute_message<const K: usize>(
+    v: &KyberPolynomialRingElement,
+    secret_as_ntt: &[KyberPolynomialRingElement; K],
+    u_as_ntt: &[KyberPolynomialRingElement; K],
+) -> KyberPolynomialRingElement {
+    let mut result = KyberPolynomialRingElement::ZERO;
+
+    for i in 0..K {
+        let product = ntt_multiply(&secret_as_ntt[i], &u_as_ntt[i]);
+        result = add_to_ring_element::<K>(result, &product);
+    }
+
+    result = invert_ntt_montgomery::<K>(result);
+
+    for i in 0..result.coefficients.len() {
+        let coefficient_normal_form = montgomery_reduce(result.coefficients[i] * 1441);
+        result.coefficients[i] = barrett_reduce(v.coefficients[i] - coefficient_normal_form);
+    }
+
+    result
+}
+
+// v := NTT^{−1}(tˆT ◦ rˆ) + e_2 + Decompress_q(Decode_1(m),1)
+#[inline(always)]
+pub(in crate::kem::kyber) fn compute_ring_element_v<const K: usize>(
+    t_as_ntt: &[KyberPolynomialRingElement; K],
+    r_as_ntt: &[KyberPolynomialRingElement; K],
+    error_2: &KyberPolynomialRingElement,
+    message: &KyberPolynomialRingElement,
+) -> KyberPolynomialRingElement {
+    let mut result = KyberPolynomialRingElement::ZERO;
+
+    for i in 0..K {
+        let product = ntt_multiply(&t_as_ntt[i], &r_as_ntt[i]);
+        result = add_to_ring_element::<K>(result, &product);
+    }
+
+    result = invert_ntt_montgomery::<K>(result);
+
+    for i in 0..result.coefficients.len() {
+        let coefficient_normal_form = montgomery_reduce(result.coefficients[i] * 1441);
+        result.coefficients[i] = barrett_reduce(
+            coefficient_normal_form + error_2.coefficients[i] + message.coefficients[i],
+        );
+    }
+
+    result
+}
+
+// u := NTT^{-1}(AˆT ◦ rˆ) + e_1
+#[inline(always)]
+pub(in crate::kem::kyber) fn compute_vector_u<const K: usize>(
+    a_as_ntt: &[[KyberPolynomialRingElement; K]; K],
+    r_as_ntt: &[KyberPolynomialRingElement; K],
+    error_1: &[KyberPolynomialRingElement; K],
+) -> [KyberPolynomialRingElement; K] {
+    let mut result = [KyberPolynomialRingElement::ZERO; K];
+
+    for (i, row) in a_as_ntt.iter().enumerate() {
+        for (j, a_element) in row.iter().enumerate() {
+            let product = ntt_multiply(a_element, &r_as_ntt[j]);
+            result[i] = add_to_ring_element::<K>(result[i], &product);
+        }
+
+        result[i] = invert_ntt_montgomery::<K>(result[i]);
+
+        for j in 0..result[i].coefficients.len() {
+            let coefficient_normal_form = montgomery_reduce(result[i].coefficients[j] * 1441);
+
+            result[i].coefficients[j] =
+                barrett_reduce(coefficient_normal_form + error_1[i].coefficients[j]);
+        }
+    }
+
+    result
+}
+
+#[inline(always)]
+#[allow(non_snake_case)]
+pub(in crate::kem::kyber) fn compute_As_plus_e<const K: usize>(
+    matrix_A: &[[KyberPolynomialRingElement; K]; K],
+    s_as_ntt: &[KyberPolynomialRingElement; K],
+    error_as_ntt: &[KyberPolynomialRingElement; K],
+) -> [KyberPolynomialRingElement; K] {
+    let mut result = [KyberPolynomialRingElement::ZERO; K];
+
+    for (i, row) in matrix_A.iter().enumerate() {
+        for (j, matrix_element) in row.iter().enumerate() {
+            let product = ntt_multiply(matrix_element, &s_as_ntt[j]);
+            result[i] = add_to_ring_element::<K>(result[i], &product);
+        }
+
+        for j in 0..result[i].coefficients.len() {
+            // The coefficients are of the form aR^{-1} mod q, which means
+            // calling to_montgomery_domain() on them should return a mod q.
+            let coefficient_normal_form = montgomery_reduce(result[i].coefficients[j] * 1353);
+
+            result[i].coefficients[j] =
+                barrett_reduce(coefficient_normal_form + error_as_ntt[i].coefficients[j])
+        }
+    }
+
+    result
+}
diff --git a/src/kem/kyber/ntt.rs b/src/kem/kyber/ntt.rs
index 346feeb68..ebb24e486 100644
--- a/src/kem/kyber/ntt.rs
+++ b/src/kem/kyber/ntt.rs
@@ -1,7 +1,6 @@
 use super::{
     arithmetic::{
-        add_to_ring_element, barrett_reduce, montgomery_reduce, KyberFieldElement,
-        KyberPolynomialRingElement,
+        barrett_reduce, montgomery_reduce, KyberFieldElement, KyberPolynomialRingElement,
     },
     constants::COEFFICIENTS_IN_RING_ELEMENT,
 };
@@ -108,7 +107,7 @@ pub(in crate::kem::kyber) fn ntt_vector_u<const VECTOR_U_COMPRESSION_FACTOR: usi
 }
 
 #[inline(always)]
-fn invert_ntt_montgomery<const K: usize>(
+pub(crate) fn invert_ntt_montgomery<const K: usize>(
     mut re: KyberPolynomialRingElement,
 ) -> KyberPolynomialRingElement {
     // We only ever call this function after matrix/vector multiplication
@@ -179,7 +178,7 @@ fn ntt_multiply_binomials(
 }
 
 #[inline(always)]
-fn ntt_multiply(
+pub(crate) fn ntt_multiply(
     left: &KyberPolynomialRingElement,
     right: &KyberPolynomialRingElement,
 ) -> KyberPolynomialRingElement {
@@ -219,109 +218,3 @@ fn ntt_multiply(
 
     out
 }
-
-#[inline(always)]
-pub(in crate::kem::kyber) fn compute_message<const K: usize>(
-    v: &KyberPolynomialRingElement,
-    secret_as_ntt: &[KyberPolynomialRingElement; K],
-    u_as_ntt: &[KyberPolynomialRingElement; K],
-) -> KyberPolynomialRingElement {
-    let mut result = KyberPolynomialRingElement::ZERO;
-
-    for i in 0..K {
-        let product = ntt_multiply(&secret_as_ntt[i], &u_as_ntt[i]);
-        result = add_to_ring_element::<K>(result, &product);
-    }
-
-    result = invert_ntt_montgomery::<K>(result);
-
-    for i in 0..result.coefficients.len() {
-        let coefficient_normal_form = montgomery_reduce(result.coefficients[i] * 1441);
-        result.coefficients[i] = barrett_reduce(v.coefficients[i] - coefficient_normal_form);
-    }
-
-    result
-}
-
-// v := NTT^{−1}(tˆT ◦ rˆ) + e_2 + Decompress_q(Decode_1(m),1)
-#[inline(always)]
-pub(in crate::kem::kyber) fn compute_ring_element_v<const K: usize>(
-    t_as_ntt: &[KyberPolynomialRingElement; K],
-    r_as_ntt: &[KyberPolynomialRingElement; K],
-    error_2: &KyberPolynomialRingElement,
-    message: &KyberPolynomialRingElement,
-) -> KyberPolynomialRingElement {
-    let mut result = KyberPolynomialRingElement::ZERO;
-
-    for i in 0..K {
-        let product = ntt_multiply(&t_as_ntt[i], &r_as_ntt[i]);
-        result = add_to_ring_element::<K>(result, &product);
-    }
-
-    result = invert_ntt_montgomery::<K>(result);
-
-    for i in 0..result.coefficients.len() {
-        let coefficient_normal_form = montgomery_reduce(result.coefficients[i] * 1441);
-        result.coefficients[i] = barrett_reduce(
-            coefficient_normal_form + error_2.coefficients[i] + message.coefficients[i],
-        );
-    }
-
-    result
-}
-
-// u := NTT^{-1}(AˆT ◦ rˆ) + e_1
-#[inline(always)]
-pub(in crate::kem::kyber) fn compute_vector_u<const K: usize>(
-    a_as_ntt: &[[KyberPolynomialRingElement; K]; K],
-    r_as_ntt: &[KyberPolynomialRingElement; K],
-    error_1: &[KyberPolynomialRingElement; K],
-) -> [KyberPolynomialRingElement; K] {
-    let mut result = [KyberPolynomialRingElement::ZERO; K];
-
-    for (i, row) in a_as_ntt.iter().enumerate() {
-        for (j, a_element) in row.iter().enumerate() {
-            let product = ntt_multiply(a_element, &r_as_ntt[j]);
-            result[i] = add_to_ring_element::<K>(result[i], &product);
-        }
-
-        result[i] = invert_ntt_montgomery::<K>(result[i]);
-
-        for j in 0..result[i].coefficients.len() {
-            let coefficient_normal_form = montgomery_reduce(result[i].coefficients[j] * 1441);
-
-            result[i].coefficients[j] =
-                barrett_reduce(coefficient_normal_form + error_1[i].coefficients[j]);
-        }
-    }
-
-    result
-}
-
-#[inline(always)]
-#[allow(non_snake_case)]
-pub(in crate::kem::kyber) fn compute_As_plus_e<const K: usize>(
-    matrix_A: &[[KyberPolynomialRingElement; K]; K],
-    s_as_ntt: &[KyberPolynomialRingElement; K],
-    error_as_ntt: &[KyberPolynomialRingElement; K],
-) -> [KyberPolynomialRingElement; K] {
-    let mut result = [KyberPolynomialRingElement::ZERO; K];
-
-    for (i, row) in matrix_A.iter().enumerate() {
-        for (j, matrix_element) in row.iter().enumerate() {
-            let product = ntt_multiply(matrix_element, &s_as_ntt[j]);
-            result[i] = add_to_ring_element::<K>(result[i], &product);
-        }
-
-        for j in 0..result[i].coefficients.len() {
-            // The coefficients are of the form aR^{-1} mod q, which means
-            // calling to_montgomery_domain() on them should return a mod q.
-            let coefficient_normal_form = montgomery_reduce(result[i].coefficients[j] * 1353);
-
-            result[i].coefficients[j] =
-                barrett_reduce(coefficient_normal_form + error_as_ntt[i].coefficients[j])
-        }
-    }
-
-    result
-}

From da0f6cc2e481bc8549c7a9126f786d009c0595b0 Mon Sep 17 00:00:00 2001
From: xvzcf <xvzcf@users.noreply.github.com>
Date: Mon, 20 Nov 2023 18:06:57 -0500
Subject: [PATCH 02/24] KyberPolynomialRingElement -> PolynomialRingElement.

---
 .../Libcrux.Kem.Kyber.Arithmetic.fst          |  15 +-
 .../extraction/Libcrux.Kem.Kyber.Ind_cpa.fst  | 213 ++++----
 .../extraction/Libcrux.Kem.Kyber.Matrix.fst   | 216 ++++----
 .../extraction/Libcrux.Kem.Kyber.Ntt.fst      | 509 ++++++++----------
 .../extraction/Libcrux.Kem.Kyber.Sampling.fst |  77 ++-
 .../Libcrux.Kem.Kyber.Serialize.fst           | 185 ++++---
 src/kem/kyber/arithmetic.rs                   |  10 +-
 src/kem/kyber/ind_cpa.rs                      |  26 +-
 src/kem/kyber/matrix.rs                       |  46 +-
 src/kem/kyber/ntt.rs                          |  24 +-
 src/kem/kyber/sampling.rs                     |  16 +-
 src/kem/kyber/serialize.rs                    |  56 +-
 12 files changed, 649 insertions(+), 744 deletions(-)

diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst
index a5203c38c..25cc8e7dd 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst
@@ -95,16 +95,15 @@ let to_unsigned_representative (fe: i32)
   <:
   u16
 
-type t_KyberPolynomialRingElement = { f_coefficients:t_Array i32 (sz 256) }
+type t_PolynomialRingElement = { f_coefficients:t_Array i32 (sz 256) }
 
-let impl__KyberPolynomialRingElement__ZERO: t_KyberPolynomialRingElement =
-  { f_coefficients = Rust_primitives.Hax.repeat 0l (sz 256) } <: t_KyberPolynomialRingElement
+let impl__PolynomialRingElement__ZERO: t_PolynomialRingElement =
+  { f_coefficients = Rust_primitives.Hax.repeat 0l (sz 256) } <: t_PolynomialRingElement
 
-let add_to_ring_element (v_K: usize) (lhs rhs: t_KyberPolynomialRingElement)
-    : t_KyberPolynomialRingElement =
+let add_to_ring_element (v_K: usize) (lhs rhs: t_PolynomialRingElement) : t_PolynomialRingElement =
   let _:Prims.unit = () <: Prims.unit in
   let _:Prims.unit = () <: Prims.unit in
-  let lhs:t_KyberPolynomialRingElement =
+  let lhs:t_PolynomialRingElement =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end
@@ -119,7 +118,7 @@ let add_to_ring_element (v_K: usize) (lhs rhs: t_KyberPolynomialRingElement)
         Core.Ops.Range.t_Range usize)
       lhs
       (fun lhs i ->
-          let lhs:t_KyberPolynomialRingElement = lhs in
+          let lhs:t_PolynomialRingElement = lhs in
           let i:usize = i in
           {
             lhs with
@@ -132,7 +131,7 @@ let add_to_ring_element (v_K: usize) (lhs rhs: t_KyberPolynomialRingElement)
             t_Array i32 (sz 256)
           }
           <:
-          t_KyberPolynomialRingElement)
+          t_PolynomialRingElement)
   in
   let _:Prims.unit = () <: Prims.unit in
   lhs
diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fst
index 2ad51cac6..fa7fd5bfd 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fst
@@ -33,14 +33,13 @@ let serialize_secret_key
       Libcrux.Kem.Kyber.Conversions.t_UpdatableArray v_SERIALIZED_KEY_LEN)
 
 let cbd (v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize) (prf_input: t_Array u8 (sz 33))
-    : (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K & u8) =
+    : (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & u8) =
   let domain_separator:u8 = 0uy in
-  let re_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-    Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
-      v_K
+  let re_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
+    Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K
   in
   let domain_separator, prf_input, re_as_ntt:(u8 & t_Array u8 (sz 33) &
-    t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K) =
+    t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = v_K
@@ -51,11 +50,11 @@ let cbd (v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize) (prf_input: t_Array u8 (sz 33))
         Core.Ops.Range.t_Range usize)
       (domain_separator, prf_input, re_as_ntt
         <:
-        (u8 & t_Array u8 (sz 33) &
-          t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K))
+        (u8 & t_Array u8 (sz 33) & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)
+      )
       (fun temp_0_ i ->
           let domain_separator, prf_input, re_as_ntt:(u8 & t_Array u8 (sz 33) &
-            t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K) =
+            t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) =
             temp_0_
           in
           let i:usize = i in
@@ -67,42 +66,41 @@ let cbd (v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize) (prf_input: t_Array u8 (sz 33))
             Libcrux.Kem.Kyber.Hash_functions.v_PRF v_ETA_RANDOMNESS_SIZE
               (Rust_primitives.unsize prf_input <: t_Slice u8)
           in
-          let r:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let r:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Libcrux.Kem.Kyber.Sampling.sample_from_binomial_distribution v_ETA
               (Rust_primitives.unsize prf_output <: t_Slice u8)
           in
-          let re_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+          let re_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
             Rust_primitives.Hax.update_at re_as_ntt
               i
               (Libcrux.Kem.Kyber.Ntt.ntt_binomially_sampled_ring_element r
                 <:
-                Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
           in
           domain_separator, prf_input, re_as_ntt
           <:
           (u8 & t_Array u8 (sz 33) &
-            t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K))
+            t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K))
   in
   re_as_ntt, domain_separator
   <:
-  (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K & u8)
+  (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & u8)
 
 let sample_matrix_A (v_K: usize) (seed: t_Array u8 (sz 34)) (transpose: bool)
-    : (t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K) v_K &
+    : (t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K &
       Core.Option.t_Option Libcrux.Kem.Kyber.Types.t_Error) =
-  let v_A_transpose:t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
-    v_K =
-    Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
+  let v_A_transpose:t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K =
+    Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO
           v_K
         <:
-        t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
+        t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)
       v_K
   in
   let sampling_A_error:Core.Option.t_Option Libcrux.Kem.Kyber.Types.t_Error =
     Core.Option.Option_None <: Core.Option.t_Option Libcrux.Kem.Kyber.Types.t_Error
   in
   let v_A_transpose, sampling_A_error:(t_Array
-      (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K) v_K &
+      (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K &
     Core.Option.t_Option Libcrux.Kem.Kyber.Types.t_Error) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
@@ -114,11 +112,11 @@ let sample_matrix_A (v_K: usize) (seed: t_Array u8 (sz 34)) (transpose: bool)
         Core.Ops.Range.t_Range usize)
       (v_A_transpose, sampling_A_error
         <:
-        (t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K) v_K &
+        (t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K &
           Core.Option.t_Option Libcrux.Kem.Kyber.Types.t_Error))
       (fun temp_0_ i ->
           let v_A_transpose, sampling_A_error:(t_Array
-              (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K) v_K &
+              (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K &
             Core.Option.t_Option Libcrux.Kem.Kyber.Types.t_Error) =
             temp_0_
           in
@@ -170,16 +168,16 @@ let sample_matrix_A (v_K: usize) (seed: t_Array u8 (sz 34)) (transpose: bool)
               Core.Ops.Range.t_Range usize)
             (v_A_transpose, sampling_A_error
               <:
-              (t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K) v_K &
+              (t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K &
                 Core.Option.t_Option Libcrux.Kem.Kyber.Types.t_Error))
             (fun temp_0_ j ->
                 let v_A_transpose, sampling_A_error:(t_Array
-                    (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K) v_K &
+                    (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K &
                   Core.Option.t_Option Libcrux.Kem.Kyber.Types.t_Error) =
                   temp_0_
                 in
                 let j:usize = j in
-                let sampled, error:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement &
+                let sampled, error:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement &
                   Core.Option.t_Option Libcrux.Kem.Kyber.Types.t_Error) =
                   Libcrux.Kem.Kyber.Sampling.sample_from_uniform_distribution (sz 840)
                     (xof_bytes.[ j ] <: t_Array u8 (sz 840))
@@ -196,68 +194,64 @@ let sample_matrix_A (v_K: usize) (seed: t_Array u8 (sz 34)) (transpose: bool)
                 if transpose
                 then
                   let v_A_transpose:t_Array
-                    (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K) v_K =
+                    (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K =
                     Rust_primitives.Hax.update_at v_A_transpose
                       j
                       (Rust_primitives.Hax.update_at (v_A_transpose.[ j ]
                             <:
-                            t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
+                            t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)
                           i
                           sampled
                         <:
-                        t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
+                        t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)
                   in
                   v_A_transpose, sampling_A_error
                   <:
-                  (t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
-                      v_K &
+                  (t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K &
                     Core.Option.t_Option Libcrux.Kem.Kyber.Types.t_Error)
                 else
                   let v_A_transpose:t_Array
-                    (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K) v_K =
+                    (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K =
                     Rust_primitives.Hax.update_at v_A_transpose
                       i
                       (Rust_primitives.Hax.update_at (v_A_transpose.[ i ]
                             <:
-                            t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
+                            t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)
                           j
                           sampled
                         <:
-                        t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
+                        t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)
                   in
                   v_A_transpose, sampling_A_error
                   <:
-                  (t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
-                      v_K &
+                  (t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K &
                     Core.Option.t_Option Libcrux.Kem.Kyber.Types.t_Error)))
   in
   v_A_transpose, sampling_A_error
   <:
-  (t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K) v_K &
+  (t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K &
     Core.Option.t_Option Libcrux.Kem.Kyber.Types.t_Error)
 
 let compress_then_encode_u
       (v_K v_OUT_LEN v_COMPRESSION_FACTOR v_BLOCK_LEN: usize)
-      (input: t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
+      (input: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)
     : t_Array u8 v_OUT_LEN =
   let out:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in
   let out:t_Array u8 v_OUT_LEN =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
               (Core.Iter.Traits.Collect.f_into_iter input
                 <:
-                Core.Array.Iter.t_IntoIter Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
-                  v_K)
+                Core.Array.Iter.t_IntoIter Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)
             <:
             Core.Iter.Adapters.Enumerate.t_Enumerate
-            (Core.Array.Iter.t_IntoIter Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
-                v_K))
+            (Core.Array.Iter.t_IntoIter Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K))
         <:
         Core.Iter.Adapters.Enumerate.t_Enumerate
-        (Core.Array.Iter.t_IntoIter Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K))
+        (Core.Array.Iter.t_IntoIter Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K))
       out
       (fun out temp_1_ ->
           let out:t_Array u8 v_OUT_LEN = out in
-          let i, re:(usize & Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement) = temp_1_ in
+          let i, re:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = temp_1_ in
           Rust_primitives.Hax.update_at out
             ({
                 Core.Ops.Range.f_start = i *! (v_OUT_LEN /! v_K <: usize) <: usize;
@@ -292,26 +286,24 @@ let compress_then_encode_u
 
 let serialize_key
       (v_K v_OUT_LEN: usize)
-      (key: t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
+      (key: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)
     : t_Array u8 v_OUT_LEN =
   let out:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in
   let out:t_Array u8 v_OUT_LEN =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
               (Core.Iter.Traits.Collect.f_into_iter key
                 <:
-                Core.Array.Iter.t_IntoIter Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
-                  v_K)
+                Core.Array.Iter.t_IntoIter Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)
             <:
             Core.Iter.Adapters.Enumerate.t_Enumerate
-            (Core.Array.Iter.t_IntoIter Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
-                v_K))
+            (Core.Array.Iter.t_IntoIter Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K))
         <:
         Core.Iter.Adapters.Enumerate.t_Enumerate
-        (Core.Array.Iter.t_IntoIter Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K))
+        (Core.Array.Iter.t_IntoIter Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K))
       out
       (fun out temp_1_ ->
           let out:t_Array u8 v_OUT_LEN = out in
-          let i, re:(usize & Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement) = temp_1_ in
+          let i, re:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = temp_1_ in
           Rust_primitives.Hax.update_at out
             ({
                 Core.Ops.Range.f_start
@@ -358,15 +350,13 @@ let decrypt
       (secret_key: t_Slice u8)
       (ciphertext: Libcrux.Kem.Kyber.Types.t_KyberCiphertext v_CIPHERTEXT_SIZE)
     : t_Array u8 (sz 32) =
-  let u_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-    Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
-      v_K
+  let u_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
+    Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K
   in
-  let secret_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-    Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
-      v_K
+  let secret_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
+    Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K
   in
-  let u_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+  let u_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
               (Core.Slice.impl__chunks_exact (ciphertext.Libcrux.Kem.Kyber.Types.f_value.[ {
                         Core.Ops.Range.f_end = v_VECTOR_U_ENCODED_SIZE
@@ -390,24 +380,24 @@ let decrypt
         Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8))
       u_as_ntt
       (fun u_as_ntt temp_1_ ->
-          let u_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+          let u_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
             u_as_ntt
           in
           let i, u_bytes:(usize & t_Slice u8) = temp_1_ in
-          let u:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let u:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Libcrux.Kem.Kyber.Serialize.deserialize_then_decompress_ring_element_u v_U_COMPRESSION_FACTOR
               u_bytes
           in
-          let u_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+          let u_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
             Rust_primitives.Hax.update_at u_as_ntt
               i
               (Libcrux.Kem.Kyber.Ntt.ntt_vector_u v_U_COMPRESSION_FACTOR u
                 <:
-                Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
           in
           u_as_ntt)
   in
-  let v:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+  let v:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     Libcrux.Kem.Kyber.Serialize.deserialize_then_decompress_ring_element_v v_V_COMPRESSION_FACTOR
       (ciphertext.Libcrux.Kem.Kyber.Types.f_value.[ {
             Core.Ops.Range.f_start = v_VECTOR_U_ENCODED_SIZE
@@ -417,7 +407,7 @@ let decrypt
         <:
         t_Slice u8)
   in
-  let secret_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+  let secret_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
               (Core.Slice.impl__chunks_exact secret_key
                   Libcrux.Kem.Kyber.Constants.v_BYTES_PER_RING_ELEMENT
@@ -429,7 +419,7 @@ let decrypt
         Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8))
       secret_as_ntt
       (fun secret_as_ntt temp_1_ ->
-          let secret_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+          let secret_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
             secret_as_ntt
           in
           let i, secret_bytes:(usize & t_Slice u8) = temp_1_ in
@@ -437,11 +427,11 @@ let decrypt
             i
             (Libcrux.Kem.Kyber.Serialize.deserialize_to_uncompressed_ring_element secret_bytes
               <:
-              Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+              Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
           <:
-          t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
+          t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)
   in
-  let message:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+  let message:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     Libcrux.Kem.Kyber.Matrix.compute_message v_K v secret_as_ntt u_as_ntt
   in
   Libcrux.Kem.Kyber.Serialize.compress_then_serialize_message message
@@ -454,11 +444,10 @@ let encrypt
       (randomness: t_Slice u8)
     : (Libcrux.Kem.Kyber.Types.t_KyberCiphertext v_CIPHERTEXT_SIZE &
       Core.Option.t_Option Libcrux.Kem.Kyber.Types.t_Error) =
-  let tt_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-    Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
-      v_K
+  let tt_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
+    Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K
   in
-  let tt_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+  let tt_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
               (Core.Slice.impl__chunks_exact (public_key.[ {
                         Core.Ops.Range.f_end = v_T_AS_NTT_ENCODED_SIZE
@@ -476,7 +465,7 @@ let encrypt
         Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8))
       tt_as_ntt
       (fun tt_as_ntt temp_1_ ->
-          let tt_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+          let tt_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
             tt_as_ntt
           in
           let i, tt_as_ntt_bytes:(usize & t_Slice u8) = temp_1_ in
@@ -484,9 +473,9 @@ let encrypt
             i
             (Libcrux.Kem.Kyber.Serialize.deserialize_to_uncompressed_ring_element tt_as_ntt_bytes
               <:
-              Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+              Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
           <:
-          t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
+          t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)
   in
   let seed:t_Slice u8 =
     public_key.[ { Core.Ops.Range.f_start = v_T_AS_NTT_ENCODED_SIZE }
@@ -494,7 +483,7 @@ let encrypt
       Core.Ops.Range.t_RangeFrom usize ]
   in
   let v_A_transpose, sampling_A_error:(t_Array
-      (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K) v_K &
+      (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K &
     Core.Option.t_Option Libcrux.Kem.Kyber.Types.t_Error) =
     sample_matrix_A v_K
       (Libcrux.Kem.Kyber.Conversions.into_padded_array (sz 34) seed <: t_Array u8 (sz 34))
@@ -503,17 +492,15 @@ let encrypt
   let (prf_input: t_Array u8 (sz 33)):t_Array u8 (sz 33) =
     Libcrux.Kem.Kyber.Conversions.into_padded_array (sz 33) randomness
   in
-  let r_as_ntt, domain_separator:(t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
-      v_K &
+  let r_as_ntt, domain_separator:(t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K &
     u8) =
     cbd v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE prf_input
   in
-  let error_1_:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-    Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
-      v_K
+  let error_1_:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
+    Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K
   in
   let domain_separator, error_1_, prf_input:(u8 &
-    t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K &
+    t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K &
     t_Array u8 (sz 33)) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
@@ -525,11 +512,11 @@ let encrypt
         Core.Ops.Range.t_Range usize)
       (domain_separator, error_1_, prf_input
         <:
-        (u8 & t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K &
-          t_Array u8 (sz 33)))
+        (u8 & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & t_Array u8 (sz 33))
+      )
       (fun temp_0_ i ->
           let domain_separator, error_1_, prf_input:(u8 &
-            t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K &
+            t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K &
             t_Array u8 (sz 33)) =
             temp_0_
           in
@@ -542,17 +529,17 @@ let encrypt
             Libcrux.Kem.Kyber.Hash_functions.v_PRF v_ETA2_RANDOMNESS_SIZE
               (Rust_primitives.unsize prf_input <: t_Slice u8)
           in
-          let error_1_:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+          let error_1_:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
             Rust_primitives.Hax.update_at error_1_
               i
               (Libcrux.Kem.Kyber.Sampling.sample_from_binomial_distribution v_ETA2
                   (Rust_primitives.unsize prf_output <: t_Slice u8)
                 <:
-                Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
           in
           domain_separator, error_1_, prf_input
           <:
-          (u8 & t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K &
+          (u8 & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K &
             t_Array u8 (sz 33)))
   in
   let prf_input:t_Array u8 (sz 33) =
@@ -562,17 +549,17 @@ let encrypt
     Libcrux.Kem.Kyber.Hash_functions.v_PRF v_ETA2_RANDOMNESS_SIZE
       (Rust_primitives.unsize prf_input <: t_Slice u8)
   in
-  let error_2_:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+  let error_2_:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     Libcrux.Kem.Kyber.Sampling.sample_from_binomial_distribution v_ETA2
       (Rust_primitives.unsize prf_output <: t_Slice u8)
   in
-  let u:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+  let u:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
     Libcrux.Kem.Kyber.Matrix.compute_vector_u v_K v_A_transpose r_as_ntt error_1_
   in
-  let message_as_ring_element:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+  let message_as_ring_element:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     Libcrux.Kem.Kyber.Serialize.deserialize_then_decompress_message message
   in
-  let v:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+  let v:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     Libcrux.Kem.Kyber.Matrix.compute_ring_element_v v_K
       tt_as_ntt
       r_as_ntt
@@ -616,13 +603,11 @@ let generate_keypair
         Libcrux.Kem.Kyber.Types.t_KyberPublicKey v_PUBLIC_KEY_SIZE) &
       Core.Option.t_Option Libcrux.Kem.Kyber.Types.t_Error) =
   let (prf_input: t_Array u8 (sz 33)):t_Array u8 (sz 33) = Rust_primitives.Hax.repeat 0uy (sz 33) in
-  let secret_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-    Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
-      v_K
+  let secret_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
+    Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K
   in
-  let error_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-    Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
-      v_K
+  let error_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
+    Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K
   in
   let (domain_separator: u8):u8 = 0uy in
   let hashed:t_Array u8 (sz 64) = Libcrux.Kem.Kyber.Hash_functions.v_G key_generation_seed in
@@ -630,7 +615,7 @@ let generate_keypair
     Core.Slice.impl__split_at (Rust_primitives.unsize hashed <: t_Slice u8) (sz 32)
   in
   let v_A_transpose, sampling_A_error:(t_Array
-      (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K) v_K &
+      (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K &
     Core.Option.t_Option Libcrux.Kem.Kyber.Types.t_Error) =
     sample_matrix_A v_K
       (Libcrux.Kem.Kyber.Conversions.into_padded_array (sz 34) seed_for_A <: t_Array u8 (sz 34))
@@ -657,7 +642,7 @@ let generate_keypair
         t_Slice u8)
   in
   let domain_separator, prf_input, secret_as_ntt:(u8 & t_Array u8 (sz 33) &
-    t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K) =
+    t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = v_K
@@ -668,11 +653,11 @@ let generate_keypair
         Core.Ops.Range.t_Range usize)
       (domain_separator, prf_input, secret_as_ntt
         <:
-        (u8 & t_Array u8 (sz 33) &
-          t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K))
+        (u8 & t_Array u8 (sz 33) & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)
+      )
       (fun temp_0_ i ->
           let domain_separator, prf_input, secret_as_ntt:(u8 & t_Array u8 (sz 33) &
-            t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K) =
+            t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) =
             temp_0_
           in
           let i:usize = i in
@@ -684,24 +669,24 @@ let generate_keypair
             Libcrux.Kem.Kyber.Hash_functions.v_PRF v_ETA1_RANDOMNESS_SIZE
               (Rust_primitives.unsize prf_input <: t_Slice u8)
           in
-          let secret:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let secret:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Libcrux.Kem.Kyber.Sampling.sample_from_binomial_distribution v_ETA1
               (Rust_primitives.unsize prf_output <: t_Slice u8)
           in
-          let secret_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+          let secret_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
             Rust_primitives.Hax.update_at secret_as_ntt
               i
               (Libcrux.Kem.Kyber.Ntt.ntt_binomially_sampled_ring_element secret
                 <:
-                Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
           in
           domain_separator, prf_input, secret_as_ntt
           <:
           (u8 & t_Array u8 (sz 33) &
-            t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K))
+            t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K))
   in
   let domain_separator, error_as_ntt, prf_input:(u8 &
-    t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K &
+    t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K &
     t_Array u8 (sz 33)) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
@@ -713,11 +698,11 @@ let generate_keypair
         Core.Ops.Range.t_Range usize)
       (domain_separator, error_as_ntt, prf_input
         <:
-        (u8 & t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K &
-          t_Array u8 (sz 33)))
+        (u8 & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & t_Array u8 (sz 33))
+      )
       (fun temp_0_ i ->
           let domain_separator, error_as_ntt, prf_input:(u8 &
-            t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K &
+            t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K &
             t_Array u8 (sz 33)) =
             temp_0_
           in
@@ -730,23 +715,23 @@ let generate_keypair
             Libcrux.Kem.Kyber.Hash_functions.v_PRF v_ETA1_RANDOMNESS_SIZE
               (Rust_primitives.unsize prf_input <: t_Slice u8)
           in
-          let error:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let error:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Libcrux.Kem.Kyber.Sampling.sample_from_binomial_distribution v_ETA1
               (Rust_primitives.unsize prf_output <: t_Slice u8)
           in
-          let error_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+          let error_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
             Rust_primitives.Hax.update_at error_as_ntt
               i
               (Libcrux.Kem.Kyber.Ntt.ntt_binomially_sampled_ring_element error
                 <:
-                Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
           in
           domain_separator, error_as_ntt, prf_input
           <:
-          (u8 & t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K &
+          (u8 & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K &
             t_Array u8 (sz 33)))
   in
-  let tt_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+  let tt_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
     Libcrux.Kem.Kyber.Matrix.compute_As_plus_e v_K v_A_transpose secret_as_ntt error_as_ntt
   in
   let public_key_serialized:Libcrux.Kem.Kyber.Conversions.t_UpdatableArray v_PUBLIC_KEY_SIZE =
diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix.fst
index 2a9f79b52..d1a9d6756 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix.fst
@@ -5,76 +5,67 @@ open FStar.Mul
 
 let compute_As_plus_e
       (v_K: usize)
-      (matrix_A:
-          t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K) v_K)
-      (s_as_ntt error_as_ntt: t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
-    : t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-    Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
-      v_K
+      (matrix_A: t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K)
+      (s_as_ntt error_as_ntt: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)
+    : t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
+  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
+    Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K
   in
-  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
               (Core.Slice.impl__iter (Rust_primitives.unsize matrix_A
                     <:
-                    t_Slice (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K))
+                    t_Slice (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K))
                 <:
                 Core.Slice.Iter.t_Iter
-                (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K))
+                (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K))
             <:
             Core.Iter.Adapters.Enumerate.t_Enumerate
             (Core.Slice.Iter.t_Iter
-              (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)))
+              (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)))
         <:
         Core.Iter.Adapters.Enumerate.t_Enumerate
-        (Core.Slice.Iter.t_Iter
-          (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)))
+        (Core.Slice.Iter.t_Iter (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)))
       result
       (fun result temp_1_ ->
-          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-            result
-          in
-          let i, row:(usize & t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
-          =
+          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = result in
+          let i, row:(usize & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) =
             temp_1_
           in
-          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
             Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
                       (Core.Slice.impl__iter (Rust_primitives.unsize row
                             <:
-                            t_Slice Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                            t_Slice Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
                         <:
-                        Core.Slice.Iter.t_Iter
-                        Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                        Core.Slice.Iter.t_Iter Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
                     <:
                     Core.Iter.Adapters.Enumerate.t_Enumerate
-                    (Core.Slice.Iter.t_Iter
-                      Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement))
+                    (Core.Slice.Iter.t_Iter Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement))
                 <:
                 Core.Iter.Adapters.Enumerate.t_Enumerate
-                (Core.Slice.Iter.t_Iter Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement))
+                (Core.Slice.Iter.t_Iter Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement))
               result
               (fun result temp_1_ ->
-                  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+                  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
                     result
                   in
                   let j, matrix_element:(usize &
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement) =
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) =
                     temp_1_
                   in
-                  let product:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let product:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     Libcrux.Kem.Kyber.Ntt.ntt_multiply matrix_element
-                      (s_as_ntt.[ j ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                      (s_as_ntt.[ j ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
                   in
-                  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+                  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
                     Rust_primitives.Hax.update_at result
                       i
                       (Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element v_K
-                          (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
-                          )
+                          (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
                           product
                         <:
-                        Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                        Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
                   in
                   result)
           in
@@ -84,7 +75,7 @@ let compute_As_plus_e
                     =
                     Core.Slice.impl__len (Rust_primitives.unsize (result.[ i ]
                             <:
-                            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
                             .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         <:
                         t_Slice i32)
@@ -97,14 +88,14 @@ let compute_As_plus_e
               Core.Ops.Range.t_Range usize)
             result
             (fun result j ->
-                let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+                let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
                   result
                 in
                 let j:usize = j in
                 let coefficient_normal_form:i32 =
                   Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (((result.[ i ]
                           <:
-                          Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                          Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
                           .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ]
                         <:
                         i32) *!
@@ -115,18 +106,18 @@ let compute_As_plus_e
                 Rust_primitives.Hax.update_at result
                   i
                   ({
-                      (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement) with
+                      (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
                       Rust_primitives.Hax.update_at (result.[ i ]
                           <:
-                          Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                          Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
                           .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         j
                         (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce (coefficient_normal_form +!
                               ((error_as_ntt.[ i ]
                                   <:
-                                  Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                                  Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
                                   .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ]
                                 <:
                                 i32)
@@ -138,20 +129,19 @@ let compute_As_plus_e
                       t_Array i32 (sz 256)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)))
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)))
   in
   result
 
 let compute_message
       (v_K: usize)
-      (v: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-      (secret_as_ntt u_as_ntt:
-          t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
-    : Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-    Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
+      (v: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
+      (secret_as_ntt u_as_ntt: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)
+    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+  let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+    Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO
   in
-  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+  let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = v_K
@@ -162,23 +152,23 @@ let compute_message
         Core.Ops.Range.t_Range usize)
       result
       (fun result i ->
-          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = result in
+          let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = result in
           let i:usize = i in
-          let product:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let product:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Libcrux.Kem.Kyber.Ntt.ntt_multiply (secret_as_ntt.[ i ]
                 <:
-                Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-              (u_as_ntt.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
+              (u_as_ntt.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
           in
-          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element v_K result product
           in
           result)
   in
-  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+  let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     Libcrux.Kem.Kyber.Ntt.invert_ntt_montgomery v_K result
   in
-  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+  let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end
@@ -196,7 +186,7 @@ let compute_message
         Core.Ops.Range.t_Range usize)
       result
       (fun result i ->
-          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = result in
+          let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = result in
           let i:usize = i in
           let coefficient_normal_form:i32 =
             Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((result
@@ -207,7 +197,7 @@ let compute_message
                 <:
                 i32)
           in
-          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               result with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -225,7 +215,7 @@ let compute_message
                   i32)
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
           result)
   in
@@ -233,13 +223,13 @@ let compute_message
 
 let compute_ring_element_v
       (v_K: usize)
-      (tt_as_ntt r_as_ntt: t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
-      (error_2_ message: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-    : Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-    Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
+      (tt_as_ntt r_as_ntt: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)
+      (error_2_ message: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
+    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+  let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+    Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO
   in
-  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+  let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = v_K
@@ -250,23 +240,23 @@ let compute_ring_element_v
         Core.Ops.Range.t_Range usize)
       result
       (fun result i ->
-          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = result in
+          let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = result in
           let i:usize = i in
-          let product:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let product:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Libcrux.Kem.Kyber.Ntt.ntt_multiply (tt_as_ntt.[ i ]
                 <:
-                Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-              (r_as_ntt.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
+              (r_as_ntt.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
           in
-          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element v_K result product
           in
           result)
   in
-  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+  let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     Libcrux.Kem.Kyber.Ntt.invert_ntt_montgomery v_K result
   in
-  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+  let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end
@@ -284,7 +274,7 @@ let compute_ring_element_v
         Core.Ops.Range.t_Range usize)
       result
       (fun result i ->
-          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = result in
+          let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = result in
           let i:usize = i in
           let coefficient_normal_form:i32 =
             Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((result
@@ -295,7 +285,7 @@ let compute_ring_element_v
                 <:
                 i32)
           in
-          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               result with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -313,7 +303,7 @@ let compute_ring_element_v
                   i32)
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
           result)
   in
@@ -321,86 +311,76 @@ let compute_ring_element_v
 
 let compute_vector_u
       (v_K: usize)
-      (a_as_ntt:
-          t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K) v_K)
-      (r_as_ntt error_1_: t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
-    : t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-    Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
-      v_K
+      (a_as_ntt: t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K)
+      (r_as_ntt error_1_: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)
+    : t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
+  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
+    Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K
   in
-  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
               (Core.Slice.impl__iter (Rust_primitives.unsize a_as_ntt
                     <:
-                    t_Slice (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K))
+                    t_Slice (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K))
                 <:
                 Core.Slice.Iter.t_Iter
-                (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K))
+                (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K))
             <:
             Core.Iter.Adapters.Enumerate.t_Enumerate
             (Core.Slice.Iter.t_Iter
-              (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)))
+              (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)))
         <:
         Core.Iter.Adapters.Enumerate.t_Enumerate
-        (Core.Slice.Iter.t_Iter
-          (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)))
+        (Core.Slice.Iter.t_Iter (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)))
       result
       (fun result temp_1_ ->
-          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-            result
-          in
-          let i, row:(usize & t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
-          =
+          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = result in
+          let i, row:(usize & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) =
             temp_1_
           in
-          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
             Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
                       (Core.Slice.impl__iter (Rust_primitives.unsize row
                             <:
-                            t_Slice Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                            t_Slice Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
                         <:
-                        Core.Slice.Iter.t_Iter
-                        Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                        Core.Slice.Iter.t_Iter Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
                     <:
                     Core.Iter.Adapters.Enumerate.t_Enumerate
-                    (Core.Slice.Iter.t_Iter
-                      Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement))
+                    (Core.Slice.Iter.t_Iter Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement))
                 <:
                 Core.Iter.Adapters.Enumerate.t_Enumerate
-                (Core.Slice.Iter.t_Iter Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement))
+                (Core.Slice.Iter.t_Iter Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement))
               result
               (fun result temp_1_ ->
-                  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+                  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
                     result
                   in
-                  let j, a_element:(usize &
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement) =
+                  let j, a_element:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) =
                     temp_1_
                   in
-                  let product:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let product:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     Libcrux.Kem.Kyber.Ntt.ntt_multiply a_element
-                      (r_as_ntt.[ j ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                      (r_as_ntt.[ j ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
                   in
-                  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+                  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
                     Rust_primitives.Hax.update_at result
                       i
                       (Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element v_K
-                          (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
-                          )
+                          (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
                           product
                         <:
-                        Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                        Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
                   in
                   result)
           in
-          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
             Rust_primitives.Hax.update_at result
               i
               (Libcrux.Kem.Kyber.Ntt.invert_ntt_montgomery v_K
-                  (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                  (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
                 <:
-                Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
           in
           Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
                     Core.Ops.Range.f_start = sz 0;
@@ -408,7 +388,7 @@ let compute_vector_u
                     =
                     Core.Slice.impl__len (Rust_primitives.unsize (result.[ i ]
                             <:
-                            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
                             .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         <:
                         t_Slice i32)
@@ -421,14 +401,14 @@ let compute_vector_u
               Core.Ops.Range.t_Range usize)
             result
             (fun result j ->
-                let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+                let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
                   result
                 in
                 let j:usize = j in
                 let coefficient_normal_form:i32 =
                   Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (((result.[ i ]
                           <:
-                          Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                          Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
                           .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ]
                         <:
                         i32) *!
@@ -436,22 +416,22 @@ let compute_vector_u
                       <:
                       i32)
                 in
-                let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
+                let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
                   Rust_primitives.Hax.update_at result
                     i
                     ({
-                        (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement) with
+                        (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) with
                         Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         =
                         Rust_primitives.Hax.update_at (result.[ i ]
                             <:
-                            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
                             .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                           j
                           (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce (coefficient_normal_form +!
                                 ((error_1_.[ i ]
                                     <:
-                                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
                                     .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ]
                                   <:
                                   i32)
@@ -463,7 +443,7 @@ let compute_vector_u
                         t_Array i32 (sz 256)
                       }
                       <:
-                      Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+                      Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
                 in
                 result))
   in
diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ntt.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ntt.fst
index 19ca7c8d7..141ee1e5d 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ntt.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ntt.fst
@@ -31,14 +31,12 @@ let ntt_multiply_binomials (a0, a1: (i32 & i32)) (b0, b1: (i32 & i32)) (zeta: i3
   <:
   (i32 & i32)
 
-let invert_ntt_montgomery
-      (v_K: usize)
-      (re: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-    : Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
+    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
   let _:Prims.unit = () <: Prims.unit in
   let zeta_i:usize = Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! sz 2 in
   let step:usize = sz 1 <<! 1l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = sz 128 /! step <: usize
@@ -47,15 +45,13 @@ let invert_ntt_montgomery
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
       (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
-            temp_0_
-          in
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
           let round:usize = round in
           let zeta_i:usize = zeta_i -! sz 1 in
           let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
                       Core.Ops.Range.f_start = offset;
                       Core.Ops.Range.f_end = offset +! step <: usize
@@ -66,13 +62,13 @@ let invert_ntt_montgomery
                 Core.Ops.Range.t_Range usize)
               re
               (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let a_minus_b:i32 =
                     (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ] <: i32) -!
                     (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32)
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -87,9 +83,9 @@ let invert_ntt_montgomery
                           i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -104,14 +100,14 @@ let invert_ntt_montgomery
                           i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
                   re)
           in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
   in
   let step:usize = sz 1 <<! 2l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = sz 128 /! step <: usize
@@ -120,15 +116,13 @@ let invert_ntt_montgomery
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
       (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
-            temp_0_
-          in
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
           let round:usize = round in
           let zeta_i:usize = zeta_i -! sz 1 in
           let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
                       Core.Ops.Range.f_start = offset;
                       Core.Ops.Range.f_end = offset +! step <: usize
@@ -139,13 +133,13 @@ let invert_ntt_montgomery
                 Core.Ops.Range.t_Range usize)
               re
               (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let a_minus_b:i32 =
                     (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ] <: i32) -!
                     (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32)
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -160,9 +154,9 @@ let invert_ntt_montgomery
                           i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -177,14 +171,14 @@ let invert_ntt_montgomery
                           i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
                   re)
           in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
   in
   let step:usize = sz 1 <<! 3l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = sz 128 /! step <: usize
@@ -193,15 +187,13 @@ let invert_ntt_montgomery
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
       (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
-            temp_0_
-          in
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
           let round:usize = round in
           let zeta_i:usize = zeta_i -! sz 1 in
           let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
                       Core.Ops.Range.f_start = offset;
                       Core.Ops.Range.f_end = offset +! step <: usize
@@ -212,13 +204,13 @@ let invert_ntt_montgomery
                 Core.Ops.Range.t_Range usize)
               re
               (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let a_minus_b:i32 =
                     (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ] <: i32) -!
                     (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32)
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -233,9 +225,9 @@ let invert_ntt_montgomery
                           i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -250,14 +242,14 @@ let invert_ntt_montgomery
                           i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
                   re)
           in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
   in
   let step:usize = sz 1 <<! 4l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = sz 128 /! step <: usize
@@ -266,15 +258,13 @@ let invert_ntt_montgomery
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
       (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
-            temp_0_
-          in
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
           let round:usize = round in
           let zeta_i:usize = zeta_i -! sz 1 in
           let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
                       Core.Ops.Range.f_start = offset;
                       Core.Ops.Range.f_end = offset +! step <: usize
@@ -285,13 +275,13 @@ let invert_ntt_montgomery
                 Core.Ops.Range.t_Range usize)
               re
               (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let a_minus_b:i32 =
                     (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ] <: i32) -!
                     (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32)
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -306,9 +296,9 @@ let invert_ntt_montgomery
                           i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -323,14 +313,14 @@ let invert_ntt_montgomery
                           i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
                   re)
           in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
   in
   let step:usize = sz 1 <<! 5l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = sz 128 /! step <: usize
@@ -339,15 +329,13 @@ let invert_ntt_montgomery
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
       (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
-            temp_0_
-          in
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
           let round:usize = round in
           let zeta_i:usize = zeta_i -! sz 1 in
           let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
                       Core.Ops.Range.f_start = offset;
                       Core.Ops.Range.f_end = offset +! step <: usize
@@ -358,13 +346,13 @@ let invert_ntt_montgomery
                 Core.Ops.Range.t_Range usize)
               re
               (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let a_minus_b:i32 =
                     (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ] <: i32) -!
                     (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32)
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -379,9 +367,9 @@ let invert_ntt_montgomery
                           i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -396,14 +384,14 @@ let invert_ntt_montgomery
                           i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
                   re)
           in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
   in
   let step:usize = sz 1 <<! 6l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = sz 128 /! step <: usize
@@ -412,15 +400,13 @@ let invert_ntt_montgomery
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
       (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
-            temp_0_
-          in
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
           let round:usize = round in
           let zeta_i:usize = zeta_i -! sz 1 in
           let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
                       Core.Ops.Range.f_start = offset;
                       Core.Ops.Range.f_end = offset +! step <: usize
@@ -431,13 +417,13 @@ let invert_ntt_montgomery
                 Core.Ops.Range.t_Range usize)
               re
               (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let a_minus_b:i32 =
                     (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ] <: i32) -!
                     (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32)
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -452,9 +438,9 @@ let invert_ntt_montgomery
                           i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -469,14 +455,14 @@ let invert_ntt_montgomery
                           i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
                   re)
           in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
   in
   let step:usize = sz 1 <<! 7l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = sz 128 /! step <: usize
@@ -485,15 +471,13 @@ let invert_ntt_montgomery
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
       (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
-            temp_0_
-          in
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
           let round:usize = round in
           let zeta_i:usize = zeta_i -! sz 1 in
           let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
                       Core.Ops.Range.f_start = offset;
                       Core.Ops.Range.f_end = offset +! step <: usize
@@ -504,13 +488,13 @@ let invert_ntt_montgomery
                 Core.Ops.Range.t_Range usize)
               re
               (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let a_minus_b:i32 =
                     (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ] <: i32) -!
                     (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32)
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -525,9 +509,9 @@ let invert_ntt_montgomery
                           i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -542,15 +526,15 @@ let invert_ntt_montgomery
                           i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
                   re)
           in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
   in
   let _:Prims.unit = () <: Prims.unit in
   let _:Prims.unit = () <: Prims.unit in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = sz 8
@@ -561,7 +545,7 @@ let invert_ntt_montgomery
         Core.Ops.Range.t_Range usize)
       re
       (fun re i ->
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
           let i:usize = i in
           {
             re with
@@ -579,17 +563,16 @@ let invert_ntt_montgomery
             t_Array i32 (sz 256)
           }
           <:
-          Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+          Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
   in
   re
 
-let ntt_binomially_sampled_ring_element
-      (re: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-    : Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
+    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
   let _:Prims.unit = () <: Prims.unit in
   let zeta_i:usize = sz 0 in
   let zeta_i:usize = zeta_i +! sz 1 in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = sz 128
@@ -600,13 +583,13 @@ let ntt_binomially_sampled_ring_element
         Core.Ops.Range.t_Range usize)
       re
       (fun re j ->
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
           let j:usize = j in
           let t:i32 =
             (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! sz 128 <: usize ] <: i32) *!
             (-1600l)
           in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -616,9 +599,9 @@ let ntt_binomially_sampled_ring_element
                 ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -628,13 +611,13 @@ let ntt_binomially_sampled_ring_element
                 ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
           re)
   in
   let _:Prims.unit = () <: Prims.unit in
   let step:usize = sz 1 <<! 6l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = sz 128 /! step <: usize
@@ -643,15 +626,13 @@ let ntt_binomially_sampled_ring_element
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
       (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
-            temp_0_
-          in
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
           let round:usize = round in
           let zeta_i:usize = zeta_i +! sz 1 in
           let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
                       Core.Ops.Range.f_start = offset;
                       Core.Ops.Range.f_end = offset +! step <: usize
@@ -662,7 +643,7 @@ let ntt_binomially_sampled_ring_element
                 Core.Ops.Range.t_Range usize)
               re
               (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
                     Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((re
@@ -673,7 +654,7 @@ let ntt_binomially_sampled_ring_element
                         <:
                         i32)
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -683,9 +664,9 @@ let ntt_binomially_sampled_ring_element
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -695,15 +676,15 @@ let ntt_binomially_sampled_ring_element
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
                   re)
           in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
   in
   let _:Prims.unit = () <: Prims.unit in
   let step:usize = sz 1 <<! 5l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = sz 128 /! step <: usize
@@ -712,15 +693,13 @@ let ntt_binomially_sampled_ring_element
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
       (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
-            temp_0_
-          in
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
           let round:usize = round in
           let zeta_i:usize = zeta_i +! sz 1 in
           let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
                       Core.Ops.Range.f_start = offset;
                       Core.Ops.Range.f_end = offset +! step <: usize
@@ -731,7 +710,7 @@ let ntt_binomially_sampled_ring_element
                 Core.Ops.Range.t_Range usize)
               re
               (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
                     Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((re
@@ -742,7 +721,7 @@ let ntt_binomially_sampled_ring_element
                         <:
                         i32)
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -752,9 +731,9 @@ let ntt_binomially_sampled_ring_element
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -764,15 +743,15 @@ let ntt_binomially_sampled_ring_element
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
                   re)
           in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
   in
   let _:Prims.unit = () <: Prims.unit in
   let step:usize = sz 1 <<! 4l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = sz 128 /! step <: usize
@@ -781,15 +760,13 @@ let ntt_binomially_sampled_ring_element
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
       (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
-            temp_0_
-          in
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
           let round:usize = round in
           let zeta_i:usize = zeta_i +! sz 1 in
           let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
                       Core.Ops.Range.f_start = offset;
                       Core.Ops.Range.f_end = offset +! step <: usize
@@ -800,7 +777,7 @@ let ntt_binomially_sampled_ring_element
                 Core.Ops.Range.t_Range usize)
               re
               (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
                     Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((re
@@ -811,7 +788,7 @@ let ntt_binomially_sampled_ring_element
                         <:
                         i32)
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -821,9 +798,9 @@ let ntt_binomially_sampled_ring_element
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -833,15 +810,15 @@ let ntt_binomially_sampled_ring_element
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
                   re)
           in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
   in
   let _:Prims.unit = () <: Prims.unit in
   let step:usize = sz 1 <<! 3l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = sz 128 /! step <: usize
@@ -850,15 +827,13 @@ let ntt_binomially_sampled_ring_element
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
       (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
-            temp_0_
-          in
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
           let round:usize = round in
           let zeta_i:usize = zeta_i +! sz 1 in
           let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
                       Core.Ops.Range.f_start = offset;
                       Core.Ops.Range.f_end = offset +! step <: usize
@@ -869,7 +844,7 @@ let ntt_binomially_sampled_ring_element
                 Core.Ops.Range.t_Range usize)
               re
               (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
                     Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((re
@@ -880,7 +855,7 @@ let ntt_binomially_sampled_ring_element
                         <:
                         i32)
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -890,9 +865,9 @@ let ntt_binomially_sampled_ring_element
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -902,15 +877,15 @@ let ntt_binomially_sampled_ring_element
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
                   re)
           in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
   in
   let _:Prims.unit = () <: Prims.unit in
   let step:usize = sz 1 <<! 2l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = sz 128 /! step <: usize
@@ -919,15 +894,13 @@ let ntt_binomially_sampled_ring_element
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
       (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
-            temp_0_
-          in
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
           let round:usize = round in
           let zeta_i:usize = zeta_i +! sz 1 in
           let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
                       Core.Ops.Range.f_start = offset;
                       Core.Ops.Range.f_end = offset +! step <: usize
@@ -938,7 +911,7 @@ let ntt_binomially_sampled_ring_element
                 Core.Ops.Range.t_Range usize)
               re
               (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
                     Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((re
@@ -949,7 +922,7 @@ let ntt_binomially_sampled_ring_element
                         <:
                         i32)
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -959,9 +932,9 @@ let ntt_binomially_sampled_ring_element
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -971,15 +944,15 @@ let ntt_binomially_sampled_ring_element
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
                   re)
           in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
   in
   let _:Prims.unit = () <: Prims.unit in
   let step:usize = sz 1 <<! 1l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = sz 128 /! step <: usize
@@ -988,15 +961,13 @@ let ntt_binomially_sampled_ring_element
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
       (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
-            temp_0_
-          in
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
           let round:usize = round in
           let zeta_i:usize = zeta_i +! sz 1 in
           let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
                       Core.Ops.Range.f_start = offset;
                       Core.Ops.Range.f_end = offset +! step <: usize
@@ -1007,7 +978,7 @@ let ntt_binomially_sampled_ring_element
                 Core.Ops.Range.t_Range usize)
               re
               (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
                     Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((re
@@ -1018,7 +989,7 @@ let ntt_binomially_sampled_ring_element
                         <:
                         i32)
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -1028,9 +999,9 @@ let ntt_binomially_sampled_ring_element
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -1040,14 +1011,14 @@ let ntt_binomially_sampled_ring_element
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
                   re)
           in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
   in
   let _:Prims.unit = () <: Prims.unit in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     {
       re with
       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -1057,18 +1028,18 @@ let ntt_binomially_sampled_ring_element
         Libcrux.Kem.Kyber.Arithmetic.barrett_reduce
     }
     <:
-    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
   in
   re
 
-let ntt_multiply (left right: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-    : Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+let ntt_multiply (left right: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
+    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
   let _:Prims.unit = () <: Prims.unit in
   let _:Prims.unit = () <: Prims.unit in
-  let out:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-    Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
+  let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+    Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO
   in
-  let out:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+  let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end
@@ -1081,7 +1052,7 @@ let ntt_multiply (left right: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRing
         Core.Ops.Range.t_Range usize)
       out
       (fun out i ->
-          let out:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = out in
+          let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = out in
           let i:usize = i in
           let product:(i32 & i32) =
             ntt_multiply_binomials ((left.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ sz 4 *! i
@@ -1106,7 +1077,7 @@ let ntt_multiply (left right: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRing
                 (i32 & i32))
               (v_ZETAS_MONTGOMERY_DOMAIN.[ sz 64 +! i <: usize ] <: i32)
           in
-          let out:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               out with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -1116,9 +1087,9 @@ let ntt_multiply (left right: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRing
                 product._1
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
-          let out:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               out with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -1128,7 +1099,7 @@ let ntt_multiply (left right: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRing
                 product._2
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
           let product:(i32 & i32) =
             ntt_multiply_binomials ((left.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i
@@ -1162,7 +1133,7 @@ let ntt_multiply (left right: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRing
                 <:
                 i32)
           in
-          let out:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               out with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -1172,9 +1143,9 @@ let ntt_multiply (left right: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRing
                 product._1
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
-          let out:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               out with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -1184,7 +1155,7 @@ let ntt_multiply (left right: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRing
                 product._2
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
           out)
   in
@@ -1193,12 +1164,12 @@ let ntt_multiply (left right: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRing
 
 let ntt_vector_u
       (v_VECTOR_U_COMPRESSION_FACTOR: usize)
-      (re: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-    : Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+      (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
+    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
   let _:Prims.unit = () <: Prims.unit in
   let zeta_i:usize = sz 0 in
   let step:usize = sz 1 <<! 7l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = sz 128 /! step <: usize
@@ -1207,15 +1178,13 @@ let ntt_vector_u
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
       (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
-            temp_0_
-          in
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
           let round:usize = round in
           let zeta_i:usize = zeta_i +! sz 1 in
           let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
                       Core.Ops.Range.f_start = offset;
                       Core.Ops.Range.f_end = offset +! step <: usize
@@ -1226,7 +1195,7 @@ let ntt_vector_u
                 Core.Ops.Range.t_Range usize)
               re
               (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
                     Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((re
@@ -1237,7 +1206,7 @@ let ntt_vector_u
                         <:
                         i32)
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -1247,9 +1216,9 @@ let ntt_vector_u
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -1259,15 +1228,15 @@ let ntt_vector_u
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
                   re)
           in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
   in
   let _:Prims.unit = () <: Prims.unit in
   let step:usize = sz 1 <<! 6l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = sz 128 /! step <: usize
@@ -1276,15 +1245,13 @@ let ntt_vector_u
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
       (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
-            temp_0_
-          in
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
           let round:usize = round in
           let zeta_i:usize = zeta_i +! sz 1 in
           let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
                       Core.Ops.Range.f_start = offset;
                       Core.Ops.Range.f_end = offset +! step <: usize
@@ -1295,7 +1262,7 @@ let ntt_vector_u
                 Core.Ops.Range.t_Range usize)
               re
               (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
                     Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((re
@@ -1306,7 +1273,7 @@ let ntt_vector_u
                         <:
                         i32)
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -1316,9 +1283,9 @@ let ntt_vector_u
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -1328,15 +1295,15 @@ let ntt_vector_u
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
                   re)
           in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
   in
   let _:Prims.unit = () <: Prims.unit in
   let step:usize = sz 1 <<! 5l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = sz 128 /! step <: usize
@@ -1345,15 +1312,13 @@ let ntt_vector_u
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
       (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
-            temp_0_
-          in
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
           let round:usize = round in
           let zeta_i:usize = zeta_i +! sz 1 in
           let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
                       Core.Ops.Range.f_start = offset;
                       Core.Ops.Range.f_end = offset +! step <: usize
@@ -1364,7 +1329,7 @@ let ntt_vector_u
                 Core.Ops.Range.t_Range usize)
               re
               (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
                     Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((re
@@ -1375,7 +1340,7 @@ let ntt_vector_u
                         <:
                         i32)
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -1385,9 +1350,9 @@ let ntt_vector_u
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -1397,15 +1362,15 @@ let ntt_vector_u
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
                   re)
           in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
   in
   let _:Prims.unit = () <: Prims.unit in
   let step:usize = sz 1 <<! 4l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = sz 128 /! step <: usize
@@ -1414,15 +1379,13 @@ let ntt_vector_u
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
       (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
-            temp_0_
-          in
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
           let round:usize = round in
           let zeta_i:usize = zeta_i +! sz 1 in
           let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
                       Core.Ops.Range.f_start = offset;
                       Core.Ops.Range.f_end = offset +! step <: usize
@@ -1433,7 +1396,7 @@ let ntt_vector_u
                 Core.Ops.Range.t_Range usize)
               re
               (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
                     Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((re
@@ -1444,7 +1407,7 @@ let ntt_vector_u
                         <:
                         i32)
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -1454,9 +1417,9 @@ let ntt_vector_u
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -1466,15 +1429,15 @@ let ntt_vector_u
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
                   re)
           in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
   in
   let _:Prims.unit = () <: Prims.unit in
   let step:usize = sz 1 <<! 3l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = sz 128 /! step <: usize
@@ -1483,15 +1446,13 @@ let ntt_vector_u
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
       (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
-            temp_0_
-          in
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
           let round:usize = round in
           let zeta_i:usize = zeta_i +! sz 1 in
           let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
                       Core.Ops.Range.f_start = offset;
                       Core.Ops.Range.f_end = offset +! step <: usize
@@ -1502,7 +1463,7 @@ let ntt_vector_u
                 Core.Ops.Range.t_Range usize)
               re
               (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
                     Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((re
@@ -1513,7 +1474,7 @@ let ntt_vector_u
                         <:
                         i32)
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -1523,9 +1484,9 @@ let ntt_vector_u
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -1535,15 +1496,15 @@ let ntt_vector_u
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
                   re)
           in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
   in
   let _:Prims.unit = () <: Prims.unit in
   let step:usize = sz 1 <<! 2l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = sz 128 /! step <: usize
@@ -1552,15 +1513,13 @@ let ntt_vector_u
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
       (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
-            temp_0_
-          in
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
           let round:usize = round in
           let zeta_i:usize = zeta_i +! sz 1 in
           let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
                       Core.Ops.Range.f_start = offset;
                       Core.Ops.Range.f_end = offset +! step <: usize
@@ -1571,7 +1530,7 @@ let ntt_vector_u
                 Core.Ops.Range.t_Range usize)
               re
               (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
                     Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((re
@@ -1582,7 +1541,7 @@ let ntt_vector_u
                         <:
                         i32)
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -1592,9 +1551,9 @@ let ntt_vector_u
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -1604,15 +1563,15 @@ let ntt_vector_u
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
                   re)
           in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
   in
   let _:Prims.unit = () <: Prims.unit in
   let step:usize = sz 1 <<! 1l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = sz 128 /! step <: usize
@@ -1621,15 +1580,13 @@ let ntt_vector_u
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
       (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize) =
-            temp_0_
-          in
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
           let round:usize = round in
           let zeta_i:usize = zeta_i +! sz 1 in
           let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
                       Core.Ops.Range.f_start = offset;
                       Core.Ops.Range.f_end = offset +! step <: usize
@@ -1640,7 +1597,7 @@ let ntt_vector_u
                 Core.Ops.Range.t_Range usize)
               re
               (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
                     Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((re
@@ -1651,7 +1608,7 @@ let ntt_vector_u
                         <:
                         i32)
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -1661,9 +1618,9 @@ let ntt_vector_u
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -1673,14 +1630,14 @@ let ntt_vector_u
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
                     }
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
                   re)
           in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
   in
   let _:Prims.unit = () <: Prims.unit in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     {
       re with
       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -1690,6 +1647,6 @@ let ntt_vector_u
         Libcrux.Kem.Kyber.Arithmetic.barrett_reduce
     }
     <:
-    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
   in
   re
diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fst
index bcb2a4d73..ff83706d7 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fst
@@ -4,12 +4,12 @@ open Core
 open FStar.Mul
 
 let sample_from_binomial_distribution_2_ (randomness: t_Slice u8)
-    : Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-  let (sampled: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement):Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+  let (sampled: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement):Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
   =
-    Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
+    Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO
   in
-  let sampled:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+  let sampled:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
               (Core.Slice.impl__chunks_exact randomness (sz 4) <: Core.Slice.Iter.t_ChunksExact u8)
             <:
@@ -18,7 +18,7 @@ let sample_from_binomial_distribution_2_ (randomness: t_Slice u8)
         Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8))
       sampled
       (fun sampled temp_1_ ->
-          let sampled:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = sampled in
+          let sampled:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = sampled in
           let chunk_number, byte_chunk:(usize & t_Slice u8) = temp_1_ in
           let (random_bits_as_u32: u32):u32 =
             (((cast (byte_chunk.[ sz 0 ] <: u8) <: u32) |.
@@ -47,7 +47,7 @@ let sample_from_binomial_distribution_2_ (randomness: t_Slice u8)
               Core.Iter.Adapters.Step_by.t_StepBy (Core.Ops.Range.t_Range u32))
             sampled
             (fun sampled outcome_set ->
-                let sampled:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = sampled in
+                let sampled:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = sampled in
                 let outcome_set:u32 = outcome_set in
                 let outcome_1_:i32 =
                   cast ((coin_toss_outcomes >>! outcome_set <: u32) &. 3ul <: u32) <: i32
@@ -58,7 +58,7 @@ let sample_from_binomial_distribution_2_ (randomness: t_Slice u8)
                   i32
                 in
                 let offset:usize = cast (outcome_set >>! 2l <: u32) <: usize in
-                let sampled:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                let sampled:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                   {
                     sampled with
                     Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -69,7 +69,7 @@ let sample_from_binomial_distribution_2_ (randomness: t_Slice u8)
                       (outcome_1_ -! outcome_2_ <: i32)
                   }
                   <:
-                  Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                  Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                 in
                 sampled))
   in
@@ -77,12 +77,12 @@ let sample_from_binomial_distribution_2_ (randomness: t_Slice u8)
   sampled
 
 let sample_from_binomial_distribution_3_ (randomness: t_Slice u8)
-    : Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-  let (sampled: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement):Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+  let (sampled: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement):Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
   =
-    Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
+    Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO
   in
-  let sampled:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+  let sampled:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
               (Core.Slice.impl__chunks_exact randomness (sz 3) <: Core.Slice.Iter.t_ChunksExact u8)
             <:
@@ -91,7 +91,7 @@ let sample_from_binomial_distribution_3_ (randomness: t_Slice u8)
         Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8))
       sampled
       (fun sampled temp_1_ ->
-          let sampled:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = sampled in
+          let sampled:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = sampled in
           let chunk_number, byte_chunk:(usize & t_Slice u8) = temp_1_ in
           let (random_bits_as_u24: u32):u32 =
             ((cast (byte_chunk.[ sz 0 ] <: u8) <: u32) |.
@@ -115,7 +115,7 @@ let sample_from_binomial_distribution_3_ (randomness: t_Slice u8)
               Core.Iter.Adapters.Step_by.t_StepBy (Core.Ops.Range.t_Range i32))
             sampled
             (fun sampled outcome_set ->
-                let sampled:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = sampled in
+                let sampled:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = sampled in
                 let outcome_set:i32 = outcome_set in
                 let outcome_1_:i32 =
                   cast ((coin_toss_outcomes >>! outcome_set <: u32) &. 7ul <: u32) <: i32
@@ -126,7 +126,7 @@ let sample_from_binomial_distribution_3_ (randomness: t_Slice u8)
                   i32
                 in
                 let offset:usize = cast (outcome_set /! 6l <: i32) <: usize in
-                let sampled:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                let sampled:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                   {
                     sampled with
                     Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -137,7 +137,7 @@ let sample_from_binomial_distribution_3_ (randomness: t_Slice u8)
                       (outcome_1_ -! outcome_2_ <: i32)
                   }
                   <:
-                  Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                  Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                 in
                 sampled))
   in
@@ -145,7 +145,7 @@ let sample_from_binomial_distribution_3_ (randomness: t_Slice u8)
   sampled
 
 let sample_from_binomial_distribution (v_ETA: usize) (randomness: t_Slice u8)
-    : Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
   let _:Prims.unit = () <: Prims.unit in
   match cast (v_ETA <: usize) <: u32 with
   | 2ul -> sample_from_binomial_distribution_2_ randomness
@@ -157,16 +157,15 @@ let sample_from_binomial_distribution (v_ETA: usize) (randomness: t_Slice u8)
         Rust_primitives.Hax.t_Never)
 
 let sample_from_uniform_distribution (v_SEED_SIZE: usize) (randomness: t_Array u8 v_SEED_SIZE)
-    : (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement &
+    : (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement &
       Core.Option.t_Option Libcrux.Kem.Kyber.Types.t_Error) =
   let (sampled_coefficients: usize):usize = sz 0 in
-  let (out: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement):Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+  let (out: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement):Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
   =
-    Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
+    Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO
   in
   let done:bool = false in
-  let done, out, sampled_coefficients:(bool &
-    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement &
+  let done, out, sampled_coefficients:(bool & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement &
     usize) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Slice.impl__chunks (
                 Rust_primitives.unsize randomness <: t_Slice u8)
@@ -177,10 +176,10 @@ let sample_from_uniform_distribution (v_SEED_SIZE: usize) (randomness: t_Array u
         Core.Slice.Iter.t_Chunks u8)
       (done, out, sampled_coefficients
         <:
-        (bool & Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+        (bool & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
       (fun temp_0_ bytes ->
           let done, out, sampled_coefficients:(bool &
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement &
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement &
             usize) =
             temp_0_
           in
@@ -192,13 +191,13 @@ let sample_from_uniform_distribution (v_SEED_SIZE: usize) (randomness: t_Array u
             let b3:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in
             let d1:i32 = ((b2 &. 15l <: i32) <<! 8l <: i32) |. b1 in
             let d2:i32 = (b3 <<! 4l <: i32) |. (b2 >>! 4l <: i32) in
-            let out, sampled_coefficients:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement &
+            let out, sampled_coefficients:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement &
               usize) =
               if
                 d1 <. Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS &&
                 sampled_coefficients <. Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT
               then
-                let out:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                   {
                     out with
                     Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -208,23 +207,23 @@ let sample_from_uniform_distribution (v_SEED_SIZE: usize) (randomness: t_Array u
                       d1
                   }
                   <:
-                  Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                  Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                 in
                 out, sampled_coefficients +! sz 1
                 <:
-                (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize)
+                (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize)
               else
                 out, sampled_coefficients
                 <:
-                (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize)
+                (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize)
             in
-            let out, sampled_coefficients:(Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement &
+            let out, sampled_coefficients:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement &
               usize) =
               if
                 d2 <. Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS &&
                 sampled_coefficients <. Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT
               then
-                let out:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                   {
                     out with
                     Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -234,38 +233,38 @@ let sample_from_uniform_distribution (v_SEED_SIZE: usize) (randomness: t_Array u
                       d2
                   }
                   <:
-                  Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                  Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                 in
                 let sampled_coefficients:usize = sampled_coefficients +! sz 1 in
                 out, sampled_coefficients
                 <:
-                (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize)
+                (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize)
               else
                 out, sampled_coefficients
                 <:
-                (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize)
+                (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize)
             in
             if sampled_coefficients =. Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT
             then
               let done:bool = true in
               done, out, sampled_coefficients
               <:
-              (bool & Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize)
+              (bool & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize)
             else
               done, out, sampled_coefficients
               <:
-              (bool & Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize)
+              (bool & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize)
           else
             done, out, sampled_coefficients
             <:
-            (bool & Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement & usize))
+            (bool & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
   in
   if done
   then
     let _:Prims.unit = () <: Prims.unit in
     out, (Core.Option.Option_None <: Core.Option.t_Option Libcrux.Kem.Kyber.Types.t_Error)
     <:
-    (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement &
+    (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement &
       Core.Option.t_Option Libcrux.Kem.Kyber.Types.t_Error)
   else
     out,
@@ -274,5 +273,5 @@ let sample_from_uniform_distribution (v_SEED_SIZE: usize) (randomness: t_Array u
       <:
       Core.Option.t_Option Libcrux.Kem.Kyber.Types.t_Error)
     <:
-    (Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement &
+    (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement &
       Core.Option.t_Option Libcrux.Kem.Kyber.Types.t_Error)
diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Serialize.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Serialize.fst
index 99ab05813..e464c1e84 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Serialize.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Serialize.fst
@@ -5,7 +5,7 @@ open FStar.Mul
 
 let compress_then_serialize_10_
       (v_OUT_LEN: usize)
-      (re: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+      (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
     : t_Array u8 v_OUT_LEN =
   let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in
   let serialized:t_Array u8 v_OUT_LEN =
@@ -93,7 +93,7 @@ let compress_then_serialize_10_
 
 let compress_then_serialize_11_
       (v_OUT_LEN: usize)
-      (re: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+      (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
     : t_Array u8 v_OUT_LEN =
   let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in
   let serialized:t_Array u8 v_OUT_LEN =
@@ -251,7 +251,7 @@ let compress_then_serialize_11_
 
 let compress_then_serialize_4_
       (v_OUT_LEN: usize)
-      (re: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+      (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
     : t_Array u8 v_OUT_LEN =
   let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in
   let serialized:t_Array u8 v_OUT_LEN =
@@ -306,7 +306,7 @@ let compress_then_serialize_4_
 
 let compress_then_serialize_5_
       (v_OUT_LEN: usize)
-      (re: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+      (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
     : t_Array u8 v_OUT_LEN =
   let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in
   let serialized:t_Array u8 v_OUT_LEN =
@@ -457,7 +457,7 @@ let compress_then_serialize_5_
   in
   serialized
 
-let compress_then_serialize_message (re: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+let compress_then_serialize_message (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
     : t_Array u8 (sz 32) =
   let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
   let serialized:t_Array u8 (sz 32) =
@@ -506,7 +506,7 @@ let compress_then_serialize_message (re: Libcrux.Kem.Kyber.Arithmetic.t_KyberPol
 
 let compress_then_serialize_ring_element_u
       (v_COMPRESSION_FACTOR v_OUT_LEN: usize)
-      (re: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+      (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
     : t_Array u8 v_OUT_LEN =
   let _:Prims.unit = () <: Prims.unit in
   match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with
@@ -520,7 +520,7 @@ let compress_then_serialize_ring_element_u
 
 let compress_then_serialize_ring_element_v
       (v_COMPRESSION_FACTOR v_OUT_LEN: usize)
-      (re: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+      (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
     : t_Array u8 v_OUT_LEN =
   let _:Prims.unit = () <: Prims.unit in
   match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with
@@ -533,12 +533,12 @@ let compress_then_serialize_ring_element_v
         Rust_primitives.Hax.t_Never)
 
 let deserialize_then_decompress_10_ (serialized: t_Slice u8)
-    : Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
   let _:Prims.unit = () <: Prims.unit in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-    Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+    Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO
   in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
               (Core.Slice.impl__chunks_exact serialized (sz 5) <: Core.Slice.Iter.t_ChunksExact u8)
             <:
@@ -547,7 +547,7 @@ let deserialize_then_decompress_10_ (serialized: t_Slice u8)
         Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8))
       re
       (fun re temp_1_ ->
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
           let i, bytes:(usize & t_Slice u8) = temp_1_ in
           let byte1:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in
           let byte2:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in
@@ -555,7 +555,7 @@ let deserialize_then_decompress_10_ (serialized: t_Slice u8)
           let byte4:i32 = cast (bytes.[ sz 3 ] <: u8) <: i32 in
           let byte5:i32 = cast (bytes.[ sz 4 ] <: u8) <: i32 in
           let coefficient1:i32 = ((byte2 &. 3l <: i32) <<! 8l <: i32) |. (byte1 &. 255l <: i32) in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -565,10 +565,10 @@ let deserialize_then_decompress_10_ (serialized: t_Slice u8)
                 (Libcrux.Kem.Kyber.Compress.decompress_q 10uy coefficient1 <: i32)
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
           let coefficient2:i32 = ((byte3 &. 15l <: i32) <<! 6l <: i32) |. (byte2 >>! 2l <: i32) in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -578,10 +578,10 @@ let deserialize_then_decompress_10_ (serialized: t_Slice u8)
                 (Libcrux.Kem.Kyber.Compress.decompress_q 10uy coefficient2 <: i32)
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
           let coefficient3:i32 = ((byte4 &. 63l <: i32) <<! 4l <: i32) |. (byte3 >>! 4l <: i32) in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -591,10 +591,10 @@ let deserialize_then_decompress_10_ (serialized: t_Slice u8)
                 (Libcrux.Kem.Kyber.Compress.decompress_q 10uy coefficient3 <: i32)
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
           let coefficient4:i32 = (byte5 <<! 2l <: i32) |. (byte4 >>! 6l <: i32) in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -604,19 +604,19 @@ let deserialize_then_decompress_10_ (serialized: t_Slice u8)
                 (Libcrux.Kem.Kyber.Compress.decompress_q 10uy coefficient4 <: i32)
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
           re)
   in
   re
 
 let deserialize_then_decompress_11_ (serialized: t_Slice u8)
-    : Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
   let _:Prims.unit = () <: Prims.unit in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-    Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+    Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO
   in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
               (Core.Slice.impl__chunks_exact serialized (sz 11) <: Core.Slice.Iter.t_ChunksExact u8)
             <:
@@ -625,7 +625,7 @@ let deserialize_then_decompress_11_ (serialized: t_Slice u8)
         Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8))
       re
       (fun re temp_1_ ->
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
           let i, bytes:(usize & t_Slice u8) = temp_1_ in
           let byte1:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in
           let byte2:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in
@@ -639,7 +639,7 @@ let deserialize_then_decompress_11_ (serialized: t_Slice u8)
           let byte10:i32 = cast (bytes.[ sz 9 ] <: u8) <: i32 in
           let byte11:i32 = cast (bytes.[ sz 10 ] <: u8) <: i32 in
           let coefficient1:i32 = ((byte2 &. 7l <: i32) <<! 8l <: i32) |. byte1 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -649,10 +649,10 @@ let deserialize_then_decompress_11_ (serialized: t_Slice u8)
                 (Libcrux.Kem.Kyber.Compress.decompress_q 11uy coefficient1 <: i32)
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
           let coefficient2:i32 = ((byte3 &. 63l <: i32) <<! 5l <: i32) |. (byte2 >>! 3l <: i32) in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -662,13 +662,13 @@ let deserialize_then_decompress_11_ (serialized: t_Slice u8)
                 (Libcrux.Kem.Kyber.Compress.decompress_q 11uy coefficient2 <: i32)
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
           let coefficient3:i32 =
             (((byte5 &. 1l <: i32) <<! 10l <: i32) |. (byte4 <<! 2l <: i32) <: i32) |.
             (byte3 >>! 6l <: i32)
           in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -678,10 +678,10 @@ let deserialize_then_decompress_11_ (serialized: t_Slice u8)
                 (Libcrux.Kem.Kyber.Compress.decompress_q 11uy coefficient3 <: i32)
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
           let coefficient4:i32 = ((byte6 &. 15l <: i32) <<! 7l <: i32) |. (byte5 >>! 1l <: i32) in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -691,10 +691,10 @@ let deserialize_then_decompress_11_ (serialized: t_Slice u8)
                 (Libcrux.Kem.Kyber.Compress.decompress_q 11uy coefficient4 <: i32)
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
           let coefficient5:i32 = ((byte7 &. 127l <: i32) <<! 4l <: i32) |. (byte6 >>! 4l <: i32) in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -704,13 +704,13 @@ let deserialize_then_decompress_11_ (serialized: t_Slice u8)
                 (Libcrux.Kem.Kyber.Compress.decompress_q 11uy coefficient5 <: i32)
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
           let coefficient6:i32 =
             (((byte9 &. 3l <: i32) <<! 9l <: i32) |. (byte8 <<! 1l <: i32) <: i32) |.
             (byte7 >>! 7l <: i32)
           in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -720,10 +720,10 @@ let deserialize_then_decompress_11_ (serialized: t_Slice u8)
                 (Libcrux.Kem.Kyber.Compress.decompress_q 11uy coefficient6 <: i32)
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
           let coefficient7:i32 = ((byte10 &. 31l <: i32) <<! 6l <: i32) |. (byte9 >>! 2l <: i32) in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -733,10 +733,10 @@ let deserialize_then_decompress_11_ (serialized: t_Slice u8)
                 (Libcrux.Kem.Kyber.Compress.decompress_q 11uy coefficient7 <: i32)
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
           let coefficient8:i32 = (byte11 <<! 3l <: i32) |. (byte10 >>! 5l <: i32) in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -746,19 +746,19 @@ let deserialize_then_decompress_11_ (serialized: t_Slice u8)
                 (Libcrux.Kem.Kyber.Compress.decompress_q 11uy coefficient8 <: i32)
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
           re)
   in
   re
 
 let deserialize_then_decompress_4_ (serialized: t_Slice u8)
-    : Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
   let _:Prims.unit = () <: Prims.unit in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-    Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+    Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO
   in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
               (Core.Slice.impl__iter serialized <: Core.Slice.Iter.t_Iter u8)
             <:
@@ -767,10 +767,10 @@ let deserialize_then_decompress_4_ (serialized: t_Slice u8)
         Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_Iter u8))
       re
       (fun re temp_1_ ->
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
           let i, byte:(usize & u8) = temp_1_ in
           let coefficient1:i32 = cast (byte &. 15uy <: u8) <: i32 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -780,10 +780,10 @@ let deserialize_then_decompress_4_ (serialized: t_Slice u8)
                 (Libcrux.Kem.Kyber.Compress.decompress_q 4uy coefficient1 <: i32)
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
           let coefficient2:i32 = cast ((byte >>! 4l <: u8) &. 15uy <: u8) <: i32 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -793,19 +793,19 @@ let deserialize_then_decompress_4_ (serialized: t_Slice u8)
                 (Libcrux.Kem.Kyber.Compress.decompress_q 4uy coefficient2 <: i32)
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
           re)
   in
   re
 
 let deserialize_then_decompress_5_ (serialized: t_Slice u8)
-    : Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
   let _:Prims.unit = () <: Prims.unit in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-    Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+    Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO
   in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
               (Core.Slice.impl__chunks_exact serialized (sz 5) <: Core.Slice.Iter.t_ChunksExact u8)
             <:
@@ -814,7 +814,7 @@ let deserialize_then_decompress_5_ (serialized: t_Slice u8)
         Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8))
       re
       (fun re temp_1_ ->
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
           let i, bytes:(usize & t_Slice u8) = temp_1_ in
           let byte1:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in
           let byte2:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in
@@ -822,7 +822,7 @@ let deserialize_then_decompress_5_ (serialized: t_Slice u8)
           let byte4:i32 = cast (bytes.[ sz 3 ] <: u8) <: i32 in
           let byte5:i32 = cast (bytes.[ sz 4 ] <: u8) <: i32 in
           let coefficient1:i32 = byte1 &. 31l in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -832,10 +832,10 @@ let deserialize_then_decompress_5_ (serialized: t_Slice u8)
                 (Libcrux.Kem.Kyber.Compress.decompress_q 5uy coefficient1 <: i32)
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
           let coefficient2:i32 = ((byte2 &. 3l <: i32) <<! 3l <: i32) |. (byte1 >>! 5l <: i32) in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -845,10 +845,10 @@ let deserialize_then_decompress_5_ (serialized: t_Slice u8)
                 (Libcrux.Kem.Kyber.Compress.decompress_q 5uy coefficient2 <: i32)
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
           let coefficient3:i32 = (byte2 >>! 2l <: i32) &. 31l in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -858,10 +858,10 @@ let deserialize_then_decompress_5_ (serialized: t_Slice u8)
                 (Libcrux.Kem.Kyber.Compress.decompress_q 5uy coefficient3 <: i32)
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
           let coefficient4:i32 = ((byte3 &. 15l <: i32) <<! 1l <: i32) |. (byte2 >>! 7l <: i32) in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -871,10 +871,10 @@ let deserialize_then_decompress_5_ (serialized: t_Slice u8)
                 (Libcrux.Kem.Kyber.Compress.decompress_q 5uy coefficient4 <: i32)
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
           let coefficient5:i32 = ((byte4 &. 1l <: i32) <<! 4l <: i32) |. (byte3 >>! 4l <: i32) in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -884,10 +884,10 @@ let deserialize_then_decompress_5_ (serialized: t_Slice u8)
                 (Libcrux.Kem.Kyber.Compress.decompress_q 5uy coefficient5 <: i32)
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
           let coefficient6:i32 = (byte4 >>! 1l <: i32) &. 31l in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -897,10 +897,10 @@ let deserialize_then_decompress_5_ (serialized: t_Slice u8)
                 (Libcrux.Kem.Kyber.Compress.decompress_q 5uy coefficient6 <: i32)
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
           let coefficient7:i32 = ((byte5 &. 7l <: i32) <<! 2l <: i32) |. (byte4 >>! 6l <: i32) in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -910,10 +910,10 @@ let deserialize_then_decompress_5_ (serialized: t_Slice u8)
                 (Libcrux.Kem.Kyber.Compress.decompress_q 5uy coefficient7 <: i32)
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
           let coefficient8:i32 = byte5 >>! 3l in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -923,18 +923,18 @@ let deserialize_then_decompress_5_ (serialized: t_Slice u8)
                 (Libcrux.Kem.Kyber.Compress.decompress_q 5uy coefficient8 <: i32)
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
           re)
   in
   re
 
 let deserialize_then_decompress_message (serialized: t_Array u8 (sz 32))
-    : Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-    Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
+    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+    Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO
   in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
               (Core.Slice.impl__iter (Rust_primitives.unsize serialized <: t_Slice u8)
                 <:
@@ -945,7 +945,7 @@ let deserialize_then_decompress_message (serialized: t_Array u8 (sz 32))
         Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_Iter u8))
       re
       (fun re temp_1_ ->
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
           let i, byte:(usize & u8) = temp_1_ in
           Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
                     Core.Ops.Range.f_start = sz 0;
@@ -957,10 +957,10 @@ let deserialize_then_decompress_message (serialized: t_Array u8 (sz 32))
               Core.Ops.Range.t_Range usize)
             re
             (fun re j ->
-                let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+                let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                 let j:usize = j in
                 let coefficient_compressed:i32 = cast ((byte >>! j <: u8) &. 1uy <: u8) <: i32 in
-                let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+                let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                   {
                     re with
                     Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -970,18 +970,18 @@ let deserialize_then_decompress_message (serialized: t_Array u8 (sz 32))
                       (Libcrux.Kem.Kyber.Compress.decompress_q 1uy coefficient_compressed <: i32)
                   }
                   <:
-                  Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+                  Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                 in
                 re)
           <:
-          Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+          Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
   in
   re
 
 let deserialize_then_decompress_ring_element_u
       (v_COMPRESSION_FACTOR: usize)
       (serialized: t_Slice u8)
-    : Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
   let _:Prims.unit = () <: Prims.unit in
   match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with
   | 10ul -> deserialize_then_decompress_10_ serialized
@@ -995,7 +995,7 @@ let deserialize_then_decompress_ring_element_u
 let deserialize_then_decompress_ring_element_v
       (v_COMPRESSION_FACTOR: usize)
       (serialized: t_Slice u8)
-    : Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
   let _:Prims.unit = () <: Prims.unit in
   match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with
   | 4ul -> deserialize_then_decompress_4_ serialized
@@ -1007,12 +1007,12 @@ let deserialize_then_decompress_ring_element_v
         Rust_primitives.Hax.t_Never)
 
 let deserialize_to_uncompressed_ring_element (serialized: t_Slice u8)
-    : Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
   let _:Prims.unit = () <: Prims.unit in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-    Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+    Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO
   in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
               (Core.Slice.impl__chunks_exact serialized (sz 3) <: Core.Slice.Iter.t_ChunksExact u8)
             <:
@@ -1021,12 +1021,12 @@ let deserialize_to_uncompressed_ring_element (serialized: t_Slice u8)
         Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8))
       re
       (fun re temp_1_ ->
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = re in
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
           let i, bytes:(usize & t_Slice u8) = temp_1_ in
           let byte1:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in
           let byte2:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in
           let byte3:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -1036,9 +1036,9 @@ let deserialize_to_uncompressed_ring_element (serialized: t_Slice u8)
                 (((byte2 &. 15l <: i32) <<! 8l <: i32) |. (byte1 &. 255l <: i32) <: i32)
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -1048,14 +1048,13 @@ let deserialize_to_uncompressed_ring_element (serialized: t_Slice u8)
                 ((byte3 <<! 4l <: i32) |. ((byte2 >>! 4l <: i32) &. 15l <: i32) <: i32)
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
           re)
   in
   re
 
-let serialize_uncompressed_ring_element
-      (re: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
+let serialize_uncompressed_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
     : t_Array u8 (sz 384) =
   let serialized:t_Array u8 (sz 384) = Rust_primitives.Hax.repeat 0uy (sz 384) in
   let serialized:t_Array u8 (sz 384) =
diff --git a/src/kem/kyber/arithmetic.rs b/src/kem/kyber/arithmetic.rs
index 5ea1e871f..ae9604358 100644
--- a/src/kem/kyber/arithmetic.rs
+++ b/src/kem/kyber/arithmetic.rs
@@ -71,20 +71,20 @@ pub(crate) fn to_unsigned_representative(fe: KyberFieldElement) -> u16 {
 }
 
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
-pub struct KyberPolynomialRingElement {
+pub struct PolynomialRingElement {
     pub(crate) coefficients: [KyberFieldElement; COEFFICIENTS_IN_RING_ELEMENT],
 }
 
-impl KyberPolynomialRingElement {
+impl PolynomialRingElement {
     pub const ZERO: Self = Self {
         coefficients: [0i32; 256], // FIXME: hax issue, this is COEFFICIENTS_IN_RING_ELEMENT
     };
 }
 
 pub(crate) fn add_to_ring_element<const K: usize>(
-    mut lhs: KyberPolynomialRingElement,
-    rhs: &KyberPolynomialRingElement,
-) -> KyberPolynomialRingElement {
+    mut lhs: PolynomialRingElement,
+    rhs: &PolynomialRingElement,
+) -> PolynomialRingElement {
     hax_lib::debug_assert!(lhs.coefficients.into_iter().all(|coefficient| coefficient
         >= ((K as i32) - 1) * -FIELD_MODULUS
         && coefficient <= ((K as i32) - 1) * FIELD_MODULUS));
diff --git a/src/kem/kyber/ind_cpa.rs b/src/kem/kyber/ind_cpa.rs
index 018aa675c..d1d795c72 100644
--- a/src/kem/kyber/ind_cpa.rs
+++ b/src/kem/kyber/ind_cpa.rs
@@ -1,5 +1,5 @@
 use super::{
-    arithmetic::KyberPolynomialRingElement,
+    arithmetic::PolynomialRingElement,
     constants::{
         BYTES_PER_RING_ELEMENT, COEFFICIENTS_IN_RING_ELEMENT, REJECTION_SAMPLING_SEED_SIZE,
         SHARED_SECRET_SIZE,
@@ -38,8 +38,8 @@ pub fn serialize_secret_key<const SERIALIZED_KEY_LEN: usize>(
 fn sample_matrix_A<const K: usize>(
     seed: [u8; 34],
     transpose: bool,
-) -> ([[KyberPolynomialRingElement; K]; K], Option<Error>) {
-    let mut A_transpose = [[KyberPolynomialRingElement::ZERO; K]; K];
+) -> ([[PolynomialRingElement; K]; K], Option<Error>) {
+    let mut A_transpose = [[PolynomialRingElement::ZERO; K]; K];
     let mut sampling_A_error = None;
 
     for i in 0..K {
@@ -71,9 +71,9 @@ fn sample_matrix_A<const K: usize>(
 #[inline(always)]
 fn cbd<const K: usize, const ETA: usize, const ETA_RANDOMNESS_SIZE: usize>(
     mut prf_input: [u8; 33],
-) -> ([KyberPolynomialRingElement; K], u8) {
+) -> ([PolynomialRingElement; K], u8) {
     let mut domain_separator = 0;
-    let mut re_as_ntt = [KyberPolynomialRingElement::ZERO; K];
+    let mut re_as_ntt = [PolynomialRingElement::ZERO; K];
     for i in 0..K {
         prf_input[32] = domain_separator;
         domain_separator += 1;
@@ -87,7 +87,7 @@ fn cbd<const K: usize, const ETA: usize, const ETA_RANDOMNESS_SIZE: usize>(
 }
 
 fn serialize_key<const K: usize, const OUT_LEN: usize>(
-    key: [KyberPolynomialRingElement; K],
+    key: [PolynomialRingElement; K],
 ) -> [u8; OUT_LEN] {
     let mut out = [0u8; OUT_LEN];
 
@@ -118,8 +118,8 @@ pub(crate) fn generate_keypair<
 ) {
     let mut prf_input: [u8; 33] = [0; 33];
 
-    let mut secret_as_ntt = [KyberPolynomialRingElement::ZERO; K];
-    let mut error_as_ntt = [KyberPolynomialRingElement::ZERO; K];
+    let mut secret_as_ntt = [PolynomialRingElement::ZERO; K];
+    let mut error_as_ntt = [PolynomialRingElement::ZERO; K];
 
     // N := 0
     let mut domain_separator: u8 = 0;
@@ -187,7 +187,7 @@ fn compress_then_encode_u<
     const COMPRESSION_FACTOR: usize,
     const BLOCK_LEN: usize,
 >(
-    input: [KyberPolynomialRingElement; K],
+    input: [PolynomialRingElement; K],
 ) -> [u8; OUT_LEN] {
     let mut out = [0u8; OUT_LEN];
     for (i, re) in input.into_iter().enumerate() {
@@ -219,7 +219,7 @@ pub(crate) fn encrypt<
     randomness: &[u8],
 ) -> (super::KyberCiphertext<CIPHERTEXT_SIZE>, Option<Error>) {
     // tˆ := Decode_12(pk)
-    let mut t_as_ntt = [KyberPolynomialRingElement::ZERO; K];
+    let mut t_as_ntt = [PolynomialRingElement::ZERO; K];
     for (i, t_as_ntt_bytes) in public_key[..T_AS_NTT_ENCODED_SIZE]
         .chunks_exact(BYTES_PER_RING_ELEMENT)
         .enumerate()
@@ -248,7 +248,7 @@ pub(crate) fn encrypt<
     //     e1[i] := CBD_{η2}(PRF(r,N))
     //     N := N + 1
     // end for
-    let mut error_1 = [KyberPolynomialRingElement::ZERO; K];
+    let mut error_1 = [PolynomialRingElement::ZERO; K];
     for i in 0..K {
         prf_input[32] = domain_separator;
         domain_separator += 1;
@@ -291,8 +291,8 @@ pub(crate) fn decrypt<
     secret_key: &[u8],
     ciphertext: &super::KyberCiphertext<CIPHERTEXT_SIZE>,
 ) -> [u8; SHARED_SECRET_SIZE] {
-    let mut u_as_ntt = [KyberPolynomialRingElement::ZERO; K];
-    let mut secret_as_ntt = [KyberPolynomialRingElement::ZERO; K];
+    let mut u_as_ntt = [PolynomialRingElement::ZERO; K];
+    let mut secret_as_ntt = [PolynomialRingElement::ZERO; K];
 
     // u := Decompress_q(Decode_{d_u}(c), d_u)
     for (i, u_bytes) in ciphertext.value[..VECTOR_U_ENCODED_SIZE]
diff --git a/src/kem/kyber/matrix.rs b/src/kem/kyber/matrix.rs
index fae50d290..7820e36dd 100644
--- a/src/kem/kyber/matrix.rs
+++ b/src/kem/kyber/matrix.rs
@@ -1,17 +1,15 @@
 use super::{
-    arithmetic::{
-        add_to_ring_element, barrett_reduce, montgomery_reduce, KyberPolynomialRingElement,
-    },
+    arithmetic::{add_to_ring_element, barrett_reduce, montgomery_reduce, PolynomialRingElement},
     ntt::{invert_ntt_montgomery, ntt_multiply},
 };
 
 #[inline(always)]
 pub(in crate::kem::kyber) fn compute_message<const K: usize>(
-    v: &KyberPolynomialRingElement,
-    secret_as_ntt: &[KyberPolynomialRingElement; K],
-    u_as_ntt: &[KyberPolynomialRingElement; K],
-) -> KyberPolynomialRingElement {
-    let mut result = KyberPolynomialRingElement::ZERO;
+    v: &PolynomialRingElement,
+    secret_as_ntt: &[PolynomialRingElement; K],
+    u_as_ntt: &[PolynomialRingElement; K],
+) -> PolynomialRingElement {
+    let mut result = PolynomialRingElement::ZERO;
 
     for i in 0..K {
         let product = ntt_multiply(&secret_as_ntt[i], &u_as_ntt[i]);
@@ -31,12 +29,12 @@ pub(in crate::kem::kyber) fn compute_message<const K: usize>(
 // v := NTT^{−1}(tˆT ◦ rˆ) + e_2 + Decompress_q(Decode_1(m),1)
 #[inline(always)]
 pub(in crate::kem::kyber) fn compute_ring_element_v<const K: usize>(
-    t_as_ntt: &[KyberPolynomialRingElement; K],
-    r_as_ntt: &[KyberPolynomialRingElement; K],
-    error_2: &KyberPolynomialRingElement,
-    message: &KyberPolynomialRingElement,
-) -> KyberPolynomialRingElement {
-    let mut result = KyberPolynomialRingElement::ZERO;
+    t_as_ntt: &[PolynomialRingElement; K],
+    r_as_ntt: &[PolynomialRingElement; K],
+    error_2: &PolynomialRingElement,
+    message: &PolynomialRingElement,
+) -> PolynomialRingElement {
+    let mut result = PolynomialRingElement::ZERO;
 
     for i in 0..K {
         let product = ntt_multiply(&t_as_ntt[i], &r_as_ntt[i]);
@@ -58,11 +56,11 @@ pub(in crate::kem::kyber) fn compute_ring_element_v<const K: usize>(
 // u := NTT^{-1}(AˆT ◦ rˆ) + e_1
 #[inline(always)]
 pub(in crate::kem::kyber) fn compute_vector_u<const K: usize>(
-    a_as_ntt: &[[KyberPolynomialRingElement; K]; K],
-    r_as_ntt: &[KyberPolynomialRingElement; K],
-    error_1: &[KyberPolynomialRingElement; K],
-) -> [KyberPolynomialRingElement; K] {
-    let mut result = [KyberPolynomialRingElement::ZERO; K];
+    a_as_ntt: &[[PolynomialRingElement; K]; K],
+    r_as_ntt: &[PolynomialRingElement; K],
+    error_1: &[PolynomialRingElement; K],
+) -> [PolynomialRingElement; K] {
+    let mut result = [PolynomialRingElement::ZERO; K];
 
     for (i, row) in a_as_ntt.iter().enumerate() {
         for (j, a_element) in row.iter().enumerate() {
@@ -86,11 +84,11 @@ pub(in crate::kem::kyber) fn compute_vector_u<const K: usize>(
 #[inline(always)]
 #[allow(non_snake_case)]
 pub(in crate::kem::kyber) fn compute_As_plus_e<const K: usize>(
-    matrix_A: &[[KyberPolynomialRingElement; K]; K],
-    s_as_ntt: &[KyberPolynomialRingElement; K],
-    error_as_ntt: &[KyberPolynomialRingElement; K],
-) -> [KyberPolynomialRingElement; K] {
-    let mut result = [KyberPolynomialRingElement::ZERO; K];
+    matrix_A: &[[PolynomialRingElement; K]; K],
+    s_as_ntt: &[PolynomialRingElement; K],
+    error_as_ntt: &[PolynomialRingElement; K],
+) -> [PolynomialRingElement; K] {
+    let mut result = [PolynomialRingElement::ZERO; K];
 
     for (i, row) in matrix_A.iter().enumerate() {
         for (j, matrix_element) in row.iter().enumerate() {
diff --git a/src/kem/kyber/ntt.rs b/src/kem/kyber/ntt.rs
index ebb24e486..bd5b150ff 100644
--- a/src/kem/kyber/ntt.rs
+++ b/src/kem/kyber/ntt.rs
@@ -1,7 +1,5 @@
 use super::{
-    arithmetic::{
-        barrett_reduce, montgomery_reduce, KyberFieldElement, KyberPolynomialRingElement,
-    },
+    arithmetic::{barrett_reduce, montgomery_reduce, KyberFieldElement, PolynomialRingElement},
     constants::COEFFICIENTS_IN_RING_ELEMENT,
 };
 
@@ -45,8 +43,8 @@ macro_rules! ntt_at_layer {
 // ntt_representation().
 #[inline(always)]
 pub(in crate::kem::kyber) fn ntt_binomially_sampled_ring_element(
-    mut re: KyberPolynomialRingElement,
-) -> KyberPolynomialRingElement {
+    mut re: PolynomialRingElement,
+) -> PolynomialRingElement {
     hax_lib::debug_assert!(re
         .coefficients
         .into_iter()
@@ -84,8 +82,8 @@ pub(in crate::kem::kyber) fn ntt_binomially_sampled_ring_element(
 
 #[inline(always)]
 pub(in crate::kem::kyber) fn ntt_vector_u<const VECTOR_U_COMPRESSION_FACTOR: usize>(
-    mut re: KyberPolynomialRingElement,
-) -> KyberPolynomialRingElement {
+    mut re: PolynomialRingElement,
+) -> PolynomialRingElement {
     hax_lib::debug_assert!(re
         .coefficients
         .into_iter()
@@ -108,8 +106,8 @@ pub(in crate::kem::kyber) fn ntt_vector_u<const VECTOR_U_COMPRESSION_FACTOR: usi
 
 #[inline(always)]
 pub(crate) fn invert_ntt_montgomery<const K: usize>(
-    mut re: KyberPolynomialRingElement,
-) -> KyberPolynomialRingElement {
+    mut re: PolynomialRingElement,
+) -> PolynomialRingElement {
     // We only ever call this function after matrix/vector multiplication
     hax_lib::debug_assert!(re
         .coefficients
@@ -179,9 +177,9 @@ fn ntt_multiply_binomials(
 
 #[inline(always)]
 pub(crate) fn ntt_multiply(
-    left: &KyberPolynomialRingElement,
-    right: &KyberPolynomialRingElement,
-) -> KyberPolynomialRingElement {
+    left: &PolynomialRingElement,
+    right: &PolynomialRingElement,
+) -> PolynomialRingElement {
     hax_lib::debug_assert!(left
         .coefficients
         .into_iter()
@@ -191,7 +189,7 @@ pub(crate) fn ntt_multiply(
         .into_iter()
         .all(|coefficient| coefficient >= -3329 && coefficient <= 3329));
 
-    let mut out = KyberPolynomialRingElement::ZERO;
+    let mut out = PolynomialRingElement::ZERO;
 
     for i in 0..(COEFFICIENTS_IN_RING_ELEMENT / 4) {
         let product = ntt_multiply_binomials(
diff --git a/src/kem/kyber/sampling.rs b/src/kem/kyber/sampling.rs
index 384e915b2..acbba2f60 100644
--- a/src/kem/kyber/sampling.rs
+++ b/src/kem/kyber/sampling.rs
@@ -1,14 +1,14 @@
 use super::{
-    arithmetic::{KyberFieldElement, KyberPolynomialRingElement},
+    arithmetic::{KyberFieldElement, PolynomialRingElement},
     constants::{COEFFICIENTS_IN_RING_ELEMENT, FIELD_MODULUS},
     Error,
 };
 
 pub fn sample_from_uniform_distribution<const SEED_SIZE: usize>(
     randomness: [u8; SEED_SIZE],
-) -> (KyberPolynomialRingElement, Option<Error>) {
+) -> (PolynomialRingElement, Option<Error>) {
     let mut sampled_coefficients: usize = 0;
-    let mut out: KyberPolynomialRingElement = KyberPolynomialRingElement::ZERO;
+    let mut out: PolynomialRingElement = PolynomialRingElement::ZERO;
 
     // This loop is written the way it is since reasoning about early returns,
     // breaks, and continues is not well supported in Fstar at the moment. Rewriting
@@ -48,8 +48,8 @@ pub fn sample_from_uniform_distribution<const SEED_SIZE: usize>(
     }
 }
 
-fn sample_from_binomial_distribution_2(randomness: &[u8]) -> KyberPolynomialRingElement {
-    let mut sampled: KyberPolynomialRingElement = KyberPolynomialRingElement::ZERO;
+fn sample_from_binomial_distribution_2(randomness: &[u8]) -> PolynomialRingElement {
+    let mut sampled: PolynomialRingElement = PolynomialRingElement::ZERO;
 
     for (chunk_number, byte_chunk) in randomness.chunks_exact(4).enumerate() {
         let random_bits_as_u32: u32 = (byte_chunk[0] as u32)
@@ -78,8 +78,8 @@ fn sample_from_binomial_distribution_2(randomness: &[u8]) -> KyberPolynomialRing
     sampled
 }
 
-fn sample_from_binomial_distribution_3(randomness: &[u8]) -> KyberPolynomialRingElement {
-    let mut sampled: KyberPolynomialRingElement = KyberPolynomialRingElement::ZERO;
+fn sample_from_binomial_distribution_3(randomness: &[u8]) -> PolynomialRingElement {
+    let mut sampled: PolynomialRingElement = PolynomialRingElement::ZERO;
 
     for (chunk_number, byte_chunk) in randomness.chunks_exact(3).enumerate() {
         let random_bits_as_u24: u32 =
@@ -110,7 +110,7 @@ fn sample_from_binomial_distribution_3(randomness: &[u8]) -> KyberPolynomialRing
 #[inline(always)]
 pub(super) fn sample_from_binomial_distribution<const ETA: usize>(
     randomness: &[u8],
-) -> KyberPolynomialRingElement {
+) -> PolynomialRingElement {
     hax_lib::debug_assert!(randomness.len() == ETA * 64);
 
     match ETA as u32 {
diff --git a/src/kem/kyber/serialize.rs b/src/kem/kyber/serialize.rs
index c6bcbb215..96a364759 100644
--- a/src/kem/kyber/serialize.rs
+++ b/src/kem/kyber/serialize.rs
@@ -1,12 +1,12 @@
 use super::{
-    arithmetic::{to_unsigned_representative, KyberFieldElement, KyberPolynomialRingElement},
+    arithmetic::{to_unsigned_representative, KyberFieldElement, PolynomialRingElement},
     compress::{compress_q, decompress_q},
     constants::{BYTES_PER_RING_ELEMENT, COEFFICIENTS_IN_RING_ELEMENT, SHARED_SECRET_SIZE},
 };
 
 #[inline(always)]
 pub(super) fn compress_then_serialize_message(
-    re: KyberPolynomialRingElement,
+    re: PolynomialRingElement,
 ) -> [u8; SHARED_SECRET_SIZE] {
     let mut serialized = [0u8; SHARED_SECRET_SIZE];
 
@@ -38,8 +38,8 @@ pub(super) fn compress_then_serialize_message(
 #[inline(always)]
 pub(super) fn deserialize_then_decompress_message(
     serialized: [u8; SHARED_SECRET_SIZE],
-) -> KyberPolynomialRingElement {
-    let mut re = KyberPolynomialRingElement::ZERO;
+) -> PolynomialRingElement {
+    let mut re = PolynomialRingElement::ZERO;
 
     for (i, byte) in serialized.iter().enumerate() {
         for j in 0..8 {
@@ -53,7 +53,7 @@ pub(super) fn deserialize_then_decompress_message(
 
 #[inline(always)]
 pub(super) fn serialize_uncompressed_ring_element(
-    re: KyberPolynomialRingElement,
+    re: PolynomialRingElement,
 ) -> [u8; BYTES_PER_RING_ELEMENT] {
     let mut serialized = [0u8; BYTES_PER_RING_ELEMENT];
 
@@ -69,12 +69,10 @@ pub(super) fn serialize_uncompressed_ring_element(
     serialized
 }
 #[inline(always)]
-pub(super) fn deserialize_to_uncompressed_ring_element(
-    serialized: &[u8],
-) -> KyberPolynomialRingElement {
+pub(super) fn deserialize_to_uncompressed_ring_element(serialized: &[u8]) -> PolynomialRingElement {
     hax_lib::debug_assert!(serialized.len() == BYTES_PER_RING_ELEMENT);
 
-    let mut re = KyberPolynomialRingElement::ZERO;
+    let mut re = PolynomialRingElement::ZERO;
 
     for (i, bytes) in serialized.chunks_exact(3).enumerate() {
         let byte1 = bytes[0] as KyberFieldElement;
@@ -89,9 +87,7 @@ pub(super) fn deserialize_to_uncompressed_ring_element(
 }
 
 #[inline(always)]
-fn compress_then_serialize_10<const OUT_LEN: usize>(
-    re: KyberPolynomialRingElement,
-) -> [u8; OUT_LEN] {
+fn compress_then_serialize_10<const OUT_LEN: usize>(re: PolynomialRingElement) -> [u8; OUT_LEN] {
     let mut serialized = [0u8; OUT_LEN];
 
     for (i, coefficients) in re.coefficients.chunks_exact(4).enumerate() {
@@ -113,9 +109,7 @@ fn compress_then_serialize_10<const OUT_LEN: usize>(
     serialized
 }
 #[inline(always)]
-fn compress_then_serialize_11<const OUT_LEN: usize>(
-    re: KyberPolynomialRingElement,
-) -> [u8; OUT_LEN] {
+fn compress_then_serialize_11<const OUT_LEN: usize>(re: PolynomialRingElement) -> [u8; OUT_LEN] {
     let mut serialized = [0u8; OUT_LEN];
 
     for (i, coefficients) in re.coefficients.chunks_exact(8).enumerate() {
@@ -148,7 +142,7 @@ pub(super) fn compress_then_serialize_ring_element_u<
     const COMPRESSION_FACTOR: usize,
     const OUT_LEN: usize,
 >(
-    re: KyberPolynomialRingElement,
+    re: PolynomialRingElement,
 ) -> [u8; OUT_LEN] {
     hax_lib::debug_assert!((COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8 == OUT_LEN);
 
@@ -160,9 +154,7 @@ pub(super) fn compress_then_serialize_ring_element_u<
 }
 
 #[inline(always)]
-fn compress_then_serialize_4<const OUT_LEN: usize>(
-    re: KyberPolynomialRingElement,
-) -> [u8; OUT_LEN] {
+fn compress_then_serialize_4<const OUT_LEN: usize>(re: PolynomialRingElement) -> [u8; OUT_LEN] {
     let mut serialized = [0u8; OUT_LEN];
 
     for (i, coefficients) in re.coefficients.chunks_exact(2).enumerate() {
@@ -176,9 +168,7 @@ fn compress_then_serialize_4<const OUT_LEN: usize>(
 }
 
 #[inline(always)]
-fn compress_then_serialize_5<const OUT_LEN: usize>(
-    re: KyberPolynomialRingElement,
-) -> [u8; OUT_LEN] {
+fn compress_then_serialize_5<const OUT_LEN: usize>(re: PolynomialRingElement) -> [u8; OUT_LEN] {
     let mut serialized = [0u8; OUT_LEN];
 
     for (i, coefficients) in re.coefficients.chunks_exact(8).enumerate() {
@@ -207,7 +197,7 @@ pub(super) fn compress_then_serialize_ring_element_v<
     const COMPRESSION_FACTOR: usize,
     const OUT_LEN: usize,
 >(
-    re: KyberPolynomialRingElement,
+    re: PolynomialRingElement,
 ) -> [u8; OUT_LEN] {
     hax_lib::debug_assert!((COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8 == OUT_LEN);
 
@@ -219,10 +209,10 @@ pub(super) fn compress_then_serialize_ring_element_v<
 }
 
 #[inline(always)]
-fn deserialize_then_decompress_10(serialized: &[u8]) -> KyberPolynomialRingElement {
+fn deserialize_then_decompress_10(serialized: &[u8]) -> PolynomialRingElement {
     hax_lib::debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * 10) / 8);
 
-    let mut re = KyberPolynomialRingElement::ZERO;
+    let mut re = PolynomialRingElement::ZERO;
 
     for (i, bytes) in serialized.chunks_exact(5).enumerate() {
         let byte1 = bytes[0] as KyberFieldElement;
@@ -247,10 +237,10 @@ fn deserialize_then_decompress_10(serialized: &[u8]) -> KyberPolynomialRingEleme
     re
 }
 #[inline(always)]
-fn deserialize_then_decompress_11(serialized: &[u8]) -> KyberPolynomialRingElement {
+fn deserialize_then_decompress_11(serialized: &[u8]) -> PolynomialRingElement {
     hax_lib::debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * 11) / 8);
 
-    let mut re = KyberPolynomialRingElement::ZERO;
+    let mut re = PolynomialRingElement::ZERO;
 
     for (i, bytes) in serialized.chunks_exact(11).enumerate() {
         let byte1 = bytes[0] as KyberFieldElement;
@@ -295,7 +285,7 @@ fn deserialize_then_decompress_11(serialized: &[u8]) -> KyberPolynomialRingEleme
 #[inline(always)]
 pub(super) fn deserialize_then_decompress_ring_element_u<const COMPRESSION_FACTOR: usize>(
     serialized: &[u8],
-) -> KyberPolynomialRingElement {
+) -> PolynomialRingElement {
     hax_lib::debug_assert!(
         serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8
     );
@@ -308,10 +298,10 @@ pub(super) fn deserialize_then_decompress_ring_element_u<const COMPRESSION_FACTO
 }
 
 #[inline(always)]
-fn deserialize_then_decompress_4(serialized: &[u8]) -> KyberPolynomialRingElement {
+fn deserialize_then_decompress_4(serialized: &[u8]) -> PolynomialRingElement {
     hax_lib::debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * 4) / 8);
 
-    let mut re = KyberPolynomialRingElement::ZERO;
+    let mut re = PolynomialRingElement::ZERO;
 
     for (i, byte) in serialized.iter().enumerate() {
         let coefficient1 = (byte & 0x0F) as KyberFieldElement;
@@ -324,10 +314,10 @@ fn deserialize_then_decompress_4(serialized: &[u8]) -> KyberPolynomialRingElemen
     re
 }
 #[inline(always)]
-fn deserialize_then_decompress_5(serialized: &[u8]) -> KyberPolynomialRingElement {
+fn deserialize_then_decompress_5(serialized: &[u8]) -> PolynomialRingElement {
     hax_lib::debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * 5) / 8);
 
-    let mut re = KyberPolynomialRingElement::ZERO;
+    let mut re = PolynomialRingElement::ZERO;
 
     for (i, bytes) in serialized.chunks_exact(5).enumerate() {
         let byte1 = bytes[0] as KyberFieldElement;
@@ -366,7 +356,7 @@ fn deserialize_then_decompress_5(serialized: &[u8]) -> KyberPolynomialRingElemen
 #[inline(always)]
 pub(super) fn deserialize_then_decompress_ring_element_v<const COMPRESSION_FACTOR: usize>(
     serialized: &[u8],
-) -> KyberPolynomialRingElement {
+) -> PolynomialRingElement {
     hax_lib::debug_assert!(
         serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8
     );

From 0e4d1824b5db0f3e3ca25da886658af77fe215a0 Mon Sep 17 00:00:00 2001
From: xvzcf <xvzcf@users.noreply.github.com>
Date: Mon, 20 Nov 2023 18:09:12 -0500
Subject: [PATCH 03/24] KyberFieldElement -> FieldElement.

---
 .../Libcrux.Kem.Kyber.Arithmetic.fst          |  2 +-
 src/kem/kyber/arithmetic.rs                   | 10 ++--
 src/kem/kyber/compress.rs                     | 10 ++--
 src/kem/kyber/ntt.rs                          | 10 ++--
 src/kem/kyber/sampling.rs                     | 10 ++--
 src/kem/kyber/serialize.rs                    | 56 +++++++++----------
 6 files changed, 49 insertions(+), 49 deletions(-)

diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst
index 25cc8e7dd..5365aa875 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst
@@ -4,7 +4,7 @@ open Core
 open FStar.Mul
 
 unfold
-let t_KyberFieldElement = i32
+let t_FieldElement = i32
 
 let v_BARRETT_MULTIPLIER: i64 = 20159L
 
diff --git a/src/kem/kyber/arithmetic.rs b/src/kem/kyber/arithmetic.rs
index ae9604358..71de8cb8b 100644
--- a/src/kem/kyber/arithmetic.rs
+++ b/src/kem/kyber/arithmetic.rs
@@ -1,6 +1,6 @@
 use super::constants::{COEFFICIENTS_IN_RING_ELEMENT, FIELD_MODULUS};
 
-pub(crate) type KyberFieldElement = i32;
+pub(crate) type FieldElement = i32;
 
 const MONTGOMERY_SHIFT: u8 = 16;
 const MONTGOMERY_R: i32 = 1 << MONTGOMERY_SHIFT;
@@ -17,7 +17,7 @@ const BARRETT_MULTIPLIER: i64 = 20159; // floor((BARRETT_R / FIELD_MODULUS) + 0.
 
 #[cfg_attr(hax, hax_lib_macros::requires((i64::from(value) > -BARRETT_R && i64::from(value) < BARRETT_R)))]
 #[cfg_attr(hax, hax_lib_macros::ensures(|result| result > -FIELD_MODULUS && result < FIELD_MODULUS))]
-pub(crate) fn barrett_reduce(value: KyberFieldElement) -> KyberFieldElement {
+pub(crate) fn barrett_reduce(value: FieldElement) -> FieldElement {
     hax_lib::debug_assert!(
         i64::from(value) > -BARRETT_R && i64::from(value) < BARRETT_R,
         "value is {value}"
@@ -40,7 +40,7 @@ const INVERSE_OF_MODULUS_MOD_R: u32 = 62209; // FIELD_MODULUS^{-1} mod MONTGOMER
 
 #[cfg_attr(hax, hax_lib_macros::requires(value >= -FIELD_MODULUS * MONTGOMERY_R && value <= FIELD_MODULUS * MONTGOMERY_R))]
 #[cfg_attr(hax, hax_lib_macros::ensures(|result| result >= -(3 * FIELD_MODULUS) / 2 && result <= (3 * FIELD_MODULUS) / 2))]
-pub(crate) fn montgomery_reduce(value: KyberFieldElement) -> KyberFieldElement {
+pub(crate) fn montgomery_reduce(value: FieldElement) -> FieldElement {
     // This forces hax to extract code for MONTGOMERY_R before it extracts code
     // for this function. The removal of this line is being tracked in:
     // https://github.com/cryspen/libcrux/issues/134
@@ -65,14 +65,14 @@ pub(crate) fn montgomery_reduce(value: KyberFieldElement) -> KyberFieldElement {
 #[cfg_attr(hax, hax_lib_macros::requires(fe >= -FIELD_MODULUS && fe < FIELD_MODULUS))]
 #[cfg_attr(hax, hax_lib_macros::ensures(|result| result >= 0 && result < (FIELD_MODULUS as u16)))]
 #[inline(always)]
-pub(crate) fn to_unsigned_representative(fe: KyberFieldElement) -> u16 {
+pub(crate) fn to_unsigned_representative(fe: FieldElement) -> u16 {
     hax_lib::debug_assert!(fe >= -FIELD_MODULUS && fe < FIELD_MODULUS);
     (fe + (FIELD_MODULUS & (fe >> 31))) as u16
 }
 
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub struct PolynomialRingElement {
-    pub(crate) coefficients: [KyberFieldElement; COEFFICIENTS_IN_RING_ELEMENT],
+    pub(crate) coefficients: [FieldElement; COEFFICIENTS_IN_RING_ELEMENT],
 }
 
 impl PolynomialRingElement {
diff --git a/src/kem/kyber/compress.rs b/src/kem/kyber/compress.rs
index dc0b84603..b01e85493 100644
--- a/src/kem/kyber/compress.rs
+++ b/src/kem/kyber/compress.rs
@@ -1,4 +1,4 @@
-use super::{arithmetic::KyberFieldElement, constants::FIELD_MODULUS};
+use super::{arithmetic::FieldElement, constants::FIELD_MODULUS};
 
 #[cfg_attr(hax, hax_lib_macros::requires(n > 0 && n <= 11))]
 #[cfg_attr(hax, hax_lib_macros::ensures(|result| result < 2u32.pow(n.into())))]
@@ -11,7 +11,7 @@ fn get_n_least_significant_bits(n: u8, value: u32) -> u32 {
 
 #[cfg_attr(hax, hax_lib_macros::requires(coefficient_bits > 0 && coefficient_bits <= 11 && fe <= (FIELD_MODULUS as u16)))]
 #[cfg_attr(hax, hax_lib_macros::ensures(|result| result >= 0 && result < 2i32.pow(coefficient_bits as u32)))]
-pub(super) fn compress_q(coefficient_bits: u8, fe: u16) -> KyberFieldElement {
+pub(super) fn compress_q(coefficient_bits: u8, fe: u16) -> FieldElement {
     hax_lib::debug_assert!(coefficient_bits > 0 && coefficient_bits <= 11);
     hax_lib::debug_assert!(fe <= (FIELD_MODULUS as u16));
 
@@ -19,12 +19,12 @@ pub(super) fn compress_q(coefficient_bits: u8, fe: u16) -> KyberFieldElement {
     compressed += FIELD_MODULUS as u32;
     compressed /= (FIELD_MODULUS << 1) as u32;
 
-    get_n_least_significant_bits(coefficient_bits, compressed) as KyberFieldElement
+    get_n_least_significant_bits(coefficient_bits, compressed) as FieldElement
 }
 
 #[cfg_attr(hax, hax_lib_macros::requires(coefficient_bits > 0 && coefficient_bits <= 11 && (fe >= 0) && (fe < 2i32.pow(coefficient_bits as u32))))]
 #[cfg_attr(hax, hax_lib_macros::ensures(|result| result < FIELD_MODULUS))]
-pub(super) fn decompress_q(coefficient_bits: u8, fe: KyberFieldElement) -> KyberFieldElement {
+pub(super) fn decompress_q(coefficient_bits: u8, fe: FieldElement) -> FieldElement {
     hax_lib::debug_assert!(coefficient_bits > 0 && coefficient_bits <= 11);
     hax_lib::debug_assert!(fe >= 0 && fe <= 2i32.pow(coefficient_bits as u32));
 
@@ -32,5 +32,5 @@ pub(super) fn decompress_q(coefficient_bits: u8, fe: KyberFieldElement) -> Kyber
     decompressed = (decompressed << 1) + (1 << coefficient_bits);
     decompressed >>= coefficient_bits + 1;
 
-    decompressed as KyberFieldElement
+    decompressed as FieldElement
 }
diff --git a/src/kem/kyber/ntt.rs b/src/kem/kyber/ntt.rs
index bd5b150ff..04b1d583b 100644
--- a/src/kem/kyber/ntt.rs
+++ b/src/kem/kyber/ntt.rs
@@ -1,9 +1,9 @@
 use super::{
-    arithmetic::{barrett_reduce, montgomery_reduce, KyberFieldElement, PolynomialRingElement},
+    arithmetic::{barrett_reduce, montgomery_reduce, FieldElement, PolynomialRingElement},
     constants::COEFFICIENTS_IN_RING_ELEMENT,
 };
 
-const ZETAS_MONTGOMERY_DOMAIN: [KyberFieldElement; 128] = [
+const ZETAS_MONTGOMERY_DOMAIN: [FieldElement; 128] = [
     -1044, -758, -359, -1517, 1493, 1422, 287, 202, -171, 622, 1577, 182, 962, -1202, -1474, 1468,
     573, -1325, 264, 383, -829, 1458, -1602, -130, -681, 1017, 732, 608, -1542, 411, -205, -1571,
     1223, 652, -552, 1015, -1293, 1491, -282, -1544, 516, -8, -320, -666, -1618, -1162, 126, 1469,
@@ -165,10 +165,10 @@ pub(crate) fn invert_ntt_montgomery<const K: usize>(
 
 #[inline(always)]
 fn ntt_multiply_binomials(
-    (a0, a1): (KyberFieldElement, KyberFieldElement),
-    (b0, b1): (KyberFieldElement, KyberFieldElement),
+    (a0, a1): (FieldElement, FieldElement),
+    (b0, b1): (FieldElement, FieldElement),
     zeta: i32,
-) -> (KyberFieldElement, KyberFieldElement) {
+) -> (FieldElement, FieldElement) {
     (
         montgomery_reduce(a0 * b0 + montgomery_reduce(a1 * b1) * zeta),
         montgomery_reduce(a0 * b1 + a1 * b0),
diff --git a/src/kem/kyber/sampling.rs b/src/kem/kyber/sampling.rs
index acbba2f60..78636ca1a 100644
--- a/src/kem/kyber/sampling.rs
+++ b/src/kem/kyber/sampling.rs
@@ -1,5 +1,5 @@
 use super::{
-    arithmetic::{KyberFieldElement, PolynomialRingElement},
+    arithmetic::{FieldElement, PolynomialRingElement},
     constants::{COEFFICIENTS_IN_RING_ELEMENT, FIELD_MODULUS},
     Error,
 };
@@ -63,8 +63,8 @@ fn sample_from_binomial_distribution_2(randomness: &[u8]) -> PolynomialRingEleme
         let coin_toss_outcomes = even_bits + odd_bits;
 
         for outcome_set in (0..u32::BITS).step_by(4) {
-            let outcome_1 = ((coin_toss_outcomes >> outcome_set) & 0x3) as KyberFieldElement;
-            let outcome_2 = ((coin_toss_outcomes >> (outcome_set + 2)) & 0x3) as KyberFieldElement;
+            let outcome_1 = ((coin_toss_outcomes >> outcome_set) & 0x3) as FieldElement;
+            let outcome_2 = ((coin_toss_outcomes >> (outcome_set + 2)) & 0x3) as FieldElement;
 
             let offset = (outcome_set >> 2) as usize;
             sampled.coefficients[8 * chunk_number + offset] = outcome_1 - outcome_2;
@@ -92,8 +92,8 @@ fn sample_from_binomial_distribution_3(randomness: &[u8]) -> PolynomialRingEleme
         let coin_toss_outcomes = first_bits + second_bits + third_bits;
 
         for outcome_set in (0..24).step_by(6) {
-            let outcome_1 = ((coin_toss_outcomes >> outcome_set) & 0x7) as KyberFieldElement;
-            let outcome_2 = ((coin_toss_outcomes >> (outcome_set + 3)) & 0x7) as KyberFieldElement;
+            let outcome_1 = ((coin_toss_outcomes >> outcome_set) & 0x7) as FieldElement;
+            let outcome_2 = ((coin_toss_outcomes >> (outcome_set + 3)) & 0x7) as FieldElement;
 
             let offset = (outcome_set / 6) as usize;
             sampled.coefficients[4 * chunk_number + offset] = outcome_1 - outcome_2;
diff --git a/src/kem/kyber/serialize.rs b/src/kem/kyber/serialize.rs
index 96a364759..be3fd702a 100644
--- a/src/kem/kyber/serialize.rs
+++ b/src/kem/kyber/serialize.rs
@@ -1,5 +1,5 @@
 use super::{
-    arithmetic::{to_unsigned_representative, KyberFieldElement, PolynomialRingElement},
+    arithmetic::{to_unsigned_representative, FieldElement, PolynomialRingElement},
     compress::{compress_q, decompress_q},
     constants::{BYTES_PER_RING_ELEMENT, COEFFICIENTS_IN_RING_ELEMENT, SHARED_SECRET_SIZE},
 };
@@ -43,7 +43,7 @@ pub(super) fn deserialize_then_decompress_message(
 
     for (i, byte) in serialized.iter().enumerate() {
         for j in 0..8 {
-            let coefficient_compressed = ((byte >> j) & 0x1) as KyberFieldElement;
+            let coefficient_compressed = ((byte >> j) & 0x1) as FieldElement;
             re.coefficients[8 * i + j] = decompress_q(1, coefficient_compressed);
         }
     }
@@ -75,9 +75,9 @@ pub(super) fn deserialize_to_uncompressed_ring_element(serialized: &[u8]) -> Pol
     let mut re = PolynomialRingElement::ZERO;
 
     for (i, bytes) in serialized.chunks_exact(3).enumerate() {
-        let byte1 = bytes[0] as KyberFieldElement;
-        let byte2 = bytes[1] as KyberFieldElement;
-        let byte3 = bytes[2] as KyberFieldElement;
+        let byte1 = bytes[0] as FieldElement;
+        let byte2 = bytes[1] as FieldElement;
+        let byte3 = bytes[2] as FieldElement;
 
         re.coefficients[2 * i] = (byte2 & 0x0F) << 8 | (byte1 & 0xFF);
         re.coefficients[2 * i + 1] = (byte3 << 4) | ((byte2 >> 4) & 0x0F);
@@ -215,11 +215,11 @@ fn deserialize_then_decompress_10(serialized: &[u8]) -> PolynomialRingElement {
     let mut re = PolynomialRingElement::ZERO;
 
     for (i, bytes) in serialized.chunks_exact(5).enumerate() {
-        let byte1 = bytes[0] as KyberFieldElement;
-        let byte2 = bytes[1] as KyberFieldElement;
-        let byte3 = bytes[2] as KyberFieldElement;
-        let byte4 = bytes[3] as KyberFieldElement;
-        let byte5 = bytes[4] as KyberFieldElement;
+        let byte1 = bytes[0] as FieldElement;
+        let byte2 = bytes[1] as FieldElement;
+        let byte3 = bytes[2] as FieldElement;
+        let byte4 = bytes[3] as FieldElement;
+        let byte5 = bytes[4] as FieldElement;
 
         let coefficient1 = (byte2 & 0x03) << 8 | (byte1 & 0xFF);
         re.coefficients[4 * i] = decompress_q(10, coefficient1);
@@ -243,17 +243,17 @@ fn deserialize_then_decompress_11(serialized: &[u8]) -> PolynomialRingElement {
     let mut re = PolynomialRingElement::ZERO;
 
     for (i, bytes) in serialized.chunks_exact(11).enumerate() {
-        let byte1 = bytes[0] as KyberFieldElement;
-        let byte2 = bytes[1] as KyberFieldElement;
-        let byte3 = bytes[2] as KyberFieldElement;
-        let byte4 = bytes[3] as KyberFieldElement;
-        let byte5 = bytes[4] as KyberFieldElement;
-        let byte6 = bytes[5] as KyberFieldElement;
-        let byte7 = bytes[6] as KyberFieldElement;
-        let byte8 = bytes[7] as KyberFieldElement;
-        let byte9 = bytes[8] as KyberFieldElement;
-        let byte10 = bytes[9] as KyberFieldElement;
-        let byte11 = bytes[10] as KyberFieldElement;
+        let byte1 = bytes[0] as FieldElement;
+        let byte2 = bytes[1] as FieldElement;
+        let byte3 = bytes[2] as FieldElement;
+        let byte4 = bytes[3] as FieldElement;
+        let byte5 = bytes[4] as FieldElement;
+        let byte6 = bytes[5] as FieldElement;
+        let byte7 = bytes[6] as FieldElement;
+        let byte8 = bytes[7] as FieldElement;
+        let byte9 = bytes[8] as FieldElement;
+        let byte10 = bytes[9] as FieldElement;
+        let byte11 = bytes[10] as FieldElement;
 
         let coefficient1 = (byte2 & 0x7) << 8 | byte1;
         re.coefficients[8 * i] = decompress_q(11, coefficient1);
@@ -304,10 +304,10 @@ fn deserialize_then_decompress_4(serialized: &[u8]) -> PolynomialRingElement {
     let mut re = PolynomialRingElement::ZERO;
 
     for (i, byte) in serialized.iter().enumerate() {
-        let coefficient1 = (byte & 0x0F) as KyberFieldElement;
+        let coefficient1 = (byte & 0x0F) as FieldElement;
         re.coefficients[2 * i] = decompress_q(4, coefficient1);
 
-        let coefficient2 = ((byte >> 4) & 0x0F) as KyberFieldElement;
+        let coefficient2 = ((byte >> 4) & 0x0F) as FieldElement;
         re.coefficients[2 * i + 1] = decompress_q(4, coefficient2);
     }
 
@@ -320,11 +320,11 @@ fn deserialize_then_decompress_5(serialized: &[u8]) -> PolynomialRingElement {
     let mut re = PolynomialRingElement::ZERO;
 
     for (i, bytes) in serialized.chunks_exact(5).enumerate() {
-        let byte1 = bytes[0] as KyberFieldElement;
-        let byte2 = bytes[1] as KyberFieldElement;
-        let byte3 = bytes[2] as KyberFieldElement;
-        let byte4 = bytes[3] as KyberFieldElement;
-        let byte5 = bytes[4] as KyberFieldElement;
+        let byte1 = bytes[0] as FieldElement;
+        let byte2 = bytes[1] as FieldElement;
+        let byte3 = bytes[2] as FieldElement;
+        let byte4 = bytes[3] as FieldElement;
+        let byte5 = bytes[4] as FieldElement;
 
         let coefficient1 = byte1 & 0x1F;
         re.coefficients[8 * i] = decompress_q(5, coefficient1);

From 81369f8ce7fe8f013fd47c644bbf33fa82337738 Mon Sep 17 00:00:00 2001
From: xvzcf <xvzcf@users.noreply.github.com>
Date: Mon, 20 Nov 2023 18:39:57 -0500
Subject: [PATCH 04/24] Added some types related to montgomery reduction

---
 .../Libcrux.Kem.Kyber.Arithmetic.fst          |  10 ++
 .../extraction/Libcrux.Kem.Kyber.Matrix.fst   |   9 +-
 .../extraction/Libcrux.Kem.Kyber.Ntt.fst      | 104 +++++++-----------
 src/kem/kyber/arithmetic.rs                   |  21 ++++
 src/kem/kyber/matrix.rs                       |   7 +-
 src/kem/kyber/ntt.rs                          |  14 ++-
 6 files changed, 87 insertions(+), 78 deletions(-)

diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst
index 5365aa875..6802f819e 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst
@@ -6,6 +6,12 @@ open FStar.Mul
 unfold
 let t_FieldElement = i32
 
+unfold
+let t_FieldElementTimesMontgomeryR = i32
+
+unfold
+let t_MontgomeryFieldElement = i32
+
 let v_BARRETT_MULTIPLIER: i64 = 20159L
 
 let v_BARRETT_SHIFT: i64 = 26L
@@ -80,6 +86,10 @@ let montgomery_reduce (value: i32)
   let value_high:i32 = value >>! v_MONTGOMERY_SHIFT in
   value_high -! c
 
+let montgomery_multiply_fe_by_fer (fe fer: i32) : i32 = montgomery_reduce (fe *! fer <: i32)
+
+let to_standard_domain (mfe: i32) : i32 = montgomery_reduce (mfe *! 1353l <: i32)
+
 let to_unsigned_representative (fe: i32)
     : Prims.Pure u16
       (requires
diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix.fst
index d1a9d6756..258ee8a03 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix.fst
@@ -93,13 +93,10 @@ let compute_As_plus_e
                 in
                 let j:usize = j in
                 let coefficient_normal_form:i32 =
-                  Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (((result.[ i ]
-                          <:
-                          Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
-                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ]
+                  Libcrux.Kem.Kyber.Arithmetic.to_standard_domain ((result.[ i ]
                         <:
-                        i32) *!
-                      1353l
+                        Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
+                        .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ]
                       <:
                       i32)
                 in
diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ntt.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ntt.fst
index 141ee1e5d..06541d579 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ntt.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ntt.fst
@@ -646,13 +646,11 @@ let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_Poly
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((re
-                            .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                          <:
-                          i32) *!
-                        (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_fe_by_fer (re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
                         <:
                         i32)
+                      (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
                   in
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
@@ -713,13 +711,11 @@ let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_Poly
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((re
-                            .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                          <:
-                          i32) *!
-                        (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_fe_by_fer (re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
                         <:
                         i32)
+                      (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
                   in
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
@@ -780,13 +776,11 @@ let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_Poly
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((re
-                            .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                          <:
-                          i32) *!
-                        (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_fe_by_fer (re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
                         <:
                         i32)
+                      (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
                   in
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
@@ -847,13 +841,11 @@ let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_Poly
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((re
-                            .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                          <:
-                          i32) *!
-                        (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_fe_by_fer (re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
                         <:
                         i32)
+                      (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
                   in
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
@@ -914,13 +906,11 @@ let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_Poly
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((re
-                            .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                          <:
-                          i32) *!
-                        (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_fe_by_fer (re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
                         <:
                         i32)
+                      (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
                   in
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
@@ -981,13 +971,11 @@ let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_Poly
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((re
-                            .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                          <:
-                          i32) *!
-                        (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_fe_by_fer (re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
                         <:
                         i32)
+                      (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
                   in
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
@@ -1198,13 +1186,11 @@ let ntt_vector_u
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((re
-                            .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                          <:
-                          i32) *!
-                        (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_fe_by_fer (re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
                         <:
                         i32)
+                      (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
                   in
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
@@ -1265,13 +1251,11 @@ let ntt_vector_u
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((re
-                            .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                          <:
-                          i32) *!
-                        (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_fe_by_fer (re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
                         <:
                         i32)
+                      (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
                   in
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
@@ -1332,13 +1316,11 @@ let ntt_vector_u
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((re
-                            .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                          <:
-                          i32) *!
-                        (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_fe_by_fer (re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
                         <:
                         i32)
+                      (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
                   in
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
@@ -1399,13 +1381,11 @@ let ntt_vector_u
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((re
-                            .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                          <:
-                          i32) *!
-                        (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_fe_by_fer (re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
                         <:
                         i32)
+                      (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
                   in
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
@@ -1466,13 +1446,11 @@ let ntt_vector_u
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((re
-                            .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                          <:
-                          i32) *!
-                        (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_fe_by_fer (re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
                         <:
                         i32)
+                      (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
                   in
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
@@ -1533,13 +1511,11 @@ let ntt_vector_u
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((re
-                            .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                          <:
-                          i32) *!
-                        (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_fe_by_fer (re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
                         <:
                         i32)
+                      (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
                   in
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
@@ -1600,13 +1576,11 @@ let ntt_vector_u
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((re
-                            .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                          <:
-                          i32) *!
-                        (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_fe_by_fer (re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
                         <:
                         i32)
+                      (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
                   in
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
diff --git a/src/kem/kyber/arithmetic.rs b/src/kem/kyber/arithmetic.rs
index 71de8cb8b..1b3c7e21e 100644
--- a/src/kem/kyber/arithmetic.rs
+++ b/src/kem/kyber/arithmetic.rs
@@ -1,7 +1,17 @@
 use super::constants::{COEFFICIENTS_IN_RING_ELEMENT, FIELD_MODULUS};
 
+// if this is 'x'
+// let 'fe' be the shorthand for this type
 pub(crate) type FieldElement = i32;
 
+// this is congruent to xR^{-1} mod FIELD_MODULUS
+// let 'mfe' be the shorthand for this type
+pub(crate) type MontgomeryFieldElement = i32;
+
+// this is congruent to xR mod FIELD_MODULUS
+// let 'fer' be the shorthand for this type
+pub(crate) type FieldElementTimesMontgomeryR = i32;
+
 const MONTGOMERY_SHIFT: u8 = 16;
 const MONTGOMERY_R: i32 = 1 << MONTGOMERY_SHIFT;
 
@@ -62,6 +72,17 @@ pub(crate) fn montgomery_reduce(value: FieldElement) -> FieldElement {
     value_high - c
 }
 
+pub(crate) fn montgomery_multiply_fe_by_fer(
+    fe: FieldElement,
+    fer: FieldElementTimesMontgomeryR,
+) -> FieldElement {
+    montgomery_reduce(fe * fer)
+}
+
+pub(crate) fn to_standard_domain(mfe: MontgomeryFieldElement) -> FieldElement {
+    montgomery_reduce(mfe * 1353)
+}
+
 #[cfg_attr(hax, hax_lib_macros::requires(fe >= -FIELD_MODULUS && fe < FIELD_MODULUS))]
 #[cfg_attr(hax, hax_lib_macros::ensures(|result| result >= 0 && result < (FIELD_MODULUS as u16)))]
 #[inline(always)]
diff --git a/src/kem/kyber/matrix.rs b/src/kem/kyber/matrix.rs
index 7820e36dd..423ab97a6 100644
--- a/src/kem/kyber/matrix.rs
+++ b/src/kem/kyber/matrix.rs
@@ -1,5 +1,8 @@
 use super::{
-    arithmetic::{add_to_ring_element, barrett_reduce, montgomery_reduce, PolynomialRingElement},
+    arithmetic::{
+        add_to_ring_element, barrett_reduce, montgomery_reduce, to_standard_domain,
+        PolynomialRingElement,
+    },
     ntt::{invert_ntt_montgomery, ntt_multiply},
 };
 
@@ -99,7 +102,7 @@ pub(in crate::kem::kyber) fn compute_As_plus_e<const K: usize>(
         for j in 0..result[i].coefficients.len() {
             // The coefficients are of the form aR^{-1} mod q, which means
             // calling to_montgomery_domain() on them should return a mod q.
-            let coefficient_normal_form = montgomery_reduce(result[i].coefficients[j] * 1353);
+            let coefficient_normal_form = to_standard_domain(result[i].coefficients[j]);
 
             result[i].coefficients[j] =
                 barrett_reduce(coefficient_normal_form + error_as_ntt[i].coefficients[j])
diff --git a/src/kem/kyber/ntt.rs b/src/kem/kyber/ntt.rs
index 04b1d583b..05ec0589f 100644
--- a/src/kem/kyber/ntt.rs
+++ b/src/kem/kyber/ntt.rs
@@ -1,9 +1,12 @@
 use super::{
-    arithmetic::{barrett_reduce, montgomery_reduce, FieldElement, PolynomialRingElement},
+    arithmetic::{
+        barrett_reduce, montgomery_multiply_fe_by_fer, montgomery_reduce, FieldElement,
+        FieldElementTimesMontgomeryR, MontgomeryFieldElement, PolynomialRingElement,
+    },
     constants::COEFFICIENTS_IN_RING_ELEMENT,
 };
 
-const ZETAS_MONTGOMERY_DOMAIN: [FieldElement; 128] = [
+const ZETAS_MONTGOMERY_DOMAIN: [FieldElementTimesMontgomeryR; 128] = [
     -1044, -758, -359, -1517, 1493, 1422, 287, 202, -171, 622, 1577, 182, 962, -1202, -1474, 1468,
     573, -1325, 264, 383, -829, 1458, -1602, -130, -681, 1017, 732, 608, -1542, 411, -205, -1571,
     1223, 652, -552, 1015, -1293, 1491, -282, -1544, 516, -8, -320, -666, -1618, -1162, 126, 1469,
@@ -24,8 +27,9 @@ macro_rules! ntt_at_layer {
             let offset = round * step * 2;
 
             for j in offset..offset + step {
-                let t = montgomery_reduce(
-                    $re.coefficients[j + step] * ZETAS_MONTGOMERY_DOMAIN[$zeta_i],
+                let t = montgomery_multiply_fe_by_fer(
+                    $re.coefficients[j + step],
+                    ZETAS_MONTGOMERY_DOMAIN[$zeta_i],
                 );
                 $re.coefficients[j + step] = $re.coefficients[j] - t;
                 $re.coefficients[j] = $re.coefficients[j] + t;
@@ -168,7 +172,7 @@ fn ntt_multiply_binomials(
     (a0, a1): (FieldElement, FieldElement),
     (b0, b1): (FieldElement, FieldElement),
     zeta: i32,
-) -> (FieldElement, FieldElement) {
+) -> (MontgomeryFieldElement, MontgomeryFieldElement) {
     (
         montgomery_reduce(a0 * b0 + montgomery_reduce(a1 * b1) * zeta),
         montgomery_reduce(a0 * b1 + a1 * b0),

From 0f79ee79abcf10f39f4d00f1533d68bb56482f5a Mon Sep 17 00:00:00 2001
From: xvzcf <xvzcf@users.noreply.github.com>
Date: Mon, 20 Nov 2023 18:44:45 -0500
Subject: [PATCH 05/24] FieldElement -> StandardFieldElement.

---
 .../Libcrux.Kem.Kyber.Arithmetic.fst          |  6 +-
 src/kem/kyber/arithmetic.rs                   | 16 +++---
 src/kem/kyber/compress.rs                     | 10 ++--
 src/kem/kyber/ntt.rs                          |  7 ++-
 src/kem/kyber/sampling.rs                     | 12 ++--
 src/kem/kyber/serialize.rs                    | 56 +++++++++----------
 6 files changed, 55 insertions(+), 52 deletions(-)

diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst
index 6802f819e..9fce49c2d 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst
@@ -3,15 +3,15 @@ module Libcrux.Kem.Kyber.Arithmetic
 open Core
 open FStar.Mul
 
-unfold
-let t_FieldElement = i32
-
 unfold
 let t_FieldElementTimesMontgomeryR = i32
 
 unfold
 let t_MontgomeryFieldElement = i32
 
+unfold
+let t_StandardFieldElement = i32
+
 let v_BARRETT_MULTIPLIER: i64 = 20159L
 
 let v_BARRETT_SHIFT: i64 = 26L
diff --git a/src/kem/kyber/arithmetic.rs b/src/kem/kyber/arithmetic.rs
index 1b3c7e21e..8f93da6a4 100644
--- a/src/kem/kyber/arithmetic.rs
+++ b/src/kem/kyber/arithmetic.rs
@@ -2,7 +2,7 @@ use super::constants::{COEFFICIENTS_IN_RING_ELEMENT, FIELD_MODULUS};
 
 // if this is 'x'
 // let 'fe' be the shorthand for this type
-pub(crate) type FieldElement = i32;
+pub(crate) type StandardFieldElement = i32;
 
 // this is congruent to xR^{-1} mod FIELD_MODULUS
 // let 'mfe' be the shorthand for this type
@@ -27,7 +27,7 @@ const BARRETT_MULTIPLIER: i64 = 20159; // floor((BARRETT_R / FIELD_MODULUS) + 0.
 
 #[cfg_attr(hax, hax_lib_macros::requires((i64::from(value) > -BARRETT_R && i64::from(value) < BARRETT_R)))]
 #[cfg_attr(hax, hax_lib_macros::ensures(|result| result > -FIELD_MODULUS && result < FIELD_MODULUS))]
-pub(crate) fn barrett_reduce(value: FieldElement) -> FieldElement {
+pub(crate) fn barrett_reduce(value: StandardFieldElement) -> StandardFieldElement {
     hax_lib::debug_assert!(
         i64::from(value) > -BARRETT_R && i64::from(value) < BARRETT_R,
         "value is {value}"
@@ -50,7 +50,7 @@ const INVERSE_OF_MODULUS_MOD_R: u32 = 62209; // FIELD_MODULUS^{-1} mod MONTGOMER
 
 #[cfg_attr(hax, hax_lib_macros::requires(value >= -FIELD_MODULUS * MONTGOMERY_R && value <= FIELD_MODULUS * MONTGOMERY_R))]
 #[cfg_attr(hax, hax_lib_macros::ensures(|result| result >= -(3 * FIELD_MODULUS) / 2 && result <= (3 * FIELD_MODULUS) / 2))]
-pub(crate) fn montgomery_reduce(value: FieldElement) -> FieldElement {
+pub(crate) fn montgomery_reduce(value: StandardFieldElement) -> StandardFieldElement {
     // This forces hax to extract code for MONTGOMERY_R before it extracts code
     // for this function. The removal of this line is being tracked in:
     // https://github.com/cryspen/libcrux/issues/134
@@ -73,27 +73,27 @@ pub(crate) fn montgomery_reduce(value: FieldElement) -> FieldElement {
 }
 
 pub(crate) fn montgomery_multiply_fe_by_fer(
-    fe: FieldElement,
+    fe: StandardFieldElement,
     fer: FieldElementTimesMontgomeryR,
-) -> FieldElement {
+) -> StandardFieldElement {
     montgomery_reduce(fe * fer)
 }
 
-pub(crate) fn to_standard_domain(mfe: MontgomeryFieldElement) -> FieldElement {
+pub(crate) fn to_standard_domain(mfe: MontgomeryFieldElement) -> StandardFieldElement {
     montgomery_reduce(mfe * 1353)
 }
 
 #[cfg_attr(hax, hax_lib_macros::requires(fe >= -FIELD_MODULUS && fe < FIELD_MODULUS))]
 #[cfg_attr(hax, hax_lib_macros::ensures(|result| result >= 0 && result < (FIELD_MODULUS as u16)))]
 #[inline(always)]
-pub(crate) fn to_unsigned_representative(fe: FieldElement) -> u16 {
+pub(crate) fn to_unsigned_representative(fe: StandardFieldElement) -> u16 {
     hax_lib::debug_assert!(fe >= -FIELD_MODULUS && fe < FIELD_MODULUS);
     (fe + (FIELD_MODULUS & (fe >> 31))) as u16
 }
 
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub struct PolynomialRingElement {
-    pub(crate) coefficients: [FieldElement; COEFFICIENTS_IN_RING_ELEMENT],
+    pub(crate) coefficients: [StandardFieldElement; COEFFICIENTS_IN_RING_ELEMENT],
 }
 
 impl PolynomialRingElement {
diff --git a/src/kem/kyber/compress.rs b/src/kem/kyber/compress.rs
index b01e85493..ca3ca475e 100644
--- a/src/kem/kyber/compress.rs
+++ b/src/kem/kyber/compress.rs
@@ -1,4 +1,4 @@
-use super::{arithmetic::FieldElement, constants::FIELD_MODULUS};
+use super::{arithmetic::StandardFieldElement, constants::FIELD_MODULUS};
 
 #[cfg_attr(hax, hax_lib_macros::requires(n > 0 && n <= 11))]
 #[cfg_attr(hax, hax_lib_macros::ensures(|result| result < 2u32.pow(n.into())))]
@@ -11,7 +11,7 @@ fn get_n_least_significant_bits(n: u8, value: u32) -> u32 {
 
 #[cfg_attr(hax, hax_lib_macros::requires(coefficient_bits > 0 && coefficient_bits <= 11 && fe <= (FIELD_MODULUS as u16)))]
 #[cfg_attr(hax, hax_lib_macros::ensures(|result| result >= 0 && result < 2i32.pow(coefficient_bits as u32)))]
-pub(super) fn compress_q(coefficient_bits: u8, fe: u16) -> FieldElement {
+pub(super) fn compress_q(coefficient_bits: u8, fe: u16) -> StandardFieldElement {
     hax_lib::debug_assert!(coefficient_bits > 0 && coefficient_bits <= 11);
     hax_lib::debug_assert!(fe <= (FIELD_MODULUS as u16));
 
@@ -19,12 +19,12 @@ pub(super) fn compress_q(coefficient_bits: u8, fe: u16) -> FieldElement {
     compressed += FIELD_MODULUS as u32;
     compressed /= (FIELD_MODULUS << 1) as u32;
 
-    get_n_least_significant_bits(coefficient_bits, compressed) as FieldElement
+    get_n_least_significant_bits(coefficient_bits, compressed) as StandardFieldElement
 }
 
 #[cfg_attr(hax, hax_lib_macros::requires(coefficient_bits > 0 && coefficient_bits <= 11 && (fe >= 0) && (fe < 2i32.pow(coefficient_bits as u32))))]
 #[cfg_attr(hax, hax_lib_macros::ensures(|result| result < FIELD_MODULUS))]
-pub(super) fn decompress_q(coefficient_bits: u8, fe: FieldElement) -> FieldElement {
+pub(super) fn decompress_q(coefficient_bits: u8, fe: StandardFieldElement) -> StandardFieldElement {
     hax_lib::debug_assert!(coefficient_bits > 0 && coefficient_bits <= 11);
     hax_lib::debug_assert!(fe >= 0 && fe <= 2i32.pow(coefficient_bits as u32));
 
@@ -32,5 +32,5 @@ pub(super) fn decompress_q(coefficient_bits: u8, fe: FieldElement) -> FieldEleme
     decompressed = (decompressed << 1) + (1 << coefficient_bits);
     decompressed >>= coefficient_bits + 1;
 
-    decompressed as FieldElement
+    decompressed as StandardFieldElement
 }
diff --git a/src/kem/kyber/ntt.rs b/src/kem/kyber/ntt.rs
index 05ec0589f..a4a37ae12 100644
--- a/src/kem/kyber/ntt.rs
+++ b/src/kem/kyber/ntt.rs
@@ -1,7 +1,8 @@
 use super::{
     arithmetic::{
-        barrett_reduce, montgomery_multiply_fe_by_fer, montgomery_reduce, FieldElement,
+        barrett_reduce, montgomery_multiply_fe_by_fer, montgomery_reduce,
         FieldElementTimesMontgomeryR, MontgomeryFieldElement, PolynomialRingElement,
+        StandardFieldElement,
     },
     constants::COEFFICIENTS_IN_RING_ELEMENT,
 };
@@ -169,8 +170,8 @@ pub(crate) fn invert_ntt_montgomery<const K: usize>(
 
 #[inline(always)]
 fn ntt_multiply_binomials(
-    (a0, a1): (FieldElement, FieldElement),
-    (b0, b1): (FieldElement, FieldElement),
+    (a0, a1): (StandardFieldElement, StandardFieldElement),
+    (b0, b1): (StandardFieldElement, StandardFieldElement),
     zeta: i32,
 ) -> (MontgomeryFieldElement, MontgomeryFieldElement) {
     (
diff --git a/src/kem/kyber/sampling.rs b/src/kem/kyber/sampling.rs
index 78636ca1a..d8045df26 100644
--- a/src/kem/kyber/sampling.rs
+++ b/src/kem/kyber/sampling.rs
@@ -1,5 +1,5 @@
 use super::{
-    arithmetic::{FieldElement, PolynomialRingElement},
+    arithmetic::{PolynomialRingElement, StandardFieldElement},
     constants::{COEFFICIENTS_IN_RING_ELEMENT, FIELD_MODULUS},
     Error,
 };
@@ -63,8 +63,9 @@ fn sample_from_binomial_distribution_2(randomness: &[u8]) -> PolynomialRingEleme
         let coin_toss_outcomes = even_bits + odd_bits;
 
         for outcome_set in (0..u32::BITS).step_by(4) {
-            let outcome_1 = ((coin_toss_outcomes >> outcome_set) & 0x3) as FieldElement;
-            let outcome_2 = ((coin_toss_outcomes >> (outcome_set + 2)) & 0x3) as FieldElement;
+            let outcome_1 = ((coin_toss_outcomes >> outcome_set) & 0x3) as StandardFieldElement;
+            let outcome_2 =
+                ((coin_toss_outcomes >> (outcome_set + 2)) & 0x3) as StandardFieldElement;
 
             let offset = (outcome_set >> 2) as usize;
             sampled.coefficients[8 * chunk_number + offset] = outcome_1 - outcome_2;
@@ -92,8 +93,9 @@ fn sample_from_binomial_distribution_3(randomness: &[u8]) -> PolynomialRingEleme
         let coin_toss_outcomes = first_bits + second_bits + third_bits;
 
         for outcome_set in (0..24).step_by(6) {
-            let outcome_1 = ((coin_toss_outcomes >> outcome_set) & 0x7) as FieldElement;
-            let outcome_2 = ((coin_toss_outcomes >> (outcome_set + 3)) & 0x7) as FieldElement;
+            let outcome_1 = ((coin_toss_outcomes >> outcome_set) & 0x7) as StandardFieldElement;
+            let outcome_2 =
+                ((coin_toss_outcomes >> (outcome_set + 3)) & 0x7) as StandardFieldElement;
 
             let offset = (outcome_set / 6) as usize;
             sampled.coefficients[4 * chunk_number + offset] = outcome_1 - outcome_2;
diff --git a/src/kem/kyber/serialize.rs b/src/kem/kyber/serialize.rs
index be3fd702a..bbf60dee2 100644
--- a/src/kem/kyber/serialize.rs
+++ b/src/kem/kyber/serialize.rs
@@ -1,5 +1,5 @@
 use super::{
-    arithmetic::{to_unsigned_representative, FieldElement, PolynomialRingElement},
+    arithmetic::{to_unsigned_representative, PolynomialRingElement, StandardFieldElement},
     compress::{compress_q, decompress_q},
     constants::{BYTES_PER_RING_ELEMENT, COEFFICIENTS_IN_RING_ELEMENT, SHARED_SECRET_SIZE},
 };
@@ -43,7 +43,7 @@ pub(super) fn deserialize_then_decompress_message(
 
     for (i, byte) in serialized.iter().enumerate() {
         for j in 0..8 {
-            let coefficient_compressed = ((byte >> j) & 0x1) as FieldElement;
+            let coefficient_compressed = ((byte >> j) & 0x1) as StandardFieldElement;
             re.coefficients[8 * i + j] = decompress_q(1, coefficient_compressed);
         }
     }
@@ -75,9 +75,9 @@ pub(super) fn deserialize_to_uncompressed_ring_element(serialized: &[u8]) -> Pol
     let mut re = PolynomialRingElement::ZERO;
 
     for (i, bytes) in serialized.chunks_exact(3).enumerate() {
-        let byte1 = bytes[0] as FieldElement;
-        let byte2 = bytes[1] as FieldElement;
-        let byte3 = bytes[2] as FieldElement;
+        let byte1 = bytes[0] as StandardFieldElement;
+        let byte2 = bytes[1] as StandardFieldElement;
+        let byte3 = bytes[2] as StandardFieldElement;
 
         re.coefficients[2 * i] = (byte2 & 0x0F) << 8 | (byte1 & 0xFF);
         re.coefficients[2 * i + 1] = (byte3 << 4) | ((byte2 >> 4) & 0x0F);
@@ -215,11 +215,11 @@ fn deserialize_then_decompress_10(serialized: &[u8]) -> PolynomialRingElement {
     let mut re = PolynomialRingElement::ZERO;
 
     for (i, bytes) in serialized.chunks_exact(5).enumerate() {
-        let byte1 = bytes[0] as FieldElement;
-        let byte2 = bytes[1] as FieldElement;
-        let byte3 = bytes[2] as FieldElement;
-        let byte4 = bytes[3] as FieldElement;
-        let byte5 = bytes[4] as FieldElement;
+        let byte1 = bytes[0] as StandardFieldElement;
+        let byte2 = bytes[1] as StandardFieldElement;
+        let byte3 = bytes[2] as StandardFieldElement;
+        let byte4 = bytes[3] as StandardFieldElement;
+        let byte5 = bytes[4] as StandardFieldElement;
 
         let coefficient1 = (byte2 & 0x03) << 8 | (byte1 & 0xFF);
         re.coefficients[4 * i] = decompress_q(10, coefficient1);
@@ -243,17 +243,17 @@ fn deserialize_then_decompress_11(serialized: &[u8]) -> PolynomialRingElement {
     let mut re = PolynomialRingElement::ZERO;
 
     for (i, bytes) in serialized.chunks_exact(11).enumerate() {
-        let byte1 = bytes[0] as FieldElement;
-        let byte2 = bytes[1] as FieldElement;
-        let byte3 = bytes[2] as FieldElement;
-        let byte4 = bytes[3] as FieldElement;
-        let byte5 = bytes[4] as FieldElement;
-        let byte6 = bytes[5] as FieldElement;
-        let byte7 = bytes[6] as FieldElement;
-        let byte8 = bytes[7] as FieldElement;
-        let byte9 = bytes[8] as FieldElement;
-        let byte10 = bytes[9] as FieldElement;
-        let byte11 = bytes[10] as FieldElement;
+        let byte1 = bytes[0] as StandardFieldElement;
+        let byte2 = bytes[1] as StandardFieldElement;
+        let byte3 = bytes[2] as StandardFieldElement;
+        let byte4 = bytes[3] as StandardFieldElement;
+        let byte5 = bytes[4] as StandardFieldElement;
+        let byte6 = bytes[5] as StandardFieldElement;
+        let byte7 = bytes[6] as StandardFieldElement;
+        let byte8 = bytes[7] as StandardFieldElement;
+        let byte9 = bytes[8] as StandardFieldElement;
+        let byte10 = bytes[9] as StandardFieldElement;
+        let byte11 = bytes[10] as StandardFieldElement;
 
         let coefficient1 = (byte2 & 0x7) << 8 | byte1;
         re.coefficients[8 * i] = decompress_q(11, coefficient1);
@@ -304,10 +304,10 @@ fn deserialize_then_decompress_4(serialized: &[u8]) -> PolynomialRingElement {
     let mut re = PolynomialRingElement::ZERO;
 
     for (i, byte) in serialized.iter().enumerate() {
-        let coefficient1 = (byte & 0x0F) as FieldElement;
+        let coefficient1 = (byte & 0x0F) as StandardFieldElement;
         re.coefficients[2 * i] = decompress_q(4, coefficient1);
 
-        let coefficient2 = ((byte >> 4) & 0x0F) as FieldElement;
+        let coefficient2 = ((byte >> 4) & 0x0F) as StandardFieldElement;
         re.coefficients[2 * i + 1] = decompress_q(4, coefficient2);
     }
 
@@ -320,11 +320,11 @@ fn deserialize_then_decompress_5(serialized: &[u8]) -> PolynomialRingElement {
     let mut re = PolynomialRingElement::ZERO;
 
     for (i, bytes) in serialized.chunks_exact(5).enumerate() {
-        let byte1 = bytes[0] as FieldElement;
-        let byte2 = bytes[1] as FieldElement;
-        let byte3 = bytes[2] as FieldElement;
-        let byte4 = bytes[3] as FieldElement;
-        let byte5 = bytes[4] as FieldElement;
+        let byte1 = bytes[0] as StandardFieldElement;
+        let byte2 = bytes[1] as StandardFieldElement;
+        let byte3 = bytes[2] as StandardFieldElement;
+        let byte4 = bytes[3] as StandardFieldElement;
+        let byte5 = bytes[4] as StandardFieldElement;
 
         let coefficient1 = byte1 & 0x1F;
         re.coefficients[8 * i] = decompress_q(5, coefficient1);

From c9bd0db4674de392e607fa707f4cf172a8c09383 Mon Sep 17 00:00:00 2001
From: xvzcf <xvzcf@users.noreply.github.com>
Date: Mon, 20 Nov 2023 19:05:50 -0500
Subject: [PATCH 06/24] More annotating with type aliases.

---
 .../Libcrux.Kem.Kyber.Arithmetic.fst          |  2 +-
 .../extraction/Libcrux.Kem.Kyber.Ntt.fst      | 72 +++++++++----------
 src/kem/kyber/arithmetic.rs                   |  2 +-
 src/kem/kyber/ntt.rs                          | 16 ++---
 4 files changed, 46 insertions(+), 46 deletions(-)

diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst
index 9fce49c2d..0d9ce48a4 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst
@@ -86,7 +86,7 @@ let montgomery_reduce (value: i32)
   let value_high:i32 = value >>! v_MONTGOMERY_SHIFT in
   value_high -! c
 
-let montgomery_multiply_fe_by_fer (fe fer: i32) : i32 = montgomery_reduce (fe *! fer <: i32)
+let montgomery_multiply_sfe_by_fer (fe fer: i32) : i32 = montgomery_reduce (fe *! fer <: i32)
 
 let to_standard_domain (mfe: i32) : i32 = montgomery_reduce (mfe *! 1353l <: i32)
 
diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ntt.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ntt.fst
index 06541d579..fde6e6bb8 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ntt.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ntt.fst
@@ -3,7 +3,7 @@ module Libcrux.Kem.Kyber.Ntt
 open Core
 open FStar.Mul
 
-let v_ZETAS_MONTGOMERY_DOMAIN: t_Array i32 (sz 128) =
+let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i32 (sz 128) =
   let list =
     [
       (-1044l); (-758l); (-359l); (-1517l); 1493l; 1422l; 287l; 202l; (-171l); 622l; 1577l; 182l;
@@ -93,7 +93,7 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
                       Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *!
-                              (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                              (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
                               <:
                               i32)
                           <:
@@ -164,7 +164,7 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
                       Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *!
-                              (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                              (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
                               <:
                               i32)
                           <:
@@ -235,7 +235,7 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
                       Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *!
-                              (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                              (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
                               <:
                               i32)
                           <:
@@ -306,7 +306,7 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
                       Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *!
-                              (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                              (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
                               <:
                               i32)
                           <:
@@ -377,7 +377,7 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
                       Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *!
-                              (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                              (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
                               <:
                               i32)
                           <:
@@ -448,7 +448,7 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
                       Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *!
-                              (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                              (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
                               <:
                               i32)
                           <:
@@ -519,7 +519,7 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
                       Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *!
-                              (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                              (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
                               <:
                               i32)
                           <:
@@ -646,11 +646,11 @@ let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_Poly
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_fe_by_fer (re
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
                           .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
                         <:
                         i32)
-                      (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
                   in
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
@@ -711,11 +711,11 @@ let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_Poly
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_fe_by_fer (re
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
                           .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
                         <:
                         i32)
-                      (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
                   in
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
@@ -776,11 +776,11 @@ let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_Poly
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_fe_by_fer (re
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
                           .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
                         <:
                         i32)
-                      (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
                   in
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
@@ -841,11 +841,11 @@ let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_Poly
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_fe_by_fer (re
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
                           .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
                         <:
                         i32)
-                      (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
                   in
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
@@ -906,11 +906,11 @@ let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_Poly
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_fe_by_fer (re
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
                           .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
                         <:
                         i32)
-                      (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
                   in
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
@@ -971,11 +971,11 @@ let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_Poly
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_fe_by_fer (re
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
                           .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
                         <:
                         i32)
-                      (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
                   in
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
@@ -1063,7 +1063,7 @@ let ntt_multiply (left right: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingEleme
                   i32)
                 <:
                 (i32 & i32))
-              (v_ZETAS_MONTGOMERY_DOMAIN.[ sz 64 +! i <: usize ] <: i32)
+              (v_ZETAS_TIMES_MONTGOMERY_R.[ sz 64 +! i <: usize ] <: i32)
           in
           let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             {
@@ -1117,7 +1117,7 @@ let ntt_multiply (left right: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingEleme
                   i32)
                 <:
                 (i32 & i32))
-              (Core.Ops.Arith.Neg.neg (v_ZETAS_MONTGOMERY_DOMAIN.[ sz 64 +! i <: usize ] <: i32)
+              (Core.Ops.Arith.Neg.neg (v_ZETAS_TIMES_MONTGOMERY_R.[ sz 64 +! i <: usize ] <: i32)
                 <:
                 i32)
           in
@@ -1186,11 +1186,11 @@ let ntt_vector_u
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_fe_by_fer (re
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
                           .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
                         <:
                         i32)
-                      (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
                   in
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
@@ -1251,11 +1251,11 @@ let ntt_vector_u
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_fe_by_fer (re
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
                           .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
                         <:
                         i32)
-                      (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
                   in
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
@@ -1316,11 +1316,11 @@ let ntt_vector_u
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_fe_by_fer (re
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
                           .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
                         <:
                         i32)
-                      (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
                   in
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
@@ -1381,11 +1381,11 @@ let ntt_vector_u
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_fe_by_fer (re
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
                           .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
                         <:
                         i32)
-                      (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
                   in
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
@@ -1446,11 +1446,11 @@ let ntt_vector_u
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_fe_by_fer (re
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
                           .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
                         <:
                         i32)
-                      (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
                   in
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
@@ -1511,11 +1511,11 @@ let ntt_vector_u
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_fe_by_fer (re
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
                           .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
                         <:
                         i32)
-                      (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
                   in
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
@@ -1576,11 +1576,11 @@ let ntt_vector_u
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
                   let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_fe_by_fer (re
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
                           .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
                         <:
                         i32)
-                      (v_ZETAS_MONTGOMERY_DOMAIN.[ zeta_i ] <: i32)
+                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
                   in
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
diff --git a/src/kem/kyber/arithmetic.rs b/src/kem/kyber/arithmetic.rs
index 8f93da6a4..0d98413b2 100644
--- a/src/kem/kyber/arithmetic.rs
+++ b/src/kem/kyber/arithmetic.rs
@@ -72,7 +72,7 @@ pub(crate) fn montgomery_reduce(value: StandardFieldElement) -> StandardFieldEle
     value_high - c
 }
 
-pub(crate) fn montgomery_multiply_fe_by_fer(
+pub(crate) fn montgomery_multiply_sfe_by_fer(
     fe: StandardFieldElement,
     fer: FieldElementTimesMontgomeryR,
 ) -> StandardFieldElement {
diff --git a/src/kem/kyber/ntt.rs b/src/kem/kyber/ntt.rs
index a4a37ae12..338382e8a 100644
--- a/src/kem/kyber/ntt.rs
+++ b/src/kem/kyber/ntt.rs
@@ -1,13 +1,13 @@
 use super::{
     arithmetic::{
-        barrett_reduce, montgomery_multiply_fe_by_fer, montgomery_reduce,
+        barrett_reduce, montgomery_multiply_sfe_by_fer, montgomery_reduce,
         FieldElementTimesMontgomeryR, MontgomeryFieldElement, PolynomialRingElement,
         StandardFieldElement,
     },
     constants::COEFFICIENTS_IN_RING_ELEMENT,
 };
 
-const ZETAS_MONTGOMERY_DOMAIN: [FieldElementTimesMontgomeryR; 128] = [
+const ZETAS_TIMES_MONTGOMERY_R: [FieldElementTimesMontgomeryR; 128] = [
     -1044, -758, -359, -1517, 1493, 1422, 287, 202, -171, 622, 1577, 182, 962, -1202, -1474, 1468,
     573, -1325, 264, 383, -829, 1458, -1602, -130, -681, 1017, 732, 608, -1542, 411, -205, -1571,
     1223, 652, -552, 1015, -1293, 1491, -282, -1544, 516, -8, -320, -666, -1618, -1162, 126, 1469,
@@ -28,9 +28,9 @@ macro_rules! ntt_at_layer {
             let offset = round * step * 2;
 
             for j in offset..offset + step {
-                let t = montgomery_multiply_fe_by_fer(
+                let t = montgomery_multiply_sfe_by_fer(
                     $re.coefficients[j + step],
-                    ZETAS_MONTGOMERY_DOMAIN[$zeta_i],
+                    ZETAS_TIMES_MONTGOMERY_R[$zeta_i],
                 );
                 $re.coefficients[j + step] = $re.coefficients[j] - t;
                 $re.coefficients[j] = $re.coefficients[j] + t;
@@ -137,7 +137,7 @@ pub(crate) fn invert_ntt_montgomery<const K: usize>(
                     // 2^7 in one go in the end.
                     re.coefficients[j] = re.coefficients[j] + re.coefficients[j + step];
                     re.coefficients[j + step] =
-                        montgomery_reduce(a_minus_b * ZETAS_MONTGOMERY_DOMAIN[zeta_i]);
+                        montgomery_reduce(a_minus_b * ZETAS_TIMES_MONTGOMERY_R[zeta_i]);
                 }
             }
         };
@@ -172,7 +172,7 @@ pub(crate) fn invert_ntt_montgomery<const K: usize>(
 fn ntt_multiply_binomials(
     (a0, a1): (StandardFieldElement, StandardFieldElement),
     (b0, b1): (StandardFieldElement, StandardFieldElement),
-    zeta: i32,
+    zeta: FieldElementTimesMontgomeryR,
 ) -> (MontgomeryFieldElement, MontgomeryFieldElement) {
     (
         montgomery_reduce(a0 * b0 + montgomery_reduce(a1 * b1) * zeta),
@@ -200,7 +200,7 @@ pub(crate) fn ntt_multiply(
         let product = ntt_multiply_binomials(
             (left.coefficients[4 * i], left.coefficients[4 * i + 1]),
             (right.coefficients[4 * i], right.coefficients[4 * i + 1]),
-            ZETAS_MONTGOMERY_DOMAIN[64 + i],
+            ZETAS_TIMES_MONTGOMERY_R[64 + i],
         );
         out.coefficients[4 * i] = product.0;
         out.coefficients[4 * i + 1] = product.1;
@@ -208,7 +208,7 @@ pub(crate) fn ntt_multiply(
         let product = ntt_multiply_binomials(
             (left.coefficients[4 * i + 2], left.coefficients[4 * i + 3]),
             (right.coefficients[4 * i + 2], right.coefficients[4 * i + 3]),
-            -ZETAS_MONTGOMERY_DOMAIN[64 + i],
+            -ZETAS_TIMES_MONTGOMERY_R[64 + i],
         );
         out.coefficients[4 * i + 2] = product.0;
         out.coefficients[4 * i + 3] = product.1;

From 710f698f966d4dd030ea2924cbee202e56d6b47e Mon Sep 17 00:00:00 2001
From: xvzcf <xvzcf@users.noreply.github.com>
Date: Mon, 20 Nov 2023 19:22:06 -0500
Subject: [PATCH 07/24] cbd -> sample_vector_cbd_then_ntt.

---
 .../extraction/Libcrux.Kem.Kyber.Ind_cpa.fst  | 123 ++----------------
 src/kem/kyber/ind_cpa.rs                      |  48 ++-----
 2 files changed, 26 insertions(+), 145 deletions(-)

diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fst
index fa7fd5bfd..c8aed2e60 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fst
@@ -32,9 +32,11 @@ let serialize_secret_key
       <:
       Libcrux.Kem.Kyber.Conversions.t_UpdatableArray v_SERIALIZED_KEY_LEN)
 
-let cbd (v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize) (prf_input: t_Array u8 (sz 33))
+let sample_vector_cbd_then_ntt
+      (v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize)
+      (prf_input: t_Array u8 (sz 33))
+      (domain_separator: u8)
     : (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & u8) =
-  let domain_separator:u8 = 0uy in
   let re_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
     Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K
   in
@@ -494,7 +496,7 @@ let encrypt
   in
   let r_as_ntt, domain_separator:(t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K &
     u8) =
-    cbd v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE prf_input
+    sample_vector_cbd_then_ntt v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE prf_input 0uy
   in
   let error_1_:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
     Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K
@@ -621,115 +623,16 @@ let generate_keypair
       (Libcrux.Kem.Kyber.Conversions.into_padded_array (sz 34) seed_for_A <: t_Array u8 (sz 34))
       true
   in
-  let prf_input:t_Array u8 (sz 33) =
-    Rust_primitives.Hax.update_at prf_input
-      ({
-          Core.Ops.Range.f_start = sz 0;
-          Core.Ops.Range.f_end = Core.Slice.impl__len seed_for_secret_and_error <: usize
-        }
-        <:
-        Core.Ops.Range.t_Range usize)
-      (Core.Slice.impl__copy_from_slice (prf_input.[ {
-                Core.Ops.Range.f_start = sz 0;
-                Core.Ops.Range.f_end = Core.Slice.impl__len seed_for_secret_and_error <: usize
-              }
-              <:
-              Core.Ops.Range.t_Range usize ]
-            <:
-            t_Slice u8)
-          seed_for_secret_and_error
-        <:
-        t_Slice u8)
+  let (prf_input: t_Array u8 (sz 33)):t_Array u8 (sz 33) =
+    Libcrux.Kem.Kyber.Conversions.into_padded_array (sz 33) seed_for_secret_and_error
   in
-  let domain_separator, prf_input, secret_as_ntt:(u8 & t_Array u8 (sz 33) &
-    t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = v_K
-            }
-            <:
-            Core.Ops.Range.t_Range usize)
-        <:
-        Core.Ops.Range.t_Range usize)
-      (domain_separator, prf_input, secret_as_ntt
-        <:
-        (u8 & t_Array u8 (sz 33) & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)
-      )
-      (fun temp_0_ i ->
-          let domain_separator, prf_input, secret_as_ntt:(u8 & t_Array u8 (sz 33) &
-            t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) =
-            temp_0_
-          in
-          let i:usize = i in
-          let prf_input:t_Array u8 (sz 33) =
-            Rust_primitives.Hax.update_at prf_input (sz 32) domain_separator
-          in
-          let domain_separator:u8 = domain_separator +! 1uy in
-          let (prf_output: t_Array u8 v_ETA1_RANDOMNESS_SIZE):t_Array u8 v_ETA1_RANDOMNESS_SIZE =
-            Libcrux.Kem.Kyber.Hash_functions.v_PRF v_ETA1_RANDOMNESS_SIZE
-              (Rust_primitives.unsize prf_input <: t_Slice u8)
-          in
-          let secret:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            Libcrux.Kem.Kyber.Sampling.sample_from_binomial_distribution v_ETA1
-              (Rust_primitives.unsize prf_output <: t_Slice u8)
-          in
-          let secret_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
-            Rust_primitives.Hax.update_at secret_as_ntt
-              i
-              (Libcrux.Kem.Kyber.Ntt.ntt_binomially_sampled_ring_element secret
-                <:
-                Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
-          in
-          domain_separator, prf_input, secret_as_ntt
-          <:
-          (u8 & t_Array u8 (sz 33) &
-            t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K))
+  let secret_as_ntt, domain_separator:(t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+      v_K &
+    u8) =
+    sample_vector_cbd_then_ntt v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE prf_input 0uy
   in
-  let domain_separator, error_as_ntt, prf_input:(u8 &
-    t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K &
-    t_Array u8 (sz 33)) =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = v_K
-            }
-            <:
-            Core.Ops.Range.t_Range usize)
-        <:
-        Core.Ops.Range.t_Range usize)
-      (domain_separator, error_as_ntt, prf_input
-        <:
-        (u8 & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & t_Array u8 (sz 33))
-      )
-      (fun temp_0_ i ->
-          let domain_separator, error_as_ntt, prf_input:(u8 &
-            t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K &
-            t_Array u8 (sz 33)) =
-            temp_0_
-          in
-          let i:usize = i in
-          let prf_input:t_Array u8 (sz 33) =
-            Rust_primitives.Hax.update_at prf_input (sz 32) domain_separator
-          in
-          let domain_separator:u8 = domain_separator +! 1uy in
-          let (prf_output: t_Array u8 v_ETA1_RANDOMNESS_SIZE):t_Array u8 v_ETA1_RANDOMNESS_SIZE =
-            Libcrux.Kem.Kyber.Hash_functions.v_PRF v_ETA1_RANDOMNESS_SIZE
-              (Rust_primitives.unsize prf_input <: t_Slice u8)
-          in
-          let error:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            Libcrux.Kem.Kyber.Sampling.sample_from_binomial_distribution v_ETA1
-              (Rust_primitives.unsize prf_output <: t_Slice u8)
-          in
-          let error_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
-            Rust_primitives.Hax.update_at error_as_ntt
-              i
-              (Libcrux.Kem.Kyber.Ntt.ntt_binomially_sampled_ring_element error
-                <:
-                Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
-          in
-          domain_separator, error_as_ntt, prf_input
-          <:
-          (u8 & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K &
-            t_Array u8 (sz 33)))
+  let error_as_ntt, _:(t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & u8) =
+    sample_vector_cbd_then_ntt v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE prf_input domain_separator
   in
   let tt_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
     Libcrux.Kem.Kyber.Matrix.compute_As_plus_e v_K v_A_transpose secret_as_ntt error_as_ntt
diff --git a/src/kem/kyber/ind_cpa.rs b/src/kem/kyber/ind_cpa.rs
index d1d795c72..5c72e1793 100644
--- a/src/kem/kyber/ind_cpa.rs
+++ b/src/kem/kyber/ind_cpa.rs
@@ -69,10 +69,14 @@ fn sample_matrix_A<const K: usize>(
 }
 
 #[inline(always)]
-fn cbd<const K: usize, const ETA: usize, const ETA_RANDOMNESS_SIZE: usize>(
+fn sample_vector_cbd_then_ntt<
+    const K: usize,
+    const ETA: usize,
+    const ETA_RANDOMNESS_SIZE: usize,
+>(
     mut prf_input: [u8; 33],
+    mut domain_separator: u8,
 ) -> ([PolynomialRingElement; K], u8) {
-    let mut domain_separator = 0;
     let mut re_as_ntt = [PolynomialRingElement::ZERO; K];
     for i in 0..K {
         prf_input[32] = domain_separator;
@@ -130,38 +134,11 @@ pub(crate) fn generate_keypair<
 
     let (A_transpose, sampling_A_error) = sample_matrix_A(into_padded_array(seed_for_A), true);
 
-    // for i from 0 to k−1 do
-    //     s[i] := CBD_{η1}(PRF(σ, N))
-    //     N := N + 1
-    // end for
-    // sˆ := NTT(s)
-    prf_input[0..seed_for_secret_and_error.len()].copy_from_slice(seed_for_secret_and_error);
-
-    for i in 0..K {
-        prf_input[32] = domain_separator;
-        domain_separator += 1;
-
-        let prf_output: [u8; ETA1_RANDOMNESS_SIZE] = PRF(&prf_input);
-
-        let secret = sample_from_binomial_distribution::<ETA1>(&prf_output);
-
-        secret_as_ntt[i] = ntt_binomially_sampled_ring_element(secret);
-    }
-
-    // for i from 0 to k−1 do
-    //     e[i] := CBD_{η1}(PRF(σ, N))
-    //     N := N + 1
-    // end for
-    // eˆ := NTT(e)
-    for i in 0..K {
-        prf_input[32] = domain_separator;
-        domain_separator += 1;
-
-        let prf_output: [u8; ETA1_RANDOMNESS_SIZE] = PRF(&prf_input);
-
-        let error = sample_from_binomial_distribution::<ETA1>(&prf_output);
-        error_as_ntt[i] = ntt_binomially_sampled_ring_element(error);
-    }
+    let mut prf_input: [u8; 33] = into_padded_array(seed_for_secret_and_error);
+    let (secret_as_ntt, mut domain_separator) =
+        sample_vector_cbd_then_ntt::<K, ETA1, ETA1_RANDOMNESS_SIZE>(prf_input, 0);
+    let (error_as_ntt, _) =
+        sample_vector_cbd_then_ntt::<K, ETA1, ETA1_RANDOMNESS_SIZE>(prf_input, domain_separator);
 
     // tˆ := Aˆ ◦ sˆ + eˆ
     let t_as_ntt = compute_As_plus_e(&A_transpose, &secret_as_ntt, &error_as_ntt);
@@ -242,7 +219,8 @@ pub(crate) fn encrypt<
     // end for
     // rˆ := NTT(r)
     let mut prf_input: [u8; 33] = into_padded_array(randomness);
-    let (r_as_ntt, mut domain_separator) = cbd::<K, ETA1, ETA1_RANDOMNESS_SIZE>(prf_input);
+    let (r_as_ntt, mut domain_separator) =
+        sample_vector_cbd_then_ntt::<K, ETA1, ETA1_RANDOMNESS_SIZE>(prf_input, 0);
 
     // for i from 0 to k−1 do
     //     e1[i] := CBD_{η2}(PRF(r,N))

From 1da97adae907815eb0069c729502122b689a02fc Mon Sep 17 00:00:00 2001
From: xvzcf <xvzcf@users.noreply.github.com>
Date: Wed, 22 Nov 2023 10:22:42 -0500
Subject: [PATCH 08/24] Make message compression and decompression constant
 time.

---
 .../extraction/Libcrux.Kem.Kyber.Compress.fst |  20 ++-
 .../extraction/Libcrux.Kem.Kyber.Ind_cpa.fst  |   8 -
 .../Libcrux.Kem.Kyber.Serialize.fst           | 146 ++++++++++++------
 src/kem/kyber/compress.rs                     |  45 +++++-
 src/kem/kyber/ind_cpa.rs                      |  12 +-
 src/kem/kyber/serialize.rs                    | 136 ++++++++--------
 6 files changed, 230 insertions(+), 137 deletions(-)

diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Compress.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Compress.fst
index 6dba52460..a5a565dd8 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Compress.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Compress.fst
@@ -3,6 +3,15 @@ module Libcrux.Kem.Kyber.Compress
 open Core
 open FStar.Mul
 
+let compress_message_coefficient (fe: u16)
+    : Prims.Pure u8
+      (requires fe <. (cast (Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32) <: u16))
+      (fun _ -> Prims.l_True) =
+  let (shifted: i16):i16 = 1664s -! (cast (fe <: u16) <: i16) in
+  let shifted_to_positive:i16 = (shifted >>! 15l <: i16) ^. shifted in
+  let shifted_positive_in_range:i16 = shifted_to_positive -! 832s in
+  cast ((shifted_positive_in_range >>! 15l <: i16) &. 1s <: i16) <: u8
+
 let get_n_least_significant_bits (n: u8) (value: u32)
     : Prims.Pure u32
       (requires n >. 0uy && n <=. 11uy)
@@ -13,11 +22,11 @@ let get_n_least_significant_bits (n: u8) (value: u32)
   let _:Prims.unit = () <: Prims.unit in
   value &. ((1ul <<! n <: u32) -! 1ul <: u32)
 
-let compress_q (coefficient_bits: u8) (fe: u16)
+let compress_ciphertext_coefficient (coefficient_bits: u8) (fe: u16)
     : Prims.Pure i32
       (requires
         coefficient_bits >. 0uy && coefficient_bits <=. 11uy &&
-        fe <=. (cast (Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32) <: u16))
+        fe <. (cast (Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32) <: u16))
       (ensures
         fun result ->
           let result:i32 = result in
@@ -34,7 +43,7 @@ let compress_q (coefficient_bits: u8) (fe: u16)
   in
   cast (get_n_least_significant_bits coefficient_bits compressed <: u32) <: i32
 
-let decompress_q (coefficient_bits: u8) (fe: i32)
+let decompress_ciphertext_coefficient (coefficient_bits: u8) (fe: i32)
     : Prims.Pure i32
       (requires
         coefficient_bits >. 0uy && coefficient_bits <=. 11uy && fe >=. 0l &&
@@ -51,3 +60,8 @@ let decompress_q (coefficient_bits: u8) (fe: i32)
   let decompressed:u32 = (decompressed <<! 1l <: u32) +! (1ul <<! coefficient_bits <: u32) in
   let decompressed:u32 = decompressed >>! (coefficient_bits +! 1uy <: u8) in
   cast (decompressed <: u32) <: i32
+
+let decompress_message_coefficient (fe: i32)
+    : Prims.Pure i32 (requires fe =. 0l || fe =. 1l) (fun _ -> Prims.l_True) =
+  (Core.Ops.Arith.Neg.neg fe <: i32) &.
+  ((Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS +! 1l <: i32) /! 2l <: i32)
diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fst
index c8aed2e60..0f3c80dc9 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fst
@@ -604,14 +604,6 @@ let generate_keypair
     : ((Libcrux.Kem.Kyber.Types.t_PrivateKey v_PRIVATE_KEY_SIZE &
         Libcrux.Kem.Kyber.Types.t_KyberPublicKey v_PUBLIC_KEY_SIZE) &
       Core.Option.t_Option Libcrux.Kem.Kyber.Types.t_Error) =
-  let (prf_input: t_Array u8 (sz 33)):t_Array u8 (sz 33) = Rust_primitives.Hax.repeat 0uy (sz 33) in
-  let secret_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
-    Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K
-  in
-  let error_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
-    Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K
-  in
-  let (domain_separator: u8):u8 = 0uy in
   let hashed:t_Array u8 (sz 64) = Libcrux.Kem.Kyber.Hash_functions.v_G key_generation_seed in
   let seed_for_A, seed_for_secret_and_error:(t_Slice u8 & t_Slice u8) =
     Core.Slice.impl__split_at (Rust_primitives.unsize hashed <: t_Slice u8) (sz 32)
diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Serialize.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Serialize.fst
index e464c1e84..0333b963a 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Serialize.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Serialize.fst
@@ -26,28 +26,28 @@ let compress_then_serialize_10_
           let serialized:t_Array u8 v_OUT_LEN = serialized in
           let i, coefficients:(usize & t_Slice i32) = temp_1_ in
           let coefficient1:i32 =
-            Libcrux.Kem.Kyber.Compress.compress_q 10uy
+            Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 10uy
               (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 0 ] <: i32
                   )
                 <:
                 u16)
           in
           let coefficient2:i32 =
-            Libcrux.Kem.Kyber.Compress.compress_q 10uy
+            Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 10uy
               (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 1 ] <: i32
                   )
                 <:
                 u16)
           in
           let coefficient3:i32 =
-            Libcrux.Kem.Kyber.Compress.compress_q 10uy
+            Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 10uy
               (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 2 ] <: i32
                   )
                 <:
                 u16)
           in
           let coefficient4:i32 =
-            Libcrux.Kem.Kyber.Compress.compress_q 10uy
+            Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 10uy
               (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 3 ] <: i32
                   )
                 <:
@@ -114,56 +114,56 @@ let compress_then_serialize_11_
           let serialized:t_Array u8 v_OUT_LEN = serialized in
           let i, coefficients:(usize & t_Slice i32) = temp_1_ in
           let coefficient1:i32 =
-            Libcrux.Kem.Kyber.Compress.compress_q 11uy
+            Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 11uy
               (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 0 ] <: i32
                   )
                 <:
                 u16)
           in
           let coefficient2:i32 =
-            Libcrux.Kem.Kyber.Compress.compress_q 11uy
+            Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 11uy
               (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 1 ] <: i32
                   )
                 <:
                 u16)
           in
           let coefficient3:i32 =
-            Libcrux.Kem.Kyber.Compress.compress_q 11uy
+            Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 11uy
               (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 2 ] <: i32
                   )
                 <:
                 u16)
           in
           let coefficient4:i32 =
-            Libcrux.Kem.Kyber.Compress.compress_q 11uy
+            Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 11uy
               (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 3 ] <: i32
                   )
                 <:
                 u16)
           in
           let coefficient5:i32 =
-            Libcrux.Kem.Kyber.Compress.compress_q 11uy
+            Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 11uy
               (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 4 ] <: i32
                   )
                 <:
                 u16)
           in
           let coefficient6:i32 =
-            Libcrux.Kem.Kyber.Compress.compress_q 11uy
+            Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 11uy
               (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 5 ] <: i32
                   )
                 <:
                 u16)
           in
           let coefficient7:i32 =
-            Libcrux.Kem.Kyber.Compress.compress_q 11uy
+            Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 11uy
               (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 6 ] <: i32
                   )
                 <:
                 u16)
           in
           let coefficient8:i32 =
-            Libcrux.Kem.Kyber.Compress.compress_q 11uy
+            Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 11uy
               (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 7 ] <: i32
                   )
                 <:
@@ -272,7 +272,7 @@ let compress_then_serialize_4_
           let serialized:t_Array u8 v_OUT_LEN = serialized in
           let i, coefficients:(usize & t_Slice i32) = temp_1_ in
           let coefficient1:u8 =
-            cast (Libcrux.Kem.Kyber.Compress.compress_q 4uy
+            cast (Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 4uy
                   (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 0 ]
                         <:
                         i32)
@@ -284,7 +284,7 @@ let compress_then_serialize_4_
             u8
           in
           let coefficient2:u8 =
-            cast (Libcrux.Kem.Kyber.Compress.compress_q 4uy
+            cast (Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 4uy
                   (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 1 ]
                         <:
                         i32)
@@ -327,7 +327,7 @@ let compress_then_serialize_5_
           let serialized:t_Array u8 v_OUT_LEN = serialized in
           let i, coefficients:(usize & t_Slice i32) = temp_1_ in
           let coefficient1:u8 =
-            cast (Libcrux.Kem.Kyber.Compress.compress_q 5uy
+            cast (Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 5uy
                   (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 0 ]
                         <:
                         i32)
@@ -339,7 +339,7 @@ let compress_then_serialize_5_
             u8
           in
           let coefficient2:u8 =
-            cast (Libcrux.Kem.Kyber.Compress.compress_q 5uy
+            cast (Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 5uy
                   (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 1 ]
                         <:
                         i32)
@@ -351,7 +351,7 @@ let compress_then_serialize_5_
             u8
           in
           let coefficient3:u8 =
-            cast (Libcrux.Kem.Kyber.Compress.compress_q 5uy
+            cast (Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 5uy
                   (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 2 ]
                         <:
                         i32)
@@ -363,7 +363,7 @@ let compress_then_serialize_5_
             u8
           in
           let coefficient4:u8 =
-            cast (Libcrux.Kem.Kyber.Compress.compress_q 5uy
+            cast (Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 5uy
                   (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 3 ]
                         <:
                         i32)
@@ -375,7 +375,7 @@ let compress_then_serialize_5_
             u8
           in
           let coefficient5:u8 =
-            cast (Libcrux.Kem.Kyber.Compress.compress_q 5uy
+            cast (Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 5uy
                   (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 4 ]
                         <:
                         i32)
@@ -387,7 +387,7 @@ let compress_then_serialize_5_
             u8
           in
           let coefficient6:u8 =
-            cast (Libcrux.Kem.Kyber.Compress.compress_q 5uy
+            cast (Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 5uy
                   (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 5 ]
                         <:
                         i32)
@@ -399,7 +399,7 @@ let compress_then_serialize_5_
             u8
           in
           let coefficient7:u8 =
-            cast (Libcrux.Kem.Kyber.Compress.compress_q 5uy
+            cast (Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 5uy
                   (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 6 ]
                         <:
                         i32)
@@ -411,7 +411,7 @@ let compress_then_serialize_5_
             u8
           in
           let coefficient8:u8 =
-            cast (Libcrux.Kem.Kyber.Compress.compress_q 5uy
+            cast (Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 5uy
                   (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 7 ]
                         <:
                         i32)
@@ -490,15 +490,12 @@ let compress_then_serialize_message (re: Libcrux.Kem.Kyber.Arithmetic.t_Polynomi
                 let coefficient:u16 =
                   Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative coefficient
                 in
-                let coefficient_compressed:i32 =
-                  Libcrux.Kem.Kyber.Compress.compress_q 1uy coefficient
+                let coefficient_compressed:u8 =
+                  Libcrux.Kem.Kyber.Compress.compress_message_coefficient coefficient
                 in
                 Rust_primitives.Hax.update_at serialized
                   i
-                  ((serialized.[ i ] <: u8) |.
-                    ((cast (coefficient_compressed <: i32) <: u8) <<! j <: u8)
-                    <:
-                    u8))
+                  ((serialized.[ i ] <: u8) |. (coefficient_compressed <<! j <: u8) <: u8))
           <:
           t_Array u8 (sz 32))
   in
@@ -562,7 +559,9 @@ let deserialize_then_decompress_10_ (serialized: t_Slice u8)
               =
               Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 (sz 4 *! i <: usize)
-                (Libcrux.Kem.Kyber.Compress.decompress_q 10uy coefficient1 <: i32)
+                (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 10uy coefficient1
+                  <:
+                  i32)
             }
             <:
             Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
@@ -575,7 +574,9 @@ let deserialize_then_decompress_10_ (serialized: t_Slice u8)
               =
               Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 4 *! i <: usize) +! sz 1 <: usize)
-                (Libcrux.Kem.Kyber.Compress.decompress_q 10uy coefficient2 <: i32)
+                (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 10uy coefficient2
+                  <:
+                  i32)
             }
             <:
             Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
@@ -588,7 +589,9 @@ let deserialize_then_decompress_10_ (serialized: t_Slice u8)
               =
               Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 4 *! i <: usize) +! sz 2 <: usize)
-                (Libcrux.Kem.Kyber.Compress.decompress_q 10uy coefficient3 <: i32)
+                (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 10uy coefficient3
+                  <:
+                  i32)
             }
             <:
             Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
@@ -601,7 +604,9 @@ let deserialize_then_decompress_10_ (serialized: t_Slice u8)
               =
               Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 4 *! i <: usize) +! sz 3 <: usize)
-                (Libcrux.Kem.Kyber.Compress.decompress_q 10uy coefficient4 <: i32)
+                (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 10uy coefficient4
+                  <:
+                  i32)
             }
             <:
             Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
@@ -646,7 +651,9 @@ let deserialize_then_decompress_11_ (serialized: t_Slice u8)
               =
               Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 (sz 8 *! i <: usize)
-                (Libcrux.Kem.Kyber.Compress.decompress_q 11uy coefficient1 <: i32)
+                (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 11uy coefficient1
+                  <:
+                  i32)
             }
             <:
             Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
@@ -659,7 +666,9 @@ let deserialize_then_decompress_11_ (serialized: t_Slice u8)
               =
               Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 8 *! i <: usize) +! sz 1 <: usize)
-                (Libcrux.Kem.Kyber.Compress.decompress_q 11uy coefficient2 <: i32)
+                (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 11uy coefficient2
+                  <:
+                  i32)
             }
             <:
             Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
@@ -675,7 +684,9 @@ let deserialize_then_decompress_11_ (serialized: t_Slice u8)
               =
               Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 8 *! i <: usize) +! sz 2 <: usize)
-                (Libcrux.Kem.Kyber.Compress.decompress_q 11uy coefficient3 <: i32)
+                (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 11uy coefficient3
+                  <:
+                  i32)
             }
             <:
             Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
@@ -688,7 +699,9 @@ let deserialize_then_decompress_11_ (serialized: t_Slice u8)
               =
               Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 8 *! i <: usize) +! sz 3 <: usize)
-                (Libcrux.Kem.Kyber.Compress.decompress_q 11uy coefficient4 <: i32)
+                (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 11uy coefficient4
+                  <:
+                  i32)
             }
             <:
             Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
@@ -701,7 +714,9 @@ let deserialize_then_decompress_11_ (serialized: t_Slice u8)
               =
               Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 8 *! i <: usize) +! sz 4 <: usize)
-                (Libcrux.Kem.Kyber.Compress.decompress_q 11uy coefficient5 <: i32)
+                (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 11uy coefficient5
+                  <:
+                  i32)
             }
             <:
             Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
@@ -717,7 +732,9 @@ let deserialize_then_decompress_11_ (serialized: t_Slice u8)
               =
               Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 8 *! i <: usize) +! sz 5 <: usize)
-                (Libcrux.Kem.Kyber.Compress.decompress_q 11uy coefficient6 <: i32)
+                (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 11uy coefficient6
+                  <:
+                  i32)
             }
             <:
             Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
@@ -730,7 +747,9 @@ let deserialize_then_decompress_11_ (serialized: t_Slice u8)
               =
               Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 8 *! i <: usize) +! sz 6 <: usize)
-                (Libcrux.Kem.Kyber.Compress.decompress_q 11uy coefficient7 <: i32)
+                (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 11uy coefficient7
+                  <:
+                  i32)
             }
             <:
             Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
@@ -743,7 +762,9 @@ let deserialize_then_decompress_11_ (serialized: t_Slice u8)
               =
               Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 8 *! i <: usize) +! sz 7 <: usize)
-                (Libcrux.Kem.Kyber.Compress.decompress_q 11uy coefficient8 <: i32)
+                (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 11uy coefficient8
+                  <:
+                  i32)
             }
             <:
             Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
@@ -777,7 +798,9 @@ let deserialize_then_decompress_4_ (serialized: t_Slice u8)
               =
               Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 (sz 2 *! i <: usize)
-                (Libcrux.Kem.Kyber.Compress.decompress_q 4uy coefficient1 <: i32)
+                (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 4uy coefficient1
+                  <:
+                  i32)
             }
             <:
             Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
@@ -790,7 +813,9 @@ let deserialize_then_decompress_4_ (serialized: t_Slice u8)
               =
               Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 2 *! i <: usize) +! sz 1 <: usize)
-                (Libcrux.Kem.Kyber.Compress.decompress_q 4uy coefficient2 <: i32)
+                (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 4uy coefficient2
+                  <:
+                  i32)
             }
             <:
             Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
@@ -829,7 +854,9 @@ let deserialize_then_decompress_5_ (serialized: t_Slice u8)
               =
               Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 (sz 8 *! i <: usize)
-                (Libcrux.Kem.Kyber.Compress.decompress_q 5uy coefficient1 <: i32)
+                (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 5uy coefficient1
+                  <:
+                  i32)
             }
             <:
             Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
@@ -842,7 +869,9 @@ let deserialize_then_decompress_5_ (serialized: t_Slice u8)
               =
               Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 8 *! i <: usize) +! sz 1 <: usize)
-                (Libcrux.Kem.Kyber.Compress.decompress_q 5uy coefficient2 <: i32)
+                (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 5uy coefficient2
+                  <:
+                  i32)
             }
             <:
             Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
@@ -855,7 +884,9 @@ let deserialize_then_decompress_5_ (serialized: t_Slice u8)
               =
               Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 8 *! i <: usize) +! sz 2 <: usize)
-                (Libcrux.Kem.Kyber.Compress.decompress_q 5uy coefficient3 <: i32)
+                (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 5uy coefficient3
+                  <:
+                  i32)
             }
             <:
             Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
@@ -868,7 +899,9 @@ let deserialize_then_decompress_5_ (serialized: t_Slice u8)
               =
               Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 8 *! i <: usize) +! sz 3 <: usize)
-                (Libcrux.Kem.Kyber.Compress.decompress_q 5uy coefficient4 <: i32)
+                (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 5uy coefficient4
+                  <:
+                  i32)
             }
             <:
             Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
@@ -881,7 +914,9 @@ let deserialize_then_decompress_5_ (serialized: t_Slice u8)
               =
               Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 8 *! i <: usize) +! sz 4 <: usize)
-                (Libcrux.Kem.Kyber.Compress.decompress_q 5uy coefficient5 <: i32)
+                (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 5uy coefficient5
+                  <:
+                  i32)
             }
             <:
             Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
@@ -894,7 +929,9 @@ let deserialize_then_decompress_5_ (serialized: t_Slice u8)
               =
               Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 8 *! i <: usize) +! sz 5 <: usize)
-                (Libcrux.Kem.Kyber.Compress.decompress_q 5uy coefficient6 <: i32)
+                (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 5uy coefficient6
+                  <:
+                  i32)
             }
             <:
             Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
@@ -907,7 +944,9 @@ let deserialize_then_decompress_5_ (serialized: t_Slice u8)
               =
               Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 8 *! i <: usize) +! sz 6 <: usize)
-                (Libcrux.Kem.Kyber.Compress.decompress_q 5uy coefficient7 <: i32)
+                (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 5uy coefficient7
+                  <:
+                  i32)
             }
             <:
             Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
@@ -920,7 +959,9 @@ let deserialize_then_decompress_5_ (serialized: t_Slice u8)
               =
               Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 8 *! i <: usize) +! sz 7 <: usize)
-                (Libcrux.Kem.Kyber.Compress.decompress_q 5uy coefficient8 <: i32)
+                (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 5uy coefficient8
+                  <:
+                  i32)
             }
             <:
             Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
@@ -967,7 +1008,10 @@ let deserialize_then_decompress_message (serialized: t_Array u8 (sz 32))
                     =
                     Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       ((sz 8 *! i <: usize) +! j <: usize)
-                      (Libcrux.Kem.Kyber.Compress.decompress_q 1uy coefficient_compressed <: i32)
+                      (Libcrux.Kem.Kyber.Compress.decompress_message_coefficient coefficient_compressed
+
+                        <:
+                        i32)
                   }
                   <:
                   Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
diff --git a/src/kem/kyber/compress.rs b/src/kem/kyber/compress.rs
index ca3ca475e..68d6db8ef 100644
--- a/src/kem/kyber/compress.rs
+++ b/src/kem/kyber/compress.rs
@@ -9,22 +9,61 @@ fn get_n_least_significant_bits(n: u8, value: u32) -> u32 {
     value & ((1 << n) - 1)
 }
 
-#[cfg_attr(hax, hax_lib_macros::requires(coefficient_bits > 0 && coefficient_bits <= 11 && fe <= (FIELD_MODULUS as u16)))]
+// Return 1 if 833 <= fe <= 2496 and 0 otherwise.
+// The approach used in this function been taken from:
+// https://github.com/cloudflare/circl/blob/main/pke/kyber/internal/common/poly.go#L150
+#[cfg_attr(hax, hax_lib_macros::requires(fe < (FIELD_MODULUS as u16)))]
+pub(super) fn compress_message_coefficient(fe: u16) -> u8 {
+    // If 833 <= fe <= 2496,
+    // then -832 <= shifted <= 831
+    let shifted: i16 = 1664 - (fe as i16);
+
+    // If shifted < 0, then
+    // (shifted >> 15) ^ shifted = flip_bits(shifted) = -shifted - 1, and so
+    // if -832 <= shifted < 0 then 0 < shifted_positive <= 831
+    //
+    // If shifted >= 0 then
+    // (shifted >> 15) ^ shifted = shifted, and so
+    // if 0 <= shifted <= 831 then 0 <= shifted_positive <= 831
+    let shifted_to_positive = (shifted >> 15) ^ shifted;
+
+    let shifted_positive_in_range = shifted_to_positive - 832;
+
+    // If x <= 831, then x - 832 <= -1 => x - 832 < 0.
+    ((shifted_positive_in_range >> 15) & 1) as u8
+}
+
+#[cfg_attr(hax, hax_lib_macros::requires(coefficient_bits > 0 && coefficient_bits <= 11 && fe < (FIELD_MODULUS as u16)))]
 #[cfg_attr(hax, hax_lib_macros::ensures(|result| result >= 0 && result < 2i32.pow(coefficient_bits as u32)))]
-pub(super) fn compress_q(coefficient_bits: u8, fe: u16) -> StandardFieldElement {
+pub(super) fn compress_ciphertext_coefficient(
+    coefficient_bits: u8,
+    fe: u16,
+) -> StandardFieldElement {
     hax_lib::debug_assert!(coefficient_bits > 0 && coefficient_bits <= 11);
     hax_lib::debug_assert!(fe <= (FIELD_MODULUS as u16));
 
     let mut compressed = (fe as u32) << (coefficient_bits + 1);
     compressed += FIELD_MODULUS as u32;
+
+    // N.B.: This division is not constant time since FIELD_MODULUS is prime.
+    // This is fine since we're compressing the coefficients of a public value
+    // (i.e. the ciphertext)
     compressed /= (FIELD_MODULUS << 1) as u32;
 
     get_n_least_significant_bits(coefficient_bits, compressed) as StandardFieldElement
 }
 
+#[cfg_attr(hax, hax_lib_macros::requires((fe == 0) || (fe == 1)))]
+pub(super) fn decompress_message_coefficient(fe: StandardFieldElement) -> StandardFieldElement {
+    -fe & ((FIELD_MODULUS + 1) / 2)
+}
+
 #[cfg_attr(hax, hax_lib_macros::requires(coefficient_bits > 0 && coefficient_bits <= 11 && (fe >= 0) && (fe < 2i32.pow(coefficient_bits as u32))))]
 #[cfg_attr(hax, hax_lib_macros::ensures(|result| result < FIELD_MODULUS))]
-pub(super) fn decompress_q(coefficient_bits: u8, fe: StandardFieldElement) -> StandardFieldElement {
+pub(super) fn decompress_ciphertext_coefficient(
+    coefficient_bits: u8,
+    fe: StandardFieldElement,
+) -> StandardFieldElement {
     hax_lib::debug_assert!(coefficient_bits > 0 && coefficient_bits <= 11);
     hax_lib::debug_assert!(fe >= 0 && fe <= 2i32.pow(coefficient_bits as u32));
 
diff --git a/src/kem/kyber/ind_cpa.rs b/src/kem/kyber/ind_cpa.rs
index 5c72e1793..6abd9b9f0 100644
--- a/src/kem/kyber/ind_cpa.rs
+++ b/src/kem/kyber/ind_cpa.rs
@@ -120,22 +120,14 @@ pub(crate) fn generate_keypair<
     ),
     Option<Error>,
 ) {
-    let mut prf_input: [u8; 33] = [0; 33];
-
-    let mut secret_as_ntt = [PolynomialRingElement::ZERO; K];
-    let mut error_as_ntt = [PolynomialRingElement::ZERO; K];
-
-    // N := 0
-    let mut domain_separator: u8 = 0;
-
     // (ρ,σ) := G(d)
     let hashed = G(key_generation_seed);
     let (seed_for_A, seed_for_secret_and_error) = hashed.split_at(32);
 
     let (A_transpose, sampling_A_error) = sample_matrix_A(into_padded_array(seed_for_A), true);
 
-    let mut prf_input: [u8; 33] = into_padded_array(seed_for_secret_and_error);
-    let (secret_as_ntt, mut domain_separator) =
+    let prf_input: [u8; 33] = into_padded_array(seed_for_secret_and_error);
+    let (secret_as_ntt, domain_separator) =
         sample_vector_cbd_then_ntt::<K, ETA1, ETA1_RANDOMNESS_SIZE>(prf_input, 0);
     let (error_as_ntt, _) =
         sample_vector_cbd_then_ntt::<K, ETA1, ETA1_RANDOMNESS_SIZE>(prf_input, domain_separator);
diff --git a/src/kem/kyber/serialize.rs b/src/kem/kyber/serialize.rs
index bbf60dee2..95e73f52c 100644
--- a/src/kem/kyber/serialize.rs
+++ b/src/kem/kyber/serialize.rs
@@ -1,6 +1,9 @@
 use super::{
     arithmetic::{to_unsigned_representative, PolynomialRingElement, StandardFieldElement},
-    compress::{compress_q, decompress_q},
+    compress::{
+        compress_ciphertext_coefficient, compress_message_coefficient,
+        decompress_ciphertext_coefficient, decompress_message_coefficient,
+    },
     constants::{BYTES_PER_RING_ELEMENT, COEFFICIENTS_IN_RING_ELEMENT, SHARED_SECRET_SIZE},
 };
 
@@ -14,22 +17,9 @@ pub(super) fn compress_then_serialize_message(
         for (j, coefficient) in coefficients.iter().enumerate() {
             let coefficient = to_unsigned_representative(*coefficient);
 
-            let coefficient_compressed = compress_q(1, coefficient);
-
-            // At this point, the following should hold for |coefficient_compressed|:
-            //
-            // if coefficient_compressed == 0 {
-            //     coefficient < 832 ||
-            //     (coefficient >= 2496 && coefficient < 4161)
-            // } else { // coefficient_compressed = 1
-            //     (coefficient >= 832 && coefficient < 2496) ||
-            //     (coefficient >= 4161 && coefficient < 5825)
-            // }
-            //
-            // TODO(xvzcf): When this is turned into an assertion, intermittent
-            // failures arise in the |modified_ciphertext| test. Figure out why.
-
-            serialized[i] |= (coefficient_compressed as u8) << j
+            let coefficient_compressed = compress_message_coefficient(coefficient);
+
+            serialized[i] |= coefficient_compressed << j
         }
     }
 
@@ -44,7 +34,7 @@ pub(super) fn deserialize_then_decompress_message(
     for (i, byte) in serialized.iter().enumerate() {
         for j in 0..8 {
             let coefficient_compressed = ((byte >> j) & 0x1) as StandardFieldElement;
-            re.coefficients[8 * i + j] = decompress_q(1, coefficient_compressed);
+            re.coefficients[8 * i + j] = decompress_message_coefficient(coefficient_compressed);
         }
     }
 
@@ -91,10 +81,14 @@ fn compress_then_serialize_10<const OUT_LEN: usize>(re: PolynomialRingElement) -
     let mut serialized = [0u8; OUT_LEN];
 
     for (i, coefficients) in re.coefficients.chunks_exact(4).enumerate() {
-        let coefficient1 = compress_q(10, to_unsigned_representative(coefficients[0]));
-        let coefficient2 = compress_q(10, to_unsigned_representative(coefficients[1]));
-        let coefficient3 = compress_q(10, to_unsigned_representative(coefficients[2]));
-        let coefficient4 = compress_q(10, to_unsigned_representative(coefficients[3]));
+        let coefficient1 =
+            compress_ciphertext_coefficient(10, to_unsigned_representative(coefficients[0]));
+        let coefficient2 =
+            compress_ciphertext_coefficient(10, to_unsigned_representative(coefficients[1]));
+        let coefficient3 =
+            compress_ciphertext_coefficient(10, to_unsigned_representative(coefficients[2]));
+        let coefficient4 =
+            compress_ciphertext_coefficient(10, to_unsigned_representative(coefficients[3]));
 
         serialized[5 * i] = (coefficient1 & 0xFF) as u8;
         serialized[5 * i + 1] =
@@ -113,14 +107,22 @@ fn compress_then_serialize_11<const OUT_LEN: usize>(re: PolynomialRingElement) -
     let mut serialized = [0u8; OUT_LEN];
 
     for (i, coefficients) in re.coefficients.chunks_exact(8).enumerate() {
-        let coefficient1 = compress_q(11, to_unsigned_representative(coefficients[0]));
-        let coefficient2 = compress_q(11, to_unsigned_representative(coefficients[1]));
-        let coefficient3 = compress_q(11, to_unsigned_representative(coefficients[2]));
-        let coefficient4 = compress_q(11, to_unsigned_representative(coefficients[3]));
-        let coefficient5 = compress_q(11, to_unsigned_representative(coefficients[4]));
-        let coefficient6 = compress_q(11, to_unsigned_representative(coefficients[5]));
-        let coefficient7 = compress_q(11, to_unsigned_representative(coefficients[6]));
-        let coefficient8 = compress_q(11, to_unsigned_representative(coefficients[7]));
+        let coefficient1 =
+            compress_ciphertext_coefficient(11, to_unsigned_representative(coefficients[0]));
+        let coefficient2 =
+            compress_ciphertext_coefficient(11, to_unsigned_representative(coefficients[1]));
+        let coefficient3 =
+            compress_ciphertext_coefficient(11, to_unsigned_representative(coefficients[2]));
+        let coefficient4 =
+            compress_ciphertext_coefficient(11, to_unsigned_representative(coefficients[3]));
+        let coefficient5 =
+            compress_ciphertext_coefficient(11, to_unsigned_representative(coefficients[4]));
+        let coefficient6 =
+            compress_ciphertext_coefficient(11, to_unsigned_representative(coefficients[5]));
+        let coefficient7 =
+            compress_ciphertext_coefficient(11, to_unsigned_representative(coefficients[6]));
+        let coefficient8 =
+            compress_ciphertext_coefficient(11, to_unsigned_representative(coefficients[7]));
 
         serialized[11 * i] = coefficient1 as u8;
         serialized[11 * i + 1] = ((coefficient2 & 0x1F) as u8) << 3 | ((coefficient1 >> 8) as u8);
@@ -158,8 +160,10 @@ fn compress_then_serialize_4<const OUT_LEN: usize>(re: PolynomialRingElement) ->
     let mut serialized = [0u8; OUT_LEN];
 
     for (i, coefficients) in re.coefficients.chunks_exact(2).enumerate() {
-        let coefficient1 = compress_q(4, to_unsigned_representative(coefficients[0])) as u8;
-        let coefficient2 = compress_q(4, to_unsigned_representative(coefficients[1])) as u8;
+        let coefficient1 =
+            compress_ciphertext_coefficient(4, to_unsigned_representative(coefficients[0])) as u8;
+        let coefficient2 =
+            compress_ciphertext_coefficient(4, to_unsigned_representative(coefficients[1])) as u8;
 
         serialized[i] = (coefficient2 << 4) | coefficient1;
     }
@@ -172,14 +176,22 @@ fn compress_then_serialize_5<const OUT_LEN: usize>(re: PolynomialRingElement) ->
     let mut serialized = [0u8; OUT_LEN];
 
     for (i, coefficients) in re.coefficients.chunks_exact(8).enumerate() {
-        let coefficient1 = compress_q(5, to_unsigned_representative(coefficients[0])) as u8;
-        let coefficient2 = compress_q(5, to_unsigned_representative(coefficients[1])) as u8;
-        let coefficient3 = compress_q(5, to_unsigned_representative(coefficients[2])) as u8;
-        let coefficient4 = compress_q(5, to_unsigned_representative(coefficients[3])) as u8;
-        let coefficient5 = compress_q(5, to_unsigned_representative(coefficients[4])) as u8;
-        let coefficient6 = compress_q(5, to_unsigned_representative(coefficients[5])) as u8;
-        let coefficient7 = compress_q(5, to_unsigned_representative(coefficients[6])) as u8;
-        let coefficient8 = compress_q(5, to_unsigned_representative(coefficients[7])) as u8;
+        let coefficient1 =
+            compress_ciphertext_coefficient(5, to_unsigned_representative(coefficients[0])) as u8;
+        let coefficient2 =
+            compress_ciphertext_coefficient(5, to_unsigned_representative(coefficients[1])) as u8;
+        let coefficient3 =
+            compress_ciphertext_coefficient(5, to_unsigned_representative(coefficients[2])) as u8;
+        let coefficient4 =
+            compress_ciphertext_coefficient(5, to_unsigned_representative(coefficients[3])) as u8;
+        let coefficient5 =
+            compress_ciphertext_coefficient(5, to_unsigned_representative(coefficients[4])) as u8;
+        let coefficient6 =
+            compress_ciphertext_coefficient(5, to_unsigned_representative(coefficients[5])) as u8;
+        let coefficient7 =
+            compress_ciphertext_coefficient(5, to_unsigned_representative(coefficients[6])) as u8;
+        let coefficient8 =
+            compress_ciphertext_coefficient(5, to_unsigned_representative(coefficients[7])) as u8;
 
         serialized[5 * i] = (coefficient2 & 0x7) << 5 | coefficient1;
         serialized[5 * i + 1] =
@@ -222,16 +234,16 @@ fn deserialize_then_decompress_10(serialized: &[u8]) -> PolynomialRingElement {
         let byte5 = bytes[4] as StandardFieldElement;
 
         let coefficient1 = (byte2 & 0x03) << 8 | (byte1 & 0xFF);
-        re.coefficients[4 * i] = decompress_q(10, coefficient1);
+        re.coefficients[4 * i] = decompress_ciphertext_coefficient(10, coefficient1);
 
         let coefficient2 = (byte3 & 0x0F) << 6 | (byte2 >> 2);
-        re.coefficients[4 * i + 1] = decompress_q(10, coefficient2);
+        re.coefficients[4 * i + 1] = decompress_ciphertext_coefficient(10, coefficient2);
 
         let coefficient3 = (byte4 & 0x3F) << 4 | (byte3 >> 4);
-        re.coefficients[4 * i + 2] = decompress_q(10, coefficient3);
+        re.coefficients[4 * i + 2] = decompress_ciphertext_coefficient(10, coefficient3);
 
         let coefficient4 = (byte5 << 2) | (byte4 >> 6);
-        re.coefficients[4 * i + 3] = decompress_q(10, coefficient4);
+        re.coefficients[4 * i + 3] = decompress_ciphertext_coefficient(10, coefficient4);
     }
 
     re
@@ -256,28 +268,28 @@ fn deserialize_then_decompress_11(serialized: &[u8]) -> PolynomialRingElement {
         let byte11 = bytes[10] as StandardFieldElement;
 
         let coefficient1 = (byte2 & 0x7) << 8 | byte1;
-        re.coefficients[8 * i] = decompress_q(11, coefficient1);
+        re.coefficients[8 * i] = decompress_ciphertext_coefficient(11, coefficient1);
 
         let coefficient2 = (byte3 & 0x3F) << 5 | (byte2 >> 3);
-        re.coefficients[8 * i + 1] = decompress_q(11, coefficient2);
+        re.coefficients[8 * i + 1] = decompress_ciphertext_coefficient(11, coefficient2);
 
         let coefficient3 = (byte5 & 0x1) << 10 | (byte4 << 2) | (byte3 >> 6);
-        re.coefficients[8 * i + 2] = decompress_q(11, coefficient3);
+        re.coefficients[8 * i + 2] = decompress_ciphertext_coefficient(11, coefficient3);
 
         let coefficient4 = (byte6 & 0xF) << 7 | (byte5 >> 1);
-        re.coefficients[8 * i + 3] = decompress_q(11, coefficient4);
+        re.coefficients[8 * i + 3] = decompress_ciphertext_coefficient(11, coefficient4);
 
         let coefficient5 = (byte7 & 0x7F) << 4 | (byte6 >> 4);
-        re.coefficients[8 * i + 4] = decompress_q(11, coefficient5);
+        re.coefficients[8 * i + 4] = decompress_ciphertext_coefficient(11, coefficient5);
 
         let coefficient6 = (byte9 & 0x3) << 9 | (byte8 << 1) | (byte7 >> 7);
-        re.coefficients[8 * i + 5] = decompress_q(11, coefficient6);
+        re.coefficients[8 * i + 5] = decompress_ciphertext_coefficient(11, coefficient6);
 
         let coefficient7 = (byte10 & 0x1F) << 6 | (byte9 >> 2);
-        re.coefficients[8 * i + 6] = decompress_q(11, coefficient7);
+        re.coefficients[8 * i + 6] = decompress_ciphertext_coefficient(11, coefficient7);
 
         let coefficient8 = (byte11 << 3) | (byte10 >> 5);
-        re.coefficients[8 * i + 7] = decompress_q(11, coefficient8);
+        re.coefficients[8 * i + 7] = decompress_ciphertext_coefficient(11, coefficient8);
     }
 
     re
@@ -305,10 +317,10 @@ fn deserialize_then_decompress_4(serialized: &[u8]) -> PolynomialRingElement {
 
     for (i, byte) in serialized.iter().enumerate() {
         let coefficient1 = (byte & 0x0F) as StandardFieldElement;
-        re.coefficients[2 * i] = decompress_q(4, coefficient1);
+        re.coefficients[2 * i] = decompress_ciphertext_coefficient(4, coefficient1);
 
         let coefficient2 = ((byte >> 4) & 0x0F) as StandardFieldElement;
-        re.coefficients[2 * i + 1] = decompress_q(4, coefficient2);
+        re.coefficients[2 * i + 1] = decompress_ciphertext_coefficient(4, coefficient2);
     }
 
     re
@@ -327,28 +339,28 @@ fn deserialize_then_decompress_5(serialized: &[u8]) -> PolynomialRingElement {
         let byte5 = bytes[4] as StandardFieldElement;
 
         let coefficient1 = byte1 & 0x1F;
-        re.coefficients[8 * i] = decompress_q(5, coefficient1);
+        re.coefficients[8 * i] = decompress_ciphertext_coefficient(5, coefficient1);
 
         let coefficient2 = (byte2 & 0x3) << 3 | (byte1 >> 5);
-        re.coefficients[8 * i + 1] = decompress_q(5, coefficient2);
+        re.coefficients[8 * i + 1] = decompress_ciphertext_coefficient(5, coefficient2);
 
         let coefficient3 = (byte2 >> 2) & 0x1F;
-        re.coefficients[8 * i + 2] = decompress_q(5, coefficient3);
+        re.coefficients[8 * i + 2] = decompress_ciphertext_coefficient(5, coefficient3);
 
         let coefficient4 = ((byte3 & 0xF) << 1) | (byte2 >> 7);
-        re.coefficients[8 * i + 3] = decompress_q(5, coefficient4);
+        re.coefficients[8 * i + 3] = decompress_ciphertext_coefficient(5, coefficient4);
 
         let coefficient5 = ((byte4 & 1) << 4) | (byte3 >> 4);
-        re.coefficients[8 * i + 4] = decompress_q(5, coefficient5);
+        re.coefficients[8 * i + 4] = decompress_ciphertext_coefficient(5, coefficient5);
 
         let coefficient6 = (byte4 >> 1) & 0x1F;
-        re.coefficients[8 * i + 5] = decompress_q(5, coefficient6);
+        re.coefficients[8 * i + 5] = decompress_ciphertext_coefficient(5, coefficient6);
 
         let coefficient7 = ((byte5 & 0x7) << 2) | (byte4 >> 6);
-        re.coefficients[8 * i + 6] = decompress_q(5, coefficient7);
+        re.coefficients[8 * i + 6] = decompress_ciphertext_coefficient(5, coefficient7);
 
         let coefficient8 = byte5 >> 3;
-        re.coefficients[8 * i + 7] = decompress_q(5, coefficient8);
+        re.coefficients[8 * i + 7] = decompress_ciphertext_coefficient(5, coefficient8);
     }
 
     re

From 24be1ba9c6be4e78247c064cd56e5a9e2d1b0b23 Mon Sep 17 00:00:00 2001
From: xvzcf <xvzcf@users.noreply.github.com>
Date: Wed, 22 Nov 2023 10:44:36 -0500
Subject: [PATCH 09/24] Refine preconditions in compress.

---
 .../extraction/Libcrux.Kem.Kyber.Compress.fst |  9 +++++---
 src/kem/kyber/compress.rs                     | 22 ++++++++++++++-----
 2 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Compress.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Compress.fst
index a5a565dd8..08754594d 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Compress.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Compress.fst
@@ -14,7 +14,7 @@ let compress_message_coefficient (fe: u16)
 
 let get_n_least_significant_bits (n: u8) (value: u32)
     : Prims.Pure u32
-      (requires n >. 0uy && n <=. 11uy)
+      (requires n =. 4uy || n =. 5uy || n =. 10uy || n =. 11uy)
       (ensures
         fun result ->
           let result:u32 = result in
@@ -25,7 +25,8 @@ let get_n_least_significant_bits (n: u8) (value: u32)
 let compress_ciphertext_coefficient (coefficient_bits: u8) (fe: u16)
     : Prims.Pure i32
       (requires
-        coefficient_bits >. 0uy && coefficient_bits <=. 11uy &&
+        (coefficient_bits =. 4uy || coefficient_bits =. 5uy || coefficient_bits =. 10uy ||
+        coefficient_bits =. 11uy) &&
         fe <. (cast (Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32) <: u16))
       (ensures
         fun result ->
@@ -46,7 +47,9 @@ let compress_ciphertext_coefficient (coefficient_bits: u8) (fe: u16)
 let decompress_ciphertext_coefficient (coefficient_bits: u8) (fe: i32)
     : Prims.Pure i32
       (requires
-        coefficient_bits >. 0uy && coefficient_bits <=. 11uy && fe >=. 0l &&
+        (coefficient_bits =. 4uy || coefficient_bits =. 5uy || coefficient_bits =. 10uy ||
+        coefficient_bits =. 11uy) &&
+        fe >=. 0l &&
         fe <. (Core.Num.impl__i32__pow 2l (cast (coefficient_bits <: u8) <: u32) <: i32))
       (ensures
         fun result ->
diff --git a/src/kem/kyber/compress.rs b/src/kem/kyber/compress.rs
index 68d6db8ef..6b2a917a1 100644
--- a/src/kem/kyber/compress.rs
+++ b/src/kem/kyber/compress.rs
@@ -1,10 +1,10 @@
 use super::{arithmetic::StandardFieldElement, constants::FIELD_MODULUS};
 
-#[cfg_attr(hax, hax_lib_macros::requires(n > 0 && n <= 11))]
+#[cfg_attr(hax, hax_lib_macros::requires(n == 4 || n == 5 || n == 10 || n == 11))]
 #[cfg_attr(hax, hax_lib_macros::ensures(|result| result < 2u32.pow(n.into())))]
 #[inline(always)]
 fn get_n_least_significant_bits(n: u8, value: u32) -> u32 {
-    hax_lib::debug_assert!(n > 0 && n <= 11);
+    hax_lib::debug_assert!(n == 4 || n == 5 || n == 10 || n == 11);
 
     value & ((1 << n) - 1)
 }
@@ -33,13 +33,18 @@ pub(super) fn compress_message_coefficient(fe: u16) -> u8 {
     ((shifted_positive_in_range >> 15) & 1) as u8
 }
 
-#[cfg_attr(hax, hax_lib_macros::requires(coefficient_bits > 0 && coefficient_bits <= 11 && fe < (FIELD_MODULUS as u16)))]
+#[cfg_attr(hax, hax_lib_macros::requires((coefficient_bits == 4 || coefficient_bits == 5 || coefficient_bits == 10 || coefficient_bits == 11) && fe < (FIELD_MODULUS as u16)))]
 #[cfg_attr(hax, hax_lib_macros::ensures(|result| result >= 0 && result < 2i32.pow(coefficient_bits as u32)))]
 pub(super) fn compress_ciphertext_coefficient(
     coefficient_bits: u8,
     fe: u16,
 ) -> StandardFieldElement {
-    hax_lib::debug_assert!(coefficient_bits > 0 && coefficient_bits <= 11);
+    hax_lib::debug_assert!(
+        coefficient_bits == 4
+            || coefficient_bits == 5
+            || coefficient_bits == 10
+            || coefficient_bits == 11
+    );
     hax_lib::debug_assert!(fe <= (FIELD_MODULUS as u16));
 
     let mut compressed = (fe as u32) << (coefficient_bits + 1);
@@ -58,13 +63,18 @@ pub(super) fn decompress_message_coefficient(fe: StandardFieldElement) -> Standa
     -fe & ((FIELD_MODULUS + 1) / 2)
 }
 
-#[cfg_attr(hax, hax_lib_macros::requires(coefficient_bits > 0 && coefficient_bits <= 11 && (fe >= 0) && (fe < 2i32.pow(coefficient_bits as u32))))]
+#[cfg_attr(hax, hax_lib_macros::requires((coefficient_bits == 4 || coefficient_bits == 5 || coefficient_bits == 10 || coefficient_bits == 11) && (fe >= 0) && (fe < 2i32.pow(coefficient_bits as u32))))]
 #[cfg_attr(hax, hax_lib_macros::ensures(|result| result < FIELD_MODULUS))]
 pub(super) fn decompress_ciphertext_coefficient(
     coefficient_bits: u8,
     fe: StandardFieldElement,
 ) -> StandardFieldElement {
-    hax_lib::debug_assert!(coefficient_bits > 0 && coefficient_bits <= 11);
+    hax_lib::debug_assert!(
+        coefficient_bits == 4
+            || coefficient_bits == 5
+            || coefficient_bits == 10
+            || coefficient_bits == 11
+    );
     hax_lib::debug_assert!(fe >= 0 && fe <= 2i32.pow(coefficient_bits as u32));
 
     let mut decompressed = (fe as u32) * (FIELD_MODULUS as u32);

From 2c3b985bacd37d7c8a7717a17c6d551cbb341c1e Mon Sep 17 00:00:00 2001
From: xvzcf <xvzcf@users.noreply.github.com>
Date: Wed, 22 Nov 2023 11:48:58 -0500
Subject: [PATCH 10/24] Convert (invert_)ntt_at_layer macros to functions.

---
 .../extraction/Libcrux.Kem.Kyber.Ntt.fst      | 1780 ++++-------------
 src/kem/kyber/compress.rs                     |    2 +
 src/kem/kyber/ntt.rs                          |  163 +-
 3 files changed, 447 insertions(+), 1498 deletions(-)

diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ntt.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ntt.fst
index fde6e6bb8..59eb2a53a 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ntt.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ntt.fst
@@ -31,12 +31,14 @@ let ntt_multiply_binomials (a0, a1: (i32 & i32)) (b0, b1: (i32 & i32)) (zeta: i3
   <:
   (i32 & i32)
 
-let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
-    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-  let _:Prims.unit = () <: Prims.unit in
-  let zeta_i:usize = Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! sz 2 in
-  let step:usize = sz 1 <<! 1l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+let invert_ntt_at_layer
+      (layer: u8)
+      (zetas_index: usize)
+      (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
+      (initial_coefficient_bound: i32)
+    : (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+  let step:usize = sz 1 <<! layer in
+  let re, zetas_index:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = sz 128 /! step <: usize
@@ -45,11 +47,13 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+      (re, zetas_index <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
       (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
+          let re, zetas_index:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+            temp_0_
+          in
           let round:usize = round in
-          let zeta_i:usize = zeta_i -! sz 1 in
+          let zetas_index:usize = zetas_index -! sz 1 in
           let offset:usize = (round *! step <: usize) *! sz 2 in
           let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
@@ -93,7 +97,7 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
                       Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *!
-                              (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
+                              (v_ZETAS_TIMES_MONTGOMERY_R.[ zetas_index ] <: i32)
                               <:
                               i32)
                           <:
@@ -104,81 +108,102 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
                   in
                   re)
           in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+          re, zetas_index <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+  in
+  let _:Prims.unit = () <: Prims.unit in
+  let _:Prims.unit = () <: Prims.unit in
+  re, zetas_index <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize)
+
+let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
+    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+  let initial_coefficient_bound:i32 =
+    (cast (v_K <: usize) <: i32) *! Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS
+  in
+  let _:Prims.unit = () <: Prims.unit in
+  let zetas_index:usize = Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! sz 2 in
+  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    invert_ntt_at_layer 1uy zetas_index re initial_coefficient_bound
+  in
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
+  let zetas_index:usize = lhs in
+  let _:Prims.unit = () in
+  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    invert_ntt_at_layer 2uy zetas_index re initial_coefficient_bound
+  in
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
+  let zetas_index:usize = lhs in
+  let _:Prims.unit = () in
+  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    invert_ntt_at_layer 3uy zetas_index re initial_coefficient_bound
+  in
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
+  let zetas_index:usize = lhs in
+  let _:Prims.unit = () in
+  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    invert_ntt_at_layer 4uy zetas_index re initial_coefficient_bound
   in
-  let step:usize = sz 1 <<! 2l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
+  let zetas_index:usize = lhs in
+  let _:Prims.unit = () in
+  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    invert_ntt_at_layer 5uy zetas_index re initial_coefficient_bound
+  in
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
+  let zetas_index:usize = lhs in
+  let _:Prims.unit = () in
+  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    invert_ntt_at_layer 6uy zetas_index re initial_coefficient_bound
+  in
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
+  let zetas_index:usize = lhs in
+  let _:Prims.unit = () in
+  let lhs, _:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    invert_ntt_at_layer 7uy zetas_index re initial_coefficient_bound
+  in
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
+  let _:Prims.unit = () in
+  let _:Prims.unit = () <: Prims.unit in
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = sz 128 /! step <: usize
+              Core.Ops.Range.f_end = sz 8
             }
             <:
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
-          let round:usize = round in
-          let zeta_i:usize = zeta_i -! sz 1 in
-          let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-                      Core.Ops.Range.f_start = offset;
-                      Core.Ops.Range.f_end = offset +! step <: usize
-                    }
+      re
+      (fun re i ->
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
+          let i:usize = i in
+          {
+            re with
+            Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+            =
+            Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              i
+              (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce (re
+                      .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ]
                     <:
-                    Core.Ops.Range.t_Range usize)
+                    i32)
                 <:
-                Core.Ops.Range.t_Range usize)
-              re
-              (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
-                  let j:usize = j in
-                  let a_minus_b:i32 =
-                    (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ] <: i32) -!
-                    (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32)
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        j
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +!
-                          (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                            <:
-                            i32)
-                          <:
-                          i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        (j +! step <: usize)
-                        (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *!
-                              (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-                              <:
-                              i32)
-                          <:
-                          i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  re)
-          in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+                i32)
+            <:
+            t_Array i32 (sz 256)
+          }
+          <:
+          Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
   in
-  let step:usize = sz 1 <<! 3l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+  re
+
+let ntt_at_layer
+      (layer: u8)
+      (zetas_index: usize)
+      (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
+      (initial_coefficient_bound: i32)
+    : (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+  let step:usize = sz 1 <<! layer in
+  let re, zetas_index:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = sz 128 /! step <: usize
@@ -187,11 +212,13 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+      (re, zetas_index <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
       (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
+          let re, zetas_index:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+            temp_0_
+          in
           let round:usize = round in
-          let zeta_i:usize = zeta_i -! sz 1 in
+          let zetas_index:usize = zetas_index +! sz 1 in
           let offset:usize = (round *! step <: usize) *! sz 2 in
           let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
@@ -206,9 +233,12 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
               (fun re j ->
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
-                  let a_minus_b:i32 =
-                    (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ] <: i32) -!
-                    (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32)
+                  let t:i32 =
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
+                        <:
+                        i32)
+                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zetas_index ] <: i32)
                   in
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
@@ -216,13 +246,8 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
                       Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        j
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +!
-                          (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                            <:
-                            i32)
-                          <:
-                          i32)
+                        (j +! step <: usize)
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
                     }
                     <:
                     Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
@@ -233,1384 +258,295 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
                       Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        (j +! step <: usize)
-                        (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *!
-                              (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-                              <:
-                              i32)
-                          <:
-                          i32)
+                        j
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
                     }
                     <:
                     Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
                   re)
           in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+          re, zetas_index <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
   in
-  let step:usize = sz 1 <<! 4l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+  let _:Prims.unit = () <: Prims.unit in
+  re, zetas_index <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize)
+
+let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
+    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+  let _:Prims.unit = () <: Prims.unit in
+  let zetas_index:usize = sz 0 in
+  let zetas_index:usize = zetas_index +! sz 1 in
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = sz 128 /! step <: usize
+              Core.Ops.Range.f_end = sz 128
             }
             <:
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
-          let round:usize = round in
-          let zeta_i:usize = zeta_i -! sz 1 in
-          let offset:usize = (round *! step <: usize) *! sz 2 in
+      re
+      (fun re j ->
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
+          let j:usize = j in
+          let t:i32 =
+            (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! sz 128 <: usize ] <: i32) *!
+            (-1600l)
+          in
           let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-                      Core.Ops.Range.f_start = offset;
-                      Core.Ops.Range.f_end = offset +! step <: usize
-                    }
-                    <:
-                    Core.Ops.Range.t_Range usize)
-                <:
-                Core.Ops.Range.t_Range usize)
-              re
-              (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
-                  let j:usize = j in
-                  let a_minus_b:i32 =
-                    (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ] <: i32) -!
-                    (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32)
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        j
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +!
-                          (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                            <:
-                            i32)
-                          <:
-                          i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        (j +! step <: usize)
-                        (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *!
-                              (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-                              <:
-                              i32)
-                          <:
-                          i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  re)
+            {
+              re with
+              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              =
+              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                (j +! sz 128 <: usize)
+                ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
+            }
+            <:
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+          in
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+            {
+              re with
+              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              =
+              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                j
+                ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
+            }
+            <:
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+          re)
+  in
+  let _:Prims.unit = () <: Prims.unit in
+  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    ntt_at_layer 6uy zetas_index re 3l
+  in
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
+  let zetas_index:usize = lhs in
+  let _:Prims.unit = () in
+  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    ntt_at_layer 5uy zetas_index re 3l
+  in
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
+  let zetas_index:usize = lhs in
+  let _:Prims.unit = () in
+  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    ntt_at_layer 4uy zetas_index re 3l
+  in
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
+  let zetas_index:usize = lhs in
+  let _:Prims.unit = () in
+  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    ntt_at_layer 3uy zetas_index re 3l
+  in
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
+  let zetas_index:usize = lhs in
+  let _:Prims.unit = () in
+  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    ntt_at_layer 2uy zetas_index re 3l
+  in
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
+  let zetas_index:usize = lhs in
+  let _:Prims.unit = () in
+  let lhs, _:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    ntt_at_layer 1uy zetas_index re 3l
+  in
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
+  let _:Prims.unit = () in
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+    {
+      re with
+      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+      =
+      Core.Array.impl_23__map (sz 256)
+        re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+        Libcrux.Kem.Kyber.Arithmetic.barrett_reduce
+    }
+    <:
+    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+  in
+  re
+
+let ntt_multiply (left right: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
+    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+  let _:Prims.unit = () <: Prims.unit in
+  let _:Prims.unit = () <: Prims.unit in
+  let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+    Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO
   in
-  let step:usize = sz 1 <<! 5l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+  let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = sz 128 /! step <: usize
+              Core.Ops.Range.f_end
+              =
+              Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! sz 4 <: usize
             }
             <:
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
-          let round:usize = round in
-          let zeta_i:usize = zeta_i -! sz 1 in
-          let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-                      Core.Ops.Range.f_start = offset;
-                      Core.Ops.Range.f_end = offset +! step <: usize
-                    }
-                    <:
-                    Core.Ops.Range.t_Range usize)
-                <:
-                Core.Ops.Range.t_Range usize)
-              re
-              (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
-                  let j:usize = j in
-                  let a_minus_b:i32 =
-                    (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ] <: i32) -!
-                    (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32)
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        j
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +!
-                          (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                            <:
-                            i32)
-                          <:
-                          i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        (j +! step <: usize)
-                        (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *!
-                              (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-                              <:
-                              i32)
-                          <:
-                          i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  re)
-          in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-  in
-  let step:usize = sz 1 <<! 6l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = sz 128 /! step <: usize
-            }
-            <:
-            Core.Ops.Range.t_Range usize)
-        <:
-        Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
-          let round:usize = round in
-          let zeta_i:usize = zeta_i -! sz 1 in
-          let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-                      Core.Ops.Range.f_start = offset;
-                      Core.Ops.Range.f_end = offset +! step <: usize
-                    }
-                    <:
-                    Core.Ops.Range.t_Range usize)
-                <:
-                Core.Ops.Range.t_Range usize)
-              re
-              (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
-                  let j:usize = j in
-                  let a_minus_b:i32 =
-                    (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ] <: i32) -!
-                    (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32)
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        j
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +!
-                          (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                            <:
-                            i32)
-                          <:
-                          i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        (j +! step <: usize)
-                        (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *!
-                              (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-                              <:
-                              i32)
-                          <:
-                          i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  re)
-          in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-  in
-  let step:usize = sz 1 <<! 7l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = sz 128 /! step <: usize
-            }
-            <:
-            Core.Ops.Range.t_Range usize)
-        <:
-        Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
-          let round:usize = round in
-          let zeta_i:usize = zeta_i -! sz 1 in
-          let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-                      Core.Ops.Range.f_start = offset;
-                      Core.Ops.Range.f_end = offset +! step <: usize
-                    }
-                    <:
-                    Core.Ops.Range.t_Range usize)
-                <:
-                Core.Ops.Range.t_Range usize)
-              re
-              (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
-                  let j:usize = j in
-                  let a_minus_b:i32 =
-                    (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ] <: i32) -!
-                    (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32)
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        j
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +!
-                          (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                            <:
-                            i32)
-                          <:
-                          i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        (j +! step <: usize)
-                        (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *!
-                              (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-                              <:
-                              i32)
-                          <:
-                          i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  re)
-          in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-  in
-  let _:Prims.unit = () <: Prims.unit in
-  let _:Prims.unit = () <: Prims.unit in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = sz 8
-            }
-            <:
-            Core.Ops.Range.t_Range usize)
-        <:
-        Core.Ops.Range.t_Range usize)
-      re
-      (fun re i ->
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
-          let i:usize = i in
-          {
-            re with
-            Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-            =
-            Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-              i
-              (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce (re
-                      .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ]
-                    <:
-                    i32)
-                <:
-                i32)
-            <:
-            t_Array i32 (sz 256)
-          }
-          <:
-          Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
-  in
-  re
-
-let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
-    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-  let _:Prims.unit = () <: Prims.unit in
-  let zeta_i:usize = sz 0 in
-  let zeta_i:usize = zeta_i +! sz 1 in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = sz 128
-            }
-            <:
-            Core.Ops.Range.t_Range usize)
-        <:
-        Core.Ops.Range.t_Range usize)
-      re
-      (fun re j ->
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
-          let j:usize = j in
-          let t:i32 =
-            (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! sz 128 <: usize ] <: i32) *!
-            (-1600l)
-          in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            {
-              re with
-              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-              =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                (j +! sz 128 <: usize)
-                ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
-            }
-            <:
-            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-          in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            {
-              re with
-              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-              =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                j
-                ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
-            }
-            <:
-            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-          in
-          re)
-  in
-  let _:Prims.unit = () <: Prims.unit in
-  let step:usize = sz 1 <<! 6l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = sz 128 /! step <: usize
-            }
-            <:
-            Core.Ops.Range.t_Range usize)
-        <:
-        Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
-          let round:usize = round in
-          let zeta_i:usize = zeta_i +! sz 1 in
-          let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-                      Core.Ops.Range.f_start = offset;
-                      Core.Ops.Range.f_end = offset +! step <: usize
-                    }
-                    <:
-                    Core.Ops.Range.t_Range usize)
-                <:
-                Core.Ops.Range.t_Range usize)
-              re
-              (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
-                  let j:usize = j in
-                  let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
-                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                        <:
-                        i32)
-                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        (j +! step <: usize)
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        j
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  re)
-          in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-  in
-  let _:Prims.unit = () <: Prims.unit in
-  let step:usize = sz 1 <<! 5l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = sz 128 /! step <: usize
-            }
-            <:
-            Core.Ops.Range.t_Range usize)
-        <:
-        Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
-          let round:usize = round in
-          let zeta_i:usize = zeta_i +! sz 1 in
-          let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-                      Core.Ops.Range.f_start = offset;
-                      Core.Ops.Range.f_end = offset +! step <: usize
-                    }
-                    <:
-                    Core.Ops.Range.t_Range usize)
-                <:
-                Core.Ops.Range.t_Range usize)
-              re
-              (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
-                  let j:usize = j in
-                  let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
-                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                        <:
-                        i32)
-                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        (j +! step <: usize)
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        j
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  re)
-          in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-  in
-  let _:Prims.unit = () <: Prims.unit in
-  let step:usize = sz 1 <<! 4l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = sz 128 /! step <: usize
-            }
-            <:
-            Core.Ops.Range.t_Range usize)
-        <:
-        Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
-          let round:usize = round in
-          let zeta_i:usize = zeta_i +! sz 1 in
-          let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-                      Core.Ops.Range.f_start = offset;
-                      Core.Ops.Range.f_end = offset +! step <: usize
-                    }
-                    <:
-                    Core.Ops.Range.t_Range usize)
-                <:
-                Core.Ops.Range.t_Range usize)
-              re
-              (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
-                  let j:usize = j in
-                  let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
-                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                        <:
-                        i32)
-                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        (j +! step <: usize)
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        j
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  re)
-          in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-  in
-  let _:Prims.unit = () <: Prims.unit in
-  let step:usize = sz 1 <<! 3l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = sz 128 /! step <: usize
-            }
-            <:
-            Core.Ops.Range.t_Range usize)
-        <:
-        Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
-          let round:usize = round in
-          let zeta_i:usize = zeta_i +! sz 1 in
-          let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-                      Core.Ops.Range.f_start = offset;
-                      Core.Ops.Range.f_end = offset +! step <: usize
-                    }
-                    <:
-                    Core.Ops.Range.t_Range usize)
-                <:
-                Core.Ops.Range.t_Range usize)
-              re
-              (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
-                  let j:usize = j in
-                  let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
-                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                        <:
-                        i32)
-                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        (j +! step <: usize)
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        j
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  re)
-          in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-  in
-  let _:Prims.unit = () <: Prims.unit in
-  let step:usize = sz 1 <<! 2l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = sz 128 /! step <: usize
-            }
-            <:
-            Core.Ops.Range.t_Range usize)
-        <:
-        Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
-          let round:usize = round in
-          let zeta_i:usize = zeta_i +! sz 1 in
-          let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-                      Core.Ops.Range.f_start = offset;
-                      Core.Ops.Range.f_end = offset +! step <: usize
-                    }
-                    <:
-                    Core.Ops.Range.t_Range usize)
-                <:
-                Core.Ops.Range.t_Range usize)
-              re
-              (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
-                  let j:usize = j in
-                  let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
-                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                        <:
-                        i32)
-                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        (j +! step <: usize)
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        j
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  re)
-          in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-  in
-  let _:Prims.unit = () <: Prims.unit in
-  let step:usize = sz 1 <<! 1l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = sz 128 /! step <: usize
-            }
-            <:
-            Core.Ops.Range.t_Range usize)
-        <:
-        Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
-          let round:usize = round in
-          let zeta_i:usize = zeta_i +! sz 1 in
-          let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-                      Core.Ops.Range.f_start = offset;
-                      Core.Ops.Range.f_end = offset +! step <: usize
-                    }
-                    <:
-                    Core.Ops.Range.t_Range usize)
-                <:
-                Core.Ops.Range.t_Range usize)
-              re
-              (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
-                  let j:usize = j in
-                  let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
-                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                        <:
-                        i32)
-                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        (j +! step <: usize)
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        j
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  re)
-          in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-  in
-  let _:Prims.unit = () <: Prims.unit in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-    {
-      re with
-      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-      =
-      Core.Array.impl_23__map (sz 256)
-        re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-        Libcrux.Kem.Kyber.Arithmetic.barrett_reduce
-    }
-    <:
-    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-  in
-  re
-
-let ntt_multiply (left right: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
-    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-  let _:Prims.unit = () <: Prims.unit in
-  let _:Prims.unit = () <: Prims.unit in
-  let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-    Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO
-  in
-  let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end
-              =
-              Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! sz 4 <: usize
-            }
-            <:
-            Core.Ops.Range.t_Range usize)
-        <:
-        Core.Ops.Range.t_Range usize)
-      out
-      (fun out i ->
-          let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = out in
-          let i:usize = i in
-          let product:(i32 & i32) =
-            ntt_multiply_binomials ((left.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ sz 4 *! i
-                    <:
-                    usize ]
-                  <:
-                  i32),
-                (left.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! sz 1
-                    <:
-                    usize ]
-                  <:
-                  i32)
-                <:
-                (i32 & i32))
-              ((right.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ sz 4 *! i <: usize ] <: i32),
-                (right.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! sz 1
-                    <:
-                    usize ]
-                  <:
-                  i32)
-                <:
-                (i32 & i32))
-              (v_ZETAS_TIMES_MONTGOMERY_R.[ sz 64 +! i <: usize ] <: i32)
-          in
-          let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            {
-              out with
-              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-              =
-              Rust_primitives.Hax.update_at out.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                (sz 4 *! i <: usize)
-                product._1
-            }
-            <:
-            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-          in
-          let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            {
-              out with
-              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-              =
-              Rust_primitives.Hax.update_at out.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                ((sz 4 *! i <: usize) +! sz 1 <: usize)
-                product._2
-            }
-            <:
-            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-          in
-          let product:(i32 & i32) =
-            ntt_multiply_binomials ((left.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i
-                      <:
-                      usize) +!
-                    sz 2
-                    <:
-                    usize ]
-                  <:
-                  i32),
-                (left.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! sz 3
-                    <:
-                    usize ]
-                  <:
-                  i32)
-                <:
-                (i32 & i32))
-              ((right.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! sz 2
-                    <:
-                    usize ]
-                  <:
-                  i32),
-                (right.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! sz 3
-                    <:
-                    usize ]
-                  <:
-                  i32)
-                <:
-                (i32 & i32))
-              (Core.Ops.Arith.Neg.neg (v_ZETAS_TIMES_MONTGOMERY_R.[ sz 64 +! i <: usize ] <: i32)
-                <:
-                i32)
-          in
-          let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            {
-              out with
-              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-              =
-              Rust_primitives.Hax.update_at out.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                ((sz 4 *! i <: usize) +! sz 2 <: usize)
-                product._1
-            }
-            <:
-            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-          in
-          let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            {
-              out with
-              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-              =
-              Rust_primitives.Hax.update_at out.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                ((sz 4 *! i <: usize) +! sz 3 <: usize)
-                product._2
-            }
-            <:
-            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-          in
-          out)
-  in
-  let _:Prims.unit = () <: Prims.unit in
-  out
-
-let ntt_vector_u
-      (v_VECTOR_U_COMPRESSION_FACTOR: usize)
-      (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
-    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-  let _:Prims.unit = () <: Prims.unit in
-  let zeta_i:usize = sz 0 in
-  let step:usize = sz 1 <<! 7l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = sz 128 /! step <: usize
-            }
-            <:
-            Core.Ops.Range.t_Range usize)
-        <:
-        Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
-          let round:usize = round in
-          let zeta_i:usize = zeta_i +! sz 1 in
-          let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-                      Core.Ops.Range.f_start = offset;
-                      Core.Ops.Range.f_end = offset +! step <: usize
-                    }
-                    <:
-                    Core.Ops.Range.t_Range usize)
-                <:
-                Core.Ops.Range.t_Range usize)
-              re
-              (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
-                  let j:usize = j in
-                  let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
-                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                        <:
-                        i32)
-                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        (j +! step <: usize)
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        j
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  re)
-          in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-  in
-  let _:Prims.unit = () <: Prims.unit in
-  let step:usize = sz 1 <<! 6l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = sz 128 /! step <: usize
-            }
-            <:
-            Core.Ops.Range.t_Range usize)
-        <:
-        Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
-          let round:usize = round in
-          let zeta_i:usize = zeta_i +! sz 1 in
-          let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-                      Core.Ops.Range.f_start = offset;
-                      Core.Ops.Range.f_end = offset +! step <: usize
-                    }
-                    <:
-                    Core.Ops.Range.t_Range usize)
-                <:
-                Core.Ops.Range.t_Range usize)
-              re
-              (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
-                  let j:usize = j in
-                  let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
-                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                        <:
-                        i32)
-                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        (j +! step <: usize)
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        j
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  re)
-          in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-  in
-  let _:Prims.unit = () <: Prims.unit in
-  let step:usize = sz 1 <<! 5l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = sz 128 /! step <: usize
-            }
-            <:
-            Core.Ops.Range.t_Range usize)
-        <:
-        Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
-          let round:usize = round in
-          let zeta_i:usize = zeta_i +! sz 1 in
-          let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-                      Core.Ops.Range.f_start = offset;
-                      Core.Ops.Range.f_end = offset +! step <: usize
-                    }
-                    <:
-                    Core.Ops.Range.t_Range usize)
-                <:
-                Core.Ops.Range.t_Range usize)
-              re
-              (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
-                  let j:usize = j in
-                  let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
-                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                        <:
-                        i32)
-                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        (j +! step <: usize)
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        j
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  re)
-          in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-  in
-  let _:Prims.unit = () <: Prims.unit in
-  let step:usize = sz 1 <<! 4l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = sz 128 /! step <: usize
-            }
-            <:
-            Core.Ops.Range.t_Range usize)
-        <:
-        Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
-          let round:usize = round in
-          let zeta_i:usize = zeta_i +! sz 1 in
-          let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-                      Core.Ops.Range.f_start = offset;
-                      Core.Ops.Range.f_end = offset +! step <: usize
-                    }
+      out
+      (fun out i ->
+          let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = out in
+          let i:usize = i in
+          let product:(i32 & i32) =
+            ntt_multiply_binomials ((left.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ sz 4 *! i
                     <:
-                    Core.Ops.Range.t_Range usize)
-                <:
-                Core.Ops.Range.t_Range usize)
-              re
-              (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
-                  let j:usize = j in
-                  let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
-                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                        <:
-                        i32)
-                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        (j +! step <: usize)
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
-                    }
+                    usize ]
+                  <:
+                  i32),
+                (left.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! sz 1
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        j
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
-                    }
+                    usize ]
+                  <:
+                  i32)
+                <:
+                (i32 & i32))
+              ((right.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ sz 4 *! i <: usize ] <: i32),
+                (right.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! sz 1
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  re)
+                    usize ]
+                  <:
+                  i32)
+                <:
+                (i32 & i32))
+              (v_ZETAS_TIMES_MONTGOMERY_R.[ sz 64 +! i <: usize ] <: i32)
           in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-  in
-  let _:Prims.unit = () <: Prims.unit in
-  let step:usize = sz 1 <<! 3l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = sz 128 /! step <: usize
+          let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+            {
+              out with
+              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              =
+              Rust_primitives.Hax.update_at out.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                (sz 4 *! i <: usize)
+                product._1
             }
             <:
-            Core.Ops.Range.t_Range usize)
-        <:
-        Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
-          let round:usize = round in
-          let zeta_i:usize = zeta_i +! sz 1 in
-          let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-                      Core.Ops.Range.f_start = offset;
-                      Core.Ops.Range.f_end = offset +! step <: usize
-                    }
-                    <:
-                    Core.Ops.Range.t_Range usize)
-                <:
-                Core.Ops.Range.t_Range usize)
-              re
-              (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
-                  let j:usize = j in
-                  let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
-                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                        <:
-                        i32)
-                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        (j +! step <: usize)
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        j
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  re)
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-  in
-  let _:Prims.unit = () <: Prims.unit in
-  let step:usize = sz 1 <<! 2l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = sz 128 /! step <: usize
+          let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+            {
+              out with
+              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              =
+              Rust_primitives.Hax.update_at out.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                ((sz 4 *! i <: usize) +! sz 1 <: usize)
+                product._2
             }
             <:
-            Core.Ops.Range.t_Range usize)
-        <:
-        Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
-          let round:usize = round in
-          let zeta_i:usize = zeta_i +! sz 1 in
-          let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-                      Core.Ops.Range.f_start = offset;
-                      Core.Ops.Range.f_end = offset +! step <: usize
-                    }
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+          in
+          let product:(i32 & i32) =
+            ntt_multiply_binomials ((left.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i
+                      <:
+                      usize) +!
+                    sz 2
                     <:
-                    Core.Ops.Range.t_Range usize)
+                    usize ]
+                  <:
+                  i32),
+                (left.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! sz 3
+                    <:
+                    usize ]
+                  <:
+                  i32)
                 <:
-                Core.Ops.Range.t_Range usize)
-              re
-              (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
-                  let j:usize = j in
-                  let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
-                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                        <:
-                        i32)
-                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        (j +! step <: usize)
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
-                    }
+                (i32 & i32))
+              ((right.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! sz 2
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        j
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
-                    }
+                    usize ]
+                  <:
+                  i32),
+                (right.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! sz 3
                     <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  re)
+                    usize ]
+                  <:
+                  i32)
+                <:
+                (i32 & i32))
+              (Core.Ops.Arith.Neg.neg (v_ZETAS_TIMES_MONTGOMERY_R.[ sz 64 +! i <: usize ] <: i32)
+                <:
+                i32)
           in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-  in
-  let _:Prims.unit = () <: Prims.unit in
-  let step:usize = sz 1 <<! 1l in
-  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = sz 128 /! step <: usize
+          let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+            {
+              out with
+              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              =
+              Rust_primitives.Hax.update_at out.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                ((sz 4 *! i <: usize) +! sz 2 <: usize)
+                product._1
             }
             <:
-            Core.Ops.Range.t_Range usize)
-        <:
-        Core.Ops.Range.t_Range usize)
-      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-      (fun temp_0_ round ->
-          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
-          let round:usize = round in
-          let zeta_i:usize = zeta_i +! sz 1 in
-          let offset:usize = (round *! step <: usize) *! sz 2 in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-                      Core.Ops.Range.f_start = offset;
-                      Core.Ops.Range.f_end = offset +! step <: usize
-                    }
-                    <:
-                    Core.Ops.Range.t_Range usize)
-                <:
-                Core.Ops.Range.t_Range usize)
-              re
-              (fun re j ->
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
-                  let j:usize = j in
-                  let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
-                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                        <:
-                        i32)
-                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        (j +! step <: usize)
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-                    {
-                      re with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        j
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-                  in
-                  re)
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+          in
+          let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+            {
+              out with
+              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              =
+              Rust_primitives.Hax.update_at out.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                ((sz 4 *! i <: usize) +! sz 3 <: usize)
+                product._2
+            }
+            <:
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
           in
-          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+          out)
   in
   let _:Prims.unit = () <: Prims.unit in
+  out
+
+let ntt_vector_u
+      (v_VECTOR_U_COMPRESSION_FACTOR: usize)
+      (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
+    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+  let initial_coefficient_bound:i32 = Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS -! 1l in
+  let _:Prims.unit = () <: Prims.unit in
+  let zetas_index:usize = sz 0 in
+  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    ntt_at_layer 7uy zetas_index re initial_coefficient_bound
+  in
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
+  let zetas_index:usize = lhs in
+  let _:Prims.unit = () in
+  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    ntt_at_layer 6uy zetas_index re initial_coefficient_bound
+  in
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
+  let zetas_index:usize = lhs in
+  let _:Prims.unit = () in
+  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    ntt_at_layer 5uy zetas_index re initial_coefficient_bound
+  in
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
+  let zetas_index:usize = lhs in
+  let _:Prims.unit = () in
+  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    ntt_at_layer 4uy zetas_index re initial_coefficient_bound
+  in
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
+  let zetas_index:usize = lhs in
+  let _:Prims.unit = () in
+  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    ntt_at_layer 3uy zetas_index re initial_coefficient_bound
+  in
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
+  let zetas_index:usize = lhs in
+  let _:Prims.unit = () in
+  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    ntt_at_layer 2uy zetas_index re initial_coefficient_bound
+  in
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
+  let zetas_index:usize = lhs in
+  let _:Prims.unit = () in
+  let lhs, _:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    ntt_at_layer 1uy zetas_index re initial_coefficient_bound
+  in
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
+  let _:Prims.unit = () in
   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     {
       re with
diff --git a/src/kem/kyber/compress.rs b/src/kem/kyber/compress.rs
index 6b2a917a1..5e4feeb59 100644
--- a/src/kem/kyber/compress.rs
+++ b/src/kem/kyber/compress.rs
@@ -13,6 +13,7 @@ fn get_n_least_significant_bits(n: u8, value: u32) -> u32 {
 // The approach used in this function been taken from:
 // https://github.com/cloudflare/circl/blob/main/pke/kyber/internal/common/poly.go#L150
 #[cfg_attr(hax, hax_lib_macros::requires(fe < (FIELD_MODULUS as u16)))]
+#[inline(always)]
 pub(super) fn compress_message_coefficient(fe: u16) -> u8 {
     // If 833 <= fe <= 2496,
     // then -832 <= shifted <= 831
@@ -59,6 +60,7 @@ pub(super) fn compress_ciphertext_coefficient(
 }
 
 #[cfg_attr(hax, hax_lib_macros::requires((fe == 0) || (fe == 1)))]
+#[inline(always)]
 pub(super) fn decompress_message_coefficient(fe: StandardFieldElement) -> StandardFieldElement {
     -fe & ((FIELD_MODULUS + 1) / 2)
 }
diff --git a/src/kem/kyber/ntt.rs b/src/kem/kyber/ntt.rs
index 338382e8a..1698bbccb 100644
--- a/src/kem/kyber/ntt.rs
+++ b/src/kem/kyber/ntt.rs
@@ -4,7 +4,7 @@ use super::{
         FieldElementTimesMontgomeryR, MontgomeryFieldElement, PolynomialRingElement,
         StandardFieldElement,
     },
-    constants::COEFFICIENTS_IN_RING_ELEMENT,
+    constants::{COEFFICIENTS_IN_RING_ELEMENT, FIELD_MODULUS},
 };
 
 const ZETAS_TIMES_MONTGOMERY_R: [FieldElementTimesMontgomeryR; 128] = [
@@ -18,34 +18,69 @@ const ZETAS_TIMES_MONTGOMERY_R: [FieldElementTimesMontgomeryR; 128] = [
     -1530, -1278, 794, -1510, -854, -870, 478, -108, -308, 996, 991, 958, -1460, 1522, 1628,
 ];
 
-macro_rules! ntt_at_layer {
-    ($layer:literal, $zeta_i:ident, $re:ident, $initial_coefficient_bound:literal) => {
-        let step = 1 << $layer;
+#[inline(always)]
+fn ntt_at_layer(
+    layer: u8,
+    mut zetas_index: usize,
+    mut re: PolynomialRingElement,
+    initial_coefficient_bound: i32,
+) -> (PolynomialRingElement, usize) {
+    let step = 1 << layer;
+
+    for round in 0..(128 / step) {
+        zetas_index += 1;
+
+        let offset = round * step * 2;
+
+        for j in offset..offset + step {
+            let t = montgomery_multiply_sfe_by_fer(
+                re.coefficients[j + step],
+                ZETAS_TIMES_MONTGOMERY_R[zetas_index],
+            );
+            re.coefficients[j + step] = re.coefficients[j] - t;
+            re.coefficients[j] = re.coefficients[j] + t;
+        }
+    }
+
+    hax_lib::debug_assert!(re.coefficients.into_iter().all(|coefficient| {
+        coefficient.abs()
+            < initial_coefficient_bound + ((8 - (layer as i32)) * 3 * (FIELD_MODULUS / 2))
+    }));
+
+    (re, zetas_index)
+}
+
+#[inline(always)]
+fn invert_ntt_at_layer(
+    layer: u8,
+    mut zetas_index: usize,
+    mut re: PolynomialRingElement,
+    initial_coefficient_bound: i32,
+) -> (PolynomialRingElement, usize) {
+    let step = 1 << layer;
+
+    for round in 0..(128 / step) {
+        zetas_index -= 1;
 
-        for round in 0..(128 / step) {
-            $zeta_i += 1;
+        let offset = round * step * 2;
 
-            let offset = round * step * 2;
+        for j in offset..offset + step {
+            let a_minus_b = re.coefficients[j + step] - re.coefficients[j];
 
-            for j in offset..offset + step {
-                let t = montgomery_multiply_sfe_by_fer(
-                    $re.coefficients[j + step],
-                    ZETAS_TIMES_MONTGOMERY_R[$zeta_i],
-                );
-                $re.coefficients[j + step] = $re.coefficients[j] - t;
-                $re.coefficients[j] = $re.coefficients[j] + t;
-            }
+            // Instead of dividing by 2 here, we just divide by
+            // 2^7 in one go in the end.
+            re.coefficients[j] = re.coefficients[j] + re.coefficients[j + step];
+            re.coefficients[j + step] =
+                montgomery_reduce(a_minus_b * ZETAS_TIMES_MONTGOMERY_R[zetas_index]);
         }
+    }
 
-        hax_lib::debug_assert!($re.coefficients.into_iter().all(|coefficient| {
-            coefficient.abs() < $initial_coefficient_bound + ((8 - $layer) * 3 * (3329 / 2))
-        }));
-    };
+    hax_lib::debug_assert!(re.coefficients[0].abs() < initial_coefficient_bound * (step as i32));
+    hax_lib::debug_assert!(re.coefficients[1].abs() < initial_coefficient_bound * (step as i32));
+
+    (re, zetas_index)
 }
 
-// Over time, all invocations of ntt_representation() will be replaced by
-// invocations to this function, upon which this function will be renamed back to
-// ntt_representation().
 #[inline(always)]
 pub(in crate::kem::kyber) fn ntt_binomially_sampled_ring_element(
     mut re: PolynomialRingElement,
@@ -55,11 +90,11 @@ pub(in crate::kem::kyber) fn ntt_binomially_sampled_ring_element(
         .into_iter()
         .all(|coefficient| coefficient.abs() <= 3));
 
-    let mut zeta_i = 0;
+    let mut zetas_index = 0;
 
     // Due to the small coefficient bound, we can skip the first round of
     // montgomery reductions.
-    zeta_i += 1;
+    zetas_index += 1;
 
     for j in 0..128 {
         // Multiply by the appropriate zeta in the normal domain.
@@ -71,14 +106,14 @@ pub(in crate::kem::kyber) fn ntt_binomially_sampled_ring_element(
     hax_lib::debug_assert!(re
         .coefficients
         .into_iter()
-        .all(|coefficient| { coefficient.abs() < 3 + ((3 * 3329) / 2) }));
+        .all(|coefficient| { coefficient.abs() < 3 + (3 * (FIELD_MODULUS / 2)) }));
 
-    ntt_at_layer!(6, zeta_i, re, 3);
-    ntt_at_layer!(5, zeta_i, re, 3);
-    ntt_at_layer!(4, zeta_i, re, 3);
-    ntt_at_layer!(3, zeta_i, re, 3);
-    ntt_at_layer!(2, zeta_i, re, 3);
-    ntt_at_layer!(1, zeta_i, re, 3);
+    (re, zetas_index) = ntt_at_layer(6, zetas_index, re, 3);
+    (re, zetas_index) = ntt_at_layer(5, zetas_index, re, 3);
+    (re, zetas_index) = ntt_at_layer(4, zetas_index, re, 3);
+    (re, zetas_index) = ntt_at_layer(3, zetas_index, re, 3);
+    (re, zetas_index) = ntt_at_layer(2, zetas_index, re, 3);
+    (re, _) = ntt_at_layer(1, zetas_index, re, 3);
 
     re.coefficients = re.coefficients.map(barrett_reduce);
 
@@ -89,20 +124,21 @@ pub(in crate::kem::kyber) fn ntt_binomially_sampled_ring_element(
 pub(in crate::kem::kyber) fn ntt_vector_u<const VECTOR_U_COMPRESSION_FACTOR: usize>(
     mut re: PolynomialRingElement,
 ) -> PolynomialRingElement {
+    let initial_coefficient_bound = FIELD_MODULUS - 1;
     hax_lib::debug_assert!(re
         .coefficients
         .into_iter()
-        .all(|coefficient| coefficient.abs() <= 3328));
+        .all(|coefficient| coefficient.abs() <= initial_coefficient_bound));
 
-    let mut zeta_i = 0;
+    let mut zetas_index = 0;
 
-    ntt_at_layer!(7, zeta_i, re, 3328);
-    ntt_at_layer!(6, zeta_i, re, 3328);
-    ntt_at_layer!(5, zeta_i, re, 3328);
-    ntt_at_layer!(4, zeta_i, re, 3328);
-    ntt_at_layer!(3, zeta_i, re, 3328);
-    ntt_at_layer!(2, zeta_i, re, 3328);
-    ntt_at_layer!(1, zeta_i, re, 3328);
+    (re, zetas_index) = ntt_at_layer(7, zetas_index, re, initial_coefficient_bound);
+    (re, zetas_index) = ntt_at_layer(6, zetas_index, re, initial_coefficient_bound);
+    (re, zetas_index) = ntt_at_layer(5, zetas_index, re, initial_coefficient_bound);
+    (re, zetas_index) = ntt_at_layer(4, zetas_index, re, initial_coefficient_bound);
+    (re, zetas_index) = ntt_at_layer(3, zetas_index, re, initial_coefficient_bound);
+    (re, zetas_index) = ntt_at_layer(2, zetas_index, re, initial_coefficient_bound);
+    (re, _) = ntt_at_layer(1, zetas_index, re, initial_coefficient_bound);
 
     re.coefficients = re.coefficients.map(barrett_reduce);
 
@@ -114,53 +150,28 @@ pub(crate) fn invert_ntt_montgomery<const K: usize>(
     mut re: PolynomialRingElement,
 ) -> PolynomialRingElement {
     // We only ever call this function after matrix/vector multiplication
+    let initial_coefficient_bound = (K as i32) * FIELD_MODULUS;
     hax_lib::debug_assert!(re
         .coefficients
         .into_iter()
-        .all(|coefficient| coefficient.abs() < (K as i32) * 3329));
-
-    let mut zeta_i = COEFFICIENTS_IN_RING_ELEMENT / 2;
+        .all(|coefficient| coefficient.abs() < initial_coefficient_bound));
 
-    macro_rules! invert_ntt_at_layer {
-        ($layer:literal) => {
-            let step = 1 << $layer;
+    let mut zetas_index = COEFFICIENTS_IN_RING_ELEMENT / 2;
 
-            for round in 0..(128 / step) {
-                zeta_i -= 1;
-
-                let offset = round * step * 2;
-
-                for j in offset..offset + step {
-                    let a_minus_b = re.coefficients[j + step] - re.coefficients[j];
-
-                    // Instead of dividing by 2 here, we just divide by
-                    // 2^7 in one go in the end.
-                    re.coefficients[j] = re.coefficients[j] + re.coefficients[j + step];
-                    re.coefficients[j + step] =
-                        montgomery_reduce(a_minus_b * ZETAS_TIMES_MONTGOMERY_R[zeta_i]);
-                }
-            }
-        };
-    }
+    (re, zetas_index) = invert_ntt_at_layer(1, zetas_index, re, initial_coefficient_bound);
+    (re, zetas_index) = invert_ntt_at_layer(2, zetas_index, re, initial_coefficient_bound);
+    (re, zetas_index) = invert_ntt_at_layer(3, zetas_index, re, initial_coefficient_bound);
+    (re, zetas_index) = invert_ntt_at_layer(4, zetas_index, re, initial_coefficient_bound);
+    (re, zetas_index) = invert_ntt_at_layer(5, zetas_index, re, initial_coefficient_bound);
+    (re, zetas_index) = invert_ntt_at_layer(6, zetas_index, re, initial_coefficient_bound);
+    (re, _) = invert_ntt_at_layer(7, zetas_index, re, initial_coefficient_bound);
 
-    invert_ntt_at_layer!(1);
-    invert_ntt_at_layer!(2);
-    invert_ntt_at_layer!(3);
-    invert_ntt_at_layer!(4);
-    invert_ntt_at_layer!(5);
-    invert_ntt_at_layer!(6);
-    invert_ntt_at_layer!(7);
-
-    hax_lib::debug_assert!(
-        re.coefficients[0].abs() < 128 * (K as i32) * 3329
-            && re.coefficients[1].abs() < 128 * (K as i32) * 3329
-    );
     hax_lib::debug_assert!(re
         .coefficients
         .into_iter()
         .enumerate()
         .skip(2)
-        .all(|(i, coefficient)| coefficient.abs() < (128 / (1 << i.ilog2())) * 3329));
+        .all(|(i, coefficient)| coefficient.abs() < (128 / (1 << i.ilog2())) * FIELD_MODULUS));
 
     for i in 0..8 {
         re.coefficients[i] = barrett_reduce(re.coefficients[i]);

From 9731506384bfb230a378348c1442dd737dc94c97 Mon Sep 17 00:00:00 2001
From: xvzcf <xvzcf@users.noreply.github.com>
Date: Thu, 23 Nov 2023 17:43:25 -0500
Subject: [PATCH 11/24] Review comments.

---
 .../Libcrux.Kem.Kyber.Arithmetic.fst          | 11 ++--
 .../extraction/Libcrux.Kem.Kyber.Matrix.fst   | 36 ++---------
 src/kem/kyber/arithmetic.rs                   | 34 ++++++-----
 src/kem/kyber/compress.rs                     | 29 +++++----
 src/kem/kyber/constant_time_ops.rs            |  1 -
 src/kem/kyber/ind_cpa.rs                      |  2 +
 src/kem/kyber/matrix.rs                       | 20 ++++--
 src/kem/kyber/ntt.rs                          |  7 +--
 src/kem/kyber/sampling.rs                     | 12 ++--
 src/kem/kyber/serialize.rs                    | 61 ++++++++++---------
 10 files changed, 103 insertions(+), 110 deletions(-)

diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst
index 0d9ce48a4..ce2933c0d 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst
@@ -4,13 +4,13 @@ open Core
 open FStar.Mul
 
 unfold
-let t_FieldElementTimesMontgomeryR = i32
+let t_FieldElement = i32
 
 unfold
-let t_MontgomeryFieldElement = i32
+let t_FieldElementTimesMontgomeryR = i32
 
 unfold
-let t_StandardFieldElement = i32
+let t_MontgomeryFieldElement = i32
 
 let v_BARRETT_MULTIPLIER: i64 = 20159L
 
@@ -20,6 +20,8 @@ let v_BARRETT_R: i64 = 1L <<! v_BARRETT_SHIFT
 
 let v_INVERSE_OF_MODULUS_MOD_R: u32 = 62209ul
 
+let v_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS: i32 = 1353l
+
 let v_MONTGOMERY_SHIFT: u8 = 16uy
 
 let v_MONTGOMERY_R: i32 = 1l <<! v_MONTGOMERY_SHIFT
@@ -88,7 +90,8 @@ let montgomery_reduce (value: i32)
 
 let montgomery_multiply_sfe_by_fer (fe fer: i32) : i32 = montgomery_reduce (fe *! fer <: i32)
 
-let to_standard_domain (mfe: i32) : i32 = montgomery_reduce (mfe *! 1353l <: i32)
+let to_standard_domain (mfe: i32) : i32 =
+  montgomery_reduce (mfe *! v_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS <: i32)
 
 let to_unsigned_representative (fe: i32)
     : Prims.Pure u16
diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix.fst
index 258ee8a03..753536b44 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix.fst
@@ -73,14 +73,7 @@ let compute_As_plus_e
                     Core.Ops.Range.f_start = sz 0;
                     Core.Ops.Range.f_end
                     =
-                    Core.Slice.impl__len (Rust_primitives.unsize (result.[ i ]
-                            <:
-                            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
-                            .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        <:
-                        t_Slice i32)
-                    <:
-                    usize
+                    Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT
                   }
                   <:
                   Core.Ops.Range.t_Range usize)
@@ -168,14 +161,7 @@ let compute_message
   let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end
-              =
-              Core.Slice.impl__len (Rust_primitives.unsize result
-                      .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                  <:
-                  t_Slice i32)
-              <:
-              usize
+              Core.Ops.Range.f_end = Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT
             }
             <:
             Core.Ops.Range.t_Range usize)
@@ -256,14 +242,7 @@ let compute_ring_element_v
   let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end
-              =
-              Core.Slice.impl__len (Rust_primitives.unsize result
-                      .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                  <:
-                  t_Slice i32)
-              <:
-              usize
+              Core.Ops.Range.f_end = Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT
             }
             <:
             Core.Ops.Range.t_Range usize)
@@ -383,14 +362,7 @@ let compute_vector_u
                     Core.Ops.Range.f_start = sz 0;
                     Core.Ops.Range.f_end
                     =
-                    Core.Slice.impl__len (Rust_primitives.unsize (result.[ i ]
-                            <:
-                            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
-                            .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        <:
-                        t_Slice i32)
-                    <:
-                    usize
+                    Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT
                   }
                   <:
                   Core.Ops.Range.t_Range usize)
diff --git a/src/kem/kyber/arithmetic.rs b/src/kem/kyber/arithmetic.rs
index 0d98413b2..e7ceeb11b 100644
--- a/src/kem/kyber/arithmetic.rs
+++ b/src/kem/kyber/arithmetic.rs
@@ -1,15 +1,15 @@
 use super::constants::{COEFFICIENTS_IN_RING_ELEMENT, FIELD_MODULUS};
 
-// if this is 'x'
-// let 'fe' be the shorthand for this type
-pub(crate) type StandardFieldElement = i32;
+/// Values having this type hold a representative 'x' of the Kyber Field.
+/// Let 'fe' be the shorthand for this type
+pub(crate) type FieldElement = i32;
 
-// this is congruent to xR^{-1} mod FIELD_MODULUS
-// let 'mfe' be the shorthand for this type
+/// Values having this type hold a representative y ≡ xR^{-1} (mod FIELD_MODULUS)
+/// Let 'mfe' be the shorthand for this type
 pub(crate) type MontgomeryFieldElement = i32;
 
-// this is congruent to xR mod FIELD_MODULUS
-// let 'fer' be the shorthand for this type
+/// Values having this type hold a representative y ≡ xR (mod FIELD_MODULUS)
+/// Let 'fer' be the shorthand for this type
 pub(crate) type FieldElementTimesMontgomeryR = i32;
 
 const MONTGOMERY_SHIFT: u8 = 16;
@@ -27,7 +27,7 @@ const BARRETT_MULTIPLIER: i64 = 20159; // floor((BARRETT_R / FIELD_MODULUS) + 0.
 
 #[cfg_attr(hax, hax_lib_macros::requires((i64::from(value) > -BARRETT_R && i64::from(value) < BARRETT_R)))]
 #[cfg_attr(hax, hax_lib_macros::ensures(|result| result > -FIELD_MODULUS && result < FIELD_MODULUS))]
-pub(crate) fn barrett_reduce(value: StandardFieldElement) -> StandardFieldElement {
+pub(crate) fn barrett_reduce(value: FieldElement) -> FieldElement {
     hax_lib::debug_assert!(
         i64::from(value) > -BARRETT_R && i64::from(value) < BARRETT_R,
         "value is {value}"
@@ -50,7 +50,7 @@ const INVERSE_OF_MODULUS_MOD_R: u32 = 62209; // FIELD_MODULUS^{-1} mod MONTGOMER
 
 #[cfg_attr(hax, hax_lib_macros::requires(value >= -FIELD_MODULUS * MONTGOMERY_R && value <= FIELD_MODULUS * MONTGOMERY_R))]
 #[cfg_attr(hax, hax_lib_macros::ensures(|result| result >= -(3 * FIELD_MODULUS) / 2 && result <= (3 * FIELD_MODULUS) / 2))]
-pub(crate) fn montgomery_reduce(value: StandardFieldElement) -> StandardFieldElement {
+pub(crate) fn montgomery_reduce(value: FieldElement) -> FieldElement {
     // This forces hax to extract code for MONTGOMERY_R before it extracts code
     // for this function. The removal of this line is being tracked in:
     // https://github.com/cryspen/libcrux/issues/134
@@ -72,28 +72,32 @@ pub(crate) fn montgomery_reduce(value: StandardFieldElement) -> StandardFieldEle
     value_high - c
 }
 
+#[inline(always)]
 pub(crate) fn montgomery_multiply_sfe_by_fer(
-    fe: StandardFieldElement,
+    fe: FieldElement,
     fer: FieldElementTimesMontgomeryR,
-) -> StandardFieldElement {
+) -> FieldElement {
     montgomery_reduce(fe * fer)
 }
 
-pub(crate) fn to_standard_domain(mfe: MontgomeryFieldElement) -> StandardFieldElement {
-    montgomery_reduce(mfe * 1353)
+const MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS: i32 = 1353; // (MONTGOMERY_R)^2 mod FIELD_MODULUS
+
+#[inline(always)]
+pub(crate) fn to_standard_domain(mfe: MontgomeryFieldElement) -> FieldElement {
+    montgomery_reduce(mfe * MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS)
 }
 
 #[cfg_attr(hax, hax_lib_macros::requires(fe >= -FIELD_MODULUS && fe < FIELD_MODULUS))]
 #[cfg_attr(hax, hax_lib_macros::ensures(|result| result >= 0 && result < (FIELD_MODULUS as u16)))]
 #[inline(always)]
-pub(crate) fn to_unsigned_representative(fe: StandardFieldElement) -> u16 {
+pub(crate) fn to_unsigned_representative(fe: FieldElement) -> u16 {
     hax_lib::debug_assert!(fe >= -FIELD_MODULUS && fe < FIELD_MODULUS);
     (fe + (FIELD_MODULUS & (fe >> 31))) as u16
 }
 
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub struct PolynomialRingElement {
-    pub(crate) coefficients: [StandardFieldElement; COEFFICIENTS_IN_RING_ELEMENT],
+    pub(crate) coefficients: [FieldElement; COEFFICIENTS_IN_RING_ELEMENT],
 }
 
 impl PolynomialRingElement {
diff --git a/src/kem/kyber/compress.rs b/src/kem/kyber/compress.rs
index 5e4feeb59..37c9f727b 100644
--- a/src/kem/kyber/compress.rs
+++ b/src/kem/kyber/compress.rs
@@ -1,4 +1,4 @@
-use super::{arithmetic::StandardFieldElement, constants::FIELD_MODULUS};
+use super::{arithmetic::FieldElement, constants::FIELD_MODULUS};
 
 #[cfg_attr(hax, hax_lib_macros::requires(n == 4 || n == 5 || n == 10 || n == 11))]
 #[cfg_attr(hax, hax_lib_macros::ensures(|result| result < 2u32.pow(n.into())))]
@@ -34,12 +34,17 @@ pub(super) fn compress_message_coefficient(fe: u16) -> u8 {
     ((shifted_positive_in_range >> 15) & 1) as u8
 }
 
-#[cfg_attr(hax, hax_lib_macros::requires((coefficient_bits == 4 || coefficient_bits == 5 || coefficient_bits == 10 || coefficient_bits == 11) && fe < (FIELD_MODULUS as u16)))]
-#[cfg_attr(hax, hax_lib_macros::ensures(|result| result >= 0 && result < 2i32.pow(coefficient_bits as u32)))]
-pub(super) fn compress_ciphertext_coefficient(
-    coefficient_bits: u8,
-    fe: u16,
-) -> StandardFieldElement {
+#[cfg_attr(hax,
+    hax_lib_macros::requires(
+        (coefficient_bits == 4 ||
+         coefficient_bits == 5 ||
+         coefficient_bits == 10 ||
+         coefficient_bits == 11) &&
+         fe < (FIELD_MODULUS as u16)))]
+#[cfg_attr(hax,
+     hax_lib_macros::ensures(
+     |result| result >= 0 && result < 2i32.pow(coefficient_bits as u32)))]
+pub(super) fn compress_ciphertext_coefficient(coefficient_bits: u8, fe: u16) -> FieldElement {
     hax_lib::debug_assert!(
         coefficient_bits == 4
             || coefficient_bits == 5
@@ -56,12 +61,12 @@ pub(super) fn compress_ciphertext_coefficient(
     // (i.e. the ciphertext)
     compressed /= (FIELD_MODULUS << 1) as u32;
 
-    get_n_least_significant_bits(coefficient_bits, compressed) as StandardFieldElement
+    get_n_least_significant_bits(coefficient_bits, compressed) as FieldElement
 }
 
 #[cfg_attr(hax, hax_lib_macros::requires((fe == 0) || (fe == 1)))]
 #[inline(always)]
-pub(super) fn decompress_message_coefficient(fe: StandardFieldElement) -> StandardFieldElement {
+pub(super) fn decompress_message_coefficient(fe: FieldElement) -> FieldElement {
     -fe & ((FIELD_MODULUS + 1) / 2)
 }
 
@@ -69,8 +74,8 @@ pub(super) fn decompress_message_coefficient(fe: StandardFieldElement) -> Standa
 #[cfg_attr(hax, hax_lib_macros::ensures(|result| result < FIELD_MODULUS))]
 pub(super) fn decompress_ciphertext_coefficient(
     coefficient_bits: u8,
-    fe: StandardFieldElement,
-) -> StandardFieldElement {
+    fe: FieldElement,
+) -> FieldElement {
     hax_lib::debug_assert!(
         coefficient_bits == 4
             || coefficient_bits == 5
@@ -83,5 +88,5 @@ pub(super) fn decompress_ciphertext_coefficient(
     decompressed = (decompressed << 1) + (1 << coefficient_bits);
     decompressed >>= coefficient_bits + 1;
 
-    decompressed as StandardFieldElement
+    decompressed as FieldElement
 }
diff --git a/src/kem/kyber/constant_time_ops.rs b/src/kem/kyber/constant_time_ops.rs
index 2e5ddf897..7fe7047ab 100644
--- a/src/kem/kyber/constant_time_ops.rs
+++ b/src/kem/kyber/constant_time_ops.rs
@@ -11,7 +11,6 @@ use super::constants::SHARED_SECRET_SIZE;
 fn is_non_zero(value: u8) -> u8 {
     let value = value as u16;
 
-    // (!value) + 1 ≡ -value (mod 2^16)
     let result = ((value | (!value).wrapping_add(1)) >> 8) & 1;
 
     result as u8
diff --git a/src/kem/kyber/ind_cpa.rs b/src/kem/kyber/ind_cpa.rs
index 6abd9b9f0..9653b3cd2 100644
--- a/src/kem/kyber/ind_cpa.rs
+++ b/src/kem/kyber/ind_cpa.rs
@@ -68,6 +68,8 @@ fn sample_matrix_A<const K: usize>(
     (A_transpose, sampling_A_error)
 }
 
+/// Sample a vector of ring elements from a centered binomial distribution and
+/// convert them into their NTT representations.
 #[inline(always)]
 fn sample_vector_cbd_then_ntt<
     const K: usize,
diff --git a/src/kem/kyber/matrix.rs b/src/kem/kyber/matrix.rs
index 423ab97a6..8ae35451b 100644
--- a/src/kem/kyber/matrix.rs
+++ b/src/kem/kyber/matrix.rs
@@ -3,9 +3,16 @@ use super::{
         add_to_ring_element, barrett_reduce, montgomery_reduce, to_standard_domain,
         PolynomialRingElement,
     },
+    constants::COEFFICIENTS_IN_RING_ELEMENT,
     ntt::{invert_ntt_montgomery, ntt_multiply},
 };
 
+/// This file contains functions that compute various expressions involving
+/// vectors and matrices. The computation of these expressions has been
+/// abstracted away into these functions in order to save on loop iterations
+/// and make the code run faster.
+
+/// Compute v − NTT^{−1}(sˆT ◦ NTT(u))
 #[inline(always)]
 pub(in crate::kem::kyber) fn compute_message<const K: usize>(
     v: &PolynomialRingElement,
@@ -21,7 +28,7 @@ pub(in crate::kem::kyber) fn compute_message<const K: usize>(
 
     result = invert_ntt_montgomery::<K>(result);
 
-    for i in 0..result.coefficients.len() {
+    for i in 0..COEFFICIENTS_IN_RING_ELEMENT {
         let coefficient_normal_form = montgomery_reduce(result.coefficients[i] * 1441);
         result.coefficients[i] = barrett_reduce(v.coefficients[i] - coefficient_normal_form);
     }
@@ -29,7 +36,7 @@ pub(in crate::kem::kyber) fn compute_message<const K: usize>(
     result
 }
 
-// v := NTT^{−1}(tˆT ◦ rˆ) + e_2 + Decompress_q(Decode_1(m),1)
+/// Compute NTT^{−1}(tˆT ◦ rˆ) + e_2 + Decompress_q(Decode_1(m),1)
 #[inline(always)]
 pub(in crate::kem::kyber) fn compute_ring_element_v<const K: usize>(
     t_as_ntt: &[PolynomialRingElement; K],
@@ -46,7 +53,7 @@ pub(in crate::kem::kyber) fn compute_ring_element_v<const K: usize>(
 
     result = invert_ntt_montgomery::<K>(result);
 
-    for i in 0..result.coefficients.len() {
+    for i in 0..COEFFICIENTS_IN_RING_ELEMENT {
         let coefficient_normal_form = montgomery_reduce(result.coefficients[i] * 1441);
         result.coefficients[i] = barrett_reduce(
             coefficient_normal_form + error_2.coefficients[i] + message.coefficients[i],
@@ -56,7 +63,7 @@ pub(in crate::kem::kyber) fn compute_ring_element_v<const K: usize>(
     result
 }
 
-// u := NTT^{-1}(AˆT ◦ rˆ) + e_1
+/// Compute u := NTT^{-1}(AˆT ◦ rˆ) + e_1
 #[inline(always)]
 pub(in crate::kem::kyber) fn compute_vector_u<const K: usize>(
     a_as_ntt: &[[PolynomialRingElement; K]; K],
@@ -73,7 +80,7 @@ pub(in crate::kem::kyber) fn compute_vector_u<const K: usize>(
 
         result[i] = invert_ntt_montgomery::<K>(result[i]);
 
-        for j in 0..result[i].coefficients.len() {
+        for j in 0..COEFFICIENTS_IN_RING_ELEMENT {
             let coefficient_normal_form = montgomery_reduce(result[i].coefficients[j] * 1441);
 
             result[i].coefficients[j] =
@@ -84,6 +91,7 @@ pub(in crate::kem::kyber) fn compute_vector_u<const K: usize>(
     result
 }
 
+/// compute Aˆ ◦ sˆ + eˆ
 #[inline(always)]
 #[allow(non_snake_case)]
 pub(in crate::kem::kyber) fn compute_As_plus_e<const K: usize>(
@@ -99,7 +107,7 @@ pub(in crate::kem::kyber) fn compute_As_plus_e<const K: usize>(
             result[i] = add_to_ring_element::<K>(result[i], &product);
         }
 
-        for j in 0..result[i].coefficients.len() {
+        for j in 0..COEFFICIENTS_IN_RING_ELEMENT {
             // The coefficients are of the form aR^{-1} mod q, which means
             // calling to_montgomery_domain() on them should return a mod q.
             let coefficient_normal_form = to_standard_domain(result[i].coefficients[j]);
diff --git a/src/kem/kyber/ntt.rs b/src/kem/kyber/ntt.rs
index 1698bbccb..1c7c46feb 100644
--- a/src/kem/kyber/ntt.rs
+++ b/src/kem/kyber/ntt.rs
@@ -1,8 +1,7 @@
 use super::{
     arithmetic::{
-        barrett_reduce, montgomery_multiply_sfe_by_fer, montgomery_reduce,
+        barrett_reduce, montgomery_multiply_sfe_by_fer, montgomery_reduce, FieldElement,
         FieldElementTimesMontgomeryR, MontgomeryFieldElement, PolynomialRingElement,
-        StandardFieldElement,
     },
     constants::{COEFFICIENTS_IN_RING_ELEMENT, FIELD_MODULUS},
 };
@@ -181,8 +180,8 @@ pub(crate) fn invert_ntt_montgomery<const K: usize>(
 
 #[inline(always)]
 fn ntt_multiply_binomials(
-    (a0, a1): (StandardFieldElement, StandardFieldElement),
-    (b0, b1): (StandardFieldElement, StandardFieldElement),
+    (a0, a1): (FieldElement, FieldElement),
+    (b0, b1): (FieldElement, FieldElement),
     zeta: FieldElementTimesMontgomeryR,
 ) -> (MontgomeryFieldElement, MontgomeryFieldElement) {
     (
diff --git a/src/kem/kyber/sampling.rs b/src/kem/kyber/sampling.rs
index d8045df26..78636ca1a 100644
--- a/src/kem/kyber/sampling.rs
+++ b/src/kem/kyber/sampling.rs
@@ -1,5 +1,5 @@
 use super::{
-    arithmetic::{PolynomialRingElement, StandardFieldElement},
+    arithmetic::{FieldElement, PolynomialRingElement},
     constants::{COEFFICIENTS_IN_RING_ELEMENT, FIELD_MODULUS},
     Error,
 };
@@ -63,9 +63,8 @@ fn sample_from_binomial_distribution_2(randomness: &[u8]) -> PolynomialRingEleme
         let coin_toss_outcomes = even_bits + odd_bits;
 
         for outcome_set in (0..u32::BITS).step_by(4) {
-            let outcome_1 = ((coin_toss_outcomes >> outcome_set) & 0x3) as StandardFieldElement;
-            let outcome_2 =
-                ((coin_toss_outcomes >> (outcome_set + 2)) & 0x3) as StandardFieldElement;
+            let outcome_1 = ((coin_toss_outcomes >> outcome_set) & 0x3) as FieldElement;
+            let outcome_2 = ((coin_toss_outcomes >> (outcome_set + 2)) & 0x3) as FieldElement;
 
             let offset = (outcome_set >> 2) as usize;
             sampled.coefficients[8 * chunk_number + offset] = outcome_1 - outcome_2;
@@ -93,9 +92,8 @@ fn sample_from_binomial_distribution_3(randomness: &[u8]) -> PolynomialRingEleme
         let coin_toss_outcomes = first_bits + second_bits + third_bits;
 
         for outcome_set in (0..24).step_by(6) {
-            let outcome_1 = ((coin_toss_outcomes >> outcome_set) & 0x7) as StandardFieldElement;
-            let outcome_2 =
-                ((coin_toss_outcomes >> (outcome_set + 3)) & 0x7) as StandardFieldElement;
+            let outcome_1 = ((coin_toss_outcomes >> outcome_set) & 0x7) as FieldElement;
+            let outcome_2 = ((coin_toss_outcomes >> (outcome_set + 3)) & 0x7) as FieldElement;
 
             let offset = (outcome_set / 6) as usize;
             sampled.coefficients[4 * chunk_number + offset] = outcome_1 - outcome_2;
diff --git a/src/kem/kyber/serialize.rs b/src/kem/kyber/serialize.rs
index 95e73f52c..2c049bca8 100644
--- a/src/kem/kyber/serialize.rs
+++ b/src/kem/kyber/serialize.rs
@@ -1,12 +1,15 @@
 use super::{
-    arithmetic::{to_unsigned_representative, PolynomialRingElement, StandardFieldElement},
+    arithmetic::{to_unsigned_representative, FieldElement, PolynomialRingElement},
     compress::{
         compress_ciphertext_coefficient, compress_message_coefficient,
         decompress_ciphertext_coefficient, decompress_message_coefficient,
     },
-    constants::{BYTES_PER_RING_ELEMENT, COEFFICIENTS_IN_RING_ELEMENT, SHARED_SECRET_SIZE},
+    constants::{BYTES_PER_RING_ELEMENT, SHARED_SECRET_SIZE},
 };
 
+#[cfg(not(hax))]
+use super::constants::COEFFICIENTS_IN_RING_ELEMENT;
+
 #[inline(always)]
 pub(super) fn compress_then_serialize_message(
     re: PolynomialRingElement,
@@ -33,7 +36,7 @@ pub(super) fn deserialize_then_decompress_message(
 
     for (i, byte) in serialized.iter().enumerate() {
         for j in 0..8 {
-            let coefficient_compressed = ((byte >> j) & 0x1) as StandardFieldElement;
+            let coefficient_compressed = ((byte >> j) & 0x1) as FieldElement;
             re.coefficients[8 * i + j] = decompress_message_coefficient(coefficient_compressed);
         }
     }
@@ -65,9 +68,9 @@ pub(super) fn deserialize_to_uncompressed_ring_element(serialized: &[u8]) -> Pol
     let mut re = PolynomialRingElement::ZERO;
 
     for (i, bytes) in serialized.chunks_exact(3).enumerate() {
-        let byte1 = bytes[0] as StandardFieldElement;
-        let byte2 = bytes[1] as StandardFieldElement;
-        let byte3 = bytes[2] as StandardFieldElement;
+        let byte1 = bytes[0] as FieldElement;
+        let byte2 = bytes[1] as FieldElement;
+        let byte3 = bytes[2] as FieldElement;
 
         re.coefficients[2 * i] = (byte2 & 0x0F) << 8 | (byte1 & 0xFF);
         re.coefficients[2 * i + 1] = (byte3 << 4) | ((byte2 >> 4) & 0x0F);
@@ -227,11 +230,11 @@ fn deserialize_then_decompress_10(serialized: &[u8]) -> PolynomialRingElement {
     let mut re = PolynomialRingElement::ZERO;
 
     for (i, bytes) in serialized.chunks_exact(5).enumerate() {
-        let byte1 = bytes[0] as StandardFieldElement;
-        let byte2 = bytes[1] as StandardFieldElement;
-        let byte3 = bytes[2] as StandardFieldElement;
-        let byte4 = bytes[3] as StandardFieldElement;
-        let byte5 = bytes[4] as StandardFieldElement;
+        let byte1 = bytes[0] as FieldElement;
+        let byte2 = bytes[1] as FieldElement;
+        let byte3 = bytes[2] as FieldElement;
+        let byte4 = bytes[3] as FieldElement;
+        let byte5 = bytes[4] as FieldElement;
 
         let coefficient1 = (byte2 & 0x03) << 8 | (byte1 & 0xFF);
         re.coefficients[4 * i] = decompress_ciphertext_coefficient(10, coefficient1);
@@ -255,17 +258,17 @@ fn deserialize_then_decompress_11(serialized: &[u8]) -> PolynomialRingElement {
     let mut re = PolynomialRingElement::ZERO;
 
     for (i, bytes) in serialized.chunks_exact(11).enumerate() {
-        let byte1 = bytes[0] as StandardFieldElement;
-        let byte2 = bytes[1] as StandardFieldElement;
-        let byte3 = bytes[2] as StandardFieldElement;
-        let byte4 = bytes[3] as StandardFieldElement;
-        let byte5 = bytes[4] as StandardFieldElement;
-        let byte6 = bytes[5] as StandardFieldElement;
-        let byte7 = bytes[6] as StandardFieldElement;
-        let byte8 = bytes[7] as StandardFieldElement;
-        let byte9 = bytes[8] as StandardFieldElement;
-        let byte10 = bytes[9] as StandardFieldElement;
-        let byte11 = bytes[10] as StandardFieldElement;
+        let byte1 = bytes[0] as FieldElement;
+        let byte2 = bytes[1] as FieldElement;
+        let byte3 = bytes[2] as FieldElement;
+        let byte4 = bytes[3] as FieldElement;
+        let byte5 = bytes[4] as FieldElement;
+        let byte6 = bytes[5] as FieldElement;
+        let byte7 = bytes[6] as FieldElement;
+        let byte8 = bytes[7] as FieldElement;
+        let byte9 = bytes[8] as FieldElement;
+        let byte10 = bytes[9] as FieldElement;
+        let byte11 = bytes[10] as FieldElement;
 
         let coefficient1 = (byte2 & 0x7) << 8 | byte1;
         re.coefficients[8 * i] = decompress_ciphertext_coefficient(11, coefficient1);
@@ -316,10 +319,10 @@ fn deserialize_then_decompress_4(serialized: &[u8]) -> PolynomialRingElement {
     let mut re = PolynomialRingElement::ZERO;
 
     for (i, byte) in serialized.iter().enumerate() {
-        let coefficient1 = (byte & 0x0F) as StandardFieldElement;
+        let coefficient1 = (byte & 0x0F) as FieldElement;
         re.coefficients[2 * i] = decompress_ciphertext_coefficient(4, coefficient1);
 
-        let coefficient2 = ((byte >> 4) & 0x0F) as StandardFieldElement;
+        let coefficient2 = ((byte >> 4) & 0x0F) as FieldElement;
         re.coefficients[2 * i + 1] = decompress_ciphertext_coefficient(4, coefficient2);
     }
 
@@ -332,11 +335,11 @@ fn deserialize_then_decompress_5(serialized: &[u8]) -> PolynomialRingElement {
     let mut re = PolynomialRingElement::ZERO;
 
     for (i, bytes) in serialized.chunks_exact(5).enumerate() {
-        let byte1 = bytes[0] as StandardFieldElement;
-        let byte2 = bytes[1] as StandardFieldElement;
-        let byte3 = bytes[2] as StandardFieldElement;
-        let byte4 = bytes[3] as StandardFieldElement;
-        let byte5 = bytes[4] as StandardFieldElement;
+        let byte1 = bytes[0] as FieldElement;
+        let byte2 = bytes[1] as FieldElement;
+        let byte3 = bytes[2] as FieldElement;
+        let byte4 = bytes[3] as FieldElement;
+        let byte5 = bytes[4] as FieldElement;
 
         let coefficient1 = byte1 & 0x1F;
         re.coefficients[8 * i] = decompress_ciphertext_coefficient(5, coefficient1);

From 96787cef8e9eb729bc1f7ce13b883f64f8ddda73 Mon Sep 17 00:00:00 2001
From: xvzcf <xvzcf@users.noreply.github.com>
Date: Thu, 23 Nov 2023 17:45:50 -0500
Subject: [PATCH 12/24] Revert "Convert (invert_)ntt_at_layer macros to
 functions."

This reverts commit 2c3b985bacd37d7c8a7717a17c6d551cbb341c1e.
---
 .../extraction/Libcrux.Kem.Kyber.Ntt.fst      | 1772 +++++++++++++----
 src/kem/kyber/compress.rs                     |    1 -
 src/kem/kyber/ntt.rs                          |  163 +-
 3 files changed, 1494 insertions(+), 442 deletions(-)

diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ntt.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ntt.fst
index 59eb2a53a..fde6e6bb8 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ntt.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ntt.fst
@@ -31,14 +31,12 @@ let ntt_multiply_binomials (a0, a1: (i32 & i32)) (b0, b1: (i32 & i32)) (zeta: i3
   <:
   (i32 & i32)
 
-let invert_ntt_at_layer
-      (layer: u8)
-      (zetas_index: usize)
-      (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
-      (initial_coefficient_bound: i32)
-    : (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-  let step:usize = sz 1 <<! layer in
-  let re, zetas_index:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
+    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+  let _:Prims.unit = () <: Prims.unit in
+  let zeta_i:usize = Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! sz 2 in
+  let step:usize = sz 1 <<! 1l in
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = sz 128 /! step <: usize
@@ -47,13 +45,11 @@ let invert_ntt_at_layer
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      (re, zetas_index <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
       (fun temp_0_ round ->
-          let re, zetas_index:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-            temp_0_
-          in
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
           let round:usize = round in
-          let zetas_index:usize = zetas_index -! sz 1 in
+          let zeta_i:usize = zeta_i -! sz 1 in
           let offset:usize = (round *! step <: usize) *! sz 2 in
           let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
@@ -97,7 +93,7 @@ let invert_ntt_at_layer
                       Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *!
-                              (v_ZETAS_TIMES_MONTGOMERY_R.[ zetas_index ] <: i32)
+                              (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
                               <:
                               i32)
                           <:
@@ -108,102 +104,81 @@ let invert_ntt_at_layer
                   in
                   re)
           in
-          re, zetas_index <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
-  in
-  let _:Prims.unit = () <: Prims.unit in
-  let _:Prims.unit = () <: Prims.unit in
-  re, zetas_index <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize)
-
-let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
-    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-  let initial_coefficient_bound:i32 =
-    (cast (v_K <: usize) <: i32) *! Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS
-  in
-  let _:Prims.unit = () <: Prims.unit in
-  let zetas_index:usize = Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! sz 2 in
-  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    invert_ntt_at_layer 1uy zetas_index re initial_coefficient_bound
-  in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
-  let zetas_index:usize = lhs in
-  let _:Prims.unit = () in
-  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    invert_ntt_at_layer 2uy zetas_index re initial_coefficient_bound
-  in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
-  let zetas_index:usize = lhs in
-  let _:Prims.unit = () in
-  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    invert_ntt_at_layer 3uy zetas_index re initial_coefficient_bound
-  in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
-  let zetas_index:usize = lhs in
-  let _:Prims.unit = () in
-  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    invert_ntt_at_layer 4uy zetas_index re initial_coefficient_bound
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
   in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
-  let zetas_index:usize = lhs in
-  let _:Prims.unit = () in
-  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    invert_ntt_at_layer 5uy zetas_index re initial_coefficient_bound
-  in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
-  let zetas_index:usize = lhs in
-  let _:Prims.unit = () in
-  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    invert_ntt_at_layer 6uy zetas_index re initial_coefficient_bound
-  in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
-  let zetas_index:usize = lhs in
-  let _:Prims.unit = () in
-  let lhs, _:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    invert_ntt_at_layer 7uy zetas_index re initial_coefficient_bound
-  in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
-  let _:Prims.unit = () in
-  let _:Prims.unit = () <: Prims.unit in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+  let step:usize = sz 1 <<! 2l in
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = sz 8
+              Core.Ops.Range.f_end = sz 128 /! step <: usize
             }
             <:
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      re
-      (fun re i ->
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
-          let i:usize = i in
-          {
-            re with
-            Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-            =
-            Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-              i
-              (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce (re
-                      .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ]
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+      (fun temp_0_ round ->
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
+          let round:usize = round in
+          let zeta_i:usize = zeta_i -! sz 1 in
+          let offset:usize = (round *! step <: usize) *! sz 2 in
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+                      Core.Ops.Range.f_start = offset;
+                      Core.Ops.Range.f_end = offset +! step <: usize
+                    }
                     <:
-                    i32)
+                    Core.Ops.Range.t_Range usize)
                 <:
-                i32)
-            <:
-            t_Array i32 (sz 256)
-          }
-          <:
-          Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
+                Core.Ops.Range.t_Range usize)
+              re
+              (fun re j ->
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
+                  let j:usize = j in
+                  let a_minus_b:i32 =
+                    (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ] <: i32) -!
+                    (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32)
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        j
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +!
+                          (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
+                            <:
+                            i32)
+                          <:
+                          i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        (j +! step <: usize)
+                        (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *!
+                              (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
+                              <:
+                              i32)
+                          <:
+                          i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  re)
+          in
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
   in
-  re
-
-let ntt_at_layer
-      (layer: u8)
-      (zetas_index: usize)
-      (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
-      (initial_coefficient_bound: i32)
-    : (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-  let step:usize = sz 1 <<! layer in
-  let re, zetas_index:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+  let step:usize = sz 1 <<! 3l in
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
               Core.Ops.Range.f_end = sz 128 /! step <: usize
@@ -212,13 +187,11 @@ let ntt_at_layer
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      (re, zetas_index <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
       (fun temp_0_ round ->
-          let re, zetas_index:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-            temp_0_
-          in
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
           let round:usize = round in
-          let zetas_index:usize = zetas_index +! sz 1 in
+          let zeta_i:usize = zeta_i -! sz 1 in
           let offset:usize = (round *! step <: usize) *! sz 2 in
           let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
             Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
@@ -233,12 +206,9 @@ let ntt_at_layer
               (fun re j ->
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
                   let j:usize = j in
-                  let t:i32 =
-                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
-                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
-                        <:
-                        i32)
-                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zetas_index ] <: i32)
+                  let a_minus_b:i32 =
+                    (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ] <: i32) -!
+                    (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32)
                   in
                   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
                     {
@@ -246,8 +216,13 @@ let ntt_at_layer
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
                       Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        (j +! step <: usize)
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
+                        j
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +!
+                          (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
+                            <:
+                            i32)
+                          <:
+                          i32)
                     }
                     <:
                     Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
@@ -258,295 +233,1384 @@ let ntt_at_layer
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
                       Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        j
-                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
+                        (j +! step <: usize)
+                        (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *!
+                              (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
+                              <:
+                              i32)
+                          <:
+                          i32)
                     }
                     <:
                     Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
                   in
                   re)
           in
-          re, zetas_index <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
   in
-  let _:Prims.unit = () <: Prims.unit in
-  re, zetas_index <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize)
-
-let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
-    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-  let _:Prims.unit = () <: Prims.unit in
-  let zetas_index:usize = sz 0 in
-  let zetas_index:usize = zetas_index +! sz 1 in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+  let step:usize = sz 1 <<! 4l in
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = sz 128
+              Core.Ops.Range.f_end = sz 128 /! step <: usize
             }
             <:
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      re
-      (fun re j ->
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
-          let j:usize = j in
-          let t:i32 =
-            (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! sz 128 <: usize ] <: i32) *!
-            (-1600l)
-          in
-          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            {
-              re with
-              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-              =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                (j +! sz 128 <: usize)
-                ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
-            }
-            <:
-            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-          in
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+      (fun temp_0_ round ->
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
+          let round:usize = round in
+          let zeta_i:usize = zeta_i -! sz 1 in
+          let offset:usize = (round *! step <: usize) *! sz 2 in
           let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            {
-              re with
-              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-              =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                j
-                ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
-            }
-            <:
-            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+                      Core.Ops.Range.f_start = offset;
+                      Core.Ops.Range.f_end = offset +! step <: usize
+                    }
+                    <:
+                    Core.Ops.Range.t_Range usize)
+                <:
+                Core.Ops.Range.t_Range usize)
+              re
+              (fun re j ->
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
+                  let j:usize = j in
+                  let a_minus_b:i32 =
+                    (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ] <: i32) -!
+                    (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32)
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        j
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +!
+                          (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
+                            <:
+                            i32)
+                          <:
+                          i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        (j +! step <: usize)
+                        (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *!
+                              (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
+                              <:
+                              i32)
+                          <:
+                          i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  re)
           in
-          re)
-  in
-  let _:Prims.unit = () <: Prims.unit in
-  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    ntt_at_layer 6uy zetas_index re 3l
-  in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
-  let zetas_index:usize = lhs in
-  let _:Prims.unit = () in
-  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    ntt_at_layer 5uy zetas_index re 3l
-  in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
-  let zetas_index:usize = lhs in
-  let _:Prims.unit = () in
-  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    ntt_at_layer 4uy zetas_index re 3l
-  in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
-  let zetas_index:usize = lhs in
-  let _:Prims.unit = () in
-  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    ntt_at_layer 3uy zetas_index re 3l
-  in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
-  let zetas_index:usize = lhs in
-  let _:Prims.unit = () in
-  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    ntt_at_layer 2uy zetas_index re 3l
-  in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
-  let zetas_index:usize = lhs in
-  let _:Prims.unit = () in
-  let lhs, _:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    ntt_at_layer 1uy zetas_index re 3l
-  in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
-  let _:Prims.unit = () in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-    {
-      re with
-      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-      =
-      Core.Array.impl_23__map (sz 256)
-        re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-        Libcrux.Kem.Kyber.Arithmetic.barrett_reduce
-    }
-    <:
-    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-  in
-  re
-
-let ntt_multiply (left right: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
-    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-  let _:Prims.unit = () <: Prims.unit in
-  let _:Prims.unit = () <: Prims.unit in
-  let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-    Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
   in
-  let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+  let step:usize = sz 1 <<! 5l in
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
     Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
               Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end
-              =
-              Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! sz 4 <: usize
+              Core.Ops.Range.f_end = sz 128 /! step <: usize
             }
             <:
             Core.Ops.Range.t_Range usize)
         <:
         Core.Ops.Range.t_Range usize)
-      out
-      (fun out i ->
-          let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = out in
-          let i:usize = i in
-          let product:(i32 & i32) =
-            ntt_multiply_binomials ((left.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ sz 4 *! i
-                    <:
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+      (fun temp_0_ round ->
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
+          let round:usize = round in
+          let zeta_i:usize = zeta_i -! sz 1 in
+          let offset:usize = (round *! step <: usize) *! sz 2 in
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+                      Core.Ops.Range.f_start = offset;
+                      Core.Ops.Range.f_end = offset +! step <: usize
+                    }
+                    <:
+                    Core.Ops.Range.t_Range usize)
+                <:
+                Core.Ops.Range.t_Range usize)
+              re
+              (fun re j ->
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
+                  let j:usize = j in
+                  let a_minus_b:i32 =
+                    (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ] <: i32) -!
+                    (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32)
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        j
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +!
+                          (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
+                            <:
+                            i32)
+                          <:
+                          i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        (j +! step <: usize)
+                        (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *!
+                              (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
+                              <:
+                              i32)
+                          <:
+                          i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  re)
+          in
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+  in
+  let step:usize = sz 1 <<! 6l in
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+              Core.Ops.Range.f_start = sz 0;
+              Core.Ops.Range.f_end = sz 128 /! step <: usize
+            }
+            <:
+            Core.Ops.Range.t_Range usize)
+        <:
+        Core.Ops.Range.t_Range usize)
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+      (fun temp_0_ round ->
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
+          let round:usize = round in
+          let zeta_i:usize = zeta_i -! sz 1 in
+          let offset:usize = (round *! step <: usize) *! sz 2 in
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+                      Core.Ops.Range.f_start = offset;
+                      Core.Ops.Range.f_end = offset +! step <: usize
+                    }
+                    <:
+                    Core.Ops.Range.t_Range usize)
+                <:
+                Core.Ops.Range.t_Range usize)
+              re
+              (fun re j ->
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
+                  let j:usize = j in
+                  let a_minus_b:i32 =
+                    (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ] <: i32) -!
+                    (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32)
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        j
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +!
+                          (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
+                            <:
+                            i32)
+                          <:
+                          i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        (j +! step <: usize)
+                        (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *!
+                              (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
+                              <:
+                              i32)
+                          <:
+                          i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  re)
+          in
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+  in
+  let step:usize = sz 1 <<! 7l in
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+              Core.Ops.Range.f_start = sz 0;
+              Core.Ops.Range.f_end = sz 128 /! step <: usize
+            }
+            <:
+            Core.Ops.Range.t_Range usize)
+        <:
+        Core.Ops.Range.t_Range usize)
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+      (fun temp_0_ round ->
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
+          let round:usize = round in
+          let zeta_i:usize = zeta_i -! sz 1 in
+          let offset:usize = (round *! step <: usize) *! sz 2 in
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+                      Core.Ops.Range.f_start = offset;
+                      Core.Ops.Range.f_end = offset +! step <: usize
+                    }
+                    <:
+                    Core.Ops.Range.t_Range usize)
+                <:
+                Core.Ops.Range.t_Range usize)
+              re
+              (fun re j ->
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
+                  let j:usize = j in
+                  let a_minus_b:i32 =
+                    (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ] <: i32) -!
+                    (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32)
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        j
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +!
+                          (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
+                            <:
+                            i32)
+                          <:
+                          i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        (j +! step <: usize)
+                        (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *!
+                              (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
+                              <:
+                              i32)
+                          <:
+                          i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  re)
+          in
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+  in
+  let _:Prims.unit = () <: Prims.unit in
+  let _:Prims.unit = () <: Prims.unit in
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+              Core.Ops.Range.f_start = sz 0;
+              Core.Ops.Range.f_end = sz 8
+            }
+            <:
+            Core.Ops.Range.t_Range usize)
+        <:
+        Core.Ops.Range.t_Range usize)
+      re
+      (fun re i ->
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
+          let i:usize = i in
+          {
+            re with
+            Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+            =
+            Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              i
+              (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce (re
+                      .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ]
+                    <:
+                    i32)
+                <:
+                i32)
+            <:
+            t_Array i32 (sz 256)
+          }
+          <:
+          Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
+  in
+  re
+
+let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
+    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+  let _:Prims.unit = () <: Prims.unit in
+  let zeta_i:usize = sz 0 in
+  let zeta_i:usize = zeta_i +! sz 1 in
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+              Core.Ops.Range.f_start = sz 0;
+              Core.Ops.Range.f_end = sz 128
+            }
+            <:
+            Core.Ops.Range.t_Range usize)
+        <:
+        Core.Ops.Range.t_Range usize)
+      re
+      (fun re j ->
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
+          let j:usize = j in
+          let t:i32 =
+            (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! sz 128 <: usize ] <: i32) *!
+            (-1600l)
+          in
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+            {
+              re with
+              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              =
+              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                (j +! sz 128 <: usize)
+                ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
+            }
+            <:
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+          in
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+            {
+              re with
+              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              =
+              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                j
+                ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
+            }
+            <:
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+          in
+          re)
+  in
+  let _:Prims.unit = () <: Prims.unit in
+  let step:usize = sz 1 <<! 6l in
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+              Core.Ops.Range.f_start = sz 0;
+              Core.Ops.Range.f_end = sz 128 /! step <: usize
+            }
+            <:
+            Core.Ops.Range.t_Range usize)
+        <:
+        Core.Ops.Range.t_Range usize)
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+      (fun temp_0_ round ->
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
+          let round:usize = round in
+          let zeta_i:usize = zeta_i +! sz 1 in
+          let offset:usize = (round *! step <: usize) *! sz 2 in
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+                      Core.Ops.Range.f_start = offset;
+                      Core.Ops.Range.f_end = offset +! step <: usize
+                    }
+                    <:
+                    Core.Ops.Range.t_Range usize)
+                <:
+                Core.Ops.Range.t_Range usize)
+              re
+              (fun re j ->
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
+                  let j:usize = j in
+                  let t:i32 =
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
+                        <:
+                        i32)
+                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        (j +! step <: usize)
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        j
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  re)
+          in
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+  in
+  let _:Prims.unit = () <: Prims.unit in
+  let step:usize = sz 1 <<! 5l in
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+              Core.Ops.Range.f_start = sz 0;
+              Core.Ops.Range.f_end = sz 128 /! step <: usize
+            }
+            <:
+            Core.Ops.Range.t_Range usize)
+        <:
+        Core.Ops.Range.t_Range usize)
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+      (fun temp_0_ round ->
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
+          let round:usize = round in
+          let zeta_i:usize = zeta_i +! sz 1 in
+          let offset:usize = (round *! step <: usize) *! sz 2 in
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+                      Core.Ops.Range.f_start = offset;
+                      Core.Ops.Range.f_end = offset +! step <: usize
+                    }
+                    <:
+                    Core.Ops.Range.t_Range usize)
+                <:
+                Core.Ops.Range.t_Range usize)
+              re
+              (fun re j ->
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
+                  let j:usize = j in
+                  let t:i32 =
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
+                        <:
+                        i32)
+                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        (j +! step <: usize)
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        j
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  re)
+          in
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+  in
+  let _:Prims.unit = () <: Prims.unit in
+  let step:usize = sz 1 <<! 4l in
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+              Core.Ops.Range.f_start = sz 0;
+              Core.Ops.Range.f_end = sz 128 /! step <: usize
+            }
+            <:
+            Core.Ops.Range.t_Range usize)
+        <:
+        Core.Ops.Range.t_Range usize)
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+      (fun temp_0_ round ->
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
+          let round:usize = round in
+          let zeta_i:usize = zeta_i +! sz 1 in
+          let offset:usize = (round *! step <: usize) *! sz 2 in
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+                      Core.Ops.Range.f_start = offset;
+                      Core.Ops.Range.f_end = offset +! step <: usize
+                    }
+                    <:
+                    Core.Ops.Range.t_Range usize)
+                <:
+                Core.Ops.Range.t_Range usize)
+              re
+              (fun re j ->
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
+                  let j:usize = j in
+                  let t:i32 =
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
+                        <:
+                        i32)
+                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        (j +! step <: usize)
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        j
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  re)
+          in
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+  in
+  let _:Prims.unit = () <: Prims.unit in
+  let step:usize = sz 1 <<! 3l in
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+              Core.Ops.Range.f_start = sz 0;
+              Core.Ops.Range.f_end = sz 128 /! step <: usize
+            }
+            <:
+            Core.Ops.Range.t_Range usize)
+        <:
+        Core.Ops.Range.t_Range usize)
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+      (fun temp_0_ round ->
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
+          let round:usize = round in
+          let zeta_i:usize = zeta_i +! sz 1 in
+          let offset:usize = (round *! step <: usize) *! sz 2 in
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+                      Core.Ops.Range.f_start = offset;
+                      Core.Ops.Range.f_end = offset +! step <: usize
+                    }
+                    <:
+                    Core.Ops.Range.t_Range usize)
+                <:
+                Core.Ops.Range.t_Range usize)
+              re
+              (fun re j ->
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
+                  let j:usize = j in
+                  let t:i32 =
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
+                        <:
+                        i32)
+                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        (j +! step <: usize)
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        j
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  re)
+          in
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+  in
+  let _:Prims.unit = () <: Prims.unit in
+  let step:usize = sz 1 <<! 2l in
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+              Core.Ops.Range.f_start = sz 0;
+              Core.Ops.Range.f_end = sz 128 /! step <: usize
+            }
+            <:
+            Core.Ops.Range.t_Range usize)
+        <:
+        Core.Ops.Range.t_Range usize)
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+      (fun temp_0_ round ->
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
+          let round:usize = round in
+          let zeta_i:usize = zeta_i +! sz 1 in
+          let offset:usize = (round *! step <: usize) *! sz 2 in
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+                      Core.Ops.Range.f_start = offset;
+                      Core.Ops.Range.f_end = offset +! step <: usize
+                    }
+                    <:
+                    Core.Ops.Range.t_Range usize)
+                <:
+                Core.Ops.Range.t_Range usize)
+              re
+              (fun re j ->
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
+                  let j:usize = j in
+                  let t:i32 =
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
+                        <:
+                        i32)
+                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        (j +! step <: usize)
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        j
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  re)
+          in
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+  in
+  let _:Prims.unit = () <: Prims.unit in
+  let step:usize = sz 1 <<! 1l in
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+              Core.Ops.Range.f_start = sz 0;
+              Core.Ops.Range.f_end = sz 128 /! step <: usize
+            }
+            <:
+            Core.Ops.Range.t_Range usize)
+        <:
+        Core.Ops.Range.t_Range usize)
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+      (fun temp_0_ round ->
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
+          let round:usize = round in
+          let zeta_i:usize = zeta_i +! sz 1 in
+          let offset:usize = (round *! step <: usize) *! sz 2 in
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+                      Core.Ops.Range.f_start = offset;
+                      Core.Ops.Range.f_end = offset +! step <: usize
+                    }
+                    <:
+                    Core.Ops.Range.t_Range usize)
+                <:
+                Core.Ops.Range.t_Range usize)
+              re
+              (fun re j ->
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
+                  let j:usize = j in
+                  let t:i32 =
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
+                        <:
+                        i32)
+                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        (j +! step <: usize)
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        j
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  re)
+          in
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+  in
+  let _:Prims.unit = () <: Prims.unit in
+  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+    {
+      re with
+      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+      =
+      Core.Array.impl_23__map (sz 256)
+        re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+        Libcrux.Kem.Kyber.Arithmetic.barrett_reduce
+    }
+    <:
+    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+  in
+  re
+
+let ntt_multiply (left right: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
+    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+  let _:Prims.unit = () <: Prims.unit in
+  let _:Prims.unit = () <: Prims.unit in
+  let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+    Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO
+  in
+  let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+              Core.Ops.Range.f_start = sz 0;
+              Core.Ops.Range.f_end
+              =
+              Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! sz 4 <: usize
+            }
+            <:
+            Core.Ops.Range.t_Range usize)
+        <:
+        Core.Ops.Range.t_Range usize)
+      out
+      (fun out i ->
+          let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = out in
+          let i:usize = i in
+          let product:(i32 & i32) =
+            ntt_multiply_binomials ((left.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ sz 4 *! i
+                    <:
                     usize ]
                   <:
                   i32),
                 (left.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! sz 1
                     <:
-                    usize ]
-                  <:
-                  i32)
+                    usize ]
+                  <:
+                  i32)
+                <:
+                (i32 & i32))
+              ((right.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ sz 4 *! i <: usize ] <: i32),
+                (right.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! sz 1
+                    <:
+                    usize ]
+                  <:
+                  i32)
+                <:
+                (i32 & i32))
+              (v_ZETAS_TIMES_MONTGOMERY_R.[ sz 64 +! i <: usize ] <: i32)
+          in
+          let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+            {
+              out with
+              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              =
+              Rust_primitives.Hax.update_at out.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                (sz 4 *! i <: usize)
+                product._1
+            }
+            <:
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+          in
+          let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+            {
+              out with
+              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              =
+              Rust_primitives.Hax.update_at out.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                ((sz 4 *! i <: usize) +! sz 1 <: usize)
+                product._2
+            }
+            <:
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+          in
+          let product:(i32 & i32) =
+            ntt_multiply_binomials ((left.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i
+                      <:
+                      usize) +!
+                    sz 2
+                    <:
+                    usize ]
+                  <:
+                  i32),
+                (left.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! sz 3
+                    <:
+                    usize ]
+                  <:
+                  i32)
+                <:
+                (i32 & i32))
+              ((right.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! sz 2
+                    <:
+                    usize ]
+                  <:
+                  i32),
+                (right.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! sz 3
+                    <:
+                    usize ]
+                  <:
+                  i32)
+                <:
+                (i32 & i32))
+              (Core.Ops.Arith.Neg.neg (v_ZETAS_TIMES_MONTGOMERY_R.[ sz 64 +! i <: usize ] <: i32)
+                <:
+                i32)
+          in
+          let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+            {
+              out with
+              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              =
+              Rust_primitives.Hax.update_at out.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                ((sz 4 *! i <: usize) +! sz 2 <: usize)
+                product._1
+            }
+            <:
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+          in
+          let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+            {
+              out with
+              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              =
+              Rust_primitives.Hax.update_at out.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                ((sz 4 *! i <: usize) +! sz 3 <: usize)
+                product._2
+            }
+            <:
+            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+          in
+          out)
+  in
+  let _:Prims.unit = () <: Prims.unit in
+  out
+
+let ntt_vector_u
+      (v_VECTOR_U_COMPRESSION_FACTOR: usize)
+      (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
+    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+  let _:Prims.unit = () <: Prims.unit in
+  let zeta_i:usize = sz 0 in
+  let step:usize = sz 1 <<! 7l in
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+              Core.Ops.Range.f_start = sz 0;
+              Core.Ops.Range.f_end = sz 128 /! step <: usize
+            }
+            <:
+            Core.Ops.Range.t_Range usize)
+        <:
+        Core.Ops.Range.t_Range usize)
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+      (fun temp_0_ round ->
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
+          let round:usize = round in
+          let zeta_i:usize = zeta_i +! sz 1 in
+          let offset:usize = (round *! step <: usize) *! sz 2 in
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+                      Core.Ops.Range.f_start = offset;
+                      Core.Ops.Range.f_end = offset +! step <: usize
+                    }
+                    <:
+                    Core.Ops.Range.t_Range usize)
                 <:
-                (i32 & i32))
-              ((right.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ sz 4 *! i <: usize ] <: i32),
-                (right.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! sz 1
+                Core.Ops.Range.t_Range usize)
+              re
+              (fun re j ->
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
+                  let j:usize = j in
+                  let t:i32 =
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
+                        <:
+                        i32)
+                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        (j +! step <: usize)
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        j
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  re)
+          in
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+  in
+  let _:Prims.unit = () <: Prims.unit in
+  let step:usize = sz 1 <<! 6l in
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+              Core.Ops.Range.f_start = sz 0;
+              Core.Ops.Range.f_end = sz 128 /! step <: usize
+            }
+            <:
+            Core.Ops.Range.t_Range usize)
+        <:
+        Core.Ops.Range.t_Range usize)
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+      (fun temp_0_ round ->
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
+          let round:usize = round in
+          let zeta_i:usize = zeta_i +! sz 1 in
+          let offset:usize = (round *! step <: usize) *! sz 2 in
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+                      Core.Ops.Range.f_start = offset;
+                      Core.Ops.Range.f_end = offset +! step <: usize
+                    }
+                    <:
+                    Core.Ops.Range.t_Range usize)
+                <:
+                Core.Ops.Range.t_Range usize)
+              re
+              (fun re j ->
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
+                  let j:usize = j in
+                  let t:i32 =
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
+                        <:
+                        i32)
+                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        (j +! step <: usize)
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        j
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  re)
+          in
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+  in
+  let _:Prims.unit = () <: Prims.unit in
+  let step:usize = sz 1 <<! 5l in
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+              Core.Ops.Range.f_start = sz 0;
+              Core.Ops.Range.f_end = sz 128 /! step <: usize
+            }
+            <:
+            Core.Ops.Range.t_Range usize)
+        <:
+        Core.Ops.Range.t_Range usize)
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+      (fun temp_0_ round ->
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
+          let round:usize = round in
+          let zeta_i:usize = zeta_i +! sz 1 in
+          let offset:usize = (round *! step <: usize) *! sz 2 in
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+                      Core.Ops.Range.f_start = offset;
+                      Core.Ops.Range.f_end = offset +! step <: usize
+                    }
+                    <:
+                    Core.Ops.Range.t_Range usize)
+                <:
+                Core.Ops.Range.t_Range usize)
+              re
+              (fun re j ->
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
+                  let j:usize = j in
+                  let t:i32 =
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
+                        <:
+                        i32)
+                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        (j +! step <: usize)
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        j
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  re)
+          in
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+  in
+  let _:Prims.unit = () <: Prims.unit in
+  let step:usize = sz 1 <<! 4l in
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+              Core.Ops.Range.f_start = sz 0;
+              Core.Ops.Range.f_end = sz 128 /! step <: usize
+            }
+            <:
+            Core.Ops.Range.t_Range usize)
+        <:
+        Core.Ops.Range.t_Range usize)
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+      (fun temp_0_ round ->
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
+          let round:usize = round in
+          let zeta_i:usize = zeta_i +! sz 1 in
+          let offset:usize = (round *! step <: usize) *! sz 2 in
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+                      Core.Ops.Range.f_start = offset;
+                      Core.Ops.Range.f_end = offset +! step <: usize
+                    }
+                    <:
+                    Core.Ops.Range.t_Range usize)
+                <:
+                Core.Ops.Range.t_Range usize)
+              re
+              (fun re j ->
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
+                  let j:usize = j in
+                  let t:i32 =
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
+                        <:
+                        i32)
+                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        (j +! step <: usize)
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        j
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
+                    }
                     <:
-                    usize ]
-                  <:
-                  i32)
-                <:
-                (i32 & i32))
-              (v_ZETAS_TIMES_MONTGOMERY_R.[ sz 64 +! i <: usize ] <: i32)
-          in
-          let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            {
-              out with
-              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-              =
-              Rust_primitives.Hax.update_at out.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                (sz 4 *! i <: usize)
-                product._1
-            }
-            <:
-            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  re)
           in
-          let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            {
-              out with
-              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-              =
-              Rust_primitives.Hax.update_at out.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                ((sz 4 *! i <: usize) +! sz 1 <: usize)
-                product._2
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+  in
+  let _:Prims.unit = () <: Prims.unit in
+  let step:usize = sz 1 <<! 3l in
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+              Core.Ops.Range.f_start = sz 0;
+              Core.Ops.Range.f_end = sz 128 /! step <: usize
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
-          in
-          let product:(i32 & i32) =
-            ntt_multiply_binomials ((left.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i
-                      <:
-                      usize) +!
-                    sz 2
-                    <:
-                    usize ]
-                  <:
-                  i32),
-                (left.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! sz 3
+            Core.Ops.Range.t_Range usize)
+        <:
+        Core.Ops.Range.t_Range usize)
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+      (fun temp_0_ round ->
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
+          let round:usize = round in
+          let zeta_i:usize = zeta_i +! sz 1 in
+          let offset:usize = (round *! step <: usize) *! sz 2 in
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+                      Core.Ops.Range.f_start = offset;
+                      Core.Ops.Range.f_end = offset +! step <: usize
+                    }
                     <:
-                    usize ]
-                  <:
-                  i32)
+                    Core.Ops.Range.t_Range usize)
                 <:
-                (i32 & i32))
-              ((right.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! sz 2
+                Core.Ops.Range.t_Range usize)
+              re
+              (fun re j ->
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
+                  let j:usize = j in
+                  let t:i32 =
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
+                        <:
+                        i32)
+                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        (j +! step <: usize)
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
+                    }
                     <:
-                    usize ]
-                  <:
-                  i32),
-                (right.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! sz 3
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        j
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
+                    }
                     <:
-                    usize ]
-                  <:
-                  i32)
-                <:
-                (i32 & i32))
-              (Core.Ops.Arith.Neg.neg (v_ZETAS_TIMES_MONTGOMERY_R.[ sz 64 +! i <: usize ] <: i32)
-                <:
-                i32)
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  re)
           in
-          let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            {
-              out with
-              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-              =
-              Rust_primitives.Hax.update_at out.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                ((sz 4 *! i <: usize) +! sz 2 <: usize)
-                product._1
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+  in
+  let _:Prims.unit = () <: Prims.unit in
+  let step:usize = sz 1 <<! 2l in
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+              Core.Ops.Range.f_start = sz 0;
+              Core.Ops.Range.f_end = sz 128 /! step <: usize
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+            Core.Ops.Range.t_Range usize)
+        <:
+        Core.Ops.Range.t_Range usize)
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+      (fun temp_0_ round ->
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
+          let round:usize = round in
+          let zeta_i:usize = zeta_i +! sz 1 in
+          let offset:usize = (round *! step <: usize) *! sz 2 in
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+                      Core.Ops.Range.f_start = offset;
+                      Core.Ops.Range.f_end = offset +! step <: usize
+                    }
+                    <:
+                    Core.Ops.Range.t_Range usize)
+                <:
+                Core.Ops.Range.t_Range usize)
+              re
+              (fun re j ->
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
+                  let j:usize = j in
+                  let t:i32 =
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
+                        <:
+                        i32)
+                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        (j +! step <: usize)
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        j
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  re)
           in
-          let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-            {
-              out with
-              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-              =
-              Rust_primitives.Hax.update_at out.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                ((sz 4 *! i <: usize) +! sz 3 <: usize)
-                product._2
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+  in
+  let _:Prims.unit = () <: Prims.unit in
+  let step:usize = sz 1 <<! 1l in
+  let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
+    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+              Core.Ops.Range.f_start = sz 0;
+              Core.Ops.Range.f_end = sz 128 /! step <: usize
             }
             <:
-            Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+            Core.Ops.Range.t_Range usize)
+        <:
+        Core.Ops.Range.t_Range usize)
+      (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+      (fun temp_0_ round ->
+          let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
+          let round:usize = round in
+          let zeta_i:usize = zeta_i +! sz 1 in
+          let offset:usize = (round *! step <: usize) *! sz 2 in
+          let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+                      Core.Ops.Range.f_start = offset;
+                      Core.Ops.Range.f_end = offset +! step <: usize
+                    }
+                    <:
+                    Core.Ops.Range.t_Range usize)
+                <:
+                Core.Ops.Range.t_Range usize)
+              re
+              (fun re j ->
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
+                  let j:usize = j in
+                  let t:i32 =
+                    Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_sfe_by_fer (re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
+                        <:
+                        i32)
+                      (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        (j +! step <: usize)
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+                    {
+                      re with
+                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      =
+                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                        j
+                        ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
+                    }
+                    <:
+                    Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement
+                  in
+                  re)
           in
-          out)
+          re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
   in
   let _:Prims.unit = () <: Prims.unit in
-  out
-
-let ntt_vector_u
-      (v_VECTOR_U_COMPRESSION_FACTOR: usize)
-      (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
-    : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
-  let initial_coefficient_bound:i32 = Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS -! 1l in
-  let _:Prims.unit = () <: Prims.unit in
-  let zetas_index:usize = sz 0 in
-  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    ntt_at_layer 7uy zetas_index re initial_coefficient_bound
-  in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
-  let zetas_index:usize = lhs in
-  let _:Prims.unit = () in
-  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    ntt_at_layer 6uy zetas_index re initial_coefficient_bound
-  in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
-  let zetas_index:usize = lhs in
-  let _:Prims.unit = () in
-  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    ntt_at_layer 5uy zetas_index re initial_coefficient_bound
-  in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
-  let zetas_index:usize = lhs in
-  let _:Prims.unit = () in
-  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    ntt_at_layer 4uy zetas_index re initial_coefficient_bound
-  in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
-  let zetas_index:usize = lhs in
-  let _:Prims.unit = () in
-  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    ntt_at_layer 3uy zetas_index re initial_coefficient_bound
-  in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
-  let zetas_index:usize = lhs in
-  let _:Prims.unit = () in
-  let lhs, lhs:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    ntt_at_layer 2uy zetas_index re initial_coefficient_bound
-  in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
-  let zetas_index:usize = lhs in
-  let _:Prims.unit = () in
-  let lhs, _:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) =
-    ntt_at_layer 1uy zetas_index re initial_coefficient_bound
-  in
-  let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = lhs in
-  let _:Prims.unit = () in
   let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
     {
       re with
diff --git a/src/kem/kyber/compress.rs b/src/kem/kyber/compress.rs
index 37c9f727b..b71694e8a 100644
--- a/src/kem/kyber/compress.rs
+++ b/src/kem/kyber/compress.rs
@@ -13,7 +13,6 @@ fn get_n_least_significant_bits(n: u8, value: u32) -> u32 {
 // The approach used in this function been taken from:
 // https://github.com/cloudflare/circl/blob/main/pke/kyber/internal/common/poly.go#L150
 #[cfg_attr(hax, hax_lib_macros::requires(fe < (FIELD_MODULUS as u16)))]
-#[inline(always)]
 pub(super) fn compress_message_coefficient(fe: u16) -> u8 {
     // If 833 <= fe <= 2496,
     // then -832 <= shifted <= 831
diff --git a/src/kem/kyber/ntt.rs b/src/kem/kyber/ntt.rs
index 1c7c46feb..75fa49b4e 100644
--- a/src/kem/kyber/ntt.rs
+++ b/src/kem/kyber/ntt.rs
@@ -3,7 +3,7 @@ use super::{
         barrett_reduce, montgomery_multiply_sfe_by_fer, montgomery_reduce, FieldElement,
         FieldElementTimesMontgomeryR, MontgomeryFieldElement, PolynomialRingElement,
     },
-    constants::{COEFFICIENTS_IN_RING_ELEMENT, FIELD_MODULUS},
+    constants::COEFFICIENTS_IN_RING_ELEMENT,
 };
 
 const ZETAS_TIMES_MONTGOMERY_R: [FieldElementTimesMontgomeryR; 128] = [
@@ -17,69 +17,34 @@ const ZETAS_TIMES_MONTGOMERY_R: [FieldElementTimesMontgomeryR; 128] = [
     -1530, -1278, 794, -1510, -854, -870, 478, -108, -308, 996, 991, 958, -1460, 1522, 1628,
 ];
 
-#[inline(always)]
-fn ntt_at_layer(
-    layer: u8,
-    mut zetas_index: usize,
-    mut re: PolynomialRingElement,
-    initial_coefficient_bound: i32,
-) -> (PolynomialRingElement, usize) {
-    let step = 1 << layer;
-
-    for round in 0..(128 / step) {
-        zetas_index += 1;
-
-        let offset = round * step * 2;
-
-        for j in offset..offset + step {
-            let t = montgomery_multiply_sfe_by_fer(
-                re.coefficients[j + step],
-                ZETAS_TIMES_MONTGOMERY_R[zetas_index],
-            );
-            re.coefficients[j + step] = re.coefficients[j] - t;
-            re.coefficients[j] = re.coefficients[j] + t;
-        }
-    }
-
-    hax_lib::debug_assert!(re.coefficients.into_iter().all(|coefficient| {
-        coefficient.abs()
-            < initial_coefficient_bound + ((8 - (layer as i32)) * 3 * (FIELD_MODULUS / 2))
-    }));
-
-    (re, zetas_index)
-}
-
-#[inline(always)]
-fn invert_ntt_at_layer(
-    layer: u8,
-    mut zetas_index: usize,
-    mut re: PolynomialRingElement,
-    initial_coefficient_bound: i32,
-) -> (PolynomialRingElement, usize) {
-    let step = 1 << layer;
-
-    for round in 0..(128 / step) {
-        zetas_index -= 1;
+macro_rules! ntt_at_layer {
+    ($layer:literal, $zeta_i:ident, $re:ident, $initial_coefficient_bound:literal) => {
+        let step = 1 << $layer;
 
-        let offset = round * step * 2;
+        for round in 0..(128 / step) {
+            $zeta_i += 1;
 
-        for j in offset..offset + step {
-            let a_minus_b = re.coefficients[j + step] - re.coefficients[j];
+            let offset = round * step * 2;
 
-            // Instead of dividing by 2 here, we just divide by
-            // 2^7 in one go in the end.
-            re.coefficients[j] = re.coefficients[j] + re.coefficients[j + step];
-            re.coefficients[j + step] =
-                montgomery_reduce(a_minus_b * ZETAS_TIMES_MONTGOMERY_R[zetas_index]);
+            for j in offset..offset + step {
+                let t = montgomery_multiply_sfe_by_fer(
+                    $re.coefficients[j + step],
+                    ZETAS_TIMES_MONTGOMERY_R[$zeta_i],
+                );
+                $re.coefficients[j + step] = $re.coefficients[j] - t;
+                $re.coefficients[j] = $re.coefficients[j] + t;
+            }
         }
-    }
 
-    hax_lib::debug_assert!(re.coefficients[0].abs() < initial_coefficient_bound * (step as i32));
-    hax_lib::debug_assert!(re.coefficients[1].abs() < initial_coefficient_bound * (step as i32));
-
-    (re, zetas_index)
+        hax_lib::debug_assert!($re.coefficients.into_iter().all(|coefficient| {
+            coefficient.abs() < $initial_coefficient_bound + ((8 - $layer) * 3 * (3329 / 2))
+        }));
+    };
 }
 
+// Over time, all invocations of ntt_representation() will be replaced by
+// invocations to this function, upon which this function will be renamed back to
+// ntt_representation().
 #[inline(always)]
 pub(in crate::kem::kyber) fn ntt_binomially_sampled_ring_element(
     mut re: PolynomialRingElement,
@@ -89,11 +54,11 @@ pub(in crate::kem::kyber) fn ntt_binomially_sampled_ring_element(
         .into_iter()
         .all(|coefficient| coefficient.abs() <= 3));
 
-    let mut zetas_index = 0;
+    let mut zeta_i = 0;
 
     // Due to the small coefficient bound, we can skip the first round of
     // montgomery reductions.
-    zetas_index += 1;
+    zeta_i += 1;
 
     for j in 0..128 {
         // Multiply by the appropriate zeta in the normal domain.
@@ -105,14 +70,14 @@ pub(in crate::kem::kyber) fn ntt_binomially_sampled_ring_element(
     hax_lib::debug_assert!(re
         .coefficients
         .into_iter()
-        .all(|coefficient| { coefficient.abs() < 3 + (3 * (FIELD_MODULUS / 2)) }));
+        .all(|coefficient| { coefficient.abs() < 3 + ((3 * 3329) / 2) }));
 
-    (re, zetas_index) = ntt_at_layer(6, zetas_index, re, 3);
-    (re, zetas_index) = ntt_at_layer(5, zetas_index, re, 3);
-    (re, zetas_index) = ntt_at_layer(4, zetas_index, re, 3);
-    (re, zetas_index) = ntt_at_layer(3, zetas_index, re, 3);
-    (re, zetas_index) = ntt_at_layer(2, zetas_index, re, 3);
-    (re, _) = ntt_at_layer(1, zetas_index, re, 3);
+    ntt_at_layer!(6, zeta_i, re, 3);
+    ntt_at_layer!(5, zeta_i, re, 3);
+    ntt_at_layer!(4, zeta_i, re, 3);
+    ntt_at_layer!(3, zeta_i, re, 3);
+    ntt_at_layer!(2, zeta_i, re, 3);
+    ntt_at_layer!(1, zeta_i, re, 3);
 
     re.coefficients = re.coefficients.map(barrett_reduce);
 
@@ -123,21 +88,20 @@ pub(in crate::kem::kyber) fn ntt_binomially_sampled_ring_element(
 pub(in crate::kem::kyber) fn ntt_vector_u<const VECTOR_U_COMPRESSION_FACTOR: usize>(
     mut re: PolynomialRingElement,
 ) -> PolynomialRingElement {
-    let initial_coefficient_bound = FIELD_MODULUS - 1;
     hax_lib::debug_assert!(re
         .coefficients
         .into_iter()
-        .all(|coefficient| coefficient.abs() <= initial_coefficient_bound));
+        .all(|coefficient| coefficient.abs() <= 3328));
 
-    let mut zetas_index = 0;
+    let mut zeta_i = 0;
 
-    (re, zetas_index) = ntt_at_layer(7, zetas_index, re, initial_coefficient_bound);
-    (re, zetas_index) = ntt_at_layer(6, zetas_index, re, initial_coefficient_bound);
-    (re, zetas_index) = ntt_at_layer(5, zetas_index, re, initial_coefficient_bound);
-    (re, zetas_index) = ntt_at_layer(4, zetas_index, re, initial_coefficient_bound);
-    (re, zetas_index) = ntt_at_layer(3, zetas_index, re, initial_coefficient_bound);
-    (re, zetas_index) = ntt_at_layer(2, zetas_index, re, initial_coefficient_bound);
-    (re, _) = ntt_at_layer(1, zetas_index, re, initial_coefficient_bound);
+    ntt_at_layer!(7, zeta_i, re, 3328);
+    ntt_at_layer!(6, zeta_i, re, 3328);
+    ntt_at_layer!(5, zeta_i, re, 3328);
+    ntt_at_layer!(4, zeta_i, re, 3328);
+    ntt_at_layer!(3, zeta_i, re, 3328);
+    ntt_at_layer!(2, zeta_i, re, 3328);
+    ntt_at_layer!(1, zeta_i, re, 3328);
 
     re.coefficients = re.coefficients.map(barrett_reduce);
 
@@ -149,28 +113,53 @@ pub(crate) fn invert_ntt_montgomery<const K: usize>(
     mut re: PolynomialRingElement,
 ) -> PolynomialRingElement {
     // We only ever call this function after matrix/vector multiplication
-    let initial_coefficient_bound = (K as i32) * FIELD_MODULUS;
     hax_lib::debug_assert!(re
         .coefficients
         .into_iter()
-        .all(|coefficient| coefficient.abs() < initial_coefficient_bound));
+        .all(|coefficient| coefficient.abs() < (K as i32) * 3329));
+
+    let mut zeta_i = COEFFICIENTS_IN_RING_ELEMENT / 2;
 
-    let mut zetas_index = COEFFICIENTS_IN_RING_ELEMENT / 2;
+    macro_rules! invert_ntt_at_layer {
+        ($layer:literal) => {
+            let step = 1 << $layer;
 
-    (re, zetas_index) = invert_ntt_at_layer(1, zetas_index, re, initial_coefficient_bound);
-    (re, zetas_index) = invert_ntt_at_layer(2, zetas_index, re, initial_coefficient_bound);
-    (re, zetas_index) = invert_ntt_at_layer(3, zetas_index, re, initial_coefficient_bound);
-    (re, zetas_index) = invert_ntt_at_layer(4, zetas_index, re, initial_coefficient_bound);
-    (re, zetas_index) = invert_ntt_at_layer(5, zetas_index, re, initial_coefficient_bound);
-    (re, zetas_index) = invert_ntt_at_layer(6, zetas_index, re, initial_coefficient_bound);
-    (re, _) = invert_ntt_at_layer(7, zetas_index, re, initial_coefficient_bound);
+            for round in 0..(128 / step) {
+                zeta_i -= 1;
+
+                let offset = round * step * 2;
+
+                for j in offset..offset + step {
+                    let a_minus_b = re.coefficients[j + step] - re.coefficients[j];
+
+                    // Instead of dividing by 2 here, we just divide by
+                    // 2^7 in one go in the end.
+                    re.coefficients[j] = re.coefficients[j] + re.coefficients[j + step];
+                    re.coefficients[j + step] =
+                        montgomery_reduce(a_minus_b * ZETAS_TIMES_MONTGOMERY_R[zeta_i]);
+                }
+            }
+        };
+    }
 
+    invert_ntt_at_layer!(1);
+    invert_ntt_at_layer!(2);
+    invert_ntt_at_layer!(3);
+    invert_ntt_at_layer!(4);
+    invert_ntt_at_layer!(5);
+    invert_ntt_at_layer!(6);
+    invert_ntt_at_layer!(7);
+
+    hax_lib::debug_assert!(
+        re.coefficients[0].abs() < 128 * (K as i32) * 3329
+            && re.coefficients[1].abs() < 128 * (K as i32) * 3329
+    );
     hax_lib::debug_assert!(re
         .coefficients
         .into_iter()
         .enumerate()
         .skip(2)
-        .all(|(i, coefficient)| coefficient.abs() < (128 / (1 << i.ilog2())) * FIELD_MODULUS));
+        .all(|(i, coefficient)| coefficient.abs() < (128 / (1 << i.ilog2())) * 3329));
 
     for i in 0..8 {
         re.coefficients[i] = barrett_reduce(re.coefficients[i]);

From 75790517b4ba21168f187ada916df01cd68cad16 Mon Sep 17 00:00:00 2001
From: xvzcf <xvzcf@users.noreply.github.com>
Date: Thu, 23 Nov 2023 18:06:28 -0500
Subject: [PATCH 13/24] Re-extract Kyber fstar code with latest
 karthik/core-for-kyber hax commit.

---
 .../Libcrux.Kem.Kyber.Arithmetic.fst          |   2 +-
 .../Libcrux.Kem.Kyber.Constant_time_ops.fst   |   2 +-
 .../Libcrux.Kem.Kyber.Conversions.fst         |   4 +-
 .../Libcrux.Kem.Kyber.Hash_functions.fst      |   2 +-
 .../extraction/Libcrux.Kem.Kyber.Ind_cpa.fst  |  48 +++---
 .../extraction/Libcrux.Kem.Kyber.Matrix.fst   |  20 +--
 .../extraction/Libcrux.Kem.Kyber.Ntt.fst      | 141 ++++++++++++------
 .../extraction/Libcrux.Kem.Kyber.Sampling.fst |  10 +-
 .../Libcrux.Kem.Kyber.Serialize.fst           | 127 +++++++++-------
 proofs/fstar/extraction/Libcrux.Kem.Kyber.fst |   6 +-
 10 files changed, 224 insertions(+), 138 deletions(-)

diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst
index ce2933c0d..c686da321 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst
@@ -137,7 +137,7 @@ let add_to_ring_element (v_K: usize) (lhs rhs: t_PolynomialRingElement) : t_Poly
             lhs with
             f_coefficients
             =
-            Rust_primitives.Hax.update_at lhs.f_coefficients
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs.f_coefficients
               i
               ((lhs.f_coefficients.[ i ] <: i32) +! (rhs.f_coefficients.[ i ] <: i32) <: i32)
             <:
diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst
index fc8b9d3e5..55b10b855 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst
@@ -70,7 +70,7 @@ let select_shared_secret_in_constant_time (lhs rhs: t_Slice u8) (selector: u8)
       (fun out i ->
           let out:t_Array u8 (sz 32) = out in
           let i:usize = i in
-          Rust_primitives.Hax.update_at out
+          Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out
             i
             ((out.[ i ] <: u8) |.
               (((lhs.[ i ] <: u8) &. mask <: u8) |. ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8)
diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Conversions.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Conversions.fst
index 6c69af2ca..24c7993a5 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Conversions.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Conversions.fst
@@ -21,7 +21,7 @@ let into_padded_array (v_LEN: usize) (slice: t_Slice u8) : t_Array u8 v_LEN =
   in
   let out:t_Array u8 v_LEN = Rust_primitives.Hax.repeat 0uy v_LEN in
   let out:t_Array u8 v_LEN =
-    Rust_primitives.Hax.update_at out
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_range out
       ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = Core.Slice.impl__len slice <: usize }
         <:
         Core.Ops.Range.t_Range usize)
@@ -60,7 +60,7 @@ let impl_1 (v_LEN: usize) : t_UpdatingArray (t_UpdatableArray v_LEN) =
           self with
           f_value
           =
-          Rust_primitives.Hax.update_at self.f_value
+          Rust_primitives.Hax.Monomorphized_update_at.update_at_range self.f_value
             ({
                 Core.Ops.Range.f_start = self.f_pointer;
                 Core.Ops.Range.f_end
diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst
index 18ce2a600..cf4ab6f5e 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst
@@ -28,7 +28,7 @@ let v_XOFx4 (v_LEN v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K)
       (fun out i ->
           let out:t_Array (t_Array u8 v_LEN) v_K = out in
           let i:usize = i in
-          Rust_primitives.Hax.update_at out
+          Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out
             i
             (Libcrux.Digest.shake128 v_LEN
                 (Rust_primitives.unsize (input.[ i ] <: t_Array u8 (sz 34)) <: t_Slice u8)
diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fst
index 0f3c80dc9..f91e30e47 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fst
@@ -61,7 +61,9 @@ let sample_vector_cbd_then_ntt
           in
           let i:usize = i in
           let prf_input:t_Array u8 (sz 33) =
-            Rust_primitives.Hax.update_at prf_input (sz 32) domain_separator
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize prf_input
+              (sz 32)
+              domain_separator
           in
           let domain_separator:u8 = domain_separator +! 1uy in
           let (prf_output: t_Array u8 v_ETA_RANDOMNESS_SIZE):t_Array u8 v_ETA_RANDOMNESS_SIZE =
@@ -73,7 +75,7 @@ let sample_vector_cbd_then_ntt
               (Rust_primitives.unsize prf_output <: t_Slice u8)
           in
           let re_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
-            Rust_primitives.Hax.update_at re_as_ntt
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re_as_ntt
               i
               (Libcrux.Kem.Kyber.Ntt.ntt_binomially_sampled_ring_element r
                 <:
@@ -138,18 +140,22 @@ let sample_matrix_A (v_K: usize) (seed: t_Array u8 (sz 34)) (transpose: bool)
                   let seeds:t_Array (t_Array u8 (sz 34)) v_K = seeds in
                   let j:usize = j in
                   let seeds:t_Array (t_Array u8 (sz 34)) v_K =
-                    Rust_primitives.Hax.update_at seeds
+                    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seeds
                       j
-                      (Rust_primitives.Hax.update_at (seeds.[ j ] <: t_Array u8 (sz 34))
+                      (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (seeds.[ j ]
+                            <:
+                            t_Array u8 (sz 34))
                           (sz 32)
                           (cast (i <: usize) <: u8)
                         <:
                         t_Array u8 (sz 34))
                   in
                   let seeds:t_Array (t_Array u8 (sz 34)) v_K =
-                    Rust_primitives.Hax.update_at seeds
+                    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seeds
                       j
-                      (Rust_primitives.Hax.update_at (seeds.[ j ] <: t_Array u8 (sz 34))
+                      (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (seeds.[ j ]
+                            <:
+                            t_Array u8 (sz 34))
                           (sz 33)
                           (cast (j <: usize) <: u8)
                         <:
@@ -197,9 +203,10 @@ let sample_matrix_A (v_K: usize) (seed: t_Array u8 (sz 34)) (transpose: bool)
                 then
                   let v_A_transpose:t_Array
                     (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K =
-                    Rust_primitives.Hax.update_at v_A_transpose
+                    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v_A_transpose
                       j
-                      (Rust_primitives.Hax.update_at (v_A_transpose.[ j ]
+                      (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (v_A_transpose.[ j
+                            ]
                             <:
                             t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)
                           i
@@ -214,9 +221,10 @@ let sample_matrix_A (v_K: usize) (seed: t_Array u8 (sz 34)) (transpose: bool)
                 else
                   let v_A_transpose:t_Array
                     (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K =
-                    Rust_primitives.Hax.update_at v_A_transpose
+                    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v_A_transpose
                       i
-                      (Rust_primitives.Hax.update_at (v_A_transpose.[ i ]
+                      (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (v_A_transpose.[ i
+                            ]
                             <:
                             t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)
                           j
@@ -254,7 +262,7 @@ let compress_then_encode_u
       (fun out temp_1_ ->
           let out:t_Array u8 v_OUT_LEN = out in
           let i, re:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = temp_1_ in
-          Rust_primitives.Hax.update_at out
+          Rust_primitives.Hax.Monomorphized_update_at.update_at_range out
             ({
                 Core.Ops.Range.f_start = i *! (v_OUT_LEN /! v_K <: usize) <: usize;
                 Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! (v_OUT_LEN /! v_K <: usize) <: usize
@@ -306,7 +314,7 @@ let serialize_key
       (fun out temp_1_ ->
           let out:t_Array u8 v_OUT_LEN = out in
           let i, re:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = temp_1_ in
-          Rust_primitives.Hax.update_at out
+          Rust_primitives.Hax.Monomorphized_update_at.update_at_range out
             ({
                 Core.Ops.Range.f_start
                 =
@@ -391,7 +399,7 @@ let decrypt
               u_bytes
           in
           let u_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
-            Rust_primitives.Hax.update_at u_as_ntt
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt
               i
               (Libcrux.Kem.Kyber.Ntt.ntt_vector_u v_U_COMPRESSION_FACTOR u
                 <:
@@ -425,7 +433,7 @@ let decrypt
             secret_as_ntt
           in
           let i, secret_bytes:(usize & t_Slice u8) = temp_1_ in
-          Rust_primitives.Hax.update_at secret_as_ntt
+          Rust_primitives.Hax.Monomorphized_update_at.update_at_usize secret_as_ntt
             i
             (Libcrux.Kem.Kyber.Serialize.deserialize_to_uncompressed_ring_element secret_bytes
               <:
@@ -471,7 +479,7 @@ let encrypt
             tt_as_ntt
           in
           let i, tt_as_ntt_bytes:(usize & t_Slice u8) = temp_1_ in
-          Rust_primitives.Hax.update_at tt_as_ntt
+          Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt
             i
             (Libcrux.Kem.Kyber.Serialize.deserialize_to_uncompressed_ring_element tt_as_ntt_bytes
               <:
@@ -524,7 +532,9 @@ let encrypt
           in
           let i:usize = i in
           let prf_input:t_Array u8 (sz 33) =
-            Rust_primitives.Hax.update_at prf_input (sz 32) domain_separator
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize prf_input
+              (sz 32)
+              domain_separator
           in
           let domain_separator:u8 = domain_separator +! 1uy in
           let (prf_output: t_Array u8 v_ETA2_RANDOMNESS_SIZE):t_Array u8 v_ETA2_RANDOMNESS_SIZE =
@@ -532,7 +542,7 @@ let encrypt
               (Rust_primitives.unsize prf_input <: t_Slice u8)
           in
           let error_1_:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
-            Rust_primitives.Hax.update_at error_1_
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize error_1_
               i
               (Libcrux.Kem.Kyber.Sampling.sample_from_binomial_distribution v_ETA2
                   (Rust_primitives.unsize prf_output <: t_Slice u8)
@@ -545,7 +555,7 @@ let encrypt
             t_Array u8 (sz 33)))
   in
   let prf_input:t_Array u8 (sz 33) =
-    Rust_primitives.Hax.update_at prf_input (sz 32) domain_separator
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize prf_input (sz 32) domain_separator
   in
   let (prf_output: t_Array u8 v_ETA2_RANDOMNESS_SIZE):t_Array u8 v_ETA2_RANDOMNESS_SIZE =
     Libcrux.Kem.Kyber.Hash_functions.v_PRF v_ETA2_RANDOMNESS_SIZE
@@ -581,7 +591,7 @@ let encrypt
       (Rust_primitives.unsize c1 <: t_Slice u8)
   in
   let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE =
-    Rust_primitives.Hax.update_at ciphertext
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from ciphertext
       ({ Core.Ops.Range.f_start = v_C1_LEN } <: Core.Ops.Range.t_RangeFrom usize)
       (Core.Slice.impl__copy_from_slice (ciphertext.[ { Core.Ops.Range.f_start = v_C1_LEN }
               <:
diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix.fst
index 753536b44..56df5efa5 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix.fst
@@ -59,7 +59,7 @@ let compute_As_plus_e
                       (s_as_ntt.[ j ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
                   in
                   let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
-                    Rust_primitives.Hax.update_at result
+                    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result
                       i
                       (Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element v_K
                           (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
@@ -93,13 +93,13 @@ let compute_As_plus_e
                       <:
                       i32)
                 in
-                Rust_primitives.Hax.update_at result
+                Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result
                   i
                   ({
                       (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at (result.[ i ]
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (result.[ i ]
                           <:
                           Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
                           .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
@@ -185,7 +185,8 @@ let compute_message
               result with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at result.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 i
                 (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce ((v
                           .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ]
@@ -266,7 +267,8 @@ let compute_ring_element_v
               result with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at result.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 i
                 (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce ((coefficient_normal_form +!
                         (error_2_.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ] <: i32)
@@ -340,7 +342,7 @@ let compute_vector_u
                       (r_as_ntt.[ j ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
                   in
                   let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
-                    Rust_primitives.Hax.update_at result
+                    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result
                       i
                       (Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element v_K
                           (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
@@ -351,7 +353,7 @@ let compute_vector_u
                   result)
           in
           let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
-            Rust_primitives.Hax.update_at result
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result
               i
               (Libcrux.Kem.Kyber.Ntt.invert_ntt_montgomery v_K
                   (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
@@ -386,13 +388,13 @@ let compute_vector_u
                       i32)
                 in
                 let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
-                  Rust_primitives.Hax.update_at result
+                  Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result
                     i
                     ({
                         (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) with
                         Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         =
-                        Rust_primitives.Hax.update_at (result.[ i ]
+                        Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (result.[ i ]
                             <:
                             Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
                             .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ntt.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ntt.fst
index fde6e6bb8..679a01f68 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ntt.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ntt.fst
@@ -73,7 +73,8 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         j
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +!
                           (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
@@ -90,7 +91,8 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *!
                               (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
@@ -144,7 +146,8 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         j
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +!
                           (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
@@ -161,7 +164,8 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *!
                               (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
@@ -215,7 +219,8 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         j
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +!
                           (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
@@ -232,7 +237,8 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *!
                               (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
@@ -286,7 +292,8 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         j
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +!
                           (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
@@ -303,7 +310,8 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *!
                               (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
@@ -357,7 +365,8 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         j
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +!
                           (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
@@ -374,7 +383,8 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *!
                               (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
@@ -428,7 +438,8 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         j
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +!
                           (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
@@ -445,7 +456,8 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *!
                               (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
@@ -499,7 +511,8 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         j
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +!
                           (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
@@ -516,7 +529,8 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *!
                               (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
@@ -551,7 +565,8 @@ let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_Polyn
             re with
             Libcrux.Kem.Kyber.Arithmetic.f_coefficients
             =
-            Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               i
               (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce (re
                       .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ]
@@ -594,7 +609,8 @@ let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_Poly
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 (j +! sz 128 <: usize)
                 ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
             }
@@ -606,7 +622,8 @@ let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_Poly
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 j
                 ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
             }
@@ -657,7 +674,8 @@ let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_Poly
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
                     }
@@ -669,7 +687,8 @@ let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_Poly
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         j
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
                     }
@@ -722,7 +741,8 @@ let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_Poly
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
                     }
@@ -734,7 +754,8 @@ let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_Poly
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         j
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
                     }
@@ -787,7 +808,8 @@ let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_Poly
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
                     }
@@ -799,7 +821,8 @@ let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_Poly
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         j
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
                     }
@@ -852,7 +875,8 @@ let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_Poly
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
                     }
@@ -864,7 +888,8 @@ let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_Poly
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         j
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
                     }
@@ -917,7 +942,8 @@ let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_Poly
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
                     }
@@ -929,7 +955,8 @@ let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_Poly
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         j
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
                     }
@@ -982,7 +1009,8 @@ let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_Poly
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
                     }
@@ -994,7 +1022,8 @@ let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_Poly
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         j
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
                     }
@@ -1070,7 +1099,8 @@ let ntt_multiply (left right: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingEleme
               out with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at out.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 (sz 4 *! i <: usize)
                 product._1
             }
@@ -1082,7 +1112,8 @@ let ntt_multiply (left right: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingEleme
               out with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at out.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 4 *! i <: usize) +! sz 1 <: usize)
                 product._2
             }
@@ -1126,7 +1157,8 @@ let ntt_multiply (left right: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingEleme
               out with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at out.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 4 *! i <: usize) +! sz 2 <: usize)
                 product._1
             }
@@ -1138,7 +1170,8 @@ let ntt_multiply (left right: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingEleme
               out with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at out.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 4 *! i <: usize) +! sz 3 <: usize)
                 product._2
             }
@@ -1197,7 +1230,8 @@ let ntt_vector_u
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
                     }
@@ -1209,7 +1243,8 @@ let ntt_vector_u
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         j
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
                     }
@@ -1262,7 +1297,8 @@ let ntt_vector_u
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
                     }
@@ -1274,7 +1310,8 @@ let ntt_vector_u
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         j
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
                     }
@@ -1327,7 +1364,8 @@ let ntt_vector_u
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
                     }
@@ -1339,7 +1377,8 @@ let ntt_vector_u
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         j
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
                     }
@@ -1392,7 +1431,8 @@ let ntt_vector_u
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
                     }
@@ -1404,7 +1444,8 @@ let ntt_vector_u
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         j
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
                     }
@@ -1457,7 +1498,8 @@ let ntt_vector_u
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
                     }
@@ -1469,7 +1511,8 @@ let ntt_vector_u
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         j
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
                     }
@@ -1522,7 +1565,8 @@ let ntt_vector_u
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
                     }
@@ -1534,7 +1578,8 @@ let ntt_vector_u
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         j
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
                     }
@@ -1587,7 +1632,8 @@ let ntt_vector_u
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         (j +! step <: usize)
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32)
                     }
@@ -1599,7 +1645,8 @@ let ntt_vector_u
                       re with
                       Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       =
-                      Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                      Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                         j
                         ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32)
                     }
diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fst
index ff83706d7..f01b6f26e 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fst
@@ -63,7 +63,7 @@ let sample_from_binomial_distribution_2_ (randomness: t_Slice u8)
                     sampled with
                     Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                     =
-                    Rust_primitives.Hax.update_at sampled
+                    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sampled
                         .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       ((sz 8 *! chunk_number <: usize) +! offset <: usize)
                       (outcome_1_ -! outcome_2_ <: i32)
@@ -131,7 +131,7 @@ let sample_from_binomial_distribution_3_ (randomness: t_Slice u8)
                     sampled with
                     Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                     =
-                    Rust_primitives.Hax.update_at sampled
+                    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sampled
                         .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       ((sz 4 *! chunk_number <: usize) +! offset <: usize)
                       (outcome_1_ -! outcome_2_ <: i32)
@@ -202,7 +202,8 @@ let sample_from_uniform_distribution (v_SEED_SIZE: usize) (randomness: t_Array u
                     out with
                     Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                     =
-                    Rust_primitives.Hax.update_at out.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out
+                        .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       sampled_coefficients
                       d1
                   }
@@ -228,7 +229,8 @@ let sample_from_uniform_distribution (v_SEED_SIZE: usize) (randomness: t_Array u
                     out with
                     Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                     =
-                    Rust_primitives.Hax.update_at out.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out
+                        .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       sampled_coefficients
                       d2
                   }
diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Serialize.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Serialize.fst
index 0333b963a..b129fb45e 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Serialize.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Serialize.fst
@@ -54,12 +54,12 @@ let compress_then_serialize_10_
                 u16)
           in
           let serialized:t_Array u8 v_OUT_LEN =
-            Rust_primitives.Hax.update_at serialized
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               (sz 5 *! i <: usize)
               (cast (coefficient1 &. 255l <: i32) <: u8)
           in
           let serialized:t_Array u8 v_OUT_LEN =
-            Rust_primitives.Hax.update_at serialized
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 5 *! i <: usize) +! sz 1 <: usize)
               (((cast (coefficient2 &. 63l <: i32) <: u8) <<! 2l <: u8) |.
                 (cast ((coefficient1 >>! 8l <: i32) &. 3l <: i32) <: u8)
@@ -67,7 +67,7 @@ let compress_then_serialize_10_
                 u8)
           in
           let serialized:t_Array u8 v_OUT_LEN =
-            Rust_primitives.Hax.update_at serialized
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 5 *! i <: usize) +! sz 2 <: usize)
               (((cast (coefficient3 &. 15l <: i32) <: u8) <<! 4l <: u8) |.
                 (cast ((coefficient2 >>! 6l <: i32) &. 15l <: i32) <: u8)
@@ -75,7 +75,7 @@ let compress_then_serialize_10_
                 u8)
           in
           let serialized:t_Array u8 v_OUT_LEN =
-            Rust_primitives.Hax.update_at serialized
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 5 *! i <: usize) +! sz 3 <: usize)
               (((cast (coefficient4 &. 3l <: i32) <: u8) <<! 6l <: u8) |.
                 (cast ((coefficient3 >>! 4l <: i32) &. 63l <: i32) <: u8)
@@ -83,7 +83,7 @@ let compress_then_serialize_10_
                 u8)
           in
           let serialized:t_Array u8 v_OUT_LEN =
-            Rust_primitives.Hax.update_at serialized
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 5 *! i <: usize) +! sz 4 <: usize)
               (cast ((coefficient4 >>! 2l <: i32) &. 255l <: i32) <: u8)
           in
@@ -170,12 +170,12 @@ let compress_then_serialize_11_
                 u16)
           in
           let serialized:t_Array u8 v_OUT_LEN =
-            Rust_primitives.Hax.update_at serialized
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               (sz 11 *! i <: usize)
               (cast (coefficient1 <: i32) <: u8)
           in
           let serialized:t_Array u8 v_OUT_LEN =
-            Rust_primitives.Hax.update_at serialized
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 11 *! i <: usize) +! sz 1 <: usize)
               (((cast (coefficient2 &. 31l <: i32) <: u8) <<! 3l <: u8) |.
                 (cast (coefficient1 >>! 8l <: i32) <: u8)
@@ -183,7 +183,7 @@ let compress_then_serialize_11_
                 u8)
           in
           let serialized:t_Array u8 v_OUT_LEN =
-            Rust_primitives.Hax.update_at serialized
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 11 *! i <: usize) +! sz 2 <: usize)
               (((cast (coefficient3 &. 3l <: i32) <: u8) <<! 6l <: u8) |.
                 (cast (coefficient2 >>! 5l <: i32) <: u8)
@@ -191,12 +191,12 @@ let compress_then_serialize_11_
                 u8)
           in
           let serialized:t_Array u8 v_OUT_LEN =
-            Rust_primitives.Hax.update_at serialized
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 11 *! i <: usize) +! sz 3 <: usize)
               (cast ((coefficient3 >>! 2l <: i32) &. 255l <: i32) <: u8)
           in
           let serialized:t_Array u8 v_OUT_LEN =
-            Rust_primitives.Hax.update_at serialized
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 11 *! i <: usize) +! sz 4 <: usize)
               (((cast (coefficient4 &. 127l <: i32) <: u8) <<! 1l <: u8) |.
                 (cast (coefficient3 >>! 10l <: i32) <: u8)
@@ -204,7 +204,7 @@ let compress_then_serialize_11_
                 u8)
           in
           let serialized:t_Array u8 v_OUT_LEN =
-            Rust_primitives.Hax.update_at serialized
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 11 *! i <: usize) +! sz 5 <: usize)
               (((cast (coefficient5 &. 15l <: i32) <: u8) <<! 4l <: u8) |.
                 (cast (coefficient4 >>! 7l <: i32) <: u8)
@@ -212,7 +212,7 @@ let compress_then_serialize_11_
                 u8)
           in
           let serialized:t_Array u8 v_OUT_LEN =
-            Rust_primitives.Hax.update_at serialized
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 11 *! i <: usize) +! sz 6 <: usize)
               (((cast (coefficient6 &. 1l <: i32) <: u8) <<! 7l <: u8) |.
                 (cast (coefficient5 >>! 4l <: i32) <: u8)
@@ -220,12 +220,12 @@ let compress_then_serialize_11_
                 u8)
           in
           let serialized:t_Array u8 v_OUT_LEN =
-            Rust_primitives.Hax.update_at serialized
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 11 *! i <: usize) +! sz 7 <: usize)
               (cast ((coefficient6 >>! 1l <: i32) &. 255l <: i32) <: u8)
           in
           let serialized:t_Array u8 v_OUT_LEN =
-            Rust_primitives.Hax.update_at serialized
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 11 *! i <: usize) +! sz 8 <: usize)
               (((cast (coefficient7 &. 63l <: i32) <: u8) <<! 2l <: u8) |.
                 (cast (coefficient6 >>! 9l <: i32) <: u8)
@@ -233,7 +233,7 @@ let compress_then_serialize_11_
                 u8)
           in
           let serialized:t_Array u8 v_OUT_LEN =
-            Rust_primitives.Hax.update_at serialized
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 11 *! i <: usize) +! sz 9 <: usize)
               (((cast (coefficient8 &. 7l <: i32) <: u8) <<! 5l <: u8) |.
                 (cast (coefficient7 >>! 6l <: i32) <: u8)
@@ -241,7 +241,7 @@ let compress_then_serialize_11_
                 u8)
           in
           let serialized:t_Array u8 v_OUT_LEN =
-            Rust_primitives.Hax.update_at serialized
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 11 *! i <: usize) +! sz 10 <: usize)
               (cast (coefficient8 >>! 3l <: i32) <: u8)
           in
@@ -296,7 +296,7 @@ let compress_then_serialize_4_
             u8
           in
           let serialized:t_Array u8 v_OUT_LEN =
-            Rust_primitives.Hax.update_at serialized
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               i
               ((coefficient2 <<! 4l <: u8) |. coefficient1 <: u8)
           in
@@ -423,12 +423,12 @@ let compress_then_serialize_5_
             u8
           in
           let serialized:t_Array u8 v_OUT_LEN =
-            Rust_primitives.Hax.update_at serialized
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               (sz 5 *! i <: usize)
               (((coefficient2 &. 7uy <: u8) <<! 5l <: u8) |. coefficient1 <: u8)
           in
           let serialized:t_Array u8 v_OUT_LEN =
-            Rust_primitives.Hax.update_at serialized
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 5 *! i <: usize) +! sz 1 <: usize)
               ((((coefficient4 &. 1uy <: u8) <<! 7l <: u8) |. (coefficient3 <<! 2l <: u8) <: u8) |.
                 (coefficient2 >>! 3l <: u8)
@@ -436,12 +436,12 @@ let compress_then_serialize_5_
                 u8)
           in
           let serialized:t_Array u8 v_OUT_LEN =
-            Rust_primitives.Hax.update_at serialized
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 5 *! i <: usize) +! sz 2 <: usize)
               (((coefficient5 &. 15uy <: u8) <<! 4l <: u8) |. (coefficient4 >>! 1l <: u8) <: u8)
           in
           let serialized:t_Array u8 v_OUT_LEN =
-            Rust_primitives.Hax.update_at serialized
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 5 *! i <: usize) +! sz 3 <: usize)
               ((((coefficient7 &. 3uy <: u8) <<! 6l <: u8) |. (coefficient6 <<! 1l <: u8) <: u8) |.
                 (coefficient5 >>! 4l <: u8)
@@ -449,7 +449,7 @@ let compress_then_serialize_5_
                 u8)
           in
           let serialized:t_Array u8 v_OUT_LEN =
-            Rust_primitives.Hax.update_at serialized
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 5 *! i <: usize) +! sz 4 <: usize)
               ((coefficient8 <<! 3l <: u8) |. (coefficient7 >>! 2l <: u8) <: u8)
           in
@@ -493,7 +493,7 @@ let compress_then_serialize_message (re: Libcrux.Kem.Kyber.Arithmetic.t_Polynomi
                 let coefficient_compressed:u8 =
                   Libcrux.Kem.Kyber.Compress.compress_message_coefficient coefficient
                 in
-                Rust_primitives.Hax.update_at serialized
+                Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
                   i
                   ((serialized.[ i ] <: u8) |. (coefficient_compressed <<! j <: u8) <: u8))
           <:
@@ -557,7 +557,8 @@ let deserialize_then_decompress_10_ (serialized: t_Slice u8)
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 (sz 4 *! i <: usize)
                 (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 10uy coefficient1
                   <:
@@ -572,7 +573,8 @@ let deserialize_then_decompress_10_ (serialized: t_Slice u8)
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 4 *! i <: usize) +! sz 1 <: usize)
                 (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 10uy coefficient2
                   <:
@@ -587,7 +589,8 @@ let deserialize_then_decompress_10_ (serialized: t_Slice u8)
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 4 *! i <: usize) +! sz 2 <: usize)
                 (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 10uy coefficient3
                   <:
@@ -602,7 +605,8 @@ let deserialize_then_decompress_10_ (serialized: t_Slice u8)
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 4 *! i <: usize) +! sz 3 <: usize)
                 (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 10uy coefficient4
                   <:
@@ -649,7 +653,8 @@ let deserialize_then_decompress_11_ (serialized: t_Slice u8)
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 (sz 8 *! i <: usize)
                 (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 11uy coefficient1
                   <:
@@ -664,7 +669,8 @@ let deserialize_then_decompress_11_ (serialized: t_Slice u8)
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 8 *! i <: usize) +! sz 1 <: usize)
                 (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 11uy coefficient2
                   <:
@@ -682,7 +688,8 @@ let deserialize_then_decompress_11_ (serialized: t_Slice u8)
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 8 *! i <: usize) +! sz 2 <: usize)
                 (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 11uy coefficient3
                   <:
@@ -697,7 +704,8 @@ let deserialize_then_decompress_11_ (serialized: t_Slice u8)
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 8 *! i <: usize) +! sz 3 <: usize)
                 (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 11uy coefficient4
                   <:
@@ -712,7 +720,8 @@ let deserialize_then_decompress_11_ (serialized: t_Slice u8)
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 8 *! i <: usize) +! sz 4 <: usize)
                 (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 11uy coefficient5
                   <:
@@ -730,7 +739,8 @@ let deserialize_then_decompress_11_ (serialized: t_Slice u8)
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 8 *! i <: usize) +! sz 5 <: usize)
                 (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 11uy coefficient6
                   <:
@@ -745,7 +755,8 @@ let deserialize_then_decompress_11_ (serialized: t_Slice u8)
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 8 *! i <: usize) +! sz 6 <: usize)
                 (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 11uy coefficient7
                   <:
@@ -760,7 +771,8 @@ let deserialize_then_decompress_11_ (serialized: t_Slice u8)
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 8 *! i <: usize) +! sz 7 <: usize)
                 (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 11uy coefficient8
                   <:
@@ -796,7 +808,8 @@ let deserialize_then_decompress_4_ (serialized: t_Slice u8)
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 (sz 2 *! i <: usize)
                 (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 4uy coefficient1
                   <:
@@ -811,7 +824,8 @@ let deserialize_then_decompress_4_ (serialized: t_Slice u8)
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 2 *! i <: usize) +! sz 1 <: usize)
                 (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 4uy coefficient2
                   <:
@@ -852,7 +866,8 @@ let deserialize_then_decompress_5_ (serialized: t_Slice u8)
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 (sz 8 *! i <: usize)
                 (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 5uy coefficient1
                   <:
@@ -867,7 +882,8 @@ let deserialize_then_decompress_5_ (serialized: t_Slice u8)
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 8 *! i <: usize) +! sz 1 <: usize)
                 (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 5uy coefficient2
                   <:
@@ -882,7 +898,8 @@ let deserialize_then_decompress_5_ (serialized: t_Slice u8)
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 8 *! i <: usize) +! sz 2 <: usize)
                 (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 5uy coefficient3
                   <:
@@ -897,7 +914,8 @@ let deserialize_then_decompress_5_ (serialized: t_Slice u8)
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 8 *! i <: usize) +! sz 3 <: usize)
                 (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 5uy coefficient4
                   <:
@@ -912,7 +930,8 @@ let deserialize_then_decompress_5_ (serialized: t_Slice u8)
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 8 *! i <: usize) +! sz 4 <: usize)
                 (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 5uy coefficient5
                   <:
@@ -927,7 +946,8 @@ let deserialize_then_decompress_5_ (serialized: t_Slice u8)
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 8 *! i <: usize) +! sz 5 <: usize)
                 (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 5uy coefficient6
                   <:
@@ -942,7 +962,8 @@ let deserialize_then_decompress_5_ (serialized: t_Slice u8)
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 8 *! i <: usize) +! sz 6 <: usize)
                 (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 5uy coefficient7
                   <:
@@ -957,7 +978,8 @@ let deserialize_then_decompress_5_ (serialized: t_Slice u8)
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 8 *! i <: usize) +! sz 7 <: usize)
                 (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 5uy coefficient8
                   <:
@@ -1006,7 +1028,8 @@ let deserialize_then_decompress_message (serialized: t_Array u8 (sz 32))
                     re with
                     Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                     =
-                    Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+                    Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                        .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                       ((sz 8 *! i <: usize) +! j <: usize)
                       (Libcrux.Kem.Kyber.Compress.decompress_message_coefficient coefficient_compressed
 
@@ -1075,7 +1098,8 @@ let deserialize_to_uncompressed_ring_element (serialized: t_Slice u8)
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 (sz 2 *! i <: usize)
                 (((byte2 &. 15l <: i32) <<! 8l <: i32) |. (byte1 &. 255l <: i32) <: i32)
             }
@@ -1087,7 +1111,8 @@ let deserialize_to_uncompressed_ring_element (serialized: t_Slice u8)
               re with
               Libcrux.Kem.Kyber.Arithmetic.f_coefficients
               =
-              Rust_primitives.Hax.update_at re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+              Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
                 ((sz 2 *! i <: usize) +! sz 1 <: usize)
                 ((byte3 <<! 4l <: i32) |. ((byte2 >>! 4l <: i32) &. 15l <: i32) <: i32)
             }
@@ -1125,12 +1150,12 @@ let serialize_uncompressed_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_Poly
             Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 1 ] <: i32)
           in
           let serialized:t_Array u8 (sz 384) =
-            Rust_primitives.Hax.update_at serialized
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               (sz 3 *! i <: usize)
               (cast (coefficient1 &. 255us <: u16) <: u8)
           in
           let serialized:t_Array u8 (sz 384) =
-            Rust_primitives.Hax.update_at serialized
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 3 *! i <: usize) +! sz 1 <: usize)
               (cast ((coefficient1 >>! 8l <: u16) |. ((coefficient2 &. 15us <: u16) <<! 4l <: u16)
                     <:
@@ -1139,7 +1164,7 @@ let serialize_uncompressed_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_Poly
                 u8)
           in
           let serialized:t_Array u8 (sz 384) =
-            Rust_primitives.Hax.update_at serialized
+            Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
               ((sz 3 *! i <: usize) +! sz 2 <: usize)
               (cast ((coefficient2 >>! 4l <: u16) &. 255us <: u16) <: u8)
           in
diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.fst
index ee4bb19bb..422424cee 100644
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.fst
+++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.fst
@@ -39,7 +39,7 @@ let decapsulate
       (Rust_primitives.unsize decrypted <: t_Slice u8)
   in
   let to_hash:t_Array u8 (sz 64) =
-    Rust_primitives.Hax.update_at to_hash
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash
       ({ Core.Ops.Range.f_start = Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE }
         <:
         Core.Ops.Range.t_RangeFrom usize)
@@ -67,7 +67,7 @@ let decapsulate
       implicit_rejection_value
   in
   let to_hash:t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE =
-    Rust_primitives.Hax.update_at to_hash
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash
       ({ Core.Ops.Range.f_start = Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE }
         <:
         Core.Ops.Range.t_RangeFrom usize)
@@ -114,7 +114,7 @@ let encapsulate
       (Rust_primitives.unsize randomness <: t_Slice u8)
   in
   let to_hash:t_Array u8 (sz 64) =
-    Rust_primitives.Hax.update_at to_hash
+    Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash
       ({ Core.Ops.Range.f_start = Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE }
         <:
         Core.Ops.Range.t_RangeFrom usize)

From 19044b8c4cc9a2fa85c2fd29344dbe52e3de9dce Mon Sep 17 00:00:00 2001
From: xvzcf <xvzcf@users.noreply.github.com>
Date: Fri, 24 Nov 2023 10:21:11 -0500
Subject: [PATCH 14/24] Fix fstar lax-typechecking.

---
 ...ibcrux.Kem.Kyber.Matrix_multiplication.fst | 470 ------------------
 1 file changed, 470 deletions(-)
 delete mode 100644 proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix_multiplication.fst

diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix_multiplication.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix_multiplication.fst
deleted file mode 100644
index 947004ace..000000000
--- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix_multiplication.fst
+++ /dev/null
@@ -1,470 +0,0 @@
-module Libcrux.Kem.Kyber.Matrix_multiplication
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
-open Core
-open FStar.Mul
-
-let compute_As_plus_e
-      (v_K: usize)
-      (matrix_A:
-          t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K) v_K)
-      (s_as_ntt error_as_ntt: t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
-    : t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-    Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
-      v_K
-  in
-  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
-              (Core.Slice.impl__iter (Rust_primitives.unsize matrix_A
-                    <:
-                    t_Slice (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K))
-                <:
-                Core.Slice.Iter.t_Iter
-                (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K))
-            <:
-            Core.Iter.Adapters.Enumerate.t_Enumerate
-            (Core.Slice.Iter.t_Iter
-              (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)))
-        <:
-        Core.Iter.Adapters.Enumerate.t_Enumerate
-        (Core.Slice.Iter.t_Iter
-          (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)))
-      result
-      (fun result temp_1_ ->
-          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-            result
-          in
-          let i, row:(usize & t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
-          =
-            temp_1_
-          in
-          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
-                      (Core.Slice.impl__iter (Rust_primitives.unsize row
-                            <:
-                            t_Slice Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                        <:
-                        Core.Slice.Iter.t_Iter
-                        Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                    <:
-                    Core.Iter.Adapters.Enumerate.t_Enumerate
-                    (Core.Slice.Iter.t_Iter
-                      Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement))
-                <:
-                Core.Iter.Adapters.Enumerate.t_Enumerate
-                (Core.Slice.Iter.t_Iter Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement))
-              result
-              (fun result temp_1_ ->
-                  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-                    result
-                  in
-                  let j, matrix_element:(usize &
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement) =
-                    temp_1_
-                  in
-                  let product:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-                    Libcrux.Kem.Kyber.Ntt.ntt_multiply matrix_element
-                      (s_as_ntt.[ j ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                  in
-                  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-                    Rust_primitives.Hax.update_at result
-                      i
-                      (Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element v_K
-                          (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
-                          )
-                          product
-                        <:
-                        Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                  in
-                  result)
-          in
-          Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-                    Core.Ops.Range.f_start = sz 0;
-                    Core.Ops.Range.f_end
-                    =
-                    Core.Slice.impl__len (Rust_primitives.unsize (result.[ i ]
-                            <:
-                            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                            .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        <:
-                        t_Slice i32)
-                    <:
-                    usize
-                  }
-                  <:
-                  Core.Ops.Range.t_Range usize)
-              <:
-              Core.Ops.Range.t_Range usize)
-            result
-            (fun result j ->
-                let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-                  result
-                in
-                let j:usize = j in
-                let coefficient_normal_form:i32 =
-                  Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (((result.[ i ]
-                          <:
-                          Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ]
-                        <:
-                        i32) *!
-                      1353l
-                      <:
-                      i32)
-                in
-                Rust_primitives.Hax.update_at result
-                  i
-                  ({
-                      (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement) with
-                      Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                      =
-                      Rust_primitives.Hax.update_at (result.[ i ]
-                          <:
-                          Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        j
-                        (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce (coefficient_normal_form +!
-                              ((error_as_ntt.[ i ]
-                                  <:
-                                  Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                                  .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ]
-                                <:
-                                i32)
-                              <:
-                              i32)
-                          <:
-                          i32)
-                      <:
-                      t_Array i32 (sz 256)
-                    }
-                    <:
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)))
-  in
-  result
-
-let compute_message
-      (v_K: usize)
-      (v: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-      (secret_as_ntt u_as_ntt:
-          t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
-    : Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-    Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
-  in
-  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = v_K
-            }
-            <:
-            Core.Ops.Range.t_Range usize)
-        <:
-        Core.Ops.Range.t_Range usize)
-      result
-      (fun result i ->
-          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = result in
-          let i:usize = i in
-          let product:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-            Libcrux.Kem.Kyber.Ntt.ntt_multiply (secret_as_ntt.[ i ]
-                <:
-                Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-              (u_as_ntt.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-          in
-          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-            Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element v_K result product
-          in
-          result)
-  in
-  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-    Libcrux.Kem.Kyber.Ntt.invert_ntt_montgomery v_K result
-  in
-  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end
-              =
-              Core.Slice.impl__len (Rust_primitives.unsize result
-                      .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                  <:
-                  t_Slice i32)
-              <:
-              usize
-            }
-            <:
-            Core.Ops.Range.t_Range usize)
-        <:
-        Core.Ops.Range.t_Range usize)
-      result
-      (fun result i ->
-          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = result in
-          let i:usize = i in
-          let coefficient_normal_form:i32 =
-            Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((result
-                    .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ]
-                  <:
-                  i32) *!
-                1441l
-                <:
-                i32)
-          in
-          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-            {
-              result with
-              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-              =
-              Rust_primitives.Hax.update_at result.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                i
-                (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce ((v
-                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ]
-                        <:
-                        i32) -!
-                      coefficient_normal_form
-                      <:
-                      i32)
-                  <:
-                  i32)
-            }
-            <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
-          in
-          result)
-  in
-  result
-
-let compute_ring_element_v
-      (v_K: usize)
-      (tt_as_ntt r_as_ntt: t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
-      (error_2_ message: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-    : Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-    Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
-  in
-  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end = v_K
-            }
-            <:
-            Core.Ops.Range.t_Range usize)
-        <:
-        Core.Ops.Range.t_Range usize)
-      result
-      (fun result i ->
-          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = result in
-          let i:usize = i in
-          let product:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-            Libcrux.Kem.Kyber.Ntt.ntt_multiply (tt_as_ntt.[ i ]
-                <:
-                Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-              (r_as_ntt.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-          in
-          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-            Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element v_K result product
-          in
-          result)
-  in
-  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-    Libcrux.Kem.Kyber.Ntt.invert_ntt_montgomery v_K result
-  in
-  let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-              Core.Ops.Range.f_start = sz 0;
-              Core.Ops.Range.f_end
-              =
-              Core.Slice.impl__len (Rust_primitives.unsize result
-                      .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                  <:
-                  t_Slice i32)
-              <:
-              usize
-            }
-            <:
-            Core.Ops.Range.t_Range usize)
-        <:
-        Core.Ops.Range.t_Range usize)
-      result
-      (fun result i ->
-          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement = result in
-          let i:usize = i in
-          let coefficient_normal_form:i32 =
-            Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((result
-                    .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ]
-                  <:
-                  i32) *!
-                1441l
-                <:
-                i32)
-          in
-          let result:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-            {
-              result with
-              Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-              =
-              Rust_primitives.Hax.update_at result.Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                i
-                (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce ((coefficient_normal_form +!
-                        (error_2_.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ] <: i32)
-                        <:
-                        i32) +!
-                      (message.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ] <: i32)
-                      <:
-                      i32)
-                  <:
-                  i32)
-            }
-            <:
-            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
-          in
-          result)
-  in
-  result
-
-let compute_vector_u
-      (v_K: usize)
-      (a_as_ntt:
-          t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K) v_K)
-      (r_as_ntt error_1_: t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
-    : t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-    Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__KyberPolynomialRingElement__ZERO
-      v_K
-  in
-  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-    Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
-              (Core.Slice.impl__iter (Rust_primitives.unsize a_as_ntt
-                    <:
-                    t_Slice (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K))
-                <:
-                Core.Slice.Iter.t_Iter
-                (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K))
-            <:
-            Core.Iter.Adapters.Enumerate.t_Enumerate
-            (Core.Slice.Iter.t_Iter
-              (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)))
-        <:
-        Core.Iter.Adapters.Enumerate.t_Enumerate
-        (Core.Slice.Iter.t_Iter
-          (t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)))
-      result
-      (fun result temp_1_ ->
-          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-            result
-          in
-          let i, row:(usize & t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K)
-          =
-            temp_1_
-          in
-          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-            Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate
-                      (Core.Slice.impl__iter (Rust_primitives.unsize row
-                            <:
-                            t_Slice Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                        <:
-                        Core.Slice.Iter.t_Iter
-                        Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                    <:
-                    Core.Iter.Adapters.Enumerate.t_Enumerate
-                    (Core.Slice.Iter.t_Iter
-                      Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement))
-                <:
-                Core.Iter.Adapters.Enumerate.t_Enumerate
-                (Core.Slice.Iter.t_Iter Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement))
-              result
-              (fun result temp_1_ ->
-                  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-                    result
-                  in
-                  let j, a_element:(usize &
-                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement) =
-                    temp_1_
-                  in
-                  let product:Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement =
-                    Libcrux.Kem.Kyber.Ntt.ntt_multiply a_element
-                      (r_as_ntt.[ j ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                  in
-                  let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-                    Rust_primitives.Hax.update_at result
-                      i
-                      (Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element v_K
-                          (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement
-                          )
-                          product
-                        <:
-                        Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                  in
-                  result)
-          in
-          let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-            Rust_primitives.Hax.update_at result
-              i
-              (Libcrux.Kem.Kyber.Ntt.invert_ntt_montgomery v_K
-                  (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                <:
-                Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-          in
-          Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
-                    Core.Ops.Range.f_start = sz 0;
-                    Core.Ops.Range.f_end
-                    =
-                    Core.Slice.impl__len (Rust_primitives.unsize (result.[ i ]
-                            <:
-                            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                            .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        <:
-                        t_Slice i32)
-                    <:
-                    usize
-                  }
-                  <:
-                  Core.Ops.Range.t_Range usize)
-              <:
-              Core.Ops.Range.t_Range usize)
-            result
-            (fun result j ->
-                let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-                  result
-                in
-                let j:usize = j in
-                let coefficient_normal_form:i32 =
-                  Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (((result.[ i ]
-                          <:
-                          Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                          .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ]
-                        <:
-                        i32) *!
-                      1441l
-                      <:
-                      i32)
-                in
-                let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement v_K =
-                  Rust_primitives.Hax.update_at result
-                    i
-                    ({
-                        (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement) with
-                        Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                        =
-                        Rust_primitives.Hax.update_at (result.[ i ]
-                            <:
-                            Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                            .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-                          j
-                          (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce (coefficient_normal_form +!
-                                ((error_1_.[ i ]
-                                    <:
-                                    Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                                    .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ]
-                                  <:
-                                  i32)
-                                <:
-                                i32)
-                            <:
-                            i32)
-                        <:
-                        t_Array i32 (sz 256)
-                      }
-                      <:
-                      Libcrux.Kem.Kyber.Arithmetic.t_KyberPolynomialRingElement)
-                in
-                result))
-  in
-  result

From 0637fcac856fa994bddb512a2576e1d45aca12b1 Mon Sep 17 00:00:00 2001
From: xvzcf <xvzcf@users.noreply.github.com>
Date: Fri, 24 Nov 2023 10:38:34 -0500
Subject: [PATCH 15/24] Add comments to ntt.rs.

---
 src/kem/kyber/matrix.rs |  3 +--
 src/kem/kyber/ntt.rs    | 18 ++++++++++++++----
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/src/kem/kyber/matrix.rs b/src/kem/kyber/matrix.rs
index 8ae35451b..61f2ea7bd 100644
--- a/src/kem/kyber/matrix.rs
+++ b/src/kem/kyber/matrix.rs
@@ -9,8 +9,7 @@ use super::{
 
 /// This file contains functions that compute various expressions involving
 /// vectors and matrices. The computation of these expressions has been
-/// abstracted away into these functions in order to save on loop iterations
-/// and make the code run faster.
+/// abstracted away into these functions in order to save on loop iterations.
 
 /// Compute v − NTT^{−1}(sˆT ◦ NTT(u))
 #[inline(always)]
diff --git a/src/kem/kyber/ntt.rs b/src/kem/kyber/ntt.rs
index 75fa49b4e..550749cc2 100644
--- a/src/kem/kyber/ntt.rs
+++ b/src/kem/kyber/ntt.rs
@@ -17,6 +17,8 @@ const ZETAS_TIMES_MONTGOMERY_R: [FieldElementTimesMontgomeryR; 128] = [
     -1530, -1278, 794, -1510, -854, -870, 478, -108, -308, 996, 991, 958, -1460, 1522, 1628,
 ];
 
+/// Represents an intermediate polynomial splitting step. All resulting coefficients
+/// are in the normal domain since the zetas have been multiplied by MONTGOMERY_R.
 macro_rules! ntt_at_layer {
     ($layer:literal, $zeta_i:ident, $re:ident, $initial_coefficient_bound:literal) => {
         let step = 1 << $layer;
@@ -42,9 +44,10 @@ macro_rules! ntt_at_layer {
     };
 }
 
-// Over time, all invocations of ntt_representation() will be replaced by
-// invocations to this function, upon which this function will be renamed back to
-// ntt_representation().
+/// This is the first of two functions that computes the NTT representation of
+/// ring elements. This one operates only on those which were produced by binomial
+/// sampling, and thus those which have small coefficients. The small
+/// coefficients let us skip the first round of Montgomery reductions.
 #[inline(always)]
 pub(in crate::kem::kyber) fn ntt_binomially_sampled_ring_element(
     mut re: PolynomialRingElement,
@@ -57,7 +60,7 @@ pub(in crate::kem::kyber) fn ntt_binomially_sampled_ring_element(
     let mut zeta_i = 0;
 
     // Due to the small coefficient bound, we can skip the first round of
-    // montgomery reductions.
+    // Montgomery reductions.
     zeta_i += 1;
 
     for j in 0..128 {
@@ -84,6 +87,9 @@ pub(in crate::kem::kyber) fn ntt_binomially_sampled_ring_element(
     re
 }
 
+/// This is the second of two functions that computes the NTT representation of
+/// ring elements. This one operates on the ring element that partly constitutes
+/// the ciphertext.
 #[inline(always)]
 pub(in crate::kem::kyber) fn ntt_vector_u<const VECTOR_U_COMPRESSION_FACTOR: usize>(
     mut re: PolynomialRingElement,
@@ -108,6 +114,8 @@ pub(in crate::kem::kyber) fn ntt_vector_u<const VECTOR_U_COMPRESSION_FACTOR: usi
     re
 }
 
+/// Compute the inverse NTT. The coefficients of the output ring element are in
+/// the Montgomery domain.
 #[inline(always)]
 pub(crate) fn invert_ntt_montgomery<const K: usize>(
     mut re: PolynomialRingElement,
@@ -179,6 +187,8 @@ fn ntt_multiply_binomials(
     )
 }
 
+/// Multiply two polynomial ring elements in the NTT domain. The output coefficients
+/// are in the Montgomery domain.
 #[inline(always)]
 pub(crate) fn ntt_multiply(
     left: &PolynomialRingElement,

From aaba34687ddc21b6a8ef5e769ea568764b915a53 Mon Sep 17 00:00:00 2001
From: xvzcf <xvzcf@users.noreply.github.com>
Date: Fri, 24 Nov 2023 11:02:54 -0500
Subject: [PATCH 16/24] Add lax typechecking to CI.

---
 .github/workflows/hax.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/hax.yml b/.github/workflows/hax.yml
index da9fe0183..12732f239 100644
--- a/.github/workflows/hax.yml
+++ b/.github/workflows/hax.yml
@@ -56,15 +56,15 @@ jobs:
         run: |
           eval $(opam env)
           ./hax-driver.py --kyber-reference
-          # Extract the functions in the compress module individually to test
-          # the function-extraction code.
-          # Extract functions from the remaining modules to test the
-          # module-extraction code.
           ./hax-driver.py --crate-path specs/kyber \
+            # Extract the functions in the compress module individually to test
+            # the function-extraction code.
             --functions hacspec_kyber::compress::compress \
                         hacspec_kyber::compress::decompress \
                         hacspec_kyber::compress::compress_d \
                         hacspec::kyber::compress::decompress_d \
+            # Extract functions from the remaining modules to test the
+            # module-extraction code.
             --modules ind_cpa \
                       hacspec_kyber \
                       matrix \
@@ -73,3 +73,4 @@ jobs:
                       sampling \
                       serialize \
             --exclude-modules libcrux::hacl::sha3 libcrux::digest
+           ./hax-driver.py typecheck --admit

From c23ba2e0311f966fbd6a5d13091f0a884dc0af61 Mon Sep 17 00:00:00 2001
From: xvzcf <xvzcf@users.noreply.github.com>
Date: Fri, 24 Nov 2023 11:21:46 -0500
Subject: [PATCH 17/24] 3329 -> FIELD_MODULUS in ntt.rs and update paths in
 hax.yml

---
 .github/workflows/hax.yml |  6 ++----
 src/kem/kyber/ntt.rs      | 19 ++++++++++---------
 2 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/hax.yml b/.github/workflows/hax.yml
index 12732f239..1f9536dbc 100644
--- a/.github/workflows/hax.yml
+++ b/.github/workflows/hax.yml
@@ -5,15 +5,13 @@ on:
     branches: ["dev"]
     paths:
       - 'specs/kyber/src/**'
-      - 'src/kem/kyber768/**'
-      - 'src/kem/kyber768.rs'
+      - 'src/kem/kyber/**'
 
   pull_request:
     branches: ["dev"]
     paths:
       - 'specs/kyber/src/**'
-      - 'src/kem/kyber768/**'
-      - 'src/kem/kyber768.rs'
+      - 'src/kem/kyber/**'
 
   schedule:
     - cron: '0 0 * * *'
diff --git a/src/kem/kyber/ntt.rs b/src/kem/kyber/ntt.rs
index 550749cc2..bc1d4fe15 100644
--- a/src/kem/kyber/ntt.rs
+++ b/src/kem/kyber/ntt.rs
@@ -3,7 +3,7 @@ use super::{
         barrett_reduce, montgomery_multiply_sfe_by_fer, montgomery_reduce, FieldElement,
         FieldElementTimesMontgomeryR, MontgomeryFieldElement, PolynomialRingElement,
     },
-    constants::COEFFICIENTS_IN_RING_ELEMENT,
+    constants::{COEFFICIENTS_IN_RING_ELEMENT, FIELD_MODULUS},
 };
 
 const ZETAS_TIMES_MONTGOMERY_R: [FieldElementTimesMontgomeryR; 128] = [
@@ -39,7 +39,8 @@ macro_rules! ntt_at_layer {
         }
 
         hax_lib::debug_assert!($re.coefficients.into_iter().all(|coefficient| {
-            coefficient.abs() < $initial_coefficient_bound + ((8 - $layer) * 3 * (3329 / 2))
+            coefficient.abs()
+                < $initial_coefficient_bound + ((8 - $layer) * ((3 * FIELD_MODULUS) / 2))
         }));
     };
 }
@@ -73,7 +74,7 @@ pub(in crate::kem::kyber) fn ntt_binomially_sampled_ring_element(
     hax_lib::debug_assert!(re
         .coefficients
         .into_iter()
-        .all(|coefficient| { coefficient.abs() < 3 + ((3 * 3329) / 2) }));
+        .all(|coefficient| { coefficient.abs() < 3 + ((3 * FIELD_MODULUS) / 2) }));
 
     ntt_at_layer!(6, zeta_i, re, 3);
     ntt_at_layer!(5, zeta_i, re, 3);
@@ -124,7 +125,7 @@ pub(crate) fn invert_ntt_montgomery<const K: usize>(
     hax_lib::debug_assert!(re
         .coefficients
         .into_iter()
-        .all(|coefficient| coefficient.abs() < (K as i32) * 3329));
+        .all(|coefficient| coefficient.abs() < (K as i32) * FIELD_MODULUS));
 
     let mut zeta_i = COEFFICIENTS_IN_RING_ELEMENT / 2;
 
@@ -159,15 +160,15 @@ pub(crate) fn invert_ntt_montgomery<const K: usize>(
     invert_ntt_at_layer!(7);
 
     hax_lib::debug_assert!(
-        re.coefficients[0].abs() < 128 * (K as i32) * 3329
-            && re.coefficients[1].abs() < 128 * (K as i32) * 3329
+        re.coefficients[0].abs() < 128 * (K as i32) * FIELD_MODULUS
+            && re.coefficients[1].abs() < 128 * (K as i32) * FIELD_MODULUS
     );
     hax_lib::debug_assert!(re
         .coefficients
         .into_iter()
         .enumerate()
         .skip(2)
-        .all(|(i, coefficient)| coefficient.abs() < (128 / (1 << i.ilog2())) * 3329));
+        .all(|(i, coefficient)| coefficient.abs() < (128 / (1 << i.ilog2())) * FIELD_MODULUS));
 
     for i in 0..8 {
         re.coefficients[i] = barrett_reduce(re.coefficients[i]);
@@ -201,7 +202,7 @@ pub(crate) fn ntt_multiply(
     hax_lib::debug_assert!(right
         .coefficients
         .into_iter()
-        .all(|coefficient| coefficient >= -3329 && coefficient <= 3329));
+        .all(|coefficient| coefficient >= -FIELD_MODULUS && coefficient <= FIELD_MODULUS));
 
     let mut out = PolynomialRingElement::ZERO;
 
@@ -226,7 +227,7 @@ pub(crate) fn ntt_multiply(
     hax_lib::debug_assert!(out
         .coefficients
         .into_iter()
-        .all(|coefficient| coefficient >= -3329 && coefficient <= 3329));
+        .all(|coefficient| coefficient >= -FIELD_MODULUS && coefficient <= FIELD_MODULUS));
 
     out
 }

From ce756a665514a025464cc93d62a41586a68b8ec0 Mon Sep 17 00:00:00 2001
From: xvzcf <xvzcf@users.noreply.github.com>
Date: Fri, 24 Nov 2023 11:23:02 -0500
Subject: [PATCH 18/24] Add cfg guard in ntt.rs

---
 src/kem/kyber/ntt.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/kem/kyber/ntt.rs b/src/kem/kyber/ntt.rs
index bc1d4fe15..e13312b5a 100644
--- a/src/kem/kyber/ntt.rs
+++ b/src/kem/kyber/ntt.rs
@@ -3,9 +3,12 @@ use super::{
         barrett_reduce, montgomery_multiply_sfe_by_fer, montgomery_reduce, FieldElement,
         FieldElementTimesMontgomeryR, MontgomeryFieldElement, PolynomialRingElement,
     },
-    constants::{COEFFICIENTS_IN_RING_ELEMENT, FIELD_MODULUS},
+    constants::COEFFICIENTS_IN_RING_ELEMENT,
 };
 
+#[cfg(not(hax))]
+use super::constants::FIELD_MODULUS;
+
 const ZETAS_TIMES_MONTGOMERY_R: [FieldElementTimesMontgomeryR; 128] = [
     -1044, -758, -359, -1517, 1493, 1422, 287, 202, -171, 622, 1577, 182, 962, -1202, -1474, 1468,
     573, -1325, 264, 383, -829, 1458, -1602, -130, -681, 1017, 732, 608, -1542, 411, -205, -1571,

From 180e67c1f15e71cb42293c9e9faa3cd1996c21f6 Mon Sep 17 00:00:00 2001
From: xvzcf <xvzcf@users.noreply.github.com>
Date: Fri, 24 Nov 2023 11:46:48 -0500
Subject: [PATCH 19/24] Fixed silly mistake in hax.yml

---
 .github/workflows/hax.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/hax.yml b/.github/workflows/hax.yml
index 1f9536dbc..0aad9efd6 100644
--- a/.github/workflows/hax.yml
+++ b/.github/workflows/hax.yml
@@ -54,15 +54,15 @@ jobs:
         run: |
           eval $(opam env)
           ./hax-driver.py --kyber-reference
+          # Extract the functions in the compress module individually to test
+          # the function-extraction code.
+          # Extract functions from the remaining modules to test the
+          # module-extraction code.
           ./hax-driver.py --crate-path specs/kyber \
-            # Extract the functions in the compress module individually to test
-            # the function-extraction code.
             --functions hacspec_kyber::compress::compress \
                         hacspec_kyber::compress::decompress \
                         hacspec_kyber::compress::compress_d \
                         hacspec::kyber::compress::decompress_d \
-            # Extract functions from the remaining modules to test the
-            # module-extraction code.
             --modules ind_cpa \
                       hacspec_kyber \
                       matrix \

From 063f95fcaee86f3c8b5ab5d149ecf96dda02acc6 Mon Sep 17 00:00:00 2001
From: xvzcf <xvzcf@users.noreply.github.com>
Date: Fri, 24 Nov 2023 12:46:04 -0500
Subject: [PATCH 20/24] Get Fstar binaries in hax.yml.

---
 .github/workflows/hax.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.github/workflows/hax.yml b/.github/workflows/hax.yml
index 0aad9efd6..d2b3cb96b 100644
--- a/.github/workflows/hax.yml
+++ b/.github/workflows/hax.yml
@@ -37,6 +37,13 @@ jobs:
         with:
           ocaml-compiler: 4.14.1
 
+      - name: ⤵ Get Fstar binaries
+        run: |
+          curl -L https://github.com/FStarLang/FStar/releases/download/v2023.09.03/fstar_2023.09.03_Linux_x86_64.tar.gz \
+            --output Fstar.tar.gz \
+          tar --extract --verbose --file Fstar.tar.gz
+          mv fstar Fstar
+
       - name: ⤵ Clone hax repository
         uses: actions/checkout@v4
         with:

From f50ef7e339a57ff71e15dea6be8c9b8377101a97 Mon Sep 17 00:00:00 2001
From: xvzcf <xvzcf@users.noreply.github.com>
Date: Fri, 24 Nov 2023 12:49:08 -0500
Subject: [PATCH 21/24] Remove spurious slash in hax.yml

---
 .github/workflows/hax.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/hax.yml b/.github/workflows/hax.yml
index d2b3cb96b..abcfcf2d0 100644
--- a/.github/workflows/hax.yml
+++ b/.github/workflows/hax.yml
@@ -40,7 +40,7 @@ jobs:
       - name: ⤵ Get Fstar binaries
         run: |
           curl -L https://github.com/FStarLang/FStar/releases/download/v2023.09.03/fstar_2023.09.03_Linux_x86_64.tar.gz \
-            --output Fstar.tar.gz \
+            --output Fstar.tar.gz
           tar --extract --verbose --file Fstar.tar.gz
           mv fstar Fstar
 

From 48c942d21208876a7bcea026bf14c999618b2e03 Mon Sep 17 00:00:00 2001
From: xvzcf <xvzcf@users.noreply.github.com>
Date: Fri, 24 Nov 2023 13:28:19 -0500
Subject: [PATCH 22/24] Debug hax ci

---
 .github/workflows/hax.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/hax.yml b/.github/workflows/hax.yml
index abcfcf2d0..ab4db07d7 100644
--- a/.github/workflows/hax.yml
+++ b/.github/workflows/hax.yml
@@ -41,8 +41,11 @@ jobs:
         run: |
           curl -L https://github.com/FStarLang/FStar/releases/download/v2023.09.03/fstar_2023.09.03_Linux_x86_64.tar.gz \
             --output Fstar.tar.gz
-          tar --extract --verbose --file Fstar.tar.gz
+          tar --extract --file Fstar.tar.gz
           mv fstar Fstar
+          ls /home/runner/work
+          ls /home/runner/work/libcrux/libcrux/../hax/proof-libs/fstar/../../../
+          false
 
       - name: ⤵ Clone hax repository
         uses: actions/checkout@v4

From 7bbb4723b8b502996e1503936ae82d36c281c824 Mon Sep 17 00:00:00 2001
From: xvzcf <xvzcf@users.noreply.github.com>
Date: Fri, 24 Nov 2023 13:31:25 -0500
Subject: [PATCH 23/24] Debug hax ci

---
 .github/workflows/hax.yml | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/hax.yml b/.github/workflows/hax.yml
index ab4db07d7..c80b6d385 100644
--- a/.github/workflows/hax.yml
+++ b/.github/workflows/hax.yml
@@ -42,10 +42,12 @@ jobs:
           curl -L https://github.com/FStarLang/FStar/releases/download/v2023.09.03/fstar_2023.09.03_Linux_x86_64.tar.gz \
             --output Fstar.tar.gz
           tar --extract --file Fstar.tar.gz
-          mv fstar Fstar
-          ls /home/runner/work
-          ls /home/runner/work/libcrux/libcrux/../hax/proof-libs/fstar/../../../
-          false
+
+      - name: ⤵ Clone HACL-star repository
+        uses: actions/checkout@v4
+        with:
+          repository: hacl-star/hacl-star
+          path: hacl-star
 
       - name: ⤵ Clone hax repository
         uses: actions/checkout@v4
@@ -60,12 +62,20 @@ jobs:
           sudo apt-get install --yes nodejs
           ./setup.sh
 
-      - name: 🏃🏻‍♀️ Run hax extraction
+      - name: 🏃 Extract and lax-typecheck the Kyber reference code
         run: |
           eval $(opam env)
           ./hax-driver.py --kyber-reference
+          env FSTAR_HOME=${{ github.workspace }}/fstar \
+              HACL_HOME=${{ github.workspace }}/hacl-star \
+              HAX_LIBS_HOME=${{ github.workspace }}/hax/proof-libs/fstar \
+              PATH="${PATH}:${{ github.workspace }}/fstar/bin" \
+              ./hax-driver.py typecheck --admit
+
+      - name: 🏃 Extract the Kyber specification
+        run: |
           # Extract the functions in the compress module individually to test
-          # the function-extraction code.
+            # the function-extraction code.
           # Extract functions from the remaining modules to test the
           # module-extraction code.
           ./hax-driver.py --crate-path specs/kyber \
@@ -81,4 +91,3 @@ jobs:
                       sampling \
                       serialize \
             --exclude-modules libcrux::hacl::sha3 libcrux::digest
-           ./hax-driver.py typecheck --admit

From be406ddf9cafc9645011c279ad448a35ef41de17 Mon Sep 17 00:00:00 2001
From: xvzcf <xvzcf@users.noreply.github.com>
Date: Fri, 24 Nov 2023 16:00:00 -0500
Subject: [PATCH 24/24] CI should work now?

---
 .github/workflows/hax.yml |  1 +
 hax-driver.py             | 10 ++++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/hax.yml b/.github/workflows/hax.yml
index c80b6d385..98d1038ac 100644
--- a/.github/workflows/hax.yml
+++ b/.github/workflows/hax.yml
@@ -74,6 +74,7 @@ jobs:
 
       - name: 🏃 Extract the Kyber specification
         run: |
+          eval $(opam env)
           # Extract the functions in the compress module individually to test
             # the function-extraction code.
           # Extract functions from the remaining modules to test the
diff --git a/hax-driver.py b/hax-driver.py
index 11e483d3c..8d72fbfcc 100755
--- a/hax-driver.py
+++ b/hax-driver.py
@@ -130,12 +130,16 @@ def shell(command, expect=0, cwd=None, env={}):
 cargo_hax_into = ["cargo", "hax", "into"]
 hax_env = {}
 
+exclude_sha3_implementations = "-libcrux::hacl::sha3::** -libcrux::jasmin::sha3::**"
+
 if options.kyber_reference:
     shell(
         cargo_hax_into
         + [
             "-i",
-            "-** +libcrux::kem::kyber::** -libcrux::hacl::sha3::** -libcrux::digest::** -libcrux::**::types::index_impls::**",
+            "-** +libcrux::kem::kyber::** {} -libcrux::digest::** -libcrux::**::types::index_impls::**".format(
+                exclude_sha3_implementations
+            ),
             "fstar",
         ],
         cwd=".",
@@ -146,7 +150,9 @@ def shell(command, expect=0, cwd=None, env={}):
         cargo_hax_into
         + [
             "-i",
-            "-** +compress::* +ind_cpa::* +hacspec_kyber::* +matrix::* +ntt::* +parameters::* +sampling::* +serialize::* -libcrux::hacl::sha3::* -libcrux::digest::*",
+            "-** +compress::* +ind_cpa::* +hacspec_kyber::* +matrix::* +ntt::* +parameters::* +sampling::* +serialize::* {} -libcrux::digest::*".format(
+                exclude_sha3_implementations
+            ),
             "fstar",
         ],
         cwd=os.path.join("specs", "kyber"),