Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

More kyber code refactoring #135

Merged
merged 24 commits into from
Nov 25, 2023
Merged

More kyber code refactoring #135

Show file tree
Hide file tree
Changes from 10 commits
Commits
Show all changes
24 commits
Select commit Hold shift + click to select a range
df46ee4
Break out matrix multiplication code in ntt.rs.
xvzcf Nov 20, 2023
da0f6cc
KyberPolynomialRingElement -> PolynomialRingElement.
xvzcf Nov 20, 2023
0e4d182
KyberFieldElement -> FieldElement.
xvzcf Nov 20, 2023
81369f8
Added some types related to montgomery reduction
xvzcf Nov 20, 2023
0f79ee7
FieldElement -> StandardFieldElement.
xvzcf Nov 20, 2023
c9bd0db
More annotating with type aliases.
xvzcf Nov 21, 2023
710f698
cbd -> sample_vector_cbd_then_ntt.
xvzcf Nov 21, 2023
1da97ad
Make message compression and decompression constant time.
xvzcf Nov 22, 2023
24be1ba
Refine preconditions in compress.
xvzcf Nov 22, 2023
2c3b985
Convert (invert_)ntt_at_layer macros to functions.
xvzcf Nov 22, 2023
9731506
Review comments.
xvzcf Nov 23, 2023
96787ce
Revert "Convert (invert_)ntt_at_layer macros to functions."
xvzcf Nov 23, 2023
7579051
Re-extract Kyber fstar code with latest karthik/core-for-kyber hax co…
xvzcf Nov 23, 2023
19044b8
Fix fstar lax-typechecking.
xvzcf Nov 24, 2023
0637fca
Add comments to ntt.rs.
xvzcf Nov 24, 2023
aaba346
Add lax typechecking to CI.
xvzcf Nov 24, 2023
c23ba2e
3329 -> FIELD_MODULUS in ntt.rs and update paths in hax.yml
xvzcf Nov 24, 2023
ce756a6
Add cfg guard in ntt.rs
xvzcf Nov 24, 2023
180e67c
Fixed silly mistake in hax.yml
xvzcf Nov 24, 2023
063f95f
Get Fstar binaries in hax.yml.
xvzcf Nov 24, 2023
f50ef7e
Remove spurious slash in hax.yml
xvzcf Nov 24, 2023
48c942d
Debug hax ci
xvzcf Nov 24, 2023
7bbb472
Debug hax ci
xvzcf Nov 24, 2023
be406dd
CI should work now?
xvzcf Nov 24, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 18 additions & 9 deletions proofs/fstar/extraction/Libcrux.Kem.Kyber.Arithmetic.fst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,13 @@ open Core
open FStar.Mul

unfold
let t_KyberFieldElement = i32
let t_FieldElementTimesMontgomeryR = i32

unfold
let t_MontgomeryFieldElement = i32

unfold
let t_StandardFieldElement = i32

let v_BARRETT_MULTIPLIER: i64 = 20159L

Expand Down Expand Up @@ -80,6 +86,10 @@ let montgomery_reduce (value: i32)
let value_high:i32 = value >>! v_MONTGOMERY_SHIFT in
value_high -! c

let montgomery_multiply_sfe_by_fer (fe fer: i32) : i32 = montgomery_reduce (fe *! fer <: i32)

let to_standard_domain (mfe: i32) : i32 = montgomery_reduce (mfe *! 1353l <: i32)

let to_unsigned_representative (fe: i32)
: Prims.Pure u16
(requires
Expand All @@ -95,16 +105,15 @@ let to_unsigned_representative (fe: i32)
<:
u16

type t_KyberPolynomialRingElement = { f_coefficients:t_Array i32 (sz 256) }
type t_PolynomialRingElement = { f_coefficients:t_Array i32 (sz 256) }

let impl__KyberPolynomialRingElement__ZERO: t_KyberPolynomialRingElement =
{ f_coefficients = Rust_primitives.Hax.repeat 0l (sz 256) } <: t_KyberPolynomialRingElement
let impl__PolynomialRingElement__ZERO: t_PolynomialRingElement =
{ f_coefficients = Rust_primitives.Hax.repeat 0l (sz 256) } <: t_PolynomialRingElement

let add_to_ring_element (v_K: usize) (lhs rhs: t_KyberPolynomialRingElement)
: t_KyberPolynomialRingElement =
let add_to_ring_element (v_K: usize) (lhs rhs: t_PolynomialRingElement) : t_PolynomialRingElement =
let _:Prims.unit = () <: Prims.unit in
let _:Prims.unit = () <: Prims.unit in
let lhs:t_KyberPolynomialRingElement =
let lhs:t_PolynomialRingElement =
Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
Core.Ops.Range.f_start = sz 0;
Core.Ops.Range.f_end
Expand All @@ -119,7 +128,7 @@ let add_to_ring_element (v_K: usize) (lhs rhs: t_KyberPolynomialRingElement)
Core.Ops.Range.t_Range usize)
lhs
(fun lhs i ->
let lhs:t_KyberPolynomialRingElement = lhs in
let lhs:t_PolynomialRingElement = lhs in
let i:usize = i in
{
lhs with
Expand All @@ -132,7 +141,7 @@ let add_to_ring_element (v_K: usize) (lhs rhs: t_KyberPolynomialRingElement)
t_Array i32 (sz 256)
}
<:
t_KyberPolynomialRingElement)
t_PolynomialRingElement)
in
let _:Prims.unit = () <: Prims.unit in
lhs
29 changes: 23 additions & 6 deletions proofs/fstar/extraction/Libcrux.Kem.Kyber.Compress.fst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,21 +3,31 @@ module Libcrux.Kem.Kyber.Compress
open Core
open FStar.Mul

let compress_message_coefficient (fe: u16)
: Prims.Pure u8
(requires fe <. (cast (Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32) <: u16))
(fun _ -> Prims.l_True) =
let (shifted: i16):i16 = 1664s -! (cast (fe <: u16) <: i16) in
let shifted_to_positive:i16 = (shifted >>! 15l <: i16) ^. shifted in
let shifted_positive_in_range:i16 = shifted_to_positive -! 832s in
cast ((shifted_positive_in_range >>! 15l <: i16) &. 1s <: i16) <: u8

let get_n_least_significant_bits (n: u8) (value: u32)
: Prims.Pure u32
(requires n >. 0uy && n <=. 11uy)
(requires n =. 4uy || n =. 5uy || n =. 10uy || n =. 11uy)
(ensures
fun result ->
let result:u32 = result in
result <. (Core.Num.impl__u32__pow 2ul (Core.Convert.f_into n <: u32) <: u32)) =
let _:Prims.unit = () <: Prims.unit in
value &. ((1ul <<! n <: u32) -! 1ul <: u32)

let compress_q (coefficient_bits: u8) (fe: u16)
let compress_ciphertext_coefficient (coefficient_bits: u8) (fe: u16)
: Prims.Pure i32
(requires
coefficient_bits >. 0uy && coefficient_bits <=. 11uy &&
fe <=. (cast (Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32) <: u16))
(coefficient_bits =. 4uy || coefficient_bits =. 5uy || coefficient_bits =. 10uy ||
coefficient_bits =. 11uy) &&
fe <. (cast (Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32) <: u16))
(ensures
fun result ->
let result:i32 = result in
Expand All @@ -34,10 +44,12 @@ let compress_q (coefficient_bits: u8) (fe: u16)
in
cast (get_n_least_significant_bits coefficient_bits compressed <: u32) <: i32

let decompress_q (coefficient_bits: u8) (fe: i32)
let decompress_ciphertext_coefficient (coefficient_bits: u8) (fe: i32)
: Prims.Pure i32
(requires
coefficient_bits >. 0uy && coefficient_bits <=. 11uy && fe >=. 0l &&
(coefficient_bits =. 4uy || coefficient_bits =. 5uy || coefficient_bits =. 10uy ||
coefficient_bits =. 11uy) &&
fe >=. 0l &&
fe <. (Core.Num.impl__i32__pow 2l (cast (coefficient_bits <: u8) <: u32) <: i32))
(ensures
fun result ->
Expand All @@ -51,3 +63,8 @@ let decompress_q (coefficient_bits: u8) (fe: i32)
let decompressed:u32 = (decompressed <<! 1l <: u32) +! (1ul <<! coefficient_bits <: u32) in
let decompressed:u32 = decompressed >>! (coefficient_bits +! 1uy <: u8) in
cast (decompressed <: u32) <: i32

let decompress_message_coefficient (fe: i32)
: Prims.Pure i32 (requires fe =. 0l || fe =. 1l) (fun _ -> Prims.l_True) =
(Core.Ops.Arith.Neg.neg fe <: i32) &.
((Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS +! 1l <: i32) /! 2l <: i32)
Loading