From 436d7fe3932e25bba2ed2722dfd1df41179a3703 Mon Sep 17 00:00:00 2001 
From: Maxime Buyse Date: Mon, 20 Jan 2025 12:39:40 +0100 Subject: [PATCH] Adapt to new hax ordering. --- .../extraction/Libcrux_ml_dsa.Arithmetic.fst | 396 ++--- .../extraction/Libcrux_ml_dsa.Arithmetic.fsti | 38 +- .../Libcrux_ml_dsa.Constants.Ml_dsa_44_.fsti | 18 +- .../Libcrux_ml_dsa.Constants.Ml_dsa_65_.fsti | 18 +- .../Libcrux_ml_dsa.Constants.Ml_dsa_87_.fsti | 18 +- .../extraction/Libcrux_ml_dsa.Constants.fst | 58 +- .../extraction/Libcrux_ml_dsa.Constants.fsti | 86 +- .../Libcrux_ml_dsa.Encoding.Error.fst | 100 +- .../Libcrux_ml_dsa.Encoding.Error.fsti | 16 +- .../Libcrux_ml_dsa.Encoding.Gamma1.fst | 104 +- .../Libcrux_ml_dsa.Encoding.Gamma1.fsti | 16 +- .../Libcrux_ml_dsa.Encoding.Signature.fst | 232 +-- .../Libcrux_ml_dsa.Encoding.Signature.fsti | 22 +- .../extraction/Libcrux_ml_dsa.Encoding.T0.fst | 94 +- .../Libcrux_ml_dsa.Encoding.T0.fsti | 14 +- .../extraction/Libcrux_ml_dsa.Encoding.T1.fst | 98 +- .../Libcrux_ml_dsa.Encoding.T1.fsti | 16 +- ...bcrux_ml_dsa.Encoding.Verification_key.fst | 112 +- ...crux_ml_dsa.Encoding.Verification_key.fsti | 16 +- .../Libcrux_ml_dsa.Hash_functions.Neon.fst | 104 +- .../Libcrux_ml_dsa.Hash_functions.Neon.fsti | 54 +- ...Libcrux_ml_dsa.Hash_functions.Portable.fst | 142 +- ...ibcrux_ml_dsa.Hash_functions.Portable.fsti | 80 +- ...ibcrux_ml_dsa.Hash_functions.Shake128.fsti | 8 +- ...ibcrux_ml_dsa.Hash_functions.Shake256.fsti | 44 +- .../Libcrux_ml_dsa.Hash_functions.Simd256.fst | 146 +- ...Libcrux_ml_dsa.Hash_functions.Simd256.fsti | 80 +- .../extraction/Libcrux_ml_dsa.Matrix.fst | 124 +- .../extraction/Libcrux_ml_dsa.Matrix.fsti | 32 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst | 28 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti | 28 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst | 28 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti | 28 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst | 28 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti | 28 +- ...generic.Instantiations.Avx2.Ml_dsa_44_.fst | 168 +- 
...eneric.Instantiations.Avx2.Ml_dsa_44_.fsti | 92 +- ...generic.Instantiations.Avx2.Ml_dsa_65_.fst | 168 +- ...eneric.Instantiations.Avx2.Ml_dsa_65_.fsti | 92 +- ...generic.Instantiations.Avx2.Ml_dsa_87_.fst | 168 +- ...eneric.Instantiations.Avx2.Ml_dsa_87_.fsti | 92 +- ...generic.Instantiations.Neon.Ml_dsa_44_.fst | 104 +- ...eneric.Instantiations.Neon.Ml_dsa_44_.fsti | 50 +- ...generic.Instantiations.Neon.Ml_dsa_65_.fst | 104 +- ...eneric.Instantiations.Neon.Ml_dsa_65_.fsti | 50 +- ...generic.Instantiations.Neon.Ml_dsa_87_.fst | 104 +- ...eneric.Instantiations.Neon.Ml_dsa_87_.fsti | 50 +- ...ric.Instantiations.Portable.Ml_dsa_44_.fst | 98 +- ...ic.Instantiations.Portable.Ml_dsa_44_.fsti | 50 +- ...ric.Instantiations.Portable.Ml_dsa_65_.fst | 98 +- ...ic.Instantiations.Portable.Ml_dsa_65_.fsti | 50 +- ...ric.Instantiations.Portable.Ml_dsa_87_.fst | 98 +- ...ic.Instantiations.Portable.Ml_dsa_87_.fsti | 50 +- ...bcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst | 592 +++---- ...crux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fsti | 108 +- ...bcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst | 592 +++---- ...crux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fsti | 108 +- ...bcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst | 592 +++---- ...crux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fsti | 108 +- ...Ml_dsa_generic.Multiplexing.Ml_dsa_44_.fst | 146 +- ...l_dsa_generic.Multiplexing.Ml_dsa_44_.fsti | 34 +- ...Ml_dsa_generic.Multiplexing.Ml_dsa_65_.fst | 146 +- ...l_dsa_generic.Multiplexing.Ml_dsa_65_.fsti | 34 +- ...Ml_dsa_generic.Multiplexing.Ml_dsa_87_.fst | 146 +- ...l_dsa_generic.Multiplexing.Ml_dsa_87_.fsti | 34 +- .../fstar/extraction/Libcrux_ml_dsa.Ntt.fst | 8 +- .../fstar/extraction/Libcrux_ml_dsa.Ntt.fsti | 4 +- .../extraction/Libcrux_ml_dsa.Polynomial.fst | 198 +-- .../extraction/Libcrux_ml_dsa.Polynomial.fsti | 26 +- .../extraction/Libcrux_ml_dsa.Pre_hash.fst | 78 +- .../extraction/Libcrux_ml_dsa.Pre_hash.fsti | 52 +- .../extraction/Libcrux_ml_dsa.Sample.fst | 1536 ++++++++--------- 
.../extraction/Libcrux_ml_dsa.Sample.fsti | 104 +- .../Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst | 266 +-- .../Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti | 30 +- ...ibcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst | 182 +- ...bcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti | 32 +- ...bcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst | 282 +-- ...crux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti | 48 +- .../Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst | 110 +- .../Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti | 6 +- .../Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti | 4 +- .../Libcrux_ml_dsa.Simd.Avx2.Invntt.fst | 198 +-- .../Libcrux_ml_dsa.Simd.Avx2.Invntt.fsti | 36 +- .../Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti | 12 +- ...d.Avx2.Rejection_sample.Shuffle_table.fsti | 12 +- .../Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst | 30 +- .../Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti | 18 +- ...ibcrux_ml_dsa.Simd.Portable.Arithmetic.fst | 476 ++--- ...bcrux_ml_dsa.Simd.Portable.Arithmetic.fsti | 58 +- ...ux_ml_dsa.Simd.Portable.Encoding.Error.fst | 288 ++-- ...x_ml_dsa.Simd.Portable.Encoding.Error.fsti | 40 +- ...x_ml_dsa.Simd.Portable.Encoding.Gamma1.fst | 342 ++-- ..._ml_dsa.Simd.Portable.Encoding.Gamma1.fsti | 48 +- ...bcrux_ml_dsa.Simd.Portable.Encoding.T0.fst | 276 +-- ...crux_ml_dsa.Simd.Portable.Encoding.T0.fsti | 10 +- ...bcrux_ml_dsa.Simd.Portable.Encoding.T1.fst | 122 +- ...crux_ml_dsa.Simd.Portable.Encoding.T1.fsti | 10 +- .../Libcrux_ml_dsa.Simd.Portable.Invntt.fst | 480 +++--- .../Libcrux_ml_dsa.Simd.Portable.Invntt.fsti | 28 +- .../Libcrux_ml_dsa.Simd.Portable.Ntt.fst | 472 ++--- .../Libcrux_ml_dsa.Simd.Portable.Ntt.fsti | 28 +- .../Libcrux_ml_dsa.Simd.Portable.Sample.fst | 62 +- .../Libcrux_ml_dsa.Simd.Portable.Sample.fsti | 6 +- ...bcrux_ml_dsa.Simd.Portable.Vector_type.fst | 8 +- ...crux_ml_dsa.Simd.Portable.Vector_type.fsti | 6 +- .../Libcrux_ml_dsa.Simd.Traits.fsti | 18 +- .../fstar/extraction/Libcrux_ml_dsa.Types.fst | 90 +- .../extraction/Libcrux_ml_dsa.Types.fsti | 126 +- 
.../Libcrux_ml_kem.Constant_time_ops.fst | 6 +- .../Libcrux_ml_kem.Constant_time_ops.fsti | 16 +- .../extraction/Libcrux_ml_kem.Constants.fsti | 10 +- .../Libcrux_ml_kem.Hash_functions.Avx2.fst | 12 +- .../Libcrux_ml_kem.Hash_functions.Avx2.fsti | 6 +- .../Libcrux_ml_kem.Hash_functions.Neon.fst | 12 +- .../Libcrux_ml_kem.Hash_functions.Neon.fsti | 6 +- ...Libcrux_ml_kem.Hash_functions.Portable.fst | 12 +- ...ibcrux_ml_kem.Hash_functions.Portable.fsti | 6 +- ...m.Ind_cca.Instantiations.Avx2.Unpacked.fst | 184 +- ....Ind_cca.Instantiations.Avx2.Unpacked.fsti | 202 +-- ...rux_ml_kem.Ind_cca.Instantiations.Avx2.fst | 110 +- ...ux_ml_kem.Ind_cca.Instantiations.Avx2.fsti | 164 +- ...m.Ind_cca.Instantiations.Neon.Unpacked.fst | 108 +- ....Ind_cca.Instantiations.Neon.Unpacked.fsti | 118 +- ...rux_ml_kem.Ind_cca.Instantiations.Neon.fst | 68 +- ...ux_ml_kem.Ind_cca.Instantiations.Neon.fsti | 94 +- ...d_cca.Instantiations.Portable.Unpacked.fst | 108 +- ..._cca.Instantiations.Portable.Unpacked.fsti | 118 +- ...ml_kem.Ind_cca.Instantiations.Portable.fst | 68 +- ...l_kem.Ind_cca.Instantiations.Portable.fsti | 94 +- .../Libcrux_ml_kem.Ind_cca.Multiplexing.fst | 92 +- .../Libcrux_ml_kem.Ind_cca.Multiplexing.fsti | 52 +- .../Libcrux_ml_kem.Ind_cca.Unpacked.fst | 404 ++--- .../Libcrux_ml_kem.Ind_cca.Unpacked.fsti | 164 +- .../extraction/Libcrux_ml_kem.Ind_cca.fst | 254 +-- .../extraction/Libcrux_ml_kem.Ind_cca.fsti | 116 +- .../extraction/Libcrux_ml_kem.Ind_cpa.fst | 1014 +++++------ .../extraction/Libcrux_ml_kem.Ind_cpa.fsti | 280 +-- .../extraction/Libcrux_ml_kem.Invert_ntt.fst | 40 +- .../extraction/Libcrux_ml_kem.Invert_ntt.fsti | 44 +- .../extraction/Libcrux_ml_kem.Matrix.fst | 190 +- .../extraction/Libcrux_ml_kem.Matrix.fsti | 56 +- ...Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst | 152 +- ...ibcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti | 136 +- .../Libcrux_ml_kem.Mlkem1024.Avx2.fst | 38 +- .../Libcrux_ml_kem.Mlkem1024.Avx2.fsti | 34 +- ...Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst 
| 152 +- ...ibcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti | 144 +- .../Libcrux_ml_kem.Mlkem1024.Neon.fst | 38 +- .../Libcrux_ml_kem.Mlkem1024.Neon.fsti | 34 +- ...rux_ml_kem.Mlkem1024.Portable.Unpacked.fst | 152 +- ...ux_ml_kem.Mlkem1024.Portable.Unpacked.fsti | 144 +- .../Libcrux_ml_kem.Mlkem1024.Portable.fst | 38 +- .../Libcrux_ml_kem.Mlkem1024.Portable.fsti | 34 +- .../Libcrux_ml_kem.Mlkem1024.Rand.fst | 30 +- .../Libcrux_ml_kem.Mlkem1024.Rand.fsti | 22 +- .../extraction/Libcrux_ml_kem.Mlkem1024.fst | 36 +- .../extraction/Libcrux_ml_kem.Mlkem1024.fsti | 90 +- .../Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst | 150 +- ...Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti | 132 +- .../Libcrux_ml_kem.Mlkem512.Avx2.fst | 38 +- .../Libcrux_ml_kem.Mlkem512.Avx2.fsti | 34 +- .../Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst | 150 +- ...Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti | 140 +- .../Libcrux_ml_kem.Mlkem512.Neon.fst | 38 +- .../Libcrux_ml_kem.Mlkem512.Neon.fsti | 34 +- ...crux_ml_kem.Mlkem512.Portable.Unpacked.fst | 152 +- ...rux_ml_kem.Mlkem512.Portable.Unpacked.fsti | 140 +- .../Libcrux_ml_kem.Mlkem512.Portable.fst | 38 +- .../Libcrux_ml_kem.Mlkem512.Portable.fsti | 34 +- .../Libcrux_ml_kem.Mlkem512.Rand.fst | 34 +- .../Libcrux_ml_kem.Mlkem512.Rand.fsti | 22 +- .../extraction/Libcrux_ml_kem.Mlkem512.fst | 36 +- .../extraction/Libcrux_ml_kem.Mlkem512.fsti | 90 +- .../Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst | 152 +- ...Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti | 134 +- .../Libcrux_ml_kem.Mlkem768.Avx2.fst | 38 +- .../Libcrux_ml_kem.Mlkem768.Avx2.fsti | 34 +- .../Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst | 152 +- ...Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti | 142 +- .../Libcrux_ml_kem.Mlkem768.Neon.fst | 38 +- .../Libcrux_ml_kem.Mlkem768.Neon.fsti | 34 +- ...crux_ml_kem.Mlkem768.Portable.Unpacked.fst | 152 +- ...rux_ml_kem.Mlkem768.Portable.Unpacked.fsti | 142 +- .../Libcrux_ml_kem.Mlkem768.Portable.fst | 38 +- .../Libcrux_ml_kem.Mlkem768.Portable.fsti | 34 +- 
.../Libcrux_ml_kem.Mlkem768.Rand.fst | 30 +- .../Libcrux_ml_kem.Mlkem768.Rand.fsti | 22 +- .../extraction/Libcrux_ml_kem.Mlkem768.fst | 36 +- .../extraction/Libcrux_ml_kem.Mlkem768.fsti | 90 +- .../fstar/extraction/Libcrux_ml_kem.Ntt.fst | 182 +- .../fstar/extraction/Libcrux_ml_kem.Ntt.fsti | 84 +- .../extraction/Libcrux_ml_kem.Polynomial.fst | 496 +++--- .../extraction/Libcrux_ml_kem.Polynomial.fsti | 146 +- .../extraction/Libcrux_ml_kem.Serialize.fst | 700 ++++---- .../extraction/Libcrux_ml_kem.Serialize.fsti | 248 +-- .../fstar/extraction/Libcrux_ml_kem.Types.fst | 252 +-- .../fstar/extraction/Libcrux_ml_kem.Utils.fst | 84 +- .../extraction/Libcrux_ml_kem.Utils.fsti | 20 +- .../extraction/Libcrux_ml_kem.Variant.fsti | 16 +- .../Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst | 190 +- ...Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti | 76 +- .../Libcrux_ml_kem.Vector.Avx2.Compress.fst | 66 +- .../Libcrux_ml_kem.Vector.Avx2.Compress.fsti | 6 +- .../Libcrux_ml_kem.Vector.Avx2.Ntt.fst | 132 +- .../Libcrux_ml_kem.Vector.Avx2.Ntt.fsti | 16 +- .../Libcrux_ml_kem.Vector.Avx2.Serialize.fst | 482 +++--- .../Libcrux_ml_kem.Vector.Avx2.Serialize.fsti | 70 +- .../extraction/Libcrux_ml_kem.Vector.Avx2.fst | 128 +- .../Libcrux_ml_kem.Vector.Avx2.fsti | 154 +- .../Libcrux_ml_kem.Vector.Neon.Arithmetic.fst | 180 +- ...Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti | 26 +- .../Libcrux_ml_kem.Vector.Neon.Compress.fst | 150 +- .../Libcrux_ml_kem.Vector.Neon.Compress.fsti | 14 +- .../Libcrux_ml_kem.Vector.Neon.Ntt.fst | 172 +- .../Libcrux_ml_kem.Vector.Neon.Ntt.fsti | 18 +- .../Libcrux_ml_kem.Vector.Neon.Serialize.fst | 302 ++-- .../Libcrux_ml_kem.Vector.Neon.Serialize.fsti | 38 +- ...Libcrux_ml_kem.Vector.Neon.Vector_type.fst | 84 +- ...ibcrux_ml_kem.Vector.Neon.Vector_type.fsti | 28 +- .../extraction/Libcrux_ml_kem.Vector.Neon.fst | 32 +- .../Libcrux_ml_kem.Vector.Neon.fsti | 6 +- ...crux_ml_kem.Vector.Portable.Arithmetic.fst | 278 +-- ...rux_ml_kem.Vector.Portable.Arithmetic.fsti | 86 +- 
...ibcrux_ml_kem.Vector.Portable.Compress.fst | 112 +- ...bcrux_ml_kem.Vector.Portable.Compress.fsti | 48 +- .../Libcrux_ml_kem.Vector.Portable.Ntt.fst | 376 ++-- .../Libcrux_ml_kem.Vector.Portable.Ntt.fsti | 118 +- ...bcrux_ml_kem.Vector.Portable.Serialize.fst | 938 +++++----- ...crux_ml_kem.Vector.Portable.Serialize.fsti | 118 +- ...rux_ml_kem.Vector.Portable.Vector_type.fst | 34 +- ...ux_ml_kem.Vector.Portable.Vector_type.fsti | 28 +- .../Libcrux_ml_kem.Vector.Portable.fst | 56 +- .../Libcrux_ml_kem.Vector.Portable.fsti | 74 +- .../Libcrux_ml_kem.Vector.Traits.fst | 64 +- .../Libcrux_ml_kem.Vector.Traits.fsti | 26 +- libcrux-ml-kem/src/serialize.rs | 36 +- 237 files changed, 14034 insertions(+), 14034 deletions(-)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst
index 9cbda3450..6138fd294 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst
@@ -9,85 +9,121 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let decompose_vector +let shift_left_then_reduce (#v_SIMDUnit: Type0) + (v_SHIFT_BY: i32) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (dimension: usize) - (gamma2: i32) - (t low high: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - let high, low:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun re temp_1_ -> + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in + let _:usize = temp_1_ in + true) + re + (fun re i -> + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in + let i:usize = i in + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_shift_left_then_reduce #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + v_SHIFT_BY + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: v_SIMDUnit) + <: + v_SIMDUnit) + <: + t_Array v_SIMDUnit (sz 32) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + re + +let power2round_vector + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (t t1: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + = + let t, t1:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = Rust_primitives.Hax.Folds.fold_range (sz 0) - dimension + (Core.Slice.impl__len 
#(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) t + <: + usize) (fun temp_0_ temp_1_ -> - let high, low:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + let t, t1:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = temp_0_ in let _:usize = temp_1_ in true) - (high, low + (t, t1 <: (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))) (fun temp_0_ i -> - let high, low:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + let t, t1:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = temp_0_ in let i:usize = i in Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #v_SIMDUnit - ((low.[ sz 0 ]).Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + ((t.[ i ]).Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) <: usize) (fun temp_0_ temp_1_ -> - let high, low:(t_Slice - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + let t, t1:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = temp_0_ in let _:usize = temp_1_ in true) - (high, low + (t, t1 <: (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))) (fun temp_0_ j -> - let high, low:(t_Slice - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + let t, t1:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = temp_0_ in let j:usize = j in let tmp0, tmp1:(v_SIMDUnit & v_SIMDUnit) = - Libcrux_ml_dsa.Simd.Traits.f_decompose #v_SIMDUnit + 
Libcrux_ml_dsa.Simd.Traits.f_power2round #v_SIMDUnit #FStar.Tactics.Typeclasses.solve - gamma2 ((t.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) - ((low.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] - <: - v_SIMDUnit) - ((high.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + ((t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) in - let low:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize low + let t:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t i ({ - (low.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with + (t.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with Libcrux_ml_dsa.Polynomial.f_simd_units = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (low.[ i ] + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (t.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) .Libcrux_ml_dsa.Polynomial.f_simd_units 
@@ -99,14 +135,14 @@ let decompose_vector <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in - let high:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize high + let t1:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1 i ({ - (high.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with + (t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with Libcrux_ml_dsa.Polynomial.f_simd_units = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (high.[ i ] + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) .Libcrux_ml_dsa.Polynomial.f_simd_units @@ -118,7 +154,7 @@ let decompose_vector <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in - high, low + t, t1 <: (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))) 
@@ -126,83 +162,90 @@ let decompose_vector (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))) in - low, high + t, t1 <: (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) -let power2round_vector +let decompose_vector (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (t t1: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (dimension: usize) + (gamma2: i32) + (t low high: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = - let t, t1:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + let high, low:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) t - <: - usize) + dimension (fun temp_0_ temp_1_ -> - let t, t1:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + let high, low:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = temp_0_ in let _:usize = temp_1_ in true) - (t, t1 + (high, low <: (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))) (fun temp_0_ i -> - let t, t1:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + let high, low:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = temp_0_ in let i:usize = i in Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len 
#v_SIMDUnit - ((t.[ i ]).Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + ((low.[ sz 0 ]).Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) <: usize) (fun temp_0_ temp_1_ -> - let t, t1:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + let high, low:(t_Slice + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = temp_0_ in let _:usize = temp_1_ in true) - (t, t1 + (high, low <: (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))) (fun temp_0_ j -> - let t, t1:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + let high, low:(t_Slice + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) = temp_0_ in let j:usize = j in let tmp0, tmp1:(v_SIMDUnit & v_SIMDUnit) = - Libcrux_ml_dsa.Simd.Traits.f_power2round #v_SIMDUnit + Libcrux_ml_dsa.Simd.Traits.f_decompose #v_SIMDUnit #FStar.Tactics.Typeclasses.solve + gamma2 ((t.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) - ((t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + ((low.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] + <: + v_SIMDUnit) + ((high.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) in - let t:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t + let low:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize low i ({ - (t.[ i ] <: 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with + (low.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with Libcrux_ml_dsa.Polynomial.f_simd_units = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (t.[ i ] + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (low.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) .Libcrux_ml_dsa.Polynomial.f_simd_units @@ -214,14 +257,14 @@ let power2round_vector <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in - let t1:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1 + let high:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize high i ({ - (t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with + (high.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with Libcrux_ml_dsa.Polynomial.f_simd_units = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (t1.[ i ] + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (high.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) .Libcrux_ml_dsa.Polynomial.f_simd_units @@ -233,7 +276,7 @@ let power2round_vector <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in - t, t1 + high, low <: (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))) 
@@ -241,53 +284,124 @@ let power2round_vector (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))) in - t, t1 + low, high <: (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) -let shift_left_then_reduce +let make_hint (#v_SIMDUnit: Type0) - (v_SHIFT_BY: i32) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (low high: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (gamma2: i32) + (hint: t_Slice (t_Array i32 (sz 256))) = - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + let true_hints:usize = sz 0 in + let hint_simd:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + in + let hint, hint_simd, true_hints:(t_Slice (t_Array i32 (sz 256)) & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + usize) = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #v_SIMDUnit - (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) low <: usize) - (fun re temp_1_ -> - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in + (fun temp_0_ temp_1_ -> + let hint, hint_simd, true_hints:(t_Slice (t_Array i32 (sz 256)) & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + usize) = + temp_0_ + in let _:usize = temp_1_ in true) - re - (fun re i -> - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in + (hint, hint_simd, true_hints + <: + (t_Slice (t_Array i32 (sz 256)) & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + usize)) + (fun temp_0_ i -> + let hint, 
hint_simd, true_hints:(t_Slice (t_Array i32 (sz 256)) & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + usize) = + temp_0_ + in let i:usize = i in - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units + let hint_simd, true_hints:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (hint_simd.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let hint_simd, true_hints:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (hint_simd, true_hints + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + (fun temp_0_ j -> + let hint_simd, true_hints:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + usize) = + temp_0_ + in + let j:usize = j in + let tmp0, out:(v_SIMDUnit & usize) = + Libcrux_ml_dsa.Simd.Traits.f_compute_hint #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + ((low.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] + <: + v_SIMDUnit) + ((high.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] + <: + v_SIMDUnit) + gamma2 + (hint_simd.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) + in + let hint_simd:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + hint_simd with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint_simd + .Libcrux_ml_dsa.Polynomial.f_simd_units + j + tmp0 + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let one_hints_count:usize = out in + let true_hints:usize = true_hints +! 
one_hints_count in + hint_simd, true_hints + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + in + let hint:t_Slice (t_Array i32 (sz 256)) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint i - (Libcrux_ml_dsa.Simd.Traits.f_shift_left_then_reduce #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - v_SHIFT_BY - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: v_SIMDUnit) + (Libcrux_ml_dsa.Polynomial.impl__to_i32_array #v_SIMDUnit hint_simd <: - v_SIMDUnit) - <: - t_Array v_SIMDUnit (sz 32) - } + t_Array i32 (sz 256)) + in + hint, hint_simd, true_hints <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (t_Slice (t_Array i32 (sz 256)) & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + usize)) in - re + let hax_temp_output:usize = true_hints in + hint, hax_temp_output <: (t_Slice (t_Array i32 (sz 256)) & usize) let use_hint (#v_SIMDUnit: Type0) 
@@ -402,117 +516,3 @@ let vector_infinity_norm_exceeds bool)) in result - -let make_hint - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (low high: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (gamma2: i32) - (hint: t_Slice (t_Array i32 (sz 256))) - = - let true_hints:usize = sz 0 in - let hint_simd:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - in - let hint, hint_simd, true_hints:(t_Slice (t_Array i32 (sz 256)) & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - usize) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) low - <: - usize) - (fun temp_0_ temp_1_ -> - let hint, hint_simd, true_hints:(t_Slice (t_Array i32 (sz 256)) & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - usize) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (hint, hint_simd, true_hints - <: - (t_Slice (t_Array i32 (sz 256)) & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - usize)) - (fun temp_0_ i -> - let hint, hint_simd, true_hints:(t_Slice (t_Array i32 (sz 256)) & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - usize) = - temp_0_ - in - let i:usize = i in - let hint_simd, true_hints:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - usize) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #v_SIMDUnit - (hint_simd.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) - <: - usize) - (fun temp_0_ temp_1_ -> - let hint_simd, true_hints:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement - v_SIMDUnit & - usize) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (hint_simd, true_hints - <: - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) - (fun temp_0_ j -> - let hint_simd, 
true_hints:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement - v_SIMDUnit & - usize) = - temp_0_ - in - let j:usize = j in - let tmp0, out:(v_SIMDUnit & usize) = - Libcrux_ml_dsa.Simd.Traits.f_compute_hint #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - ((low.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] - <: - v_SIMDUnit) - ((high.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] - <: - v_SIMDUnit) - gamma2 - (hint_simd.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) - in - let hint_simd:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - hint_simd with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint_simd - .Libcrux_ml_dsa.Polynomial.f_simd_units - j - tmp0 - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let one_hints_count:usize = out in - let true_hints:usize = true_hints +! one_hints_count in - hint_simd, true_hints - <: - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) - in - let hint:t_Slice (t_Array i32 (sz 256)) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint - i - (Libcrux_ml_dsa.Polynomial.impl__to_i32_array #v_SIMDUnit hint_simd - <: - t_Array i32 (sz 256)) - in - hint, hint_simd, true_hints - <: - (t_Slice (t_Array i32 (sz 256)) & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - usize)) - in - let hax_temp_output:usize = true_hints in - hint, hax_temp_output <: (t_Slice (t_Array i32 (sz 256)) & usize) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti index 5816dd136..691473066 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti @@ -9,15 +9,12 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -val decompose_vector +val shift_left_then_reduce (#v_SIMDUnit: Type0) + (v_SHIFT_BY: i32) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (dimension: usize) - (gamma2: i32) - (t low high: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - : Prims.Pure - (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) @@ -31,15 +28,26 @@ val power2round_vector Prims.l_True (fun _ -> Prims.l_True) -val shift_left_then_reduce +val decompose_vector (#v_SIMDUnit: Type0) - (v_SHIFT_BY: i32) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (dimension: usize) + (gamma2: i32) + (t low high: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + : Prims.Pure + (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) Prims.l_True (fun _ -> Prims.l_True) +val make_hint + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (low high: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (gamma2: i32) + (hint: t_Slice (t_Array i32 (sz 256))) + : Prims.Pure (t_Slice (t_Array i32 (sz 256)) & usize) Prims.l_True (fun _ -> Prims.l_True) + val use_hint (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} 
@@ -56,11 +64,3 @@ val vector_infinity_norm_exceeds (vector: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) (bound: i32) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) - -val make_hint - (#v_SIMDUnit: Type0) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (low high: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (gamma2: i32) - (hint: t_Slice (t_Array i32 (sz 256))) - : Prims.Pure (t_Slice (t_Array i32 (sz 256)) & usize) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_44_.fsti index 105a22c73..21cc9d4b9 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_44_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_44_.fsti @@ -3,25 +3,25 @@ module Libcrux_ml_dsa.Constants.Ml_dsa_44_ open Core open FStar.Mul -let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 6 - -let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 3 - -let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 18 +let v_ROWS_IN_A: usize = sz 4 let v_COLUMNS_IN_A: usize = sz 4 -let v_COMMITMENT_HASH_SIZE: usize = sz 32 - let v_ETA: Libcrux_ml_dsa.Constants.t_Eta = Libcrux_ml_dsa.Constants.Eta_Two <: Libcrux_ml_dsa.Constants.t_Eta +let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 3 + let v_GAMMA1_EXPONENT: usize = sz 17 +let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 88l + +let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 18 + let v_MAX_ONES_IN_HINT: usize = sz 80 let v_ONES_IN_VERIFIER_CHALLENGE: usize = sz 39 -let v_ROWS_IN_A: usize = sz 4 +let v_COMMITMENT_HASH_SIZE: usize = sz 32 -let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 88l +let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 6 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_65_.fsti index ac228b809..56d74fb95 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_65_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_65_.fsti @@ -3,25 +3,25 @@ module Libcrux_ml_dsa.Constants.Ml_dsa_65_ open Core open FStar.Mul -let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 4 - -let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 4 - -let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 20 +let v_ROWS_IN_A: usize = sz 6 let v_COLUMNS_IN_A: usize = sz 5 -let v_COMMITMENT_HASH_SIZE: usize = sz 48 - let v_ETA: Libcrux_ml_dsa.Constants.t_Eta = Libcrux_ml_dsa.Constants.Eta_Four <: Libcrux_ml_dsa.Constants.t_Eta +let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 4 + let v_GAMMA1_EXPONENT: usize = sz 19 +let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 32l + +let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 20 + let v_MAX_ONES_IN_HINT: usize = sz 55 let v_ONES_IN_VERIFIER_CHALLENGE: usize = sz 49 -let v_ROWS_IN_A: usize = sz 6 +let v_COMMITMENT_HASH_SIZE: usize = sz 48 -let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 32l +let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 4 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_87_.fsti index 30097ecf0..af828ef56 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_87_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_87_.fsti 
@@ -3,25 +3,25 @@ module Libcrux_ml_dsa.Constants.Ml_dsa_87_ open Core open FStar.Mul -let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 4 - -let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 3 - -let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 20 +let v_ROWS_IN_A: usize = sz 8 let v_COLUMNS_IN_A: usize = sz 7 -let v_COMMITMENT_HASH_SIZE: usize = sz 64 - let v_ETA: Libcrux_ml_dsa.Constants.t_Eta = Libcrux_ml_dsa.Constants.Eta_Two <: Libcrux_ml_dsa.Constants.t_Eta +let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 3 + let v_GAMMA1_EXPONENT: usize = sz 19 +let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 20 + let v_MAX_ONES_IN_HINT: usize = sz 75 let v_ONES_IN_VERIFIER_CHALLENGE: usize = sz 60 -let v_ROWS_IN_A: usize = sz 8 - let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 32l + +let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 4 + +let v_COMMITMENT_HASH_SIZE: usize = sz 64 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst index 34e40aa6e..42a5aa808 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst @@ -8,6 +8,18 @@ let t_Eta_cast_to_repr (x: t_Eta) = | Eta_Two -> discriminant_Eta_Two | Eta_Four -> discriminant_Eta_Four +[@@ FStar.Tactics.Typeclasses.tcinstance] +assume +val impl': Core.Clone.t_Clone t_Eta + +let impl = impl' + +[@@ FStar.Tactics.Typeclasses.tcinstance] +assume +val impl_1': Core.Marker.t_Copy t_Eta + +let impl_1 = impl_1' + let beta (ones_in_verifier_challenge: usize) (eta: t_Eta) = let (eta_val: usize):usize = match eta <: t_Eta with 
@@ -16,30 +28,17 @@ let beta (ones_in_verifier_challenge: usize) (eta: t_Eta) = in cast (ones_in_verifier_challenge *! eta_val <: usize) <: i32 -let commitment_ring_element_size (bits_per_commitment_coefficient: usize) = - (bits_per_commitment_coefficient *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8 - -let commitment_vector_size (bits_per_commitment_coefficient rows_in_a: usize) = - (commitment_ring_element_size bits_per_commitment_coefficient <: usize) *! rows_in_a - let error_ring_element_size (bits_per_error_coefficient: usize) = (bits_per_error_coefficient *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8 let gamma1_ring_element_size (bits_per_gamma1_coefficient: usize) = (bits_per_gamma1_coefficient *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8 -let signature_size - (rows_in_a columns_in_a max_ones_in_hint commitment_hash_size bits_per_gamma1_coefficient: - usize) - = - ((commitment_hash_size +! - (columns_in_a *! (gamma1_ring_element_size bits_per_gamma1_coefficient <: usize) <: usize) - <: - usize) +! - max_ones_in_hint - <: - usize) +! - rows_in_a +let commitment_ring_element_size (bits_per_commitment_coefficient: usize) = + (bits_per_commitment_coefficient *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8 + +let commitment_vector_size (bits_per_commitment_coefficient rows_in_a: usize) = + (commitment_ring_element_size bits_per_commitment_coefficient <: usize) *! rows_in_a let signing_key_size (rows_in_a columns_in_a error_ring_element_size: usize) = (((v_SEED_FOR_A_SIZE +! v_SEED_FOR_SIGNING_SIZE <: usize) +! v_BYTES_FOR_VERIFICATION_KEY_HASH 
@@ -60,14 +59,15 @@ let verification_key_size (rows_in_a: usize) = <: usize) -[@@ FStar.Tactics.Typeclasses.tcinstance] -assume -val impl': Core.Clone.t_Clone t_Eta - -let impl = impl' - -[@@ FStar.Tactics.Typeclasses.tcinstance] -assume -val impl_1': Core.Marker.t_Copy t_Eta - -let impl_1 = impl_1' +let signature_size + (rows_in_a columns_in_a max_ones_in_hint commitment_hash_size bits_per_gamma1_coefficient: + usize) + = + ((commitment_hash_size +! + (columns_in_a *! (gamma1_ring_element_size bits_per_gamma1_coefficient <: usize) <: usize) + <: + usize) +! + max_ones_in_hint + <: + usize) +! + rows_in_a diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti index 97e8a82d8..294c55f78 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti 
@@ -3,69 +3,69 @@ module Libcrux_ml_dsa.Constants open Core open FStar.Mul -let discriminant_Eta_Four: isize = isz 4 - -/// Eta values -type t_Eta = - | Eta_Two : t_Eta - | Eta_Four : t_Eta +let v_FIELD_MODULUS: i32 = 8380417l -let discriminant_Eta_Two: isize = isz 2 +let v_COEFFICIENTS_IN_RING_ELEMENT: usize = sz 256 -val t_Eta_cast_to_repr (x: t_Eta) : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) +let v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH: usize = sz 23 let v_BITS_IN_LOWER_PART_OF_T: usize = sz 13 -let v_BYTES_FOR_VERIFICATION_KEY_HASH: usize = sz 64 - -let v_COEFFICIENTS_IN_RING_ELEMENT: usize = sz 256 +let v_RING_ELEMENT_OF_T0S_SIZE: usize = + (v_BITS_IN_LOWER_PART_OF_T *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8 -/// The length of `context` is serialized to a single `u8`. -let v_CONTEXT_MAX_LEN: usize = sz 255 +let v_BITS_IN_UPPER_PART_OF_T: usize = + v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH -! v_BITS_IN_LOWER_PART_OF_T -let v_FIELD_MODULUS: i32 = 8380417l +let v_RING_ELEMENT_OF_T1S_SIZE: usize = + (v_BITS_IN_UPPER_PART_OF_T *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8 -let v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH: usize = sz 23 +let v_SEED_FOR_A_SIZE: usize = sz 32 -let v_BITS_IN_UPPER_PART_OF_T: usize = - v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH -! v_BITS_IN_LOWER_PART_OF_T +let v_SEED_FOR_ERROR_VECTORS_SIZE: usize = sz 64 -let v_GAMMA2_V261_888_: i32 = 261888l +let v_BYTES_FOR_VERIFICATION_KEY_HASH: usize = sz 64 -let v_GAMMA2_V95_232_: i32 = 95232l +let v_SEED_FOR_SIGNING_SIZE: usize = sz 32 /// Number of bytes of entropy required for key generation. let v_KEY_GENERATION_RANDOMNESS_SIZE: usize = sz 32 -let v_MASK_SEED_SIZE: usize = sz 64 +/// Number of bytes of entropy required for signing. +let v_SIGNING_RANDOMNESS_SIZE: usize = sz 32 let v_MESSAGE_REPRESENTATIVE_SIZE: usize = sz 64 +let v_MASK_SEED_SIZE: usize = sz 64 + let v_REJECTION_SAMPLE_BOUND_SIGN: usize = sz 814 -let v_RING_ELEMENT_OF_T0S_SIZE: usize = - (v_BITS_IN_LOWER_PART_OF_T *! 
v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8 +/// The length of `context` is serialized to a single `u8`. +let v_CONTEXT_MAX_LEN: usize = sz 255 -let v_RING_ELEMENT_OF_T1S_SIZE: usize = - (v_BITS_IN_UPPER_PART_OF_T *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8 +/// Eta values +type t_Eta = + | Eta_Two : t_Eta + | Eta_Four : t_Eta -let v_SEED_FOR_A_SIZE: usize = sz 32 +let discriminant_Eta_Two: isize = isz 2 -let v_SEED_FOR_ERROR_VECTORS_SIZE: usize = sz 64 +let discriminant_Eta_Four: isize = isz 4 -let v_SEED_FOR_SIGNING_SIZE: usize = sz 32 +val t_Eta_cast_to_repr (x: t_Eta) : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) -/// Number of bytes of entropy required for signing. -let v_SIGNING_RANDOMNESS_SIZE: usize = sz 32 +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl:Core.Clone.t_Clone t_Eta -val beta (ones_in_verifier_challenge: usize) (eta: t_Eta) - : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_1:Core.Marker.t_Copy t_Eta -val commitment_ring_element_size (bits_per_commitment_coefficient: usize) - : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) +let v_GAMMA2_V261_888_: i32 = 261888l -val commitment_vector_size (bits_per_commitment_coefficient rows_in_a: usize) - : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) +let v_GAMMA2_V95_232_: i32 = 95232l + +val beta (ones_in_verifier_challenge: usize) (eta: t_Eta) + : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) val error_ring_element_size (bits_per_error_coefficient: usize) : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) 
@@ -73,9 +73,10 @@ val error_ring_element_size (bits_per_error_coefficient: usize) val gamma1_ring_element_size (bits_per_gamma1_coefficient: usize) : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) -val signature_size - (rows_in_a columns_in_a max_ones_in_hint commitment_hash_size bits_per_gamma1_coefficient: - usize) +val commitment_ring_element_size (bits_per_commitment_coefficient: usize) + : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) + +val commitment_vector_size (bits_per_commitment_coefficient rows_in_a: usize) : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) val signing_key_size (rows_in_a columns_in_a error_ring_element_size: usize) @@ -83,8 +84,7 @@ val signing_key_size (rows_in_a columns_in_a error_ring_element_size: usize) val verification_key_size (rows_in_a: usize) : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl:Core.Clone.t_Clone t_Eta - -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_1:Core.Marker.t_Copy t_Eta +val signature_size + (rows_in_a columns_in_a max_ones_in_hint commitment_hash_size bits_per_gamma1_coefficient: + usize) + : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst index b1c4bdc78..8f33d3386 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst 
@@ -14,6 +14,56 @@ let chunk_size (eta: Libcrux_ml_dsa.Constants.t_Eta) = | Libcrux_ml_dsa.Constants.Eta_Two -> sz 3 | Libcrux_ml_dsa.Constants.Eta_Four -> sz 4 +let serialize + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (serialized: t_Slice u8) + = + let output_bytes_per_simd_unit:usize = chunk_size eta in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! output_bytes_per_simd_unit <: usize; + Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! output_bytes_per_simd_unit <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_ml_dsa.Simd.Traits.f_error_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + eta + simd_unit + (serialized.[ { + Core.Ops.Range.f_start = i *! output_bytes_per_simd_unit <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! output_bytes_per_simd_unit <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Slice u8) + in + serialized + let deserialize (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] 
@@ -117,53 +167,3 @@ let deserialize_to_vector_then_ntt ring_elements) in ring_elements - -let serialize - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (eta: Libcrux_ml_dsa.Constants.t_Eta) - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (serialized: t_Slice u8) - = - let output_bytes_per_simd_unit:usize = chunk_size eta in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units - <: - t_Slice v_SIMDUnit) - (fun serialized temp_1_ -> - let serialized:t_Slice u8 = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Slice u8 = serialized in - let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = i *! output_bytes_per_simd_unit <: usize; - Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! output_bytes_per_simd_unit <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Libcrux_ml_dsa.Simd.Traits.f_error_serialize #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - eta - simd_unit - (serialized.[ { - Core.Ops.Range.f_start = i *! output_bytes_per_simd_unit <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! output_bytes_per_simd_unit <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - <: - t_Slice u8) - <: - t_Slice u8) - in - serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti index 7fec31f61..8583a11e1 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti 
@@ -12,6 +12,14 @@ let _ = val chunk_size (eta: Libcrux_ml_dsa.Constants.t_Eta) : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) +val serialize + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + val deserialize (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} @@ -32,11 +40,3 @@ val deserialize_to_vector_then_ntt : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) Prims.l_True (fun _ -> Prims.l_True) - -val serialize - (#v_SIMDUnit: Type0) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (eta: Libcrux_ml_dsa.Constants.t_Eta) - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (serialized: t_Slice u8) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst index fa942586c..979cd689c 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst 
@@ -9,6 +9,58 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () +let serialize + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (serialized: t_Slice u8) + (gamma1_exponent: usize) + = + let serialized:t_Slice u8 = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! (gamma1_exponent +! sz 1 <: usize) <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! (gamma1_exponent +! sz 1 <: usize) <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_ml_dsa.Simd.Traits.f_gamma1_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + simd_unit + (serialized.[ { + Core.Ops.Range.f_start = i *! (gamma1_exponent +! sz 1 <: usize) <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! (gamma1_exponent +! sz 1 <: usize) <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + gamma1_exponent + <: + t_Slice u8) + <: + t_Slice u8) + in + let _:Prims.unit = () <: Prims.unit in + serialized + let deserialize (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] 
@@ -63,55 +115,3 @@ let deserialize in let _:Prims.unit = () <: Prims.unit in result - -let serialize - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (serialized: t_Slice u8) - (gamma1_exponent: usize) - = - let serialized:t_Slice u8 = - Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units - <: - t_Slice v_SIMDUnit) - (fun serialized temp_1_ -> - let serialized:t_Slice u8 = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Slice u8 = serialized in - let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = i *! (gamma1_exponent +! sz 1 <: usize) <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! (gamma1_exponent +! sz 1 <: usize) <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Libcrux_ml_dsa.Simd.Traits.f_gamma1_serialize #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - simd_unit - (serialized.[ { - Core.Ops.Range.f_start = i *! (gamma1_exponent +! sz 1 <: usize) <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! (gamma1_exponent +! sz 1 <: usize) <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - gamma1_exponent - <: - t_Slice u8) - <: - t_Slice u8) - in - let _:Prims.unit = () <: Prims.unit in - serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti index 20ee5e8bc..930566dc1 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti 
@@ -9,6 +9,14 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () +val serialize + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (serialized: t_Slice u8) + (gamma1_exponent: usize) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + val deserialize (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} @@ -18,11 +26,3 @@ val deserialize : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) - -val serialize - (#v_SIMDUnit: Type0) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (serialized: t_Slice u8) - (gamma1_exponent: usize) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst index 5eb1c72d7..a6797e783 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst 
@@ -23,6 +23,122 @@ let set_hint (out_hint: t_Slice (t_Array i32 (sz 256))) (i j: usize) = in out_hint +let serialize + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (commitment_hash: t_Slice u8) + (signer_response: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (hint: t_Slice (t_Array i32 (sz 256))) + (commitment_hash_size columns_in_a rows_in_a gamma1_exponent gamma1_ring_element_size max_ones_in_hint: + usize) + (signature: t_Slice u8) + = + let offset:usize = sz 0 in + let signature:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range signature + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! commitment_hash_size <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (signature.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! commitment_hash_size <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + commitment_hash + <: + t_Slice u8) + in + let offset:usize = offset +! commitment_hash_size in + let offset, signature:(usize & t_Slice u8) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + columns_in_a + (fun temp_0_ temp_1_ -> + let offset, signature:(usize & t_Slice u8) = temp_0_ in + let _:usize = temp_1_ in + true) + (offset, signature <: (usize & t_Slice u8)) + (fun temp_0_ i -> + let offset, signature:(usize & t_Slice u8) = temp_0_ in + let i:usize = i in + let signature:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range signature + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! 
gamma1_ring_element_size <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_ml_dsa.Encoding.Gamma1.serialize #v_SIMDUnit + (signer_response.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (signature.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! gamma1_ring_element_size <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + gamma1_exponent + <: + t_Slice u8) + in + let offset:usize = offset +! gamma1_ring_element_size in + offset, signature <: (usize & t_Slice u8)) + in + let true_hints_seen:usize = sz 0 in + let signature, true_hints_seen:(t_Slice u8 & usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + rows_in_a + (fun temp_0_ temp_1_ -> + let signature, true_hints_seen:(t_Slice u8 & usize) = temp_0_ in + let _:usize = temp_1_ in + true) + (signature, true_hints_seen <: (t_Slice u8 & usize)) + (fun temp_0_ i -> + let signature, true_hints_seen:(t_Slice u8 & usize) = temp_0_ in + let i:usize = i in + let signature, true_hints_seen:(t_Slice u8 & usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 (hint.[ i ] <: t_Slice i32) <: usize) + (fun temp_0_ temp_1_ -> + let signature, true_hints_seen:(t_Slice u8 & usize) = temp_0_ in + let _:usize = temp_1_ in + true) + (signature, true_hints_seen <: (t_Slice u8 & usize)) + (fun temp_0_ j -> + let signature, true_hints_seen:(t_Slice u8 & usize) = temp_0_ in + let j:usize = j in + if ((hint.[ i ] <: t_Array i32 (sz 256)).[ j ] <: i32) =. 1l <: bool + then + let signature:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize signature + (offset +! true_hints_seen <: usize) + (cast (j <: usize) <: u8) + in + let true_hints_seen:usize = true_hints_seen +! 
sz 1 in + signature, true_hints_seen <: (t_Slice u8 & usize) + else signature, true_hints_seen <: (t_Slice u8 & usize)) + in + let signature:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize signature + ((offset +! max_ones_in_hint <: usize) +! i <: usize) + (cast (true_hints_seen <: usize) <: u8) + in + signature, true_hints_seen <: (t_Slice u8 & usize)) + in + signature + let deserialize (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] 
@@ -349,119 +465,3 @@ let deserialize (t_Slice u8 & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Slice (t_Array i32 (sz 256)) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - -let serialize - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (commitment_hash: t_Slice u8) - (signer_response: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (hint: t_Slice (t_Array i32 (sz 256))) - (commitment_hash_size columns_in_a rows_in_a gamma1_exponent gamma1_ring_element_size max_ones_in_hint: - usize) - (signature: t_Slice u8) - = - let offset:usize = sz 0 in - let signature:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range signature - ({ - Core.Ops.Range.f_start = offset; - Core.Ops.Range.f_end = offset +! commitment_hash_size <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (signature.[ { - Core.Ops.Range.f_start = offset; - Core.Ops.Range.f_end = offset +! commitment_hash_size <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - commitment_hash - <: - t_Slice u8) - in - let offset:usize = offset +! commitment_hash_size in - let offset, signature:(usize & t_Slice u8) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - columns_in_a - (fun temp_0_ temp_1_ -> - let offset, signature:(usize & t_Slice u8) = temp_0_ in - let _:usize = temp_1_ in - true) - (offset, signature <: (usize & t_Slice u8)) - (fun temp_0_ i -> - let offset, signature:(usize & t_Slice u8) = temp_0_ in - let i:usize = i in - let signature:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range signature - ({ - Core.Ops.Range.f_start = offset; - Core.Ops.Range.f_end = offset +! 
gamma1_ring_element_size <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Libcrux_ml_dsa.Encoding.Gamma1.serialize #v_SIMDUnit - (signer_response.[ i ] - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (signature.[ { - Core.Ops.Range.f_start = offset; - Core.Ops.Range.f_end = offset +! gamma1_ring_element_size <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - gamma1_exponent - <: - t_Slice u8) - in - let offset:usize = offset +! gamma1_ring_element_size in - offset, signature <: (usize & t_Slice u8)) - in - let true_hints_seen:usize = sz 0 in - let signature, true_hints_seen:(t_Slice u8 & usize) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - rows_in_a - (fun temp_0_ temp_1_ -> - let signature, true_hints_seen:(t_Slice u8 & usize) = temp_0_ in - let _:usize = temp_1_ in - true) - (signature, true_hints_seen <: (t_Slice u8 & usize)) - (fun temp_0_ i -> - let signature, true_hints_seen:(t_Slice u8 & usize) = temp_0_ in - let i:usize = i in - let signature, true_hints_seen:(t_Slice u8 & usize) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i32 (hint.[ i ] <: t_Slice i32) <: usize) - (fun temp_0_ temp_1_ -> - let signature, true_hints_seen:(t_Slice u8 & usize) = temp_0_ in - let _:usize = temp_1_ in - true) - (signature, true_hints_seen <: (t_Slice u8 & usize)) - (fun temp_0_ j -> - let signature, true_hints_seen:(t_Slice u8 & usize) = temp_0_ in - let j:usize = j in - if ((hint.[ i ] <: t_Array i32 (sz 256)).[ j ] <: i32) =. 1l <: bool - then - let signature:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize signature - (offset +! true_hints_seen <: usize) - (cast (j <: usize) <: u8) - in - let true_hints_seen:usize = true_hints_seen +! 
sz 1 in - signature, true_hints_seen <: (t_Slice u8 & usize) - else signature, true_hints_seen <: (t_Slice u8 & usize)) - in - let signature:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize signature - ((offset +! max_ones_in_hint <: usize) +! i <: usize) - (cast (true_hints_seen <: usize) <: u8) - in - signature, true_hints_seen <: (t_Slice u8 & usize)) - in - signature diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti index 1e799b36e..b7e76e315 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti @@ -12,6 +12,17 @@ let _ = val set_hint (out_hint: t_Slice (t_Array i32 (sz 256))) (i j: usize) : Prims.Pure (t_Slice (t_Array i32 (sz 256))) Prims.l_True (fun _ -> Prims.l_True) +val serialize + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (commitment_hash: t_Slice u8) + (signer_response: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (hint: t_Slice (t_Array i32 (sz 256))) + (commitment_hash_size columns_in_a rows_in_a gamma1_exponent gamma1_ring_element_size max_ones_in_hint: + usize) + (signature: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + val deserialize (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} 
@@ -26,14 +37,3 @@ val deserialize Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) - -val serialize - (#v_SIMDUnit: Type0) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (commitment_hash: t_Slice u8) - (signer_response: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (hint: t_Slice (t_Array i32 (sz 256))) - (commitment_hash_size columns_in_a rows_in_a gamma1_exponent gamma1_ring_element_size max_ones_in_hint: - usize) - (signature: t_Slice u8) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst index 4b0b93667..de9f50064 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst 
@@ -9,6 +9,53 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () +let serialize + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (serialized: t_Slice u8) + = + let serialized:t_Slice u8 = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_ml_dsa.Simd.Traits.f_t0_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + simd_unit + (serialized.[ { + Core.Ops.Range.f_start = i *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Slice u8) + in + serialized + let deserialize (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] 
@@ -108,50 +155,3 @@ let deserialize_to_vector_then_ntt ring_elements) in ring_elements - -let serialize - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (serialized: t_Slice u8) - = - let serialized:t_Slice u8 = - Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units - <: - t_Slice v_SIMDUnit) - (fun serialized temp_1_ -> - let serialized:t_Slice u8 = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Slice u8 = serialized in - let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = i *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize; - Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Libcrux_ml_dsa.Simd.Traits.f_t0_serialize #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - simd_unit - (serialized.[ { - Core.Ops.Range.f_start = i *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - <: - t_Slice u8) - <: - t_Slice u8) - in - serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti index 3e1291df0..fe66090f9 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti 
@@ -11,6 +11,13 @@ let _ = let v_OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 13 +val serialize + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + val deserialize (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} @@ -28,10 +35,3 @@ val deserialize_to_vector_then_ntt : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) Prims.l_True (fun _ -> Prims.l_True) - -val serialize - (#v_SIMDUnit: Type0) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (serialized: t_Slice u8) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst index 1b47121ee..be43c8a94 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst 
@@ -9,6 +9,55 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () +let serialize + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (serialized: t_Slice u8) + = + let serialized:t_Slice u8 = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_ml_dsa.Simd.Traits.f_t1_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + simd_unit + (serialized.[ { + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Slice u8) + in + serialized + let deserialize (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] 
@@ -58,52 +107,3 @@ let deserialize Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in result - -let serialize - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (serialized: t_Slice u8) - = - let serialized:t_Slice u8 = - Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units - <: - t_Slice v_SIMDUnit) - (fun serialized temp_1_ -> - let serialized:t_Slice u8 = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Slice u8 = serialized in - let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Libcrux_ml_dsa.Simd.Traits.f_t1_serialize #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - simd_unit - (serialized.[ { - Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - <: - t_Slice u8) - <: - t_Slice u8) - in - serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti index 26d77dadf..acda9350b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti 
@@ -9,9 +9,16 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 10 + let deserialize__WINDOW: usize = sz 10 -let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 10 +val serialize + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) val deserialize (#v_SIMDUnit: Type0) @@ -21,10 +28,3 @@ val deserialize : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) - -val serialize - (#v_SIMDUnit: Type0) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (serialized: t_Slice u8) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst index dc840bd86..ac1140b5d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst 
@@ -9,62 +9,6 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let deserialize - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (rows_in_a verification_key_size: usize) - (serialized: t_Slice u8) - (t1: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - = - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. - (verification_key_size -! Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE <: usize) - <: - bool) - in - () - in - let t1:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - rows_in_a - (fun t1 temp_1_ -> - let t1:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = t1 in - let _:usize = temp_1_ in - true) - t1 - (fun t1 i -> - let t1:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = t1 in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1 - i - (Libcrux_ml_dsa.Encoding.T1.deserialize #v_SIMDUnit - (serialized.[ { - Core.Ops.Range.f_start - = - i *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE - <: - usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - in - t1 - let generate_serialized (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] 
@@ -140,3 +84,59 @@ let generate_serialized verification_key_serialized) in verification_key_serialized + +let deserialize + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (rows_in_a verification_key_size: usize) + (serialized: t_Slice u8) + (t1: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. + (verification_key_size -! Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE <: usize) + <: + bool) + in + () + in + let t1:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + rows_in_a + (fun t1 temp_1_ -> + let t1:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = t1 in + let _:usize = temp_1_ in + true) + t1 + (fun t1 i -> + let t1:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = t1 in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1 + i + (Libcrux_ml_dsa.Encoding.T1.deserialize #v_SIMDUnit + (serialized.[ { + Core.Ops.Range.f_start + = + i *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE + <: + usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + t1 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fsti index 0f2375cef..7c4a29d36 100644 
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fsti @@ -9,6 +9,14 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () +val generate_serialized + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (seed: t_Slice u8) + (t1: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (verification_key_serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + val deserialize (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} @@ -18,11 +26,3 @@ val deserialize : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) Prims.l_True (fun _ -> Prims.l_True) - -val generate_serialized - (#v_SIMDUnit: Type0) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (seed: t_Slice u8) - (t1: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (verification_key_serialized: t_Slice u8) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fst index 7d78d62f2..50757003f 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fst 
@@ -9,31 +9,48 @@ val t_Shake128x4': eqtype let t_Shake128x4 = t_Shake128x4' assume -val t_Shake256x4': eqtype +val init_absorb': + input0: t_Slice u8 -> + input1: t_Slice u8 -> + input2: t_Slice u8 -> + input3: t_Slice u8 + -> Prims.Pure t_Shake128x4 Prims.l_True (fun _ -> Prims.l_True) -let t_Shake256x4 = t_Shake256x4' +let init_absorb = init_absorb' -[@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl': Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 +val squeeze_first_five_blocks': + state: t_Shake128x4 -> + out0: t_Array u8 (sz 840) -> + out1: t_Array u8 (sz 840) -> + out2: t_Array u8 (sz 840) -> + out3: t_Array u8 (sz 840) + -> Prims.Pure + (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True) -let impl = impl' +let squeeze_first_five_blocks = squeeze_first_five_blocks' + +assume +val squeeze_next_block': state: t_Shake128x4 + -> Prims.Pure + (t_Shake128x4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + Prims.l_True + (fun _ -> Prims.l_True) + +let squeeze_next_block = squeeze_next_block' [@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl_1': Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 +val impl': Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 -let impl_1 = impl_1' +let impl = impl' assume -val init_absorb': - input0: t_Slice u8 -> - input1: t_Slice u8 -> - input2: t_Slice u8 -> - input3: t_Slice u8 - -> Prims.Pure t_Shake128x4 Prims.l_True (fun _ -> Prims.l_True) +val t_Shake256x4': eqtype -let init_absorb = init_absorb' +let t_Shake256x4 = t_Shake256x4' assume val init_absorb_x4': 
@@ -45,24 +62,6 @@ val init_absorb_x4': let init_absorb_x4 = init_absorb_x4' -assume -val shake256_x4': - v_OUT_LEN: usize -> - input0: t_Slice u8 -> - input1: t_Slice u8 -> - input2: t_Slice u8 -> - input3: t_Slice u8 -> - out0: t_Array u8 v_OUT_LEN -> - out1: t_Array u8 v_OUT_LEN -> - out2: t_Array u8 v_OUT_LEN -> - out3: t_Array u8 v_OUT_LEN - -> Prims.Pure - (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) - Prims.l_True - (fun _ -> Prims.l_True) - -let shake256_x4 (v_OUT_LEN: usize) = shake256_x4' v_OUT_LEN - assume val squeeze_first_block_x4': state: t_Shake256x4 -> Prims.Pure 
@@ -74,34 +73,35 @@ val squeeze_first_block_x4': state: t_Shake256x4 let squeeze_first_block_x4 = squeeze_first_block_x4' assume -val squeeze_first_five_blocks': - state: t_Shake128x4 -> - out0: t_Array u8 (sz 840) -> - out1: t_Array u8 (sz 840) -> - out2: t_Array u8 (sz 840) -> - out3: t_Array u8 (sz 840) +val squeeze_next_block_x4': state: t_Shake256x4 -> Prims.Pure - (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & - t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True) + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + Prims.l_True + (fun _ -> Prims.l_True) -let squeeze_first_five_blocks = squeeze_first_five_blocks' +let squeeze_next_block_x4 = squeeze_next_block_x4' assume -val squeeze_next_block': state: t_Shake128x4 +val shake256_x4': + v_OUT_LEN: usize -> + input0: t_Slice u8 -> + input1: t_Slice u8 -> + input2: t_Slice u8 -> + input3: t_Slice u8 -> + out0: t_Array u8 v_OUT_LEN -> + out1: t_Array u8 v_OUT_LEN -> + out2: t_Array u8 v_OUT_LEN -> + out3: t_Array u8 v_OUT_LEN -> Prims.Pure - (t_Shake128x4 & - (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) -let squeeze_next_block = squeeze_next_block' +let shake256_x4 (v_OUT_LEN: usize) = shake256_x4' v_OUT_LEN +[@@ FStar.Tactics.Typeclasses.tcinstance] assume -val squeeze_next_block_x4': state: t_Shake256x4 - -> Prims.Pure - (t_Shake256x4 & - (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) - Prims.l_True - (fun _ -> Prims.l_True) +val impl_1': Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 -let squeeze_next_block_x4 = squeeze_next_block_x4' +let impl_1 = impl_1' 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti index d27a20455..27c84e31f 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti 
@@ -5,31 +5,31 @@ open FStar.Mul val t_Shake128x4:eqtype -/// Neon SHAKE 256 x4 state -val t_Shake256x4:eqtype - -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl:Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 - -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_1:Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 - /// Init the state and absorb 4 blocks in parallel. val init_absorb (input0 input1 input2 input3: t_Slice u8) : Prims.Pure t_Shake128x4 Prims.l_True (fun _ -> Prims.l_True) -val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8) - : Prims.Pure t_Shake256x4 Prims.l_True (fun _ -> Prims.l_True) +val squeeze_first_five_blocks (state: t_Shake128x4) (out0 out1 out2 out3: t_Array u8 (sz 840)) + : Prims.Pure + (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True) -val shake256_x4 - (v_OUT_LEN: usize) - (input0 input1 input2 input3: t_Slice u8) - (out0 out1 out2 out3: t_Array u8 v_OUT_LEN) +val squeeze_next_block (state: t_Shake128x4) : Prims.Pure - (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) + (t_Shake128x4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) Prims.l_True (fun _ -> Prims.l_True) +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl:Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 + +/// Neon SHAKE 256 x4 state +val t_Shake256x4:eqtype + +val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8) + : Prims.Pure t_Shake256x4 Prims.l_True (fun _ -> Prims.l_True) + val squeeze_first_block_x4 (state: t_Shake256x4) : Prims.Pure (t_Shake256x4 & 
@@ -37,21 +37,21 @@ val squeeze_first_block_x4 (state: t_Shake256x4) Prims.l_True (fun _ -> Prims.l_True) -val squeeze_first_five_blocks (state: t_Shake128x4) (out0 out1 out2 out3: t_Array u8 (sz 840)) - : Prims.Pure - (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & - t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True) - -val squeeze_next_block (state: t_Shake128x4) +val squeeze_next_block_x4 (state: t_Shake256x4) : Prims.Pure - (t_Shake128x4 & - (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) Prims.l_True (fun _ -> Prims.l_True) -val squeeze_next_block_x4 (state: t_Shake256x4) +val shake256_x4 + (v_OUT_LEN: usize) + (input0 input1 input2 input3: t_Slice u8) + (out0 out1 out2 out3: t_Array u8 v_OUT_LEN) : Prims.Pure - (t_Shake256x4 & - (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_1:Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst index 4d34ec255..41c295b79 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst 
@@ -3,30 +3,43 @@ module Libcrux_ml_dsa.Hash_functions.Portable open Core open FStar.Mul -assume -val t_Shake128': eqtype - -let t_Shake128 = t_Shake128' - assume val t_Shake128X4': eqtype let t_Shake128X4 = t_Shake128X4' assume -val t_Shake256': eqtype +val init_absorb': + input0: t_Slice u8 -> + input1: t_Slice u8 -> + input2: t_Slice u8 -> + input3: t_Slice u8 + -> Prims.Pure t_Shake128X4 Prims.l_True (fun _ -> Prims.l_True) -let t_Shake256 = t_Shake256' +let init_absorb = init_absorb' assume -val t_Shake256X4': eqtype +val squeeze_first_five_blocks': + state: t_Shake128X4 -> + out0: t_Array u8 (sz 840) -> + out1: t_Array u8 (sz 840) -> + out2: t_Array u8 (sz 840) -> + out3: t_Array u8 (sz 840) + -> Prims.Pure + (t_Shake128X4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True) -let t_Shake256X4 = t_Shake256X4' +let squeeze_first_five_blocks = squeeze_first_five_blocks' assume -val t_Shake256Xof': eqtype +val squeeze_next_block': state: t_Shake128X4 + -> Prims.Pure + (t_Shake128X4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + Prims.l_True + (fun _ -> Prims.l_True) -let t_Shake256Xof = t_Shake256Xof' +let squeeze_next_block = squeeze_next_block' [@@ FStar.Tactics.Typeclasses.tcinstance] assume 
@@ -34,39 +47,33 @@ val impl': Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128X4 let impl = impl' -[@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl_1': Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof t_Shake128 +val t_Shake128': eqtype -let impl_1 = impl_1' +let t_Shake128 = t_Shake128' -[@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl_2': Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof t_Shake256 +val shake128': input: t_Slice u8 -> out: t_Slice u8 + -> Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -let impl_2 = impl_2' +let shake128 = shake128' [@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl_3': Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 +val impl_1': Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof t_Shake128 -let impl_3 = impl_3' +let impl_1 = impl_1' -[@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl_4': Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256Xof +val t_Shake256': eqtype -let impl_4 = impl_4' +let t_Shake256 = t_Shake256' assume -val init_absorb': - input0: t_Slice u8 -> - input1: t_Slice u8 -> - input2: t_Slice u8 -> - input3: t_Slice u8 - -> Prims.Pure t_Shake128X4 Prims.l_True (fun _ -> Prims.l_True) +val shake256': v_OUTPUT_LENGTH: usize -> input: t_Slice u8 -> out: t_Array u8 v_OUTPUT_LENGTH + -> Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True) -let init_absorb = init_absorb' +let shake256 (v_OUTPUT_LENGTH: usize) = shake256' v_OUTPUT_LENGTH assume val init_absorb_final_shake256': input: t_Slice u8 
@@ -75,32 +82,37 @@ val init_absorb_final_shake256': input: t_Slice u8 let init_absorb_final_shake256 = init_absorb_final_shake256' assume -val init_absorb_x4': - input0: t_Slice u8 -> - input1: t_Slice u8 -> - input2: t_Slice u8 -> - input3: t_Slice u8 - -> Prims.Pure t_Shake256X4 Prims.l_True (fun _ -> Prims.l_True) +val squeeze_first_block_shake256': state: t_Shake256 + -> Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) -let init_absorb_x4 = init_absorb_x4' +let squeeze_first_block_shake256 = squeeze_first_block_shake256' assume -val shake128': input: t_Slice u8 -> out: t_Slice u8 - -> Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) +val squeeze_next_block_shake256': state: t_Shake256 + -> Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) -let shake128 = shake128' +let squeeze_next_block_shake256 = squeeze_next_block_shake256' +[@@ FStar.Tactics.Typeclasses.tcinstance] assume -val shake256': v_OUTPUT_LENGTH: usize -> input: t_Slice u8 -> out: t_Array u8 v_OUTPUT_LENGTH - -> Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True) +val impl_2': Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof t_Shake256 -let shake256 (v_OUTPUT_LENGTH: usize) = shake256' v_OUTPUT_LENGTH +let impl_2 = impl_2' assume -val squeeze_first_block_shake256': state: t_Shake256 - -> Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) +val t_Shake256X4': eqtype -let squeeze_first_block_shake256 = squeeze_first_block_shake256' +let t_Shake256X4 = t_Shake256X4' + +assume +val init_absorb_x4': + input0: t_Slice u8 -> + input1: t_Slice u8 -> + input2: t_Slice u8 -> + input3: t_Slice u8 + -> Prims.Pure t_Shake256X4 Prims.l_True (fun _ -> Prims.l_True) + +let init_absorb_x4 = init_absorb_x4' assume val squeeze_first_block_x4': state: t_Shake256X4 
@@ -113,40 +125,28 @@ val squeeze_first_block_x4': state: t_Shake256X4 let squeeze_first_block_x4 = squeeze_first_block_x4' assume -val squeeze_first_five_blocks': - state: t_Shake128X4 -> - out0: t_Array u8 (sz 840) -> - out1: t_Array u8 (sz 840) -> - out2: t_Array u8 (sz 840) -> - out3: t_Array u8 (sz 840) +val squeeze_next_block_x4': state: t_Shake256X4 -> Prims.Pure - (t_Shake128X4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & - t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True) + (t_Shake256X4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + Prims.l_True + (fun _ -> Prims.l_True) -let squeeze_first_five_blocks = squeeze_first_five_blocks' +let squeeze_next_block_x4 = squeeze_next_block_x4' +[@@ FStar.Tactics.Typeclasses.tcinstance] assume -val squeeze_next_block': state: t_Shake128X4 - -> Prims.Pure - (t_Shake128X4 & - (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) - Prims.l_True - (fun _ -> Prims.l_True) +val impl_3': Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 -let squeeze_next_block = squeeze_next_block' +let impl_3 = impl_3' assume -val squeeze_next_block_shake256': state: t_Shake256 - -> Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) +val t_Shake256Xof': eqtype -let squeeze_next_block_shake256 = squeeze_next_block_shake256' +let t_Shake256Xof = t_Shake256Xof' +[@@ FStar.Tactics.Typeclasses.tcinstance] assume -val squeeze_next_block_x4': state: t_Shake256X4 - -> Prims.Pure - (t_Shake256X4 & - (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) - Prims.l_True - (fun _ -> Prims.l_True) +val impl_4': Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256Xof -let squeeze_next_block_x4 = squeeze_next_block_x4' +let impl_4 = impl_4' 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti index 3fc96890c..226520e52 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti 
@@ -3,53 +3,60 @@ module Libcrux_ml_dsa.Hash_functions.Portable open Core open FStar.Mul -/// Portable SHAKE 128 state -val t_Shake128:eqtype - /// Portable SHAKE 128 x4 state. /// We\'re using a portable implementation so this is actually sequential. val t_Shake128X4:eqtype -/// Portable SHAKE 256 state -val t_Shake256:eqtype +val init_absorb (input0 input1 input2 input3: t_Slice u8) + : Prims.Pure t_Shake128X4 Prims.l_True (fun _ -> Prims.l_True) -/// Portable SHAKE 256 x4 state. -/// We\'re using a portable implementation so this is actually sequential. -val t_Shake256X4:eqtype +val squeeze_first_five_blocks (state: t_Shake128X4) (out0 out1 out2 out3: t_Array u8 (sz 840)) + : Prims.Pure + (t_Shake128X4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True) -val t_Shake256Xof:eqtype +val squeeze_next_block (state: t_Shake128X4) + : Prims.Pure + (t_Shake128X4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + Prims.l_True + (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] val impl:Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128X4 -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_1:Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof t_Shake128 +/// Portable SHAKE 128 state +val t_Shake128:eqtype -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_2:Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof t_Shake256 +val shake128 (input out: t_Slice u8) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_3:Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 +val impl_1:Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof t_Shake128 -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_4:Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256Xof +/// Portable SHAKE 256 state +val t_Shake256:eqtype -val init_absorb (input0 input1 input2 input3: t_Slice u8) - : Prims.Pure 
t_Shake128X4 Prims.l_True (fun _ -> Prims.l_True) +val shake256 (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) + : Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True) val init_absorb_final_shake256 (input: t_Slice u8) : Prims.Pure t_Shake256 Prims.l_True (fun _ -> Prims.l_True) -val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8) - : Prims.Pure t_Shake256X4 Prims.l_True (fun _ -> Prims.l_True) +val squeeze_first_block_shake256 (state: t_Shake256) + : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) -val shake128 (input out: t_Slice u8) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) +val squeeze_next_block_shake256 (state: t_Shake256) + : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) -val shake256 (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) - : Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True) +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_2:Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof t_Shake256 -val squeeze_first_block_shake256 (state: t_Shake256) - : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) +/// Portable SHAKE 256 x4 state. +/// We\'re using a portable implementation so this is actually sequential. +val t_Shake256X4:eqtype + +val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8) + : Prims.Pure t_Shake256X4 Prims.l_True (fun _ -> Prims.l_True) val squeeze_first_block_x4 (state: t_Shake256X4) : Prims.Pure 
@@ -58,24 +65,17 @@ val squeeze_first_block_x4 (state: t_Shake256X4) Prims.l_True (fun _ -> Prims.l_True) -val squeeze_first_five_blocks (state: t_Shake128X4) (out0 out1 out2 out3: t_Array u8 (sz 840)) - : Prims.Pure - (t_Shake128X4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & - t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True) - -val squeeze_next_block (state: t_Shake128X4) - : Prims.Pure - (t_Shake128X4 & - (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) - Prims.l_True - (fun _ -> Prims.l_True) - -val squeeze_next_block_shake256 (state: t_Shake256) - : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) - val squeeze_next_block_x4 (state: t_Shake256X4) : Prims.Pure (t_Shake256X4 & (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) Prims.l_True (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_3:Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 + +val t_Shake256Xof:eqtype + +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_4:Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256Xof diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti index 67503f772..bf88da53a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti @@ -3,6 +3,10 @@ module Libcrux_ml_dsa.Hash_functions.Shake128 open Core open FStar.Mul +let v_BLOCK_SIZE: usize = sz 168 + +let v_FIVE_BLOCKS_SIZE: usize = v_BLOCK_SIZE *! sz 5 + class t_Xof (v_Self: Type0) = { f_shake128_pre:t_Slice u8 -> t_Slice u8 -> Type0; f_shake128_post:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> Type0; 
@@ -59,7 +63,3 @@ class t_XofX4 (v_Self: Type0) = { (f_squeeze_next_block_pre x0) (fun result -> f_squeeze_next_block_post x0 result) } - -let v_BLOCK_SIZE: usize = sz 168 - -let v_FIVE_BLOCKS_SIZE: usize = v_BLOCK_SIZE *! sz 5 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti index de5a31b65..486426747 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti @@ -3,6 +3,8 @@ module Libcrux_ml_dsa.Hash_functions.Shake256 open Core open FStar.Mul +let v_BLOCK_SIZE: usize = sz 136 + /// An ML-DSA specific Xof trait /// This trait is not actually a full Xof implementation but opererates only /// on multiple of blocks. The only real Xof API for SHAKE256 is [`Xof`]. 
@@ -38,27 +40,6 @@ class t_DsaXof (v_Self: Type0) = { (fun result -> f_squeeze_next_block_post x0 result) } -/// A generic Xof trait -class t_Xof (v_Self: Type0) = { - f_init_pre:Prims.unit -> Type0; - f_init_post:Prims.unit -> v_Self -> Type0; - f_init:x0: Prims.unit -> Prims.Pure v_Self (f_init_pre x0) (fun result -> f_init_post x0 result); - f_absorb_pre:v_Self -> t_Slice u8 -> Type0; - f_absorb_post:v_Self -> t_Slice u8 -> v_Self -> Type0; - f_absorb:x0: v_Self -> x1: t_Slice u8 - -> Prims.Pure v_Self (f_absorb_pre x0 x1) (fun result -> f_absorb_post x0 x1 result); - f_absorb_final_pre:v_Self -> t_Slice u8 -> Type0; - f_absorb_final_post:v_Self -> t_Slice u8 -> v_Self -> Type0; - f_absorb_final:x0: v_Self -> x1: t_Slice u8 - -> Prims.Pure v_Self (f_absorb_final_pre x0 x1) (fun result -> f_absorb_final_post x0 x1 result); - f_squeeze_pre:v_Self -> t_Slice u8 -> Type0; - f_squeeze_post:v_Self -> t_Slice u8 -> (v_Self & t_Slice u8) -> Type0; - f_squeeze:x0: v_Self -> x1: t_Slice u8 - -> Prims.Pure (v_Self & t_Slice u8) - (f_squeeze_pre x0 x1) - (fun result -> f_squeeze_post x0 x1 result) -} - class t_XofX4 (v_Self: Type0) = { f_init_absorb_x4_pre:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> Type0; f_init_absorb_x4_post:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> v_Self -> Type0; 
@@ -129,4 +110,23 @@ class t_XofX4 (v_Self: Type0) = { (fun result -> f_shake256_x4_post v_OUT_LEN x0 x1 x2 x3 x4 x5 x6 x7 result) } -let v_BLOCK_SIZE: usize = sz 136 +/// A generic Xof trait +class t_Xof (v_Self: Type0) = { + f_init_pre:Prims.unit -> Type0; + f_init_post:Prims.unit -> v_Self -> Type0; + f_init:x0: Prims.unit -> Prims.Pure v_Self (f_init_pre x0) (fun result -> f_init_post x0 result); + f_absorb_pre:v_Self -> t_Slice u8 -> Type0; + f_absorb_post:v_Self -> t_Slice u8 -> v_Self -> Type0; + f_absorb:x0: v_Self -> x1: t_Slice u8 + -> Prims.Pure v_Self (f_absorb_pre x0 x1) (fun result -> f_absorb_post x0 x1 result); + f_absorb_final_pre:v_Self -> t_Slice u8 -> Type0; + f_absorb_final_post:v_Self -> t_Slice u8 -> v_Self -> Type0; + f_absorb_final:x0: v_Self -> x1: t_Slice u8 + -> Prims.Pure v_Self (f_absorb_final_pre x0 x1) (fun result -> f_absorb_final_post x0 x1 result); + f_squeeze_pre:v_Self -> t_Slice u8 -> Type0; + f_squeeze_post:v_Self -> t_Slice u8 -> (v_Self & t_Slice u8) -> Type0; + f_squeeze:x0: v_Self -> x1: t_Slice u8 + -> Prims.Pure (v_Self & t_Slice u8) + (f_squeeze_pre x0 x1) + (fun result -> f_squeeze_post x0 x1 result) +} diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fst index fe67aa9fc..2c27cc72d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fst 
@@ -9,42 +9,54 @@ val t_Shake128x4': eqtype let t_Shake128x4 = t_Shake128x4' assume -val t_Shake256': eqtype +val init_absorb': + input0: t_Slice u8 -> + input1: t_Slice u8 -> + input2: t_Slice u8 -> + input3: t_Slice u8 + -> Prims.Pure t_Shake128x4 Prims.l_True (fun _ -> Prims.l_True) -let t_Shake256 = t_Shake256' +let init_absorb = init_absorb' assume -val t_Shake256x4': eqtype +val squeeze_first_five_blocks': + state: t_Shake128x4 -> + out0: t_Array u8 (sz 840) -> + out1: t_Array u8 (sz 840) -> + out2: t_Array u8 (sz 840) -> + out3: t_Array u8 (sz 840) + -> Prims.Pure + (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True) -let t_Shake256x4 = t_Shake256x4' +let squeeze_first_five_blocks = squeeze_first_five_blocks' -[@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl': Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 +val squeeze_next_block': state: t_Shake128x4 + -> Prims.Pure + (t_Shake128x4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + Prims.l_True + (fun _ -> Prims.l_True) -let impl = impl' +let squeeze_next_block = squeeze_next_block' [@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl_1': Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof t_Shake256 +val impl': Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 -let impl_1 = impl_1' +let impl = impl' -[@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl_2': Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 +val t_Shake256': eqtype -let impl_2 = impl_2' +let t_Shake256 = t_Shake256' assume -val init_absorb': - input0: t_Slice u8 -> - input1: t_Slice u8 -> - input2: t_Slice u8 -> - input3: t_Slice u8 - -> Prims.Pure t_Shake128x4 Prims.l_True (fun _ -> Prims.l_True) +val shake256': v_OUTPUT_LENGTH: usize -> input: t_Slice u8 -> out: t_Array u8 v_OUTPUT_LENGTH + -> Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> 
Prims.l_True) -let init_absorb = init_absorb' +let shake256 (v_OUTPUT_LENGTH: usize) = shake256' v_OUTPUT_LENGTH assume val init_absorb_final_shake256': input: t_Slice u8 
@@ -53,44 +65,37 @@ val init_absorb_final_shake256': input: t_Slice u8 let init_absorb_final_shake256 = init_absorb_final_shake256' assume -val init_absorb_x4': - input0: t_Slice u8 -> - input1: t_Slice u8 -> - input2: t_Slice u8 -> - input3: t_Slice u8 - -> Prims.Pure t_Shake256x4 Prims.l_True (fun _ -> Prims.l_True) +val squeeze_first_block_shake256': state: t_Shake256 + -> Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) -let init_absorb_x4 = init_absorb_x4' +let squeeze_first_block_shake256 = squeeze_first_block_shake256' assume -val shake256': v_OUTPUT_LENGTH: usize -> input: t_Slice u8 -> out: t_Array u8 v_OUTPUT_LENGTH - -> Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True) +val squeeze_next_block_shake256': state: t_Shake256 + -> Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) -let shake256 (v_OUTPUT_LENGTH: usize) = shake256' v_OUTPUT_LENGTH +let squeeze_next_block_shake256 = squeeze_next_block_shake256' +[@@ FStar.Tactics.Typeclasses.tcinstance] assume -val shake256_x4': - v_OUT_LEN: usize -> - input0: t_Slice u8 -> - input1: t_Slice u8 -> - input2: t_Slice u8 -> - input3: t_Slice u8 -> - out0: t_Array u8 v_OUT_LEN -> - out1: t_Array u8 v_OUT_LEN -> - out2: t_Array u8 v_OUT_LEN -> - out3: t_Array u8 v_OUT_LEN - -> Prims.Pure - (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) - Prims.l_True - (fun _ -> Prims.l_True) +val impl_1': Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof t_Shake256 -let shake256_x4 (v_OUT_LEN: usize) = shake256_x4' v_OUT_LEN +let impl_1 = impl_1' assume -val squeeze_first_block_shake256': state: t_Shake256 - -> Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) +val t_Shake256x4': eqtype -let squeeze_first_block_shake256 = squeeze_first_block_shake256' +let t_Shake256x4 = t_Shake256x4' + +assume +val init_absorb_x4': + input0: t_Slice u8 -> + input1: t_Slice u8 -> + 
input2: t_Slice u8 -> + input3: t_Slice u8 + -> Prims.Pure t_Shake256x4 Prims.l_True (fun _ -> Prims.l_True) + +let init_absorb_x4 = init_absorb_x4' assume val squeeze_first_block_x4': state: t_Shake256x4 
@@ -103,40 +108,35 @@ val squeeze_first_block_x4': state: t_Shake256x4 let squeeze_first_block_x4 = squeeze_first_block_x4' assume -val squeeze_first_five_blocks': - state: t_Shake128x4 -> - out0: t_Array u8 (sz 840) -> - out1: t_Array u8 (sz 840) -> - out2: t_Array u8 (sz 840) -> - out3: t_Array u8 (sz 840) +val squeeze_next_block_x4': state: t_Shake256x4 -> Prims.Pure - (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & - t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True) + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + Prims.l_True + (fun _ -> Prims.l_True) -let squeeze_first_five_blocks = squeeze_first_five_blocks' +let squeeze_next_block_x4 = squeeze_next_block_x4' assume -val squeeze_next_block': state: t_Shake128x4 +val shake256_x4': + v_OUT_LEN: usize -> + input0: t_Slice u8 -> + input1: t_Slice u8 -> + input2: t_Slice u8 -> + input3: t_Slice u8 -> + out0: t_Array u8 v_OUT_LEN -> + out1: t_Array u8 v_OUT_LEN -> + out2: t_Array u8 v_OUT_LEN -> + out3: t_Array u8 v_OUT_LEN -> Prims.Pure - (t_Shake128x4 & - (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) -let squeeze_next_block = squeeze_next_block' - -assume -val squeeze_next_block_shake256': state: t_Shake256 - -> Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) - -let squeeze_next_block_shake256 = squeeze_next_block_shake256' +let shake256_x4 (v_OUT_LEN: usize) = shake256_x4' v_OUT_LEN +[@@ FStar.Tactics.Typeclasses.tcinstance] assume -val squeeze_next_block_x4': state: t_Shake256x4 - -> Prims.Pure - (t_Shake256x4 & - (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) - Prims.l_True - (fun _ -> Prims.l_True) +val impl_2': Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 
t_Shake256x4 -let squeeze_next_block_x4 = squeeze_next_block_x4' +let impl_2 = impl_2' diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti index 109c7ccf9..efb4f88de 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti 
@@ -8,45 +8,48 @@ open FStar.Mul /// version is used. val t_Shake128x4:eqtype -/// AVX2 SHAKE 256 state -val t_Shake256:eqtype +/// Init the state and absorb 4 blocks in parallel. +val init_absorb (input0 input1 input2 input3: t_Slice u8) + : Prims.Pure t_Shake128x4 Prims.l_True (fun _ -> Prims.l_True) -/// AVX2 SHAKE 256 x4 state. -val t_Shake256x4:eqtype +val squeeze_first_five_blocks (state: t_Shake128x4) (out0 out1 out2 out3: t_Array u8 (sz 840)) + : Prims.Pure + (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True) -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl:Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 +val squeeze_next_block (state: t_Shake128x4) + : Prims.Pure + (t_Shake128x4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + Prims.l_True + (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_1:Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof t_Shake256 +val impl:Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_2:Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 +/// AVX2 SHAKE 256 state +val t_Shake256:eqtype -/// Init the state and absorb 4 blocks in parallel. 
-val init_absorb (input0 input1 input2 input3: t_Slice u8) - : Prims.Pure t_Shake128x4 Prims.l_True (fun _ -> Prims.l_True) +val shake256 (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) + : Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True) val init_absorb_final_shake256 (input: t_Slice u8) : Prims.Pure t_Shake256 Prims.l_True (fun _ -> Prims.l_True) -val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8) - : Prims.Pure t_Shake256x4 Prims.l_True (fun _ -> Prims.l_True) +val squeeze_first_block_shake256 (state: t_Shake256) + : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) -val shake256 (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) - : Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True) +val squeeze_next_block_shake256 (state: t_Shake256) + : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) -val shake256_x4 - (v_OUT_LEN: usize) - (input0 input1 input2 input3: t_Slice u8) - (out0 out1 out2 out3: t_Array u8 v_OUT_LEN) - : Prims.Pure - (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) - Prims.l_True - (fun _ -> Prims.l_True) +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_1:Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof t_Shake256 -val squeeze_first_block_shake256 (state: t_Shake256) - : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) +/// AVX2 SHAKE 256 x4 state. +val t_Shake256x4:eqtype + +val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8) + : Prims.Pure t_Shake256x4 Prims.l_True (fun _ -> Prims.l_True) val squeeze_first_block_x4 (state: t_Shake256x4) : Prims.Pure 
@@ -55,24 +58,21 @@ val squeeze_first_block_x4 (state: t_Shake256x4) Prims.l_True (fun _ -> Prims.l_True) -val squeeze_first_five_blocks (state: t_Shake128x4) (out0 out1 out2 out3: t_Array u8 (sz 840)) - : Prims.Pure - (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & - t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True) - -val squeeze_next_block (state: t_Shake128x4) +val squeeze_next_block_x4 (state: t_Shake256x4) : Prims.Pure - (t_Shake128x4 & - (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) Prims.l_True (fun _ -> Prims.l_True) -val squeeze_next_block_shake256 (state: t_Shake256) - : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) - -val squeeze_next_block_x4 (state: t_Shake256x4) +val shake256_x4 + (v_OUT_LEN: usize) + (input0 input1 input2 input3: t_Slice u8) + (out0 out1 out2 out3: t_Array u8 v_OUT_LEN) : Prims.Pure - (t_Shake256x4 & - (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_2:Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst index 78a4705b7..433f53e34 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst 
@@ -55,37 +55,6 @@ let vector_times_ring_element in vector -let add_vectors - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (dimension: usize) - (lhs rhs: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - = - let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - dimension - (fun lhs temp_1_ -> - let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = lhs in - let _:usize = temp_1_ in - true) - lhs - (fun lhs i -> - let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = lhs in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs - i - (Libcrux_ml_dsa.Polynomial.impl__add #v_SIMDUnit - (lhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (rhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - in - lhs - let compute_as1_plus_s2 (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] 
@@ -263,6 +232,68 @@ let compute_matrix_x_mask in result +let add_vectors + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (dimension: usize) + (lhs rhs: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + = + let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + dimension + (fun lhs temp_1_ -> + let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = lhs in + let _:usize = temp_1_ in + true) + lhs + (fun lhs i -> + let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = lhs in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs + i + (Libcrux_ml_dsa.Polynomial.impl__add #v_SIMDUnit + (lhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (rhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + lhs + +let subtract_vectors + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (dimension: usize) + (lhs rhs: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + = + let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + dimension + (fun lhs temp_1_ -> + let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = lhs in + let _:usize = temp_1_ in + true) + lhs + (fun lhs i -> + let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = lhs in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs + i + (Libcrux_ml_dsa.Polynomial.impl__subtract #v_SIMDUnit + (lhs.[ i ] <: 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (rhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + lhs + let compute_w_approx (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -363,34 +394,3 @@ let compute_w_approx t1) in t1 - -let subtract_vectors - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (dimension: usize) - (lhs rhs: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - = - let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - dimension - (fun lhs temp_1_ -> - let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = lhs in - let _:usize = temp_1_ in - true) - lhs - (fun lhs i -> - let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = lhs in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs - i - (Libcrux_ml_dsa.Polynomial.impl__subtract #v_SIMDUnit - (lhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (rhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - in - lhs diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fsti index 69baf07d6..29c17604b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fsti 
@@ -18,15 +18,6 @@ val vector_times_ring_element Prims.l_True (fun _ -> Prims.l_True) -val add_vectors - (#v_SIMDUnit: Type0) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (dimension: usize) - (lhs rhs: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - Prims.l_True - (fun _ -> Prims.l_True) - /// Compute InvertNTT( ◦ ŝ₁) + s₂ val compute_as1_plus_s2 (#v_SIMDUnit: Type0) @@ -48,15 +39,11 @@ val compute_matrix_x_mask Prims.l_True (fun _ -> Prims.l_True) -/// Compute InvertNTT( ◦ ẑ - ĉ ◦ NTT(t₁2ᵈ)) -val compute_w_approx +val add_vectors (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (rows_in_a columns_in_a: usize) - (matrix signer_response: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (verifier_challenge_as_ntt: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (t1: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (dimension: usize) + (lhs rhs: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) Prims.l_True (fun _ -> Prims.l_True) 
@@ -69,3 +56,16 @@ val subtract_vectors : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) Prims.l_True (fun _ -> Prims.l_True) + +/// Compute InvertNTT( ◦ ẑ - ĉ ◦ NTT(t₁2ᵈ)) +val compute_w_approx + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (rows_in_a columns_in_a: usize) + (matrix signer_response: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (verifier_challenge_as_ntt: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (t1: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst index 3506b3983..a765340a9 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst @@ -37,6 +37,20 @@ let sign context randomness +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.verify (Libcrux_ml_dsa.Types.impl_2__as_ref ( + sz 1312) + verification_key + <: + t_Array u8 (sz 1312)) + message + context + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) + let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) (message context: t_Slice u8) 
@@ -59,20 +73,6 @@ let sign_pre_hashed_shake128 let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in out -let verify - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) - (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.verify (Libcrux_ml_dsa.Types.impl_2__as_ref ( - sz 1312) - verification_key - <: - t_Array u8 (sz 1312)) - message - context - (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) - let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) (message context: t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti index eb77b98a4..271b3e989 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti @@ -26,6 +26,20 @@ val sign (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) +/// Verify an ML-DSA-44 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// Returns `Ok` when the `signature` is valid for the `message` and +/// `verification_key`, and a [`VerificationError`] otherwise. +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + /// Sign with HashML-DSA 44, with a SHAKE128 pre-hashing /// Sign a digest of `message` derived using `pre_hash` with the /// ML-DSA `signing_key`. 
@@ -41,20 +55,6 @@ val sign_pre_hashed_shake128 (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -/// Verify an ML-DSA-44 Signature -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. -/// Returns `Ok` when the `signature` is valid for the `message` and -/// `verification_key`, and a [`VerificationError`] otherwise. -val verify - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) - (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - Prims.l_True - (fun _ -> Prims.l_True) - /// Verify a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing /// The parameter `context` is used for domain separation /// and is a byte string of length at most 255 bytes. It diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst index 243d5de79..d4f6f883f 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst @@ -37,6 +37,20 @@ let sign context randomness +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.verify (Libcrux_ml_dsa.Types.impl_2__as_ref ( + sz 1952) + verification_key + <: + t_Array u8 (sz 1952)) + message + context + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) + let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) 
@@ -59,20 +73,6 @@ let sign_pre_hashed_shake128 let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in out -let verify - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) - (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.verify (Libcrux_ml_dsa.Types.impl_2__as_ref ( - sz 1952) - verification_key - <: - t_Array u8 (sz 1952)) - message - context - (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) - let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) (message context: t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti index d7b76e429..b8a48b5dd 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti @@ -26,6 +26,20 @@ val sign (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) +/// Verify an ML-DSA-65 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// Returns `Ok` when the `signature` is valid for the `message` and +/// `verification_key`, and a [`VerificationError`] otherwise. +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + /// Sign with HashML-DSA 65, with a SHAKE128 pre-hashing /// Sign a digest of `message` derived using `pre_hash` with the /// ML-DSA `signing_key`. 
@@ -41,20 +55,6 @@ val sign_pre_hashed_shake128 (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -/// Verify an ML-DSA-65 Signature -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. -/// Returns `Ok` when the `signature` is valid for the `message` and -/// `verification_key`, and a [`VerificationError`] otherwise. -val verify - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) - (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - Prims.l_True - (fun _ -> Prims.l_True) - /// Verify a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing /// The parameter `context` is used for domain separation /// and is a byte string of length at most 255 bytes. It diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst index 56f5baaf3..561b3c090 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst @@ -37,6 +37,20 @@ let sign context randomness +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.verify (Libcrux_ml_dsa.Types.impl_2__as_ref ( + sz 2592) + verification_key + <: + t_Array u8 (sz 2592)) + message + context + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) + let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) (message context: t_Slice u8) 
@@ -59,20 +73,6 @@ let sign_pre_hashed_shake128 let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in out -let verify - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) - (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.verify (Libcrux_ml_dsa.Types.impl_2__as_ref ( - sz 2592) - verification_key - <: - t_Array u8 (sz 2592)) - message - context - (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) - let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) (message context: t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti index 2dbf4d427..259054199 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti @@ -26,6 +26,20 @@ val sign (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) +/// Verify an ML-DSA-87 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// Returns `Ok` when the `signature` is valid for the `message` and +/// `verification_key`, and a [`VerificationError`] otherwise. +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + /// Sign with HashML-DSA 87, with a SHAKE128 pre-hashing /// Sign a digest of `message` derived using `pre_hash` with the /// ML-DSA `signing_key`. 
@@ -41,20 +55,6 @@ val sign_pre_hashed_shake128 (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -/// Verify an ML-DSA-87 Signature -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. -/// Returns `Ok` when the `signature` is valid for the `message` and -/// `verification_key`, and a [`VerificationError`] otherwise. -val verify - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) - (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - Prims.l_True - (fun _ -> Prims.l_True) - /// Verify a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing /// The parameter `context` is used for domain separation /// and is a byte string of length at most 255 bytes. It diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fst index d4addf2d9..80f671573 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fst 
@@ -46,61 +46,65 @@ let generate_key_pair (randomness: t_Array u8 (sz 32)) (signing_key verification let _:Prims.unit = () in signing_key, verification_key <: (t_Slice u8 & t_Slice u8) -let sign___inner - (signing_key: t_Array u8 (sz 2560)) +let verify___inner + (verification_key: t_Array u8 (sz 1312)) (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 - #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 (signing_key <: t_Slice u8) message context - randomness + verification_key + message + context + signature -let sign - (signing_key: t_Array u8 (sz 2560)) +let verify + (verification_key: t_Array u8 (sz 1312)) (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - = sign___inner signing_key message context randomness + (signature: t_Array u8 (sz 2420)) + = verify___inner verification_key message context signature -let sign_mut___inner - (signing_key: t_Array u8 (sz 2560)) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) +let verify_pre_hashed_shake128___inner + (verification_key: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) (signature: t_Array u8 (sz 2420)) = - let tmp0, out:(t_Array u8 (sz 2420) & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign_mut #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 - #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result 
Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 (signing_key <: t_Slice u8) message - context randomness signature + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + verification_key message context pre_hash_buffer signature in - let signature:t_Array u8 (sz 2420) = tmp0 in - let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in - signature, hax_temp_output + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output <: - (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) -let sign_mut - (signing_key: t_Array u8 (sz 2560)) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) +let verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) (signature: t_Array u8 (sz 2420)) = - let tmp0, out:(t_Array u8 (sz 2420) & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = - sign_mut___inner signing_key message context randomness signature + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + verify_pre_hashed_shake128___inner verification_key message context pre_hash_buffer signature in - let signature:t_Array u8 (sz 2420) = tmp0 in - let 
hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in - signature, hax_temp_output + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output <: - (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) let sign_pre_hashed_shake128___inner (signing_key: t_Array u8 (sz 2560)) 
@@ -150,62 +154,58 @@ let sign_pre_hashed_shake128 Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) -let verify___inner - (verification_key: t_Array u8 (sz 1312)) - (message context: t_Slice u8) - (signature: t_Array u8 (sz 2420)) - = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 - #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - verification_key - message - context - signature - -let verify - (verification_key: t_Array u8 (sz 1312)) +let sign_mut___inner + (signing_key: t_Array u8 (sz 2560)) (message context: t_Slice u8) - (signature: t_Array u8 (sz 2420)) - = verify___inner verification_key message context signature - -let verify_pre_hashed_shake128___inner - (verification_key: t_Array u8 (sz 1312)) - (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) (signature: t_Array u8 (sz 2420)) = - let tmp0, out:(t_Slice u8 & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 - #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + let tmp0, out:(t_Array u8 (sz 2420) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign_mut #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - verification_key message context pre_hash_buffer signature - in - let pre_hash_buffer:t_Slice u8 = tmp0 in - let 
hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = - out + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 (signing_key <: t_Slice u8) message + context randomness signature in - pre_hash_buffer, hax_temp_output + let signature:t_Array u8 (sz 2420) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output <: - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) -let verify_pre_hashed_shake128 - (verification_key: t_Array u8 (sz 1312)) - (message context pre_hash_buffer: t_Slice u8) +let sign_mut + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) (signature: t_Array u8 (sz 2420)) = - let tmp0, out:(t_Slice u8 & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - verify_pre_hashed_shake128___inner verification_key message context pre_hash_buffer signature - in - let pre_hash_buffer:t_Slice u8 = tmp0 in - let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = - out + let tmp0, out:(t_Array u8 (sz 2420) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + sign_mut___inner signing_key message context randomness signature in - pre_hash_buffer, hax_temp_output + let signature:t_Array u8 (sz 2420) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output <: - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + +let sign___inner + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: 
t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 (signing_key <: t_Slice u8) message context + randomness + +let sign + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = sign___inner signing_key message context randomness diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fsti index 0a6cd9f8c..56211286c 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fsti 
@@ -26,41 +26,39 @@ val generate_key_pair___inner val generate_key_pair (randomness: t_Array u8 (sz 32)) (signing_key verification_key: t_Slice u8) : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -val sign___inner - (signing_key: t_Array u8 (sz 2560)) +val verify___inner + (verification_key: t_Array u8 (sz 1312)) (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) -/// Sign. -val sign - (signing_key: t_Array u8 (sz 2560)) +/// Verify. +val verify + (verification_key: t_Array u8 (sz 1312)) (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) -val sign_mut___inner - (signing_key: t_Array u8 (sz 2560)) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) +val verify_pre_hashed_shake128___inner + (verification_key: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) (signature: t_Array u8 (sz 2420)) : Prims.Pure - (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) -/// Sign. -val sign_mut - (signing_key: t_Array u8 (sz 2560)) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) +/// Verify (pre-hashed with SHAKE-128). 
+val verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) (signature: t_Array u8 (sz 2420)) : Prims.Pure - (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) 
@@ -83,38 +81,40 @@ val sign_pre_hashed_shake128 Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -val verify___inner - (verification_key: t_Array u8 (sz 1312)) +val sign_mut___inner + (signing_key: t_Array u8 (sz 2560)) (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) (signature: t_Array u8 (sz 2420)) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + : Prims.Pure + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -/// Verify. -val verify - (verification_key: t_Array u8 (sz 1312)) +/// Sign. +val sign_mut + (signing_key: t_Array u8 (sz 2560)) (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) (signature: t_Array u8 (sz 2420)) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + : Prims.Pure + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -val verify_pre_hashed_shake128___inner - (verification_key: t_Array u8 (sz 1312)) - (message context pre_hash_buffer: t_Slice u8) - (signature: t_Array u8 (sz 2420)) +val sign___inner + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - Prims.l_True - (fun _ -> Prims.l_True) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -/// Verify (pre-hashed with SHAKE-128). -val verify_pre_hashed_shake128 - (verification_key: t_Array u8 (sz 1312)) - (message context pre_hash_buffer: t_Slice u8) - (signature: t_Array u8 (sz 2420)) +/// Sign. 
+val sign + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - Prims.l_True - (fun _ -> Prims.l_True) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fst index 384431e2f..52d3bf949 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fst 
@@ -46,61 +46,65 @@ let generate_key_pair (randomness: t_Array u8 (sz 32)) (signing_key verification let _:Prims.unit = () in signing_key, verification_key <: (t_Slice u8 & t_Slice u8) -let sign___inner - (signing_key: t_Array u8 (sz 4032)) +let verify___inner + (verification_key: t_Array u8 (sz 1952)) (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 - #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 (signing_key <: t_Slice u8) message context - randomness + verification_key + message + context + signature -let sign - (signing_key: t_Array u8 (sz 4032)) +let verify + (verification_key: t_Array u8 (sz 1952)) (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - = sign___inner signing_key message context randomness + (signature: t_Array u8 (sz 3309)) + = verify___inner verification_key message context signature -let sign_mut___inner - (signing_key: t_Array u8 (sz 4032)) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) +let verify_pre_hashed_shake128___inner + (verification_key: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) (signature: t_Array u8 (sz 3309)) = - let tmp0, out:(t_Array u8 (sz 3309) & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign_mut #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 - #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result 
Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 (signing_key <: t_Slice u8) message - context randomness signature + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + verification_key message context pre_hash_buffer signature in - let signature:t_Array u8 (sz 3309) = tmp0 in - let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in - signature, hax_temp_output + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output <: - (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) -let sign_mut - (signing_key: t_Array u8 (sz 4032)) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) +let verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) (signature: t_Array u8 (sz 3309)) = - let tmp0, out:(t_Array u8 (sz 3309) & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = - sign_mut___inner signing_key message context randomness signature + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + verify_pre_hashed_shake128___inner verification_key message context pre_hash_buffer signature in - let signature:t_Array u8 (sz 3309) = tmp0 in - let 
hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in - signature, hax_temp_output + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output <: - (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) let sign_pre_hashed_shake128___inner (signing_key: t_Array u8 (sz 4032)) 
@@ -150,62 +154,58 @@ let sign_pre_hashed_shake128 Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) -let verify___inner - (verification_key: t_Array u8 (sz 1952)) - (message context: t_Slice u8) - (signature: t_Array u8 (sz 3309)) - = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 - #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - verification_key - message - context - signature - -let verify - (verification_key: t_Array u8 (sz 1952)) +let sign_mut___inner + (signing_key: t_Array u8 (sz 4032)) (message context: t_Slice u8) - (signature: t_Array u8 (sz 3309)) - = verify___inner verification_key message context signature - -let verify_pre_hashed_shake128___inner - (verification_key: t_Array u8 (sz 1952)) - (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) (signature: t_Array u8 (sz 3309)) = - let tmp0, out:(t_Slice u8 & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 - #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + let tmp0, out:(t_Array u8 (sz 3309) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign_mut #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - verification_key message context pre_hash_buffer signature - in - let pre_hash_buffer:t_Slice u8 = tmp0 in - let 
hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = - out + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 (signing_key <: t_Slice u8) message + context randomness signature in - pre_hash_buffer, hax_temp_output + let signature:t_Array u8 (sz 3309) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output <: - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) -let verify_pre_hashed_shake128 - (verification_key: t_Array u8 (sz 1952)) - (message context pre_hash_buffer: t_Slice u8) +let sign_mut + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) (signature: t_Array u8 (sz 3309)) = - let tmp0, out:(t_Slice u8 & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - verify_pre_hashed_shake128___inner verification_key message context pre_hash_buffer signature - in - let pre_hash_buffer:t_Slice u8 = tmp0 in - let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = - out + let tmp0, out:(t_Array u8 (sz 3309) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + sign_mut___inner signing_key message context randomness signature in - pre_hash_buffer, hax_temp_output + let signature:t_Array u8 (sz 3309) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output <: - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + +let sign___inner + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: 
t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 (signing_key <: t_Slice u8) message context + randomness + +let sign + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = sign___inner signing_key message context randomness diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fsti index 73beab56d..2faca95fc 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fsti 
@@ -26,41 +26,39 @@ val generate_key_pair___inner val generate_key_pair (randomness: t_Array u8 (sz 32)) (signing_key verification_key: t_Slice u8) : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -val sign___inner - (signing_key: t_Array u8 (sz 4032)) +val verify___inner + (verification_key: t_Array u8 (sz 1952)) (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) -/// Sign. -val sign - (signing_key: t_Array u8 (sz 4032)) +/// Verify. +val verify + (verification_key: t_Array u8 (sz 1952)) (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) -val sign_mut___inner - (signing_key: t_Array u8 (sz 4032)) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) +val verify_pre_hashed_shake128___inner + (verification_key: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) (signature: t_Array u8 (sz 3309)) : Prims.Pure - (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) -/// Sign. -val sign_mut - (signing_key: t_Array u8 (sz 4032)) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) +/// Verify (pre-hashed with SHAKE-128). 
+val verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) (signature: t_Array u8 (sz 3309)) : Prims.Pure - (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) 
@@ -83,38 +81,40 @@ val sign_pre_hashed_shake128 Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -val verify___inner - (verification_key: t_Array u8 (sz 1952)) +val sign_mut___inner + (signing_key: t_Array u8 (sz 4032)) (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) (signature: t_Array u8 (sz 3309)) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + : Prims.Pure + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -/// Verify. -val verify - (verification_key: t_Array u8 (sz 1952)) +/// Sign. +val sign_mut + (signing_key: t_Array u8 (sz 4032)) (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) (signature: t_Array u8 (sz 3309)) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + : Prims.Pure + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -val verify_pre_hashed_shake128___inner - (verification_key: t_Array u8 (sz 1952)) - (message context pre_hash_buffer: t_Slice u8) - (signature: t_Array u8 (sz 3309)) +val sign___inner + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - Prims.l_True - (fun _ -> Prims.l_True) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -/// Verify (pre-hashed with SHAKE-128). -val verify_pre_hashed_shake128 - (verification_key: t_Array u8 (sz 1952)) - (message context pre_hash_buffer: t_Slice u8) - (signature: t_Array u8 (sz 3309)) +/// Sign. 
+val sign + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - Prims.l_True - (fun _ -> Prims.l_True) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fst index 85209dee4..ccf1518d3 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fst 
@@ -46,61 +46,65 @@ let generate_key_pair (randomness: t_Array u8 (sz 32)) (signing_key verification let _:Prims.unit = () in signing_key, verification_key <: (t_Slice u8 & t_Slice u8) -let sign___inner - (signing_key: t_Array u8 (sz 4896)) +let verify___inner + (verification_key: t_Array u8 (sz 2592)) (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 - #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 (signing_key <: t_Slice u8) message context - randomness + verification_key + message + context + signature -let sign - (signing_key: t_Array u8 (sz 4896)) +let verify + (verification_key: t_Array u8 (sz 2592)) (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - = sign___inner signing_key message context randomness + (signature: t_Array u8 (sz 4627)) + = verify___inner verification_key message context signature -let sign_mut___inner - (signing_key: t_Array u8 (sz 4896)) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) +let verify_pre_hashed_shake128___inner + (verification_key: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) (signature: t_Array u8 (sz 4627)) = - let tmp0, out:(t_Array u8 (sz 4627) & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign_mut #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 - #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result 
Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 (signing_key <: t_Slice u8) message - context randomness signature + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + verification_key message context pre_hash_buffer signature in - let signature:t_Array u8 (sz 4627) = tmp0 in - let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in - signature, hax_temp_output + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output <: - (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) -let sign_mut - (signing_key: t_Array u8 (sz 4896)) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) +let verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) (signature: t_Array u8 (sz 4627)) = - let tmp0, out:(t_Array u8 (sz 4627) & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = - sign_mut___inner signing_key message context randomness signature + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + verify_pre_hashed_shake128___inner verification_key message context pre_hash_buffer signature in - let signature:t_Array u8 (sz 4627) = tmp0 in - let 
hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in - signature, hax_temp_output + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output <: - (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) let sign_pre_hashed_shake128___inner (signing_key: t_Array u8 (sz 4896)) 
@@ -150,62 +154,58 @@ let sign_pre_hashed_shake128 Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) -let verify___inner - (verification_key: t_Array u8 (sz 2592)) - (message context: t_Slice u8) - (signature: t_Array u8 (sz 4627)) - = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 - #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - verification_key - message - context - signature - -let verify - (verification_key: t_Array u8 (sz 2592)) +let sign_mut___inner + (signing_key: t_Array u8 (sz 4896)) (message context: t_Slice u8) - (signature: t_Array u8 (sz 4627)) - = verify___inner verification_key message context signature - -let verify_pre_hashed_shake128___inner - (verification_key: t_Array u8 (sz 2592)) - (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) (signature: t_Array u8 (sz 4627)) = - let tmp0, out:(t_Slice u8 & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 - #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + let tmp0, out:(t_Array u8 (sz 4627) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign_mut #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - verification_key message context pre_hash_buffer signature - in - let pre_hash_buffer:t_Slice u8 = tmp0 in - let 
hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = - out + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 (signing_key <: t_Slice u8) message + context randomness signature in - pre_hash_buffer, hax_temp_output + let signature:t_Array u8 (sz 4627) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output <: - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) -let verify_pre_hashed_shake128 - (verification_key: t_Array u8 (sz 2592)) - (message context pre_hash_buffer: t_Slice u8) +let sign_mut + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) (signature: t_Array u8 (sz 4627)) = - let tmp0, out:(t_Slice u8 & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - verify_pre_hashed_shake128___inner verification_key message context pre_hash_buffer signature - in - let pre_hash_buffer:t_Slice u8 = tmp0 in - let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = - out + let tmp0, out:(t_Array u8 (sz 4627) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + sign_mut___inner signing_key message context randomness signature in - pre_hash_buffer, hax_temp_output + let signature:t_Array u8 (sz 4627) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output <: - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + +let sign___inner + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: 
t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 (signing_key <: t_Slice u8) message context + randomness + +let sign + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = sign___inner signing_key message context randomness diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fsti index a119375c4..a31bd4f28 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fsti 
@@ -26,41 +26,39 @@ val generate_key_pair___inner val generate_key_pair (randomness: t_Array u8 (sz 32)) (signing_key verification_key: t_Slice u8) : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -val sign___inner - (signing_key: t_Array u8 (sz 4896)) +val verify___inner + (verification_key: t_Array u8 (sz 2592)) (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) -/// Sign. -val sign - (signing_key: t_Array u8 (sz 4896)) +/// Verify. +val verify + (verification_key: t_Array u8 (sz 2592)) (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) -val sign_mut___inner - (signing_key: t_Array u8 (sz 4896)) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) +val verify_pre_hashed_shake128___inner + (verification_key: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) (signature: t_Array u8 (sz 4627)) : Prims.Pure - (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) -/// Sign. -val sign_mut - (signing_key: t_Array u8 (sz 4896)) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) +/// Verify (pre-hashed with SHAKE-128). 
+val verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) (signature: t_Array u8 (sz 4627)) : Prims.Pure - (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) 
@@ -83,38 +81,40 @@ val sign_pre_hashed_shake128 Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -val verify___inner - (verification_key: t_Array u8 (sz 2592)) +val sign_mut___inner + (signing_key: t_Array u8 (sz 4896)) (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) (signature: t_Array u8 (sz 4627)) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + : Prims.Pure + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -/// Verify. -val verify - (verification_key: t_Array u8 (sz 2592)) +/// Sign. +val sign_mut + (signing_key: t_Array u8 (sz 4896)) (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) (signature: t_Array u8 (sz 4627)) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + : Prims.Pure + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -val verify_pre_hashed_shake128___inner - (verification_key: t_Array u8 (sz 2592)) - (message context pre_hash_buffer: t_Slice u8) - (signature: t_Array u8 (sz 4627)) +val sign___inner + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - Prims.l_True - (fun _ -> Prims.l_True) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -/// Verify (pre-hashed with SHAKE-128). -val verify_pre_hashed_shake128 - (verification_key: t_Array u8 (sz 2592)) - (message context pre_hash_buffer: t_Slice u8) - (signature: t_Array u8 (sz 4627)) +/// Sign. 
+val sign + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - Prims.l_True - (fun _ -> Prims.l_True) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fst index da2a3cd8c..76a0ded63 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fst 
@@ -38,38 +38,42 @@ let generate_key_pair let _:Prims.unit = () in signing_key, verification_key <: (t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) -let sign - (signing_key: t_Array u8 (sz 2560)) +let verify + (verification_key: t_Array u8 (sz 1312)) (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients - #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 (signing_key <: t_Slice u8) message context - randomness + verification_key + message + context + signature -let sign_mut - (signing_key: t_Array u8 (sz 2560)) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) +let verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) (signature: t_Array u8 (sz 2420)) = - let tmp0, out:(t_Array u8 (sz 2420) & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign_mut #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients - #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 
#Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 (signing_key <: t_Slice u8) message context - randomness signature + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + verification_key message context pre_hash_buffer signature in - let signature:t_Array u8 (sz 2420) = tmp0 in - let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in - signature, hax_temp_output + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output <: - (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) let sign_pre_hashed_shake128 (signing_key: t_Array u8 (sz 2560)) 
@@ -98,39 +102,35 @@ let sign_pre_hashed_shake128 Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) -let verify - (verification_key: t_Array u8 (sz 1312)) +let sign_mut + (signing_key: t_Array u8 (sz 2560)) (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) (signature: t_Array u8 (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients - #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - verification_key - message - context - signature - -let verify_pre_hashed_shake128 - (verification_key: t_Array u8 (sz 1312)) - (message context pre_hash_buffer: t_Slice u8) - (signature: t_Array u8 (sz 2420)) - = - let tmp0, out:(t_Slice u8 & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients - #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + let tmp0, out:(t_Array u8 (sz 2420) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign_mut #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - verification_key message context pre_hash_buffer signature - in - let pre_hash_buffer:t_Slice u8 = tmp0 in - let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = - out + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof 
+ #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 (signing_key <: t_Slice u8) message context + randomness signature in - pre_hash_buffer, hax_temp_output + let signature:t_Array u8 (sz 2420) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output <: - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + +let sign + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 (signing_key <: t_Slice u8) message context + randomness diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fsti index 858d01f49..ac5638d31 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fsti 
@@ -24,23 +24,22 @@ val generate_key_pair (verification_key: t_Array u8 (sz 1312)) : Prims.Pure (t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) Prims.l_True (fun _ -> Prims.l_True) -/// Sign. -val sign - (signing_key: t_Array u8 (sz 2560)) +/// Verify. +val verify + (verification_key: t_Array u8 (sz 1312)) (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) -/// Sign. -val sign_mut - (signing_key: t_Array u8 (sz 2560)) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) +/// Verify (pre-hashed with SHAKE-128). +val verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) (signature: t_Array u8 (sz 2420)) : Prims.Pure - (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) 
@@ -54,21 +53,22 @@ val sign_pre_hashed_shake128 Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -/// Verify. -val verify - (verification_key: t_Array u8 (sz 1312)) +/// Sign. +val sign_mut + (signing_key: t_Array u8 (sz 2560)) (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) (signature: t_Array u8 (sz 2420)) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + : Prims.Pure + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -/// Verify (pre-hashed with SHAKE-128). -val verify_pre_hashed_shake128 - (verification_key: t_Array u8 (sz 1312)) - (message context pre_hash_buffer: t_Slice u8) - (signature: t_Array u8 (sz 2420)) +/// Sign. +val sign + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - Prims.l_True - (fun _ -> Prims.l_True) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fst index 692bdeb30..212b7662d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fst 
@@ -38,38 +38,42 @@ let generate_key_pair let _:Prims.unit = () in signing_key, verification_key <: (t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) -let sign - (signing_key: t_Array u8 (sz 4032)) +let verify + (verification_key: t_Array u8 (sz 1952)) (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients - #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 (signing_key <: t_Slice u8) message context - randomness + verification_key + message + context + signature -let sign_mut - (signing_key: t_Array u8 (sz 4032)) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) +let verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) (signature: t_Array u8 (sz 3309)) = - let tmp0, out:(t_Array u8 (sz 3309) & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign_mut #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients - #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 
#Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 (signing_key <: t_Slice u8) message context - randomness signature + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + verification_key message context pre_hash_buffer signature in - let signature:t_Array u8 (sz 3309) = tmp0 in - let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in - signature, hax_temp_output + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output <: - (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) let sign_pre_hashed_shake128 (signing_key: t_Array u8 (sz 4032)) 
@@ -98,39 +102,35 @@ let sign_pre_hashed_shake128 Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) -let verify - (verification_key: t_Array u8 (sz 1952)) +let sign_mut + (signing_key: t_Array u8 (sz 4032)) (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) (signature: t_Array u8 (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients - #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - verification_key - message - context - signature - -let verify_pre_hashed_shake128 - (verification_key: t_Array u8 (sz 1952)) - (message context pre_hash_buffer: t_Slice u8) - (signature: t_Array u8 (sz 3309)) - = - let tmp0, out:(t_Slice u8 & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients - #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + let tmp0, out:(t_Array u8 (sz 3309) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign_mut #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - verification_key message context pre_hash_buffer signature - in - let pre_hash_buffer:t_Slice u8 = tmp0 in - let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = - out + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof 
+ #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 (signing_key <: t_Slice u8) message context + randomness signature in - pre_hash_buffer, hax_temp_output + let signature:t_Array u8 (sz 3309) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output <: - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + +let sign + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 (signing_key <: t_Slice u8) message context + randomness diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fsti index 3319e50fb..6257ec9d2 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fsti 
@@ -24,23 +24,22 @@ val generate_key_pair (verification_key: t_Array u8 (sz 1952)) : Prims.Pure (t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) Prims.l_True (fun _ -> Prims.l_True) -/// Sign. -val sign - (signing_key: t_Array u8 (sz 4032)) +/// Verify. +val verify + (verification_key: t_Array u8 (sz 1952)) (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) -/// Sign. -val sign_mut - (signing_key: t_Array u8 (sz 4032)) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) +/// Verify (pre-hashed with SHAKE-128). +val verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) (signature: t_Array u8 (sz 3309)) : Prims.Pure - (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) 
@@ -54,21 +53,22 @@ val sign_pre_hashed_shake128 Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -/// Verify. -val verify - (verification_key: t_Array u8 (sz 1952)) +/// Sign. +val sign_mut + (signing_key: t_Array u8 (sz 4032)) (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) (signature: t_Array u8 (sz 3309)) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + : Prims.Pure + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -/// Verify (pre-hashed with SHAKE-128). -val verify_pre_hashed_shake128 - (verification_key: t_Array u8 (sz 1952)) - (message context pre_hash_buffer: t_Slice u8) - (signature: t_Array u8 (sz 3309)) +/// Sign. +val sign + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - Prims.l_True - (fun _ -> Prims.l_True) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fst index 736cfca36..be5024db5 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fst 
@@ -38,38 +38,42 @@ let generate_key_pair let _:Prims.unit = () in signing_key, verification_key <: (t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) -let sign - (signing_key: t_Array u8 (sz 4896)) +let verify + (verification_key: t_Array u8 (sz 2592)) (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients - #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 (signing_key <: t_Slice u8) message context - randomness + verification_key + message + context + signature -let sign_mut - (signing_key: t_Array u8 (sz 4896)) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) +let verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) (signature: t_Array u8 (sz 4627)) = - let tmp0, out:(t_Array u8 (sz 4627) & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign_mut #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients - #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 
#Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 (signing_key <: t_Slice u8) message context - randomness signature + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + verification_key message context pre_hash_buffer signature in - let signature:t_Array u8 (sz 4627) = tmp0 in - let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in - signature, hax_temp_output + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output <: - (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) let sign_pre_hashed_shake128 (signing_key: t_Array u8 (sz 4896)) 
@@ -98,39 +102,35 @@ let sign_pre_hashed_shake128 Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) -let verify - (verification_key: t_Array u8 (sz 2592)) +let sign_mut + (signing_key: t_Array u8 (sz 4896)) (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) (signature: t_Array u8 (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients - #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - verification_key - message - context - signature - -let verify_pre_hashed_shake128 - (verification_key: t_Array u8 (sz 2592)) - (message context pre_hash_buffer: t_Slice u8) - (signature: t_Array u8 (sz 4627)) - = - let tmp0, out:(t_Slice u8 & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients - #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + let tmp0, out:(t_Array u8 (sz 4627) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign_mut #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - verification_key message context pre_hash_buffer signature - in - let pre_hash_buffer:t_Slice u8 = tmp0 in - let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = - out + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof 
+ #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 (signing_key <: t_Slice u8) message context + randomness signature in - pre_hash_buffer, hax_temp_output + let signature:t_Array u8 (sz 4627) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output <: - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + +let sign + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 (signing_key <: t_Slice u8) message context + randomness diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fsti index 70e139689..87bb641fc 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fsti 
@@ -24,23 +24,22 @@ val generate_key_pair (verification_key: t_Array u8 (sz 2592)) : Prims.Pure (t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) Prims.l_True (fun _ -> Prims.l_True) -/// Sign. -val sign - (signing_key: t_Array u8 (sz 4896)) +/// Verify. +val verify + (verification_key: t_Array u8 (sz 2592)) (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) -/// Sign. -val sign_mut - (signing_key: t_Array u8 (sz 4896)) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) +/// Verify (pre-hashed with SHAKE-128). +val verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) (signature: t_Array u8 (sz 4627)) : Prims.Pure - (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) 
@@ -54,21 +53,22 @@ val sign_pre_hashed_shake128 Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -/// Verify. -val verify - (verification_key: t_Array u8 (sz 2592)) +/// Sign. +val sign_mut + (signing_key: t_Array u8 (sz 4896)) (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) (signature: t_Array u8 (sz 4627)) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + : Prims.Pure + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -/// Verify (pre-hashed with SHAKE-128). -val verify_pre_hashed_shake128 - (verification_key: t_Array u8 (sz 2592)) - (message context pre_hash_buffer: t_Slice u8) - (signature: t_Array u8 (sz 4627)) +/// Sign. +val sign + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - Prims.l_True - (fun _ -> Prims.l_True) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fst index 888e90ff3..d638a5ddc 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fst 
@@ -37,40 +37,43 @@ let generate_key_pair let _:Prims.unit = () in signing_key, verification_key <: (t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) -let sign - (signing_key: t_Array u8 (sz 2560)) +let verify + (verification_key: t_Array u8 (sz 1312)) (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 (signing_key <: t_Slice u8) message context - randomness + verification_key + message + context + signature -let sign_mut - (signing_key: t_Array u8 (sz 2560)) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) +let verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) (signature: t_Array u8 (sz 2420)) = - let tmp0, out:(t_Array u8 (sz 2420) & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign_mut #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 (signing_key <: 
t_Slice u8) message - context randomness signature + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + verification_key message context pre_hash_buffer signature in - let signature:t_Array u8 (sz 2420) = tmp0 in - let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in - signature, hax_temp_output + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output <: - (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) let sign_pre_hashed_shake128 (signing_key: t_Array u8 (sz 2560)) 
@@ -100,40 +103,37 @@ let sign_pre_hashed_shake128 Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) -let verify - (verification_key: t_Array u8 (sz 1312)) +let sign_mut + (signing_key: t_Array u8 (sz 2560)) (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) (signature: t_Array u8 (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients - #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - verification_key - message - context - signature - -let verify_pre_hashed_shake128 - (verification_key: t_Array u8 (sz 1312)) - (message context pre_hash_buffer: t_Slice u8) - (signature: t_Array u8 (sz 2420)) - = - let tmp0, out:(t_Slice u8 & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + let tmp0, out:(t_Array u8 (sz 2420) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign_mut #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - verification_key message context pre_hash_buffer signature - in - let pre_hash_buffer:t_Slice u8 = tmp0 in - let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = - out + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 (signing_key <: 
t_Slice u8) message + context randomness signature in - pre_hash_buffer, hax_temp_output + let signature:t_Array u8 (sz 2420) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output <: - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + +let sign + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 (signing_key <: t_Slice u8) message context + randomness diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fsti index 347cf611d..f7b11a447 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fsti 
@@ -23,23 +23,22 @@ val generate_key_pair (verification_key: t_Array u8 (sz 1312)) : Prims.Pure (t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) Prims.l_True (fun _ -> Prims.l_True) -/// Sign. -val sign - (signing_key: t_Array u8 (sz 2560)) +/// Verify. +val verify + (verification_key: t_Array u8 (sz 1312)) (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) -/// Sign. -val sign_mut - (signing_key: t_Array u8 (sz 2560)) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) +/// Verify (pre-hashed with SHAKE-128). +val verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) (signature: t_Array u8 (sz 2420)) : Prims.Pure - (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) 
@@ -53,21 +52,22 @@ val sign_pre_hashed_shake128 Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -/// Verify. -val verify - (verification_key: t_Array u8 (sz 1312)) +/// Sign. +val sign_mut + (signing_key: t_Array u8 (sz 2560)) (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) (signature: t_Array u8 (sz 2420)) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + : Prims.Pure + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -/// Verify (pre-hashed with SHAKE-128). -val verify_pre_hashed_shake128 - (verification_key: t_Array u8 (sz 1312)) - (message context pre_hash_buffer: t_Slice u8) - (signature: t_Array u8 (sz 2420)) +/// Sign. +val sign + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - Prims.l_True - (fun _ -> Prims.l_True) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fst index 320ff0fd1..53a22f65c 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fst 
@@ -37,40 +37,43 @@ let generate_key_pair let _:Prims.unit = () in signing_key, verification_key <: (t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) -let sign - (signing_key: t_Array u8 (sz 4032)) +let verify + (verification_key: t_Array u8 (sz 1952)) (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 (signing_key <: t_Slice u8) message context - randomness + verification_key + message + context + signature -let sign_mut - (signing_key: t_Array u8 (sz 4032)) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) +let verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) (signature: t_Array u8 (sz 3309)) = - let tmp0, out:(t_Array u8 (sz 3309) & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign_mut #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 (signing_key <: 
t_Slice u8) message - context randomness signature + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + verification_key message context pre_hash_buffer signature in - let signature:t_Array u8 (sz 3309) = tmp0 in - let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in - signature, hax_temp_output + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output <: - (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) let sign_pre_hashed_shake128 (signing_key: t_Array u8 (sz 4032)) 
@@ -100,40 +103,37 @@ let sign_pre_hashed_shake128 Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) -let verify - (verification_key: t_Array u8 (sz 1952)) +let sign_mut + (signing_key: t_Array u8 (sz 4032)) (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) (signature: t_Array u8 (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients - #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - verification_key - message - context - signature - -let verify_pre_hashed_shake128 - (verification_key: t_Array u8 (sz 1952)) - (message context pre_hash_buffer: t_Slice u8) - (signature: t_Array u8 (sz 3309)) - = - let tmp0, out:(t_Slice u8 & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + let tmp0, out:(t_Array u8 (sz 3309) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign_mut #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - verification_key message context pre_hash_buffer signature - in - let pre_hash_buffer:t_Slice u8 = tmp0 in - let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = - out + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 (signing_key <: 
t_Slice u8) message + context randomness signature in - pre_hash_buffer, hax_temp_output + let signature:t_Array u8 (sz 3309) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output <: - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + +let sign + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 (signing_key <: t_Slice u8) message context + randomness diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fsti index a101743e2..adb96c62c 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fsti 
@@ -23,23 +23,22 @@ val generate_key_pair (verification_key: t_Array u8 (sz 1952)) : Prims.Pure (t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) Prims.l_True (fun _ -> Prims.l_True) -/// Sign. -val sign - (signing_key: t_Array u8 (sz 4032)) +/// Verify. +val verify + (verification_key: t_Array u8 (sz 1952)) (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) -/// Sign. -val sign_mut - (signing_key: t_Array u8 (sz 4032)) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) +/// Verify (pre-hashed with SHAKE-128). +val verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) (signature: t_Array u8 (sz 3309)) : Prims.Pure - (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) 
@@ -53,21 +52,22 @@ val sign_pre_hashed_shake128 Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -/// Verify. -val verify - (verification_key: t_Array u8 (sz 1952)) +/// Sign. +val sign_mut + (signing_key: t_Array u8 (sz 4032)) (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) (signature: t_Array u8 (sz 3309)) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + : Prims.Pure + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -/// Verify (pre-hashed with SHAKE-128). -val verify_pre_hashed_shake128 - (verification_key: t_Array u8 (sz 1952)) - (message context pre_hash_buffer: t_Slice u8) - (signature: t_Array u8 (sz 3309)) +/// Sign. +val sign + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - Prims.l_True - (fun _ -> Prims.l_True) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fst index 6c59d201b..d038fa979 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fst 
@@ -37,40 +37,43 @@ let generate_key_pair let _:Prims.unit = () in signing_key, verification_key <: (t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) -let sign - (signing_key: t_Array u8 (sz 4896)) +let verify + (verification_key: t_Array u8 (sz 2592)) (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) + (signature: t_Array u8 (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 (signing_key <: t_Slice u8) message context - randomness + verification_key + message + context + signature -let sign_mut - (signing_key: t_Array u8 (sz 4896)) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) +let verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) (signature: t_Array u8 (sz 4627)) = - let tmp0, out:(t_Array u8 (sz 4627) & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign_mut #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 (signing_key <: 
t_Slice u8) message - context randomness signature + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + verification_key message context pre_hash_buffer signature in - let signature:t_Array u8 (sz 4627) = tmp0 in - let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in - signature, hax_temp_output + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output <: - (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) let sign_pre_hashed_shake128 (signing_key: t_Array u8 (sz 4896)) 
@@ -100,40 +103,37 @@ let sign_pre_hashed_shake128 Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) -let verify - (verification_key: t_Array u8 (sz 2592)) +let sign_mut + (signing_key: t_Array u8 (sz 4896)) (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) (signature: t_Array u8 (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients - #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof - verification_key - message - context - signature - -let verify_pre_hashed_shake128 - (verification_key: t_Array u8 (sz 2592)) - (message context pre_hash_buffer: t_Slice u8) - (signature: t_Array u8 (sz 4627)) - = - let tmp0, out:(t_Slice u8 & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + let tmp0, out:(t_Array u8 (sz 4627) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign_mut #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - verification_key message context pre_hash_buffer signature - in - let pre_hash_buffer:t_Slice u8 = tmp0 in - let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = - out + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 (signing_key <: 
t_Slice u8) message + context randomness signature in - pre_hash_buffer, hax_temp_output + let signature:t_Array u8 (sz 4627) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output <: - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + +let sign + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 (signing_key <: t_Slice u8) message context + randomness diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fsti index 61e6daa3b..665f6e50a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fsti 
@@ -23,23 +23,22 @@ val generate_key_pair (verification_key: t_Array u8 (sz 2592)) : Prims.Pure (t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) Prims.l_True (fun _ -> Prims.l_True) -/// Sign. -val sign - (signing_key: t_Array u8 (sz 4896)) +/// Verify. +val verify + (verification_key: t_Array u8 (sz 2592)) (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) -/// Sign. -val sign_mut - (signing_key: t_Array u8 (sz 4896)) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) +/// Verify (pre-hashed with SHAKE-128). +val verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) (signature: t_Array u8 (sz 4627)) : Prims.Pure - (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) 
@@ -53,21 +52,22 @@ val sign_pre_hashed_shake128 Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -/// Verify. -val verify - (verification_key: t_Array u8 (sz 2592)) +/// Sign. +val sign_mut + (signing_key: t_Array u8 (sz 4896)) (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) (signature: t_Array u8 (sz 4627)) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + : Prims.Pure + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -/// Verify (pre-hashed with SHAKE-128). -val verify_pre_hashed_shake128 - (verification_key: t_Array u8 (sz 2592)) - (message context pre_hash_buffer: t_Slice u8) - (signature: t_Array u8 (sz 4627)) +/// Sign. +val sign + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - Prims.l_True - (fun _ -> Prims.l_True) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst index 5844e378d..3485095c3 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst 
@@ -14,6 +14,209 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () +let generate_key_pair + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 signing_key <: usize) =. v_SIGNING_KEY_SIZE + <: + bool) + in + () + in + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 verification_key <: usize) =. 
+ v_VERIFICATION_KEY_SIZE + <: + bool) + in + () + in + let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (randomness <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + ((let list = + [ + cast (Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A <: usize) <: u8; + cast (Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A <: usize) <: u8 + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); + Rust_primitives.Hax.array_of_list 2 list) + <: + t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 128)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + seed_expanded + in + let shake:v_Shake256Xof = tmp0 in + let seed_expanded:t_Array u8 (sz 128) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (seed_expanded <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + seed_expanded + Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE + in + let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 16) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 16) + in + let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 16) = + Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler + 
#FStar.Tactics.Typeclasses.solve + #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + seed_for_a + a_as_ntt + in + let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) + in + let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit + #v_Shake256X4 + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ETA + seed_for_error_vectors + s1_s2 + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Core.Slice.impl__copy_from_slice #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + s1_ntt + (s1_s2.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + usize) + (fun s1_ntt temp_1_ -> + let s1_ntt:t_Array 
(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + s1_ntt + in + let _:usize = temp_1_ in + true) + s1_ntt + (fun s1_ntt i -> + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + s1_ntt + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1_ntt + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (s1_ntt.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Matrix.compute_as1_plus_s2 #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + (a_as_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + t0 + in + let _:Prims.unit = () in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) = + Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit t0 t1 + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = tmp0 in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = tmp1 in + let _:Prims.unit = () in + let verification_key:t_Slice u8 = + Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized 
#v_SIMDUnit + seed_for_a + (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + verification_key + in + let signing_key:t_Slice u8 = + Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256 + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ETA v_ERROR_RING_ELEMENT_SIZE seed_for_a + seed_for_signing verification_key + (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (t0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) signing_key + in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + let verify_internal (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] 
@@ -938,136 +1141,36 @@ let sign_internal <: (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) -let sign_mut - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) +let sign_pre_hashed_mut + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i6: + i8: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: + i10: + Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: + i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: + i13: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: + i14: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (signing_key message context: t_Slice u8) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) + (signing_key message context pre_hash_buffer: t_Slice u8) (randomness: t_Array u8 (sz 32)) (signature: t_Array u8 (sz 2420)) = - match - Libcrux_ml_dsa.Pre_hash.impl_1__new context - (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) - <: - Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext - Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError - with - | Core.Result.Result_Ok dsc -> - let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - let tmp0, out:(t_Array u8 (sz 2420) & - Core.Result.t_Result Prims.unit 
Libcrux_ml_dsa.Types.t_SigningError) = - sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 - signing_key message - (Core.Option.Option_Some domain_separation_context - <: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness - signature - in - let signature:t_Array u8 (sz 2420) = tmp0 in - let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in - signature, hax_temp_output - <: - (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) - | Core.Result.Result_Err _ -> - signature, - (Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) - <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) - <: - (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) - -let sign - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i6: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: - Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (signing_key message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - = - let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420) = - Libcrux_ml_dsa.Types.impl_4__zero (sz 2420) () - in - let tmp0, out:(t_Array u8 (sz 2420) & - Core.Result.t_Result Prims.unit 
Libcrux_ml_dsa.Types.t_SigningError) = - sign_mut #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 - signing_key message context randomness signature.Libcrux_ml_dsa.Types.f_value - in - let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420) = - { signature with Libcrux_ml_dsa.Types.f_value = tmp0 } - <: - Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420) - in - match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError with - | Core.Result.Result_Ok _ -> - Core.Result.Result_Ok signature - <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError - | Core.Result.Result_Err e -> - Core.Result.Result_Err e - <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError - -let sign_pre_hashed_mut - (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: - Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: - Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i12: - Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i13: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i14: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) - (signing_key message context pre_hash_buffer: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - (signature: t_Array u8 (sz 2420)) - = - if (Core.Slice.impl__len 
#u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN - then - pre_hash_buffer, + if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN + then + pre_hash_buffer, signature, (Core.Result.Result_Err (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) @@ -1189,7 +1292,7 @@ let sign_pre_hashed Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) -let generate_key_pair +let sign_mut (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: 
@@ -1207,187 +1310,84 @@ let generate_key_pair (#[FStar.Tactics.Typeclasses.tcresolve ()] i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) + (signature: t_Array u8 (sz 2420)) = - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 signing_key <: usize) =. v_SIGNING_KEY_SIZE - <: - bool) - in - () - in - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 verification_key <: usize) =. - v_VERIFICATION_KEY_SIZE - <: - bool) - in - () - in - let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (randomness <: t_Slice u8) - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - ((let list = - [ - cast (Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A <: usize) <: u8; - cast (Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A <: usize) <: u8 - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); - Rust_primitives.Hax.array_of_list 2 list) - <: - t_Slice u8) - in - let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 128)) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - seed_expanded - in - let shake:v_Shake256Xof = tmp0 in - let seed_expanded:t_Array u8 (sz 128) = tmp1 in - let _:Prims.unit = () in - let _:Prims.unit = () in - let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - (seed_expanded <: t_Slice u8) - 
Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE - in - let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - seed_expanded - Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE - in - let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 16) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 16) - in - let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 16) = - Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler - #FStar.Tactics.Typeclasses.solve - #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A - seed_for_a - a_as_ntt - in - let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 8) - in - let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = - Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit - #v_Shake256X4 - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ETA - seed_for_error_vectors - s1_s2 - in - let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 4) - in - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 4) - in - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Core.Slice.impl__copy_from_slice #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - s1_ntt - (s1_s2.[ 
{ - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - in - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - <: - usize) - (fun s1_ntt temp_1_ -> - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - s1_ntt - in - let _:usize = temp_1_ in - true) - s1_ntt - (fun s1_ntt i -> - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - s1_ntt - in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1_ntt - i - (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit - (s1_ntt.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + let tmp0, out:(t_Array u8 (sz 2420) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key message + (Core.Option.Option_Some domain_separation_context <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) - in - let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - 
Libcrux_ml_dsa.Matrix.compute_as1_plus_s2 #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A - (a_as_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - t0 - in - let _:Prims.unit = () in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 4) - in - let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) = - Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit t0 t1 + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + signature + in + let signature:t_Array u8 (sz 2420) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output + <: + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + | Core.Result.Result_Err _ -> + signature, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + <: + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + +let sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + 
(#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420) = + Libcrux_ml_dsa.Types.impl_4__zero (sz 2420) () in - let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = tmp0 in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = tmp1 in - let _:Prims.unit = () in - let verification_key:t_Slice u8 = - Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized #v_SIMDUnit - seed_for_a - (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - verification_key + let tmp0, out:(t_Array u8 (sz 2420) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + sign_mut #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key message context randomness signature.Libcrux_ml_dsa.Types.f_value in - let signing_key:t_Slice u8 = - Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256 - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ETA v_ERROR_RING_ELEMENT_SIZE seed_for_a - seed_for_signing verification_key - (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (t0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) signing_key + let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420) = + { signature with Libcrux_ml_dsa.Types.f_value = tmp0 } + <: + Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420) in - signing_key, 
verification_key <: (t_Slice u8 & t_Slice u8) + match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError with + | Core.Result.Result_Ok _ -> + Core.Result.Result_Ok signature + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError + | Core.Result.Result_Err e -> + Core.Result.Result_Err e + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fsti index c55d05042..3bfefb3d8 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fsti @@ -14,16 +14,13 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let v_BETA: i32 = - Libcrux_ml_dsa.Constants.beta Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ONES_IN_VERIFIER_CHALLENGE - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ETA - -let v_COMMITMENT_RING_ELEMENT_SIZE: usize = - Libcrux_ml_dsa.Constants.commitment_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_BITS_PER_COMMITMENT_COEFFICIENT +let v_ROW_COLUMN: usize = + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A +! + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A -let v_COMMITMENT_VECTOR_SIZE: usize = - Libcrux_ml_dsa.Constants.commitment_vector_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_BITS_PER_COMMITMENT_COEFFICIENT - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A +let v_ROW_X_COLUMN: usize = + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A *! + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A let v_ERROR_RING_ELEMENT_SIZE: usize = Libcrux_ml_dsa.Constants.error_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_BITS_PER_ERROR_COEFFICIENT 
@@ -31,20 +28,16 @@ let v_ERROR_RING_ELEMENT_SIZE: usize = let v_GAMMA1_RING_ELEMENT_SIZE: usize = Libcrux_ml_dsa.Constants.gamma1_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_BITS_PER_GAMMA1_COEFFICIENT -let v_ROW_COLUMN: usize = - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A +! - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A +let v_COMMITMENT_RING_ELEMENT_SIZE: usize = + Libcrux_ml_dsa.Constants.commitment_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_BITS_PER_COMMITMENT_COEFFICIENT -let v_ROW_X_COLUMN: usize = - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A *! - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A +let v_BETA: i32 = + Libcrux_ml_dsa.Constants.beta Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ONES_IN_VERIFIER_CHALLENGE + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ETA -let v_SIGNATURE_SIZE: usize = - Libcrux_ml_dsa.Constants.signature_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_MAX_ONES_IN_HINT - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COMMITMENT_HASH_SIZE - Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_BITS_PER_GAMMA1_COEFFICIENT +let v_COMMITMENT_VECTOR_SIZE: usize = + Libcrux_ml_dsa.Constants.commitment_vector_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_BITS_PER_COMMITMENT_COEFFICIENT + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A let v_SIGNING_KEY_SIZE: usize = Libcrux_ml_dsa.Constants.signing_key_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A 
@@ -54,6 +47,25 @@ let v_SIGNING_KEY_SIZE: usize = let v_VERIFICATION_KEY_SIZE: usize = Libcrux_ml_dsa.Constants.verification_key_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A +let v_SIGNATURE_SIZE: usize = + Libcrux_ml_dsa.Constants.signature_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_MAX_ONES_IN_HINT + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_BITS_PER_GAMMA1_COEFFICIENT + +val generate_key_pair + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + /// The internal verification API. /// If no `domain_separation_context` is supplied, it is assumed that /// `message` already contains the domain separation. 
@@ -122,36 +134,6 @@ val sign_internal Prims.l_True (fun _ -> Prims.l_True) -val sign_mut - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} - {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (signing_key message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - (signature: t_Array u8 (sz 2420)) - : Prims.Pure - (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) - Prims.l_True - (fun _ -> Prims.l_True) - -val sign - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} - {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (signing_key message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - val sign_pre_hashed_mut (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: Type0) 
@@ -190,7 +172,7 @@ val sign_pre_hashed Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -val generate_key_pair +val sign_mut (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} @@ -198,6 +180,24 @@ val generate_key_pair {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure + (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + +val sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst index 9cd43f56e..360da2cbd 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst 
@@ -14,6 +14,209 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () +let generate_key_pair + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 signing_key <: usize) =. v_SIGNING_KEY_SIZE + <: + bool) + in + () + in + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 verification_key <: usize) =. 
+ v_VERIFICATION_KEY_SIZE + <: + bool) + in + () + in + let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (randomness <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + ((let list = + [ + cast (Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A <: usize) <: u8; + cast (Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A <: usize) <: u8 + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); + Rust_primitives.Hax.array_of_list 2 list) + <: + t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 128)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + seed_expanded + in + let shake:v_Shake256Xof = tmp0 in + let seed_expanded:t_Array u8 (sz 128) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (seed_expanded <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + seed_expanded + Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE + in + let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 30) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 30) + in + let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 30) = + Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler + 
#FStar.Tactics.Typeclasses.solve + #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + seed_for_a + a_as_ntt + in + let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 11) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 11) + in + let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 11) = + Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit + #v_Shake256X4 + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ETA + seed_for_error_vectors + s1_s2 + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 5) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Core.Slice.impl__copy_from_slice #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + s1_ntt + (s1_s2.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + usize) + (fun s1_ntt temp_1_ -> + let s1_ntt:t_Array 
(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + s1_ntt + in + let _:usize = temp_1_ in + true) + s1_ntt + (fun s1_ntt i -> + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + s1_ntt + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1_ntt + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (s1_ntt.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Libcrux_ml_dsa.Matrix.compute_as1_plus_s2 #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + (a_as_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + t0 + in + let _:Prims.unit = () in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) + in + let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6)) = + Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit t0 t1 + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = tmp0 in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = tmp1 in + let _:Prims.unit = () in + let verification_key:t_Slice u8 = + Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized 
#v_SIMDUnit + seed_for_a + (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + verification_key + in + let signing_key:t_Slice u8 = + Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256 + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ETA v_ERROR_RING_ELEMENT_SIZE seed_for_a + seed_for_signing verification_key + (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (t0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) signing_key + in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + let verify_internal (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] 
@@ -938,136 +1141,36 @@ let sign_internal <: (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) -let sign_mut - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) +let sign_pre_hashed_mut + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i6: + i8: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: + i10: + Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: + i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: + i13: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: + i14: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (signing_key message context: t_Slice u8) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) + (signing_key message context pre_hash_buffer: t_Slice u8) (randomness: t_Array u8 (sz 32)) (signature: t_Array u8 (sz 3309)) = - match - Libcrux_ml_dsa.Pre_hash.impl_1__new context - (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) - <: - Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext - Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError - with - | Core.Result.Result_Ok dsc -> - let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - let tmp0, out:(t_Array u8 (sz 3309) & - Core.Result.t_Result Prims.unit 
Libcrux_ml_dsa.Types.t_SigningError) = - sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 - signing_key message - (Core.Option.Option_Some domain_separation_context - <: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness - signature - in - let signature:t_Array u8 (sz 3309) = tmp0 in - let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in - signature, hax_temp_output - <: - (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) - | Core.Result.Result_Err _ -> - signature, - (Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) - <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) - <: - (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) - -let sign - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i6: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: - Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (signing_key message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - = - let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309) = - Libcrux_ml_dsa.Types.impl_4__zero (sz 3309) () - in - let tmp0, out:(t_Array u8 (sz 3309) & - Core.Result.t_Result Prims.unit 
Libcrux_ml_dsa.Types.t_SigningError) = - sign_mut #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 - signing_key message context randomness signature.Libcrux_ml_dsa.Types.f_value - in - let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309) = - { signature with Libcrux_ml_dsa.Types.f_value = tmp0 } - <: - Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309) - in - match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError with - | Core.Result.Result_Ok _ -> - Core.Result.Result_Ok signature - <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError - | Core.Result.Result_Err e -> - Core.Result.Result_Err e - <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError - -let sign_pre_hashed_mut - (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: - Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: - Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i12: - Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i13: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i14: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) - (signing_key message context pre_hash_buffer: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - (signature: t_Array u8 (sz 3309)) - = - if (Core.Slice.impl__len 
#u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN - then - pre_hash_buffer, + if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN + then + pre_hash_buffer, signature, (Core.Result.Result_Err (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) @@ -1189,7 +1292,7 @@ let sign_pre_hashed Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) -let generate_key_pair +let sign_mut (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: 
@@ -1207,187 +1310,84 @@ let generate_key_pair (#[FStar.Tactics.Typeclasses.tcresolve ()] i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) + (signature: t_Array u8 (sz 3309)) = - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 signing_key <: usize) =. v_SIGNING_KEY_SIZE - <: - bool) - in - () - in - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 verification_key <: usize) =. - v_VERIFICATION_KEY_SIZE - <: - bool) - in - () - in - let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (randomness <: t_Slice u8) - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - ((let list = - [ - cast (Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A <: usize) <: u8; - cast (Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A <: usize) <: u8 - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); - Rust_primitives.Hax.array_of_list 2 list) - <: - t_Slice u8) - in - let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 128)) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - seed_expanded - in - let shake:v_Shake256Xof = tmp0 in - let seed_expanded:t_Array u8 (sz 128) = tmp1 in - let _:Prims.unit = () in - let _:Prims.unit = () in - let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - (seed_expanded <: t_Slice u8) - 
Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE - in - let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - seed_expanded - Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE - in - let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 30) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 30) - in - let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 30) = - Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler - #FStar.Tactics.Typeclasses.solve - #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A - seed_for_a - a_as_ntt - in - let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 11) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 11) - in - let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 11) = - Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit - #v_Shake256X4 - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ETA - seed_for_error_vectors - s1_s2 - in - let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 6) - in - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 5) - in - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = - Core.Slice.impl__copy_from_slice #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - s1_ntt - 
(s1_s2.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - in - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - <: - usize) - (fun s1_ntt temp_1_ -> - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = - s1_ntt - in - let _:usize = temp_1_ in - true) - s1_ntt - (fun s1_ntt i -> - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = - s1_ntt - in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1_ntt - i - (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit - (s1_ntt.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + let tmp0, out:(t_Array u8 (sz 3309) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key message + (Core.Option.Option_Some domain_separation_context <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) - in - let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) 
= - Libcrux_ml_dsa.Matrix.compute_as1_plus_s2 #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A - (a_as_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - t0 - in - let _:Prims.unit = () in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 6) - in - let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6)) = - Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit t0 t1 + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + signature + in + let signature:t_Array u8 (sz 3309) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output + <: + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + | Core.Result.Result_Err _ -> + signature, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + <: + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + +let sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + 
(#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309) = + Libcrux_ml_dsa.Types.impl_4__zero (sz 3309) () in - let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = tmp0 in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = tmp1 in - let _:Prims.unit = () in - let verification_key:t_Slice u8 = - Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized #v_SIMDUnit - seed_for_a - (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - verification_key + let tmp0, out:(t_Array u8 (sz 3309) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + sign_mut #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key message context randomness signature.Libcrux_ml_dsa.Types.f_value in - let signing_key:t_Slice u8 = - Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256 - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ETA v_ERROR_RING_ELEMENT_SIZE seed_for_a - seed_for_signing verification_key - (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (t0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) signing_key + let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309) = + { signature with Libcrux_ml_dsa.Types.f_value = tmp0 } + <: + Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309) in - signing_key, 
verification_key <: (t_Slice u8 & t_Slice u8) + match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError with + | Core.Result.Result_Ok _ -> + Core.Result.Result_Ok signature + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError + | Core.Result.Result_Err e -> + Core.Result.Result_Err e + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fsti index dc9e55a43..9ee55137b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fsti @@ -14,16 +14,13 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let v_BETA: i32 = - Libcrux_ml_dsa.Constants.beta Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ONES_IN_VERIFIER_CHALLENGE - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ETA - -let v_COMMITMENT_RING_ELEMENT_SIZE: usize = - Libcrux_ml_dsa.Constants.commitment_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_BITS_PER_COMMITMENT_COEFFICIENT +let v_ROW_COLUMN: usize = + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A +! + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A -let v_COMMITMENT_VECTOR_SIZE: usize = - Libcrux_ml_dsa.Constants.commitment_vector_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_BITS_PER_COMMITMENT_COEFFICIENT - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A +let v_ROW_X_COLUMN: usize = + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A *! + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A let v_ERROR_RING_ELEMENT_SIZE: usize = Libcrux_ml_dsa.Constants.error_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_BITS_PER_ERROR_COEFFICIENT 
@@ -31,20 +28,16 @@ let v_ERROR_RING_ELEMENT_SIZE: usize = let v_GAMMA1_RING_ELEMENT_SIZE: usize = Libcrux_ml_dsa.Constants.gamma1_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_BITS_PER_GAMMA1_COEFFICIENT -let v_ROW_COLUMN: usize = - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A +! - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A +let v_COMMITMENT_RING_ELEMENT_SIZE: usize = + Libcrux_ml_dsa.Constants.commitment_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_BITS_PER_COMMITMENT_COEFFICIENT -let v_ROW_X_COLUMN: usize = - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A *! - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A +let v_BETA: i32 = + Libcrux_ml_dsa.Constants.beta Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ONES_IN_VERIFIER_CHALLENGE + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ETA -let v_SIGNATURE_SIZE: usize = - Libcrux_ml_dsa.Constants.signature_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_MAX_ONES_IN_HINT - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COMMITMENT_HASH_SIZE - Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_BITS_PER_GAMMA1_COEFFICIENT +let v_COMMITMENT_VECTOR_SIZE: usize = + Libcrux_ml_dsa.Constants.commitment_vector_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_BITS_PER_COMMITMENT_COEFFICIENT + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A let v_SIGNING_KEY_SIZE: usize = Libcrux_ml_dsa.Constants.signing_key_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A 
@@ -54,6 +47,25 @@ let v_SIGNING_KEY_SIZE: usize = let v_VERIFICATION_KEY_SIZE: usize = Libcrux_ml_dsa.Constants.verification_key_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A +let v_SIGNATURE_SIZE: usize = + Libcrux_ml_dsa.Constants.signature_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_MAX_ONES_IN_HINT + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_BITS_PER_GAMMA1_COEFFICIENT + +val generate_key_pair + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + /// The internal verification API. /// If no `domain_separation_context` is supplied, it is assumed that /// `message` already contains the domain separation. 
@@ -122,36 +134,6 @@ val sign_internal Prims.l_True (fun _ -> Prims.l_True) -val sign_mut - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} - {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (signing_key message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - (signature: t_Array u8 (sz 3309)) - : Prims.Pure - (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) - Prims.l_True - (fun _ -> Prims.l_True) - -val sign - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} - {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (signing_key message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - val sign_pre_hashed_mut (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: Type0) 
@@ -190,7 +172,7 @@ val sign_pre_hashed Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -val generate_key_pair +val sign_mut (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} @@ -198,6 +180,24 @@ val generate_key_pair {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure + (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + +val sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst index a2fc8ab3e..ba603d134 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst 
@@ -14,6 +14,209 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () +let generate_key_pair + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 signing_key <: usize) =. v_SIGNING_KEY_SIZE + <: + bool) + in + () + in + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 verification_key <: usize) =. 
+ v_VERIFICATION_KEY_SIZE + <: + bool) + in + () + in + let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (randomness <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + ((let list = + [ + cast (Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A <: usize) <: u8; + cast (Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A <: usize) <: u8 + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); + Rust_primitives.Hax.array_of_list 2 list) + <: + t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 128)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + seed_expanded + in + let shake:v_Shake256Xof = tmp0 in + let seed_expanded:t_Array u8 (sz 128) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (seed_expanded <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + seed_expanded + Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE + in + let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 56) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 56) + in + let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 56) = + Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler + 
#FStar.Tactics.Typeclasses.solve + #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + seed_for_a + a_as_ntt + in + let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 15) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 15) + in + let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 15) = + Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit + #v_Shake256X4 + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ETA + seed_for_error_vectors + s1_s2 + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 7) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Core.Slice.impl__copy_from_slice #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + s1_ntt + (s1_s2.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + usize) + (fun s1_ntt temp_1_ -> + let s1_ntt:t_Array 
(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + s1_ntt + in + let _:usize = temp_1_ in + true) + s1_ntt + (fun s1_ntt i -> + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + s1_ntt + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1_ntt + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (s1_ntt.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Matrix.compute_as1_plus_s2 #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + (a_as_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + t0 + in + let _:Prims.unit = () in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) + in + let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8)) = + Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit t0 t1 + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = tmp0 in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = tmp1 in + let _:Prims.unit = () in + let verification_key:t_Slice u8 = + Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized 
#v_SIMDUnit + seed_for_a + (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + verification_key + in + let signing_key:t_Slice u8 = + Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256 + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ETA v_ERROR_RING_ELEMENT_SIZE seed_for_a + seed_for_signing verification_key + (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (t0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) signing_key + in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + let verify_internal (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] 
@@ -940,136 +1143,36 @@ let sign_internal <: (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) -let sign_mut - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) +let sign_pre_hashed_mut + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i6: + i8: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: + i10: + Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: + i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: + i13: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: + i14: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (signing_key message context: t_Slice u8) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) + (signing_key message context pre_hash_buffer: t_Slice u8) (randomness: t_Array u8 (sz 32)) (signature: t_Array u8 (sz 4627)) = - match - Libcrux_ml_dsa.Pre_hash.impl_1__new context - (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) - <: - Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext - Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError - with - | Core.Result.Result_Ok dsc -> - let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in - let tmp0, out:(t_Array u8 (sz 4627) & - Core.Result.t_Result Prims.unit 
Libcrux_ml_dsa.Types.t_SigningError) = - sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 - signing_key message - (Core.Option.Option_Some domain_separation_context - <: - Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness - signature - in - let signature:t_Array u8 (sz 4627) = tmp0 in - let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in - signature, hax_temp_output - <: - (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) - | Core.Result.Result_Err _ -> - signature, - (Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) - <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) - <: - (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) - -let sign - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i6: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: - Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (signing_key message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - = - let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627) = - Libcrux_ml_dsa.Types.impl_4__zero (sz 4627) () - in - let tmp0, out:(t_Array u8 (sz 4627) & - Core.Result.t_Result Prims.unit 
Libcrux_ml_dsa.Types.t_SigningError) = - sign_mut #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 - signing_key message context randomness signature.Libcrux_ml_dsa.Types.f_value - in - let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627) = - { signature with Libcrux_ml_dsa.Types.f_value = tmp0 } - <: - Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627) - in - match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError with - | Core.Result.Result_Ok _ -> - Core.Result.Result_Ok signature - <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError - | Core.Result.Result_Err e -> - Core.Result.Result_Err e - <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError - -let sign_pre_hashed_mut - (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: - Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: - Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i12: - Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i13: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i14: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) - (signing_key message context pre_hash_buffer: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - (signature: t_Array u8 (sz 4627)) - = - if (Core.Slice.impl__len 
#u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN - then - pre_hash_buffer, + if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN + then + pre_hash_buffer, signature, (Core.Result.Result_Err (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) @@ -1191,7 +1294,7 @@ let sign_pre_hashed Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) -let generate_key_pair +let sign_mut (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: 
@@ -1209,187 +1312,84 @@ let generate_key_pair (#[FStar.Tactics.Typeclasses.tcresolve ()] i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) + (signature: t_Array u8 (sz 4627)) = - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 signing_key <: usize) =. v_SIGNING_KEY_SIZE - <: - bool) - in - () - in - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 verification_key <: usize) =. - v_VERIFICATION_KEY_SIZE - <: - bool) - in - () - in - let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - (randomness <: t_Slice u8) - in - let shake:v_Shake256Xof = - Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - ((let list = - [ - cast (Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A <: usize) <: u8; - cast (Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A <: usize) <: u8 - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); - Rust_primitives.Hax.array_of_list 2 list) - <: - t_Slice u8) - in - let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 128)) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof - #FStar.Tactics.Typeclasses.solve - shake - seed_expanded - in - let shake:v_Shake256Xof = tmp0 in - let seed_expanded:t_Array u8 (sz 128) = tmp1 in - let _:Prims.unit = () in - let _:Prims.unit = () in - let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - (seed_expanded <: t_Slice u8) - 
Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE - in - let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - seed_expanded - Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE - in - let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 56) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 56) - in - let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 56) = - Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler - #FStar.Tactics.Typeclasses.solve - #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A - seed_for_a - a_as_ntt - in - let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 15) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 15) - in - let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 15) = - Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit - #v_Shake256X4 - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ETA - seed_for_error_vectors - s1_s2 - in - let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 8) - in - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 7) - in - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = - Core.Slice.impl__copy_from_slice #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - s1_ntt - 
(s1_s2.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - in - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - <: - usize) - (fun s1_ntt temp_1_ -> - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = - s1_ntt - in - let _:usize = temp_1_ in - true) - s1_ntt - (fun s1_ntt i -> - let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = - s1_ntt - in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1_ntt - i - (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit - (s1_ntt.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + let tmp0, out:(t_Array u8 (sz 4627) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key message + (Core.Option.Option_Some domain_separation_context <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) - in - let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) 
= - Libcrux_ml_dsa.Matrix.compute_as1_plus_s2 #v_SIMDUnit - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A - (a_as_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - t0 - in - let _:Prims.unit = () in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (sz 8) - in - let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8)) = - Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit t0 t1 + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + signature + in + let signature:t_Array u8 (sz 4627) = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in + signature, hax_temp_output + <: + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + | Core.Result.Result_Err _ -> + signature, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + <: + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + +let sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + 
(#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627) = + Libcrux_ml_dsa.Types.impl_4__zero (sz 4627) () in - let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = tmp0 in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = tmp1 in - let _:Prims.unit = () in - let verification_key:t_Slice u8 = - Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized #v_SIMDUnit - seed_for_a - (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - verification_key + let tmp0, out:(t_Array u8 (sz 4627) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) = + sign_mut #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key message context randomness signature.Libcrux_ml_dsa.Types.f_value in - let signing_key:t_Slice u8 = - Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256 - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ETA v_ERROR_RING_ELEMENT_SIZE seed_for_a - seed_for_signing verification_key - (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (t0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) signing_key + let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627) = + { signature with Libcrux_ml_dsa.Types.f_value = tmp0 } + <: + Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627) in - signing_key, 
verification_key <: (t_Slice u8 & t_Slice u8) + match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError with + | Core.Result.Result_Ok _ -> + Core.Result.Result_Ok signature + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError + | Core.Result.Result_Err e -> + Core.Result.Result_Err e + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fsti index 1185fe9ef..5329c699e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fsti @@ -14,16 +14,13 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let v_BETA: i32 = - Libcrux_ml_dsa.Constants.beta Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ONES_IN_VERIFIER_CHALLENGE - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ETA - -let v_COMMITMENT_RING_ELEMENT_SIZE: usize = - Libcrux_ml_dsa.Constants.commitment_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_BITS_PER_COMMITMENT_COEFFICIENT +let v_ROW_COLUMN: usize = + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A +! + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A -let v_COMMITMENT_VECTOR_SIZE: usize = - Libcrux_ml_dsa.Constants.commitment_vector_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_BITS_PER_COMMITMENT_COEFFICIENT - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A +let v_ROW_X_COLUMN: usize = + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A *! + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A let v_ERROR_RING_ELEMENT_SIZE: usize = Libcrux_ml_dsa.Constants.error_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_BITS_PER_ERROR_COEFFICIENT 
@@ -31,20 +28,16 @@ let v_ERROR_RING_ELEMENT_SIZE: usize = let v_GAMMA1_RING_ELEMENT_SIZE: usize = Libcrux_ml_dsa.Constants.gamma1_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_BITS_PER_GAMMA1_COEFFICIENT -let v_ROW_COLUMN: usize = - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A +! - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A +let v_COMMITMENT_RING_ELEMENT_SIZE: usize = + Libcrux_ml_dsa.Constants.commitment_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_BITS_PER_COMMITMENT_COEFFICIENT -let v_ROW_X_COLUMN: usize = - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A *! - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A +let v_BETA: i32 = + Libcrux_ml_dsa.Constants.beta Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ONES_IN_VERIFIER_CHALLENGE + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ETA -let v_SIGNATURE_SIZE: usize = - Libcrux_ml_dsa.Constants.signature_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_MAX_ONES_IN_HINT - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COMMITMENT_HASH_SIZE - Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_BITS_PER_GAMMA1_COEFFICIENT +let v_COMMITMENT_VECTOR_SIZE: usize = + Libcrux_ml_dsa.Constants.commitment_vector_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_BITS_PER_COMMITMENT_COEFFICIENT + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A let v_SIGNING_KEY_SIZE: usize = Libcrux_ml_dsa.Constants.signing_key_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A 
@@ -54,6 +47,25 @@ let v_SIGNING_KEY_SIZE: usize = let v_VERIFICATION_KEY_SIZE: usize = Libcrux_ml_dsa.Constants.verification_key_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A +let v_SIGNATURE_SIZE: usize = + Libcrux_ml_dsa.Constants.signature_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_MAX_ONES_IN_HINT + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_BITS_PER_GAMMA1_COEFFICIENT + +val generate_key_pair + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + /// The internal verification API. /// If no `domain_separation_context` is supplied, it is assumed that /// `message` already contains the domain separation. 
@@ -122,36 +134,6 @@ val sign_internal Prims.l_True (fun _ -> Prims.l_True) -val sign_mut - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} - {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (signing_key message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - (signature: t_Array u8 (sz 4627)) - : Prims.Pure - (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) - Prims.l_True - (fun _ -> Prims.l_True) - -val sign - (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) - {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} - {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (signing_key message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - val sign_pre_hashed_mut (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: Type0) 
@@ -190,7 +172,7 @@ val sign_pre_hashed Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -val generate_key_pair +val sign_mut (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} @@ -198,6 +180,24 @@ val generate_key_pair {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) - (signing_key verification_key: t_Slice u8) - : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure + (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + +val sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.fst
index 6b04e42e0..a5945b5b9 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.fst
@@ -45,29 +45,84 @@ let generate_key_pair in signing_key, verification_key <: (t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) -let sign - (signing_key: t_Array u8 (sz 2560)) +let verify + (verification_key_serialized: t_Array u8 (sz 1312)) (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) + (signature_serialized: t_Array u8 (sz 2420)) = if Libcrux_platform.Platform.simd256_support () then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.sign signing_key + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.verify verification_key_serialized message context - randomness + signature_serialized else if Libcrux_platform.Platform.simd128_support () then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.sign signing_key + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.verify verification_key_serialized message context - randomness + signature_serialized else - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.sign signing_key + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.verify verification_key_serialized message context - randomness + signature_serialized + +let verify_pre_hashed_shake128 + (verification_key_serialized: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) + (signature_serialized: t_Array u8 (sz 2420)) + = + let pre_hash_buffer, hax_temp_output:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + if Libcrux_platform.Platform.simd256_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.verify_pre_hashed_shake128 verification_key_serialized + message + context + pre_hash_buffer + signature_serialized + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + 
else + if Libcrux_platform.Platform.simd128_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.verify_pre_hashed_shake128 verification_key_serialized + message + context + pre_hash_buffer + signature_serialized + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + else + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.verify_pre_hashed_shake128 + verification_key_serialized + message + context + pre_hash_buffer + signature_serialized + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) let sign_pre_hashed_shake128 (signing_key: t_Array u8 (sz 2560)) 
@@ -135,81 +190,26 @@ let sign_pre_hashed_shake128 Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) -let verify - (verification_key_serialized: t_Array u8 (sz 1312)) +let sign + (signing_key: t_Array u8 (sz 2560)) (message context: t_Slice u8) - (signature_serialized: t_Array u8 (sz 2420)) + (randomness: t_Array u8 (sz 32)) = if Libcrux_platform.Platform.simd256_support () then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.verify verification_key_serialized + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.sign signing_key message context - signature_serialized + randomness else if Libcrux_platform.Platform.simd128_support () then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.verify verification_key_serialized + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.sign signing_key message context - signature_serialized + randomness else - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.verify verification_key_serialized + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.sign signing_key message context - signature_serialized - -let verify_pre_hashed_shake128 - (verification_key_serialized: t_Array u8 (sz 1312)) - (message context pre_hash_buffer: t_Slice u8) - (signature_serialized: t_Array u8 (sz 2420)) - = - let pre_hash_buffer, hax_temp_output:(t_Slice u8 & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - if Libcrux_platform.Platform.simd256_support () - then - let tmp0, out:(t_Slice u8 & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.verify_pre_hashed_shake128 verification_key_serialized - message - context - pre_hash_buffer - signature_serialized - in - let pre_hash_buffer:t_Slice u8 = tmp0 in - pre_hash_buffer, out - <: - (t_Slice u8 & Core.Result.t_Result Prims.unit 
Libcrux_ml_dsa.Types.t_VerificationError) - else - if Libcrux_platform.Platform.simd128_support () - then - let tmp0, out:(t_Slice u8 & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.verify_pre_hashed_shake128 verification_key_serialized - message - context - pre_hash_buffer - signature_serialized - in - let pre_hash_buffer:t_Slice u8 = tmp0 in - pre_hash_buffer, out - <: - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - else - let tmp0, out:(t_Slice u8 & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.verify_pre_hashed_shake128 - verification_key_serialized - message - context - pre_hash_buffer - signature_serialized - in - let pre_hash_buffer:t_Slice u8 = tmp0 in - pre_hash_buffer, out - <: - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - in - pre_hash_buffer, hax_temp_output - <: - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + randomness diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.fsti index 86e20ee9e..e2a7ee51f 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.fsti 
@@ -9,23 +9,6 @@ val generate_key_pair (verification_key: t_Array u8 (sz 1312)) : Prims.Pure (t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) Prims.l_True (fun _ -> Prims.l_True) -val sign - (signing_key: t_Array u8 (sz 2560)) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - -val sign_pre_hashed_shake128 - (signing_key: t_Array u8 (sz 2560)) - (message context pre_hash_buffer: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (t_Slice u8 & - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - val verify (verification_key_serialized: t_Array u8 (sz 1312)) (message context: t_Slice u8) @@ -42,3 +25,20 @@ val verify_pre_hashed_shake128 (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 2560)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.fst index b6a00d573..1011d50ee 100644 
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.fst
@@ -45,29 +45,84 @@ let generate_key_pair in signing_key, verification_key <: (t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) -let sign - (signing_key: t_Array u8 (sz 4032)) +let verify + (verification_key_serialized: t_Array u8 (sz 1952)) (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) + (signature_serialized: t_Array u8 (sz 3309)) = if Libcrux_platform.Platform.simd256_support () then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.sign signing_key + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.verify verification_key_serialized message context - randomness + signature_serialized else if Libcrux_platform.Platform.simd128_support () then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.sign signing_key + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.verify verification_key_serialized message context - randomness + signature_serialized else - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.sign signing_key + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.verify verification_key_serialized message context - randomness + signature_serialized + +let verify_pre_hashed_shake128 + (verification_key_serialized: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) + (signature_serialized: t_Array u8 (sz 3309)) + = + let pre_hash_buffer, hax_temp_output:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + if Libcrux_platform.Platform.simd256_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.verify_pre_hashed_shake128 verification_key_serialized + message + context + pre_hash_buffer + signature_serialized + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + 
else + if Libcrux_platform.Platform.simd128_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.verify_pre_hashed_shake128 verification_key_serialized + message + context + pre_hash_buffer + signature_serialized + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + else + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.verify_pre_hashed_shake128 + verification_key_serialized + message + context + pre_hash_buffer + signature_serialized + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) let sign_pre_hashed_shake128 (signing_key: t_Array u8 (sz 4032)) 
@@ -135,81 +190,26 @@ let sign_pre_hashed_shake128 Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) -let verify - (verification_key_serialized: t_Array u8 (sz 1952)) +let sign + (signing_key: t_Array u8 (sz 4032)) (message context: t_Slice u8) - (signature_serialized: t_Array u8 (sz 3309)) + (randomness: t_Array u8 (sz 32)) = if Libcrux_platform.Platform.simd256_support () then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.verify verification_key_serialized + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.sign signing_key message context - signature_serialized + randomness else if Libcrux_platform.Platform.simd128_support () then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.verify verification_key_serialized + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.sign signing_key message context - signature_serialized + randomness else - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.verify verification_key_serialized + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.sign signing_key message context - signature_serialized - -let verify_pre_hashed_shake128 - (verification_key_serialized: t_Array u8 (sz 1952)) - (message context pre_hash_buffer: t_Slice u8) - (signature_serialized: t_Array u8 (sz 3309)) - = - let pre_hash_buffer, hax_temp_output:(t_Slice u8 & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - if Libcrux_platform.Platform.simd256_support () - then - let tmp0, out:(t_Slice u8 & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.verify_pre_hashed_shake128 verification_key_serialized - message - context - pre_hash_buffer - signature_serialized - in - let pre_hash_buffer:t_Slice u8 = tmp0 in - pre_hash_buffer, out - <: - (t_Slice u8 & Core.Result.t_Result Prims.unit 
Libcrux_ml_dsa.Types.t_VerificationError) - else - if Libcrux_platform.Platform.simd128_support () - then - let tmp0, out:(t_Slice u8 & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.verify_pre_hashed_shake128 verification_key_serialized - message - context - pre_hash_buffer - signature_serialized - in - let pre_hash_buffer:t_Slice u8 = tmp0 in - pre_hash_buffer, out - <: - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - else - let tmp0, out:(t_Slice u8 & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.verify_pre_hashed_shake128 - verification_key_serialized - message - context - pre_hash_buffer - signature_serialized - in - let pre_hash_buffer:t_Slice u8 = tmp0 in - pre_hash_buffer, out - <: - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - in - pre_hash_buffer, hax_temp_output - <: - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + randomness diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.fsti index c19ae6a03..582230367 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.fsti 
@@ -9,23 +9,6 @@ val generate_key_pair (verification_key: t_Array u8 (sz 1952)) : Prims.Pure (t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) Prims.l_True (fun _ -> Prims.l_True) -val sign - (signing_key: t_Array u8 (sz 4032)) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - -val sign_pre_hashed_shake128 - (signing_key: t_Array u8 (sz 4032)) - (message context pre_hash_buffer: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (t_Slice u8 & - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - val verify (verification_key_serialized: t_Array u8 (sz 1952)) (message context: t_Slice u8) @@ -42,3 +25,20 @@ val verify_pre_hashed_shake128 (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4032)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.fst index 5e27cee1a..763ac4879 100644 
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.fst
@@ -45,29 +45,84 @@ let generate_key_pair in signing_key, verification_key <: (t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) -let sign - (signing_key: t_Array u8 (sz 4896)) +let verify + (verification_key_serialized: t_Array u8 (sz 2592)) (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) + (signature_serialized: t_Array u8 (sz 4627)) = if Libcrux_platform.Platform.simd256_support () then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.sign signing_key + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.verify verification_key_serialized message context - randomness + signature_serialized else if Libcrux_platform.Platform.simd128_support () then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.sign signing_key + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.verify verification_key_serialized message context - randomness + signature_serialized else - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.sign signing_key + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.verify verification_key_serialized message context - randomness + signature_serialized + +let verify_pre_hashed_shake128 + (verification_key_serialized: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) + (signature_serialized: t_Array u8 (sz 4627)) + = + let pre_hash_buffer, hax_temp_output:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + if Libcrux_platform.Platform.simd256_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.verify_pre_hashed_shake128 verification_key_serialized + message + context + pre_hash_buffer + signature_serialized + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + 
else + if Libcrux_platform.Platform.simd128_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.verify_pre_hashed_shake128 verification_key_serialized + message + context + pre_hash_buffer + signature_serialized + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + else + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.verify_pre_hashed_shake128 + verification_key_serialized + message + context + pre_hash_buffer + signature_serialized + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) let sign_pre_hashed_shake128 (signing_key: t_Array u8 (sz 4896)) 
@@ -135,81 +190,26 @@ let sign_pre_hashed_shake128 Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) -let verify - (verification_key_serialized: t_Array u8 (sz 2592)) +let sign + (signing_key: t_Array u8 (sz 4896)) (message context: t_Slice u8) - (signature_serialized: t_Array u8 (sz 4627)) + (randomness: t_Array u8 (sz 32)) = if Libcrux_platform.Platform.simd256_support () then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.verify verification_key_serialized + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.sign signing_key message context - signature_serialized + randomness else if Libcrux_platform.Platform.simd128_support () then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.verify verification_key_serialized + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.sign signing_key message context - signature_serialized + randomness else - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.verify verification_key_serialized + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.sign signing_key message context - signature_serialized - -let verify_pre_hashed_shake128 - (verification_key_serialized: t_Array u8 (sz 2592)) - (message context pre_hash_buffer: t_Slice u8) - (signature_serialized: t_Array u8 (sz 4627)) - = - let pre_hash_buffer, hax_temp_output:(t_Slice u8 & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - if Libcrux_platform.Platform.simd256_support () - then - let tmp0, out:(t_Slice u8 & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.verify_pre_hashed_shake128 verification_key_serialized - message - context - pre_hash_buffer - signature_serialized - in - let pre_hash_buffer:t_Slice u8 = tmp0 in - pre_hash_buffer, out - <: - (t_Slice u8 & Core.Result.t_Result Prims.unit 
Libcrux_ml_dsa.Types.t_VerificationError) - else - if Libcrux_platform.Platform.simd128_support () - then - let tmp0, out:(t_Slice u8 & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.verify_pre_hashed_shake128 verification_key_serialized - message - context - pre_hash_buffer - signature_serialized - in - let pre_hash_buffer:t_Slice u8 = tmp0 in - pre_hash_buffer, out - <: - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - else - let tmp0, out:(t_Slice u8 & - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.verify_pre_hashed_shake128 - verification_key_serialized - message - context - pre_hash_buffer - signature_serialized - in - let pre_hash_buffer:t_Slice u8 = tmp0 in - pre_hash_buffer, out - <: - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) - in - pre_hash_buffer, hax_temp_output - <: - (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + randomness diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.fsti index d90ff6e68..cfae2b9cf 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.fsti 
@@ -9,23 +9,6 @@ val generate_key_pair (verification_key: t_Array u8 (sz 2592)) : Prims.Pure (t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) Prims.l_True (fun _ -> Prims.l_True) -val sign - (signing_key: t_Array u8 (sz 4896)) - (message context: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - -val sign_pre_hashed_shake128 - (signing_key: t_Array u8 (sz 4896)) - (message context pre_hash_buffer: t_Slice u8) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure - (t_Slice u8 & - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) - Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) - val verify (verification_key_serialized: t_Array u8 (sz 2592)) (message context: t_Slice u8) @@ -42,3 +25,20 @@ val verify_pre_hashed_shake128 (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4896)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst index f79c280f8..75ba16f21 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst 
@@ -9,7 +9,7 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let invert_ntt_montgomery +let ntt (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: @@ -21,7 +21,7 @@ let invert_ntt_montgomery re with Libcrux_ml_dsa.Polynomial.f_simd_units = - Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_montgomery #v_SIMDUnit + Libcrux_ml_dsa.Simd.Traits.f_ntt #v_SIMDUnit #FStar.Tactics.Typeclasses.solve re.Libcrux_ml_dsa.Polynomial.f_simd_units } @@ -30,7 +30,7 @@ let invert_ntt_montgomery in re -let ntt +let invert_ntt_montgomery (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: @@ -42,7 +42,7 @@ let ntt re with Libcrux_ml_dsa.Polynomial.f_simd_units = - Libcrux_ml_dsa.Simd.Traits.f_ntt #v_SIMDUnit + Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_montgomery #v_SIMDUnit #FStar.Tactics.Typeclasses.solve re.Libcrux_ml_dsa.Polynomial.f_simd_units } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti index 1c6b919dc..a64077ec7 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti @@ -9,7 +9,7 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -val invert_ntt_montgomery +val ntt (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) @@ -17,7 +17,7 @@ val invert_ntt_montgomery Prims.l_True (fun _ -> Prims.l_True) -val ntt +val invert_ntt_montgomery (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst index cdb574003..0ce22c939 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst 
@@ -41,6 +41,81 @@ let impl_2 Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) = impl_2' #v_SIMDUnit #i1 #i2 +let impl__zero + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (_: Prims.unit) + = + { + f_simd_units + = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Simd.Traits.f_zero #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + () + <: + v_SIMDUnit) + (sz 32) + } + <: + t_PolynomialRingElement v_SIMDUnit + +let impl__to_i32_array + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (self: t_PolynomialRingElement v_SIMDUnit) + = + let result:t_Array i32 (sz 256) = Rust_primitives.Hax.repeat 0l (sz 256) in + let result:t_Array i32 (sz 256) = + Rust_primitives.Hax.Folds.fold_enumerated_slice (self.f_simd_units <: t_Slice v_SIMDUnit) + (fun result temp_1_ -> + let result:t_Array i32 (sz 256) = result in + let _:usize = temp_1_ in + true) + result + (fun result temp_1_ -> + let result:t_Array i32 (sz 256) = result in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range result + ({ + Core.Ops.Range.f_start + = + i *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + <: + usize + } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_ml_dsa.Simd.Traits.f_to_coefficient_array #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + simd_unit + (result.[ { + Core.Ops.Range.f_start + = + i *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! 
Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + <: + usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i32) + <: + t_Slice i32) + <: + t_Array i32 (sz 256)) + in + result + let impl__from_i32_array (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -102,25 +177,35 @@ let impl__from_i32_array in result -let impl__zero +let impl__infinity_norm_exceeds (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (_: Prims.unit) + (self: t_PolynomialRingElement v_SIMDUnit) + (bound: i32) = - { - f_simd_units - = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Simd.Traits.f_zero #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - () - <: - v_SIMDUnit) - (sz 32) - } - <: - t_PolynomialRingElement v_SIMDUnit + let result:bool = false in + let result:bool = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit (self.f_simd_units <: t_Slice v_SIMDUnit) <: usize) + (fun result temp_1_ -> + let result:bool = result in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:bool = result in + let i:usize = i in + result || + (Libcrux_ml_dsa.Simd.Traits.f_infinity_norm_exceeds #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (self.f_simd_units.[ i ] <: v_SIMDUnit) + bound + <: + bool)) + in + result let impl__add (#v_SIMDUnit: Type0) 
@@ -160,36 +245,6 @@ let impl__add in self -let impl__infinity_norm_exceeds - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (self: t_PolynomialRingElement v_SIMDUnit) - (bound: i32) - = - let result:bool = false in - let result:bool = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #v_SIMDUnit (self.f_simd_units <: t_Slice v_SIMDUnit) <: usize) - (fun result temp_1_ -> - let result:bool = result in - let _:usize = temp_1_ in - true) - result - (fun result i -> - let result:bool = result in - let i:usize = i in - result || - (Libcrux_ml_dsa.Simd.Traits.f_infinity_norm_exceeds #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (self.f_simd_units.[ i ] <: v_SIMDUnit) - bound - <: - bool)) - in - result - let impl__subtract (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] 
@@ -227,58 +282,3 @@ let impl__subtract t_PolynomialRingElement v_SIMDUnit) in self - -let impl__to_i32_array - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (self: t_PolynomialRingElement v_SIMDUnit) - = - let result:t_Array i32 (sz 256) = Rust_primitives.Hax.repeat 0l (sz 256) in - let result:t_Array i32 (sz 256) = - Rust_primitives.Hax.Folds.fold_enumerated_slice (self.f_simd_units <: t_Slice v_SIMDUnit) - (fun result temp_1_ -> - let result:t_Array i32 (sz 256) = result in - let _:usize = temp_1_ in - true) - result - (fun result temp_1_ -> - let result:t_Array i32 (sz 256) = result in - let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in - Rust_primitives.Hax.Monomorphized_update_at.update_at_range result - ({ - Core.Ops.Range.f_start - = - i *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - <: - usize - } - <: - Core.Ops.Range.t_Range usize) - (Libcrux_ml_dsa.Simd.Traits.f_to_coefficient_array #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - simd_unit - (result.[ { - Core.Ops.Range.f_start - = - i *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - <: - usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i32) - <: - t_Slice i32) - <: - t_Array i32 (sz 256)) - in - result diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti index 9667cb818..96754394f 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti 
@@ -27,23 +27,23 @@ val impl_2 {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} : Core.Marker.t_Copy (t_PolynomialRingElement v_SIMDUnit) -val impl__from_i32_array - (#v_SIMDUnit: Type0) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (array: t_Slice i32) - (result: t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) - val impl__zero: #v_SIMDUnit: Type0 -> {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} -> Prims.unit -> Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) -val impl__add +val impl__to_i32_array (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (self rhs: t_PolynomialRingElement v_SIMDUnit) + (self: t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_Array i32 (sz 256)) Prims.l_True (fun _ -> Prims.l_True) + +val impl__from_i32_array + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (array: t_Slice i32) + (result: t_PolynomialRingElement v_SIMDUnit) : Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) val impl__infinity_norm_exceeds @@ -53,14 +53,14 @@ val impl__infinity_norm_exceeds (bound: i32) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) -val impl__subtract +val impl__add (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (self rhs: t_PolynomialRingElement v_SIMDUnit) : Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) -val impl__to_i32_array +val impl__subtract (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (self: t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (t_Array i32 (sz 256)) Prims.l_True (fun _ -> Prims.l_True) + (self rhs: t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst index 55181b452..7e03b9607 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst @@ -9,45 +9,6 @@ let _ = let open Libcrux_ml_dsa.Hash_functions.Shake128 in () -let impl_1__context (self: t_DomainSeparationContext) = self.f_context - -let impl_1__pre_hash_oid (self: t_DomainSeparationContext) = self.f_pre_hash_oid - -let t_DomainSeparationError_cast_to_repr (x: t_DomainSeparationError) = - match x <: t_DomainSeparationError with | DomainSeparationError_ContextTooLongError -> isz 0 - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_2: Core.Convert.t_From Libcrux_ml_dsa.Types.t_SigningError t_DomainSeparationError = - { - f_from_pre = (fun (e: t_DomainSeparationError) -> true); - f_from_post - = - (fun (e: t_DomainSeparationError) (out: Libcrux_ml_dsa.Types.t_SigningError) -> true); - f_from - = - fun (e: t_DomainSeparationError) -> - match e <: t_DomainSeparationError with - | DomainSeparationError_ContextTooLongError -> - Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError - } - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_3: Core.Convert.t_From Libcrux_ml_dsa.Types.t_VerificationError t_DomainSeparationError = - { - f_from_pre = (fun (e: t_DomainSeparationError) -> true); - f_from_post - = - (fun (e: t_DomainSeparationError) (out: Libcrux_ml_dsa.Types.t_VerificationError) -> true); - f_from - = - fun (e: t_DomainSeparationError) -> - match e <: t_DomainSeparationError with - | DomainSeparationError_ContextTooLongError -> - Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError - <: - Libcrux_ml_dsa.Types.t_VerificationError - } - [@@ FStar.Tactics.Typeclasses.tcinstance] let impl: t_PreHash t_SHAKE128_PH = { 
@@ -105,6 +66,9 @@ let impl: t_PreHash t_SHAKE128_PH = output } +let t_DomainSeparationError_cast_to_repr (x: t_DomainSeparationError) = + match x <: t_DomainSeparationError with | DomainSeparationError_ContextTooLongError -> isz 0 + let impl_1__new (context: t_Slice u8) (pre_hash_oid: Core.Option.t_Option (t_Array u8 (sz 11))) = if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN then @@ -116,3 +80,39 @@ let impl_1__new (context: t_Slice u8) (pre_hash_oid: Core.Option.t_Option (t_Arr ({ f_context = context; f_pre_hash_oid = pre_hash_oid } <: t_DomainSeparationContext) <: Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError + +let impl_1__context (self: t_DomainSeparationContext) = self.f_context + +let impl_1__pre_hash_oid (self: t_DomainSeparationContext) = self.f_pre_hash_oid + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_3: Core.Convert.t_From Libcrux_ml_dsa.Types.t_VerificationError t_DomainSeparationError = + { + f_from_pre = (fun (e: t_DomainSeparationError) -> true); + f_from_post + = + (fun (e: t_DomainSeparationError) (out: Libcrux_ml_dsa.Types.t_VerificationError) -> true); + f_from + = + fun (e: t_DomainSeparationError) -> + match e <: t_DomainSeparationError with + | DomainSeparationError_ContextTooLongError -> + Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError + <: + Libcrux_ml_dsa.Types.t_VerificationError + } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_2: Core.Convert.t_From Libcrux_ml_dsa.Types.t_SigningError t_DomainSeparationError = + { + f_from_pre = (fun (e: t_DomainSeparationError) -> true); + f_from_post + = + (fun (e: t_DomainSeparationError) (out: Libcrux_ml_dsa.Types.t_SigningError) -> true); + f_from + = + fun (e: t_DomainSeparationError) -> + match e <: t_DomainSeparationError with + | DomainSeparationError_ContextTooLongError -> + Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError + } 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti index 37b79c9e3..d1cdd00e7 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti @@ -9,25 +9,7 @@ let _ = let open Libcrux_ml_dsa.Hash_functions.Shake128 in () -/// Binds the context string to an optional pre-hash OID identifying -/// the hash function or XOF used for pre-hashing. -type t_DomainSeparationContext = { - f_context:t_Slice u8; - f_pre_hash_oid:Core.Option.t_Option (t_Array u8 (sz 11)) -} - -/// Returns the context, guaranteed to be at most 255 bytes long. -val impl_1__context (self: t_DomainSeparationContext) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -/// Returns the pre-hash OID, if any. -val impl_1__pre_hash_oid (self: t_DomainSeparationContext) - : Prims.Pure (Core.Option.t_Option (t_Array u8 (sz 11))) Prims.l_True (fun _ -> Prims.l_True) - -type t_DomainSeparationError = | DomainSeparationError_ContextTooLongError : t_DomainSeparationError - -val t_DomainSeparationError_cast_to_repr (x: t_DomainSeparationError) - : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) +let v_PRE_HASH_OID_LEN: usize = sz 11 class t_PreHash (v_Self: Type0) = { f_oid_pre:Prims.unit -> Type0; 
@@ -61,24 +43,42 @@ class t_PreHash (v_Self: Type0) = { /// digest length 256 bytes. type t_SHAKE128_PH = | SHAKE128_PH : t_SHAKE128_PH -let v_PRE_HASH_OID_LEN: usize = sz 11 - let v_SHAKE128_OID: t_Array u8 (sz 11) = let list = [6uy; 9uy; 96uy; 134uy; 72uy; 1uy; 101uy; 3uy; 4uy; 2uy; 11uy] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 11); Rust_primitives.Hax.array_of_list 11 list [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_2:Core.Convert.t_From Libcrux_ml_dsa.Types.t_SigningError t_DomainSeparationError +val impl:t_PreHash t_SHAKE128_PH -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_3:Core.Convert.t_From Libcrux_ml_dsa.Types.t_VerificationError t_DomainSeparationError +/// Binds the context string to an optional pre-hash OID identifying +/// the hash function or XOF used for pre-hashing. +type t_DomainSeparationContext = { + f_context:t_Slice u8; + f_pre_hash_oid:Core.Option.t_Option (t_Array u8 (sz 11)) +} -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl:t_PreHash t_SHAKE128_PH +type t_DomainSeparationError = | DomainSeparationError_ContextTooLongError : t_DomainSeparationError + +val t_DomainSeparationError_cast_to_repr (x: t_DomainSeparationError) + : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) /// `context` must be at most 255 bytes long. val impl_1__new (context: t_Slice u8) (pre_hash_oid: Core.Option.t_Option (t_Array u8 (sz 11))) : Prims.Pure (Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError) Prims.l_True (fun _ -> Prims.l_True) + +/// Returns the context, guaranteed to be at most 255 bytes long. +val impl_1__context (self: t_DomainSeparationContext) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +/// Returns the pre-hash OID, if any. 
+val impl_1__pre_hash_oid (self: t_DomainSeparationContext) + : Prims.Pure (Core.Option.t_Option (t_Array u8 (sz 11))) Prims.l_True (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_3:Core.Convert.t_From Libcrux_ml_dsa.Types.t_VerificationError t_DomainSeparationError + +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_2:Core.Convert.t_From Libcrux_ml_dsa.Types.t_SigningError t_DomainSeparationError diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst index b5b5bafcc..50bc7ca6b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst 
@@ -14,198 +14,6 @@ let _ = let generate_domain_separator (row, column: (u8 & u8)) = (cast (column <: u8) <: u16) |. ((cast (row <: u8) <: u16) < - let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = temp_0_ in - let random_bytes:t_Slice u8 = random_bytes in - if ~.done <: bool - then - let tmp0, out1:(t_Slice i32 & usize) = - Libcrux_ml_dsa.Simd.Traits.f_rejection_sample_less_than_eta_equals_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - random_bytes - (out.[ { Core.Ops.Range.f_start = sampled_coefficients } - <: - Core.Ops.Range.t_RangeFrom usize ] - <: - t_Slice i32) - in - let out:t_Array i32 (sz 263) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from out - ({ Core.Ops.Range.f_start = sampled_coefficients } - <: - Core.Ops.Range.t_RangeFrom usize) - tmp0 - in - let sampled:usize = out1 in - let sampled_coefficients:usize = sampled_coefficients +! sampled in - if sampled_coefficients >=. Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT - then - let done:bool = true in - done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) - else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) - else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) - in - let hax_temp_output:bool = done in - sampled_coefficients, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool) - -let rejection_sample_less_than_eta_equals_4_ - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (randomness: t_Slice u8) - (sampled_coefficients: usize) - (out: t_Array i32 (sz 263)) - = - let done:bool = false in - let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_ChunksExact - u8) - #FStar.Tactics.Typeclasses.solve - (Core.Slice.impl__chunks_exact #u8 randomness (sz 4) <: 
Core.Slice.Iter.t_ChunksExact u8) - <: - Core.Slice.Iter.t_ChunksExact u8) - (done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) - (fun temp_0_ random_bytes -> - let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = temp_0_ in - let random_bytes:t_Slice u8 = random_bytes in - if ~.done <: bool - then - let tmp0, out1:(t_Slice i32 & usize) = - Libcrux_ml_dsa.Simd.Traits.f_rejection_sample_less_than_eta_equals_4_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - random_bytes - (out.[ { Core.Ops.Range.f_start = sampled_coefficients } - <: - Core.Ops.Range.t_RangeFrom usize ] - <: - t_Slice i32) - in - let out:t_Array i32 (sz 263) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from out - ({ Core.Ops.Range.f_start = sampled_coefficients } - <: - Core.Ops.Range.t_RangeFrom usize) - tmp0 - in - let sampled:usize = out1 in - let sampled_coefficients:usize = sampled_coefficients +! sampled in - if sampled_coefficients >=. Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT - then - let done:bool = true in - done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) - else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) - else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) - in - let hax_temp_output:bool = done in - sampled_coefficients, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool) - -let rejection_sample_less_than_eta - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (eta: Libcrux_ml_dsa.Constants.t_Eta) - (randomness: t_Slice u8) - (sampled: usize) - (out: t_Array i32 (sz 263)) - = - let (out, sampled), hax_temp_output:((t_Array i32 (sz 263) & usize) & bool) = - match eta <: Libcrux_ml_dsa.Constants.t_Eta with - | Libcrux_ml_dsa.Constants.Eta_Two -> - let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = - 
rejection_sample_less_than_eta_equals_2_ #v_SIMDUnit randomness sampled out - in - let sampled:usize = tmp0 in - let out:t_Array i32 (sz 263) = tmp1 in - (out, sampled <: (t_Array i32 (sz 263) & usize)), out1 - <: - ((t_Array i32 (sz 263) & usize) & bool) - | Libcrux_ml_dsa.Constants.Eta_Four -> - let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = - rejection_sample_less_than_eta_equals_4_ #v_SIMDUnit randomness sampled out - in - let sampled:usize = tmp0 in - let out:t_Array i32 (sz 263) = tmp1 in - (out, sampled <: (t_Array i32 (sz 263) & usize)), out1 - <: - ((t_Array i32 (sz 263) & usize) & bool) - in - sampled, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool) - -let rejection_sample_less_than_field_modulus - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (randomness: t_Slice u8) - (sampled_coefficients: usize) - (out: t_Array i32 (sz 263)) - = - let done:bool = false in - let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_ChunksExact - u8) - #FStar.Tactics.Typeclasses.solve - (Core.Slice.impl__chunks_exact #u8 randomness (sz 24) <: Core.Slice.Iter.t_ChunksExact u8) - <: - Core.Slice.Iter.t_ChunksExact u8) - (done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) - (fun temp_0_ random_bytes -> - let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = temp_0_ in - let random_bytes:t_Slice u8 = random_bytes in - if ~.done <: bool - then - let tmp0, out1:(t_Slice i32 & usize) = - Libcrux_ml_dsa.Simd.Traits.f_rejection_sample_less_than_field_modulus #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - random_bytes - (out.[ { Core.Ops.Range.f_start = sampled_coefficients } - <: - Core.Ops.Range.t_RangeFrom usize ] - <: - t_Slice i32) - in - let out:t_Array i32 (sz 263) = - 
Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from out - ({ Core.Ops.Range.f_start = sampled_coefficients } - <: - Core.Ops.Range.t_RangeFrom usize) - tmp0 - in - let sampled:usize = out1 in - let sampled_coefficients:usize = sampled_coefficients +! sampled in - if sampled_coefficients >=. Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT - then - let done:bool = true in - done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) - else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) - else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) - in - let hax_temp_output:bool = done in - sampled_coefficients, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool) - let add_domain_separator (slice: t_Slice u8) (indices: (u8 & u8)) = let out:t_Array u8 (sz 34) = Rust_primitives.Hax.repeat 0uy (sz 34) in let out:t_Array u8 (sz 34) = @@ -242,6 +50,9 @@ let add_domain_separator (slice: t_Slice u8) (indices: (u8 & u8)) = in out +let sample_up_to_four_ring_elements_flat__xy (index width: usize) = + (cast (index /! width <: usize) <: u8), (cast (index %! width <: usize) <: u8) <: (u8 & u8) + let add_error_domain_separator (slice: t_Slice u8) (domain_separator: u16) = let out:t_Array u8 (sz 66) = Rust_primitives.Hax.repeat 0uy (sz 66) in let out:t_Array u8 (sz 66) = 
@@ -327,448 +138,812 @@ let inside_out_shuffle let hax_temp_output:bool = done in out_index, signs, result, hax_temp_output <: (usize & u64 & t_Array i32 (sz 256) & bool) -let sample_challenge_ring_element - (#v_SIMDUnit #v_Shake256: Type0) +let rejection_sample_less_than_field_modulus + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (randomness: t_Slice u8) + (sampled_coefficients: usize) + (out: t_Array i32 (sz 263)) + = + let done:bool = false in + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_ChunksExact + u8) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__chunks_exact #u8 randomness (sz 24) <: Core.Slice.Iter.t_ChunksExact u8) + <: + Core.Slice.Iter.t_ChunksExact u8) + (done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) + (fun temp_0_ random_bytes -> + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = temp_0_ in + let random_bytes:t_Slice u8 = random_bytes in + if ~.done <: bool + then + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Traits.f_rejection_sample_less_than_field_modulus #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + random_bytes + (out.[ { Core.Ops.Range.f_start = sampled_coefficients } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice i32) + in + let out:t_Array i32 (sz 263) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from out + ({ Core.Ops.Range.f_start = sampled_coefficients } + <: + Core.Ops.Range.t_RangeFrom usize) + tmp0 + in + let sampled:usize = out1 in + let sampled_coefficients:usize = sampled_coefficients +! sampled in + if sampled_coefficients >=. 
Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + then + let done:bool = true in + done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) + in + let hax_temp_output:bool = done in + sampled_coefficients, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool) + +let sample_up_to_four_ring_elements_flat + (#v_SIMDUnit #v_Shake128: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (#[FStar.Tactics.Typeclasses.tcresolve ()] i3: - Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128) + (columns: usize) (seed: t_Slice u8) - (number_of_ones: usize) - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (matrix: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (rand_stack0 rand_stack1 rand_stack2 rand_stack3: t_Array u8 (sz 840)) + (tmp_stack: t_Slice (t_Array i32 (sz 263))) + (start_index elements_requested: usize) = - let state:v_Shake256 = - Libcrux_ml_dsa.Hash_functions.Shake256.f_init_absorb_final #v_Shake256 - #FStar.Tactics.Typeclasses.solve - seed - in - let tmp0, out:(v_Shake256 & t_Array u8 (sz 136)) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_first_block #v_Shake256 - #FStar.Tactics.Typeclasses.solve - state - in - let state:v_Shake256 = tmp0 in - let randomness:t_Array u8 (sz 136) = out in - let signs:u64 = - Core.Num.impl__u64__from_le_bytes (Core.Result.impl__unwrap #(t_Array u8 (sz 8)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (sz 8)) - #FStar.Tactics.Typeclasses.solve - (randomness.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 8 } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - <: - Core.Result.t_Result (t_Array u8 (sz 8)) 
Core.Array.t_TryFromSliceError) - <: - t_Array u8 (sz 8)) + let _:Prims.unit = + if true + then + let _:Prims.unit = Hax_lib.v_assert (elements_requested <=. sz 4 <: bool) in + () in - let result:t_Array i32 (sz 256) = Rust_primitives.Hax.repeat 0l (sz 256) in - let out_index:usize = - (Core.Slice.impl__len #i32 (result <: t_Slice i32) <: usize) -! number_of_ones + let seed0:t_Array u8 (sz 34) = + add_domain_separator seed + (sample_up_to_four_ring_elements_flat__xy start_index columns <: (u8 & u8)) in - let tmp0, tmp1, tmp2, out:(usize & u64 & t_Array i32 (sz 256) & bool) = - inside_out_shuffle (randomness.[ { Core.Ops.Range.f_start = sz 8 } - <: - Core.Ops.Range.t_RangeFrom usize ] - <: - t_Slice u8) - out_index - signs - result + let seed1:t_Array u8 (sz 34) = + add_domain_separator seed + (sample_up_to_four_ring_elements_flat__xy (start_index +! sz 1 <: usize) columns <: (u8 & u8)) in - let out_index:usize = tmp0 in - let signs:u64 = tmp1 in - let result:t_Array i32 (sz 256) = tmp2 in - let done:bool = out in - let done, out_index, result, signs, state:(bool & usize & t_Array i32 (sz 256) & u64 & v_Shake256) - = - Rust_primitives.f_while_loop (fun temp_0_ -> - let done, out_index, result, signs, state:(bool & usize & t_Array i32 (sz 256) & u64 & - v_Shake256) = - temp_0_ - in - ~.done <: bool) - (done, out_index, result, signs, state - <: - (bool & usize & t_Array i32 (sz 256) & u64 & v_Shake256)) - (fun temp_0_ -> - let done, out_index, result, signs, state:(bool & usize & t_Array i32 (sz 256) & u64 & - v_Shake256) = - temp_0_ - in - let tmp0, out:(v_Shake256 & t_Array u8 (sz 136)) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_next_block #v_Shake256 - #FStar.Tactics.Typeclasses.solve - state - in - let state:v_Shake256 = tmp0 in - let randomness:t_Array u8 (sz 136) = out in - let tmp0, tmp1, tmp2, out:(usize & u64 & t_Array i32 (sz 256) & bool) = - inside_out_shuffle (randomness <: t_Slice u8) out_index signs result - in - let out_index:usize = tmp0 in 
- let signs:u64 = tmp1 in - let result:t_Array i32 (sz 256) = tmp2 in - let done:bool = out in - done, out_index, result, signs, state - <: - (bool & usize & t_Array i32 (sz 256) & u64 & v_Shake256)) + let seed2:t_Array u8 (sz 34) = + add_domain_separator seed + (sample_up_to_four_ring_elements_flat__xy (start_index +! sz 2 <: usize) columns <: (u8 & u8)) in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (result <: t_Slice i32) re + let seed3:t_Array u8 (sz 34) = + add_domain_separator seed + (sample_up_to_four_ring_elements_flat__xy (start_index +! sz 3 <: usize) columns <: (u8 & u8)) in - re - -let sample_four_error_ring_elements - (#v_SIMDUnit #v_Shake256: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256) - (eta: Libcrux_ml_dsa.Constants.t_Eta) - (seed: t_Slice u8) - (start_index: u16) - (re: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - = - let seed0:t_Array u8 (sz 66) = add_error_domain_separator seed start_index in - let seed1:t_Array u8 (sz 66) = add_error_domain_separator seed (start_index +! 1us <: u16) in - let seed2:t_Array u8 (sz 66) = add_error_domain_separator seed (start_index +! 2us <: u16) in - let seed3:t_Array u8 (sz 66) = add_error_domain_separator seed (start_index +! 
3us <: u16) in - let state:v_Shake256 = - Libcrux_ml_dsa.Hash_functions.Shake256.f_init_absorb_x4 #v_Shake256 + let state:v_Shake128 = + Libcrux_ml_dsa.Hash_functions.Shake128.f_init_absorb #v_Shake128 #FStar.Tactics.Typeclasses.solve (seed0 <: t_Slice u8) (seed1 <: t_Slice u8) (seed2 <: t_Slice u8) (seed3 <: t_Slice u8) in - let tmp0, out1:(v_Shake256 & - (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_first_block_x4 #v_Shake256 + let tmp0, tmp1, tmp2, tmp3, tmp4:(v_Shake128 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840)) = + Libcrux_ml_dsa.Hash_functions.Shake128.f_squeeze_first_five_blocks #v_Shake128 #FStar.Tactics.Typeclasses.solve state + rand_stack0 + rand_stack1 + rand_stack2 + rand_stack3 in - let state:v_Shake256 = tmp0 in - let randomnesses:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & - t_Array u8 (sz 136)) = - out1 - in - let out:t_Array (t_Array i32 (sz 263)) (sz 4) = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 263) <: t_Array i32 (sz 263)) - (sz 4) - in + let state:v_Shake128 = tmp0 in + let rand_stack0:t_Array u8 (sz 840) = tmp1 in + let rand_stack1:t_Array u8 (sz 840) = tmp2 in + let rand_stack2:t_Array u8 (sz 840) = tmp3 in + let rand_stack3:t_Array u8 (sz 840) = tmp4 in + let _:Prims.unit = () in let sampled0:usize = sz 0 in let sampled1:usize = sz 0 in let sampled2:usize = sz 0 in let sampled3:usize = sz 0 in - let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = - rejection_sample_less_than_eta #v_SIMDUnit - eta - (randomnesses._1 <: t_Slice u8) + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (rand_stack0 <: t_Slice u8) sampled0 - (out.[ sz 0 ] <: t_Array i32 (sz 263)) + (tmp_stack.[ sz 0 ] <: t_Array i32 (sz 263)) in let sampled0:usize = tmp0 in - let out:t_Array (t_Array i32 (sz 263)) (sz 
4) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 0) tmp1 + let tmp_stack:t_Slice (t_Array i32 (sz 263)) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 0) tmp1 in - let done0:bool = out1 in - let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = - rejection_sample_less_than_eta #v_SIMDUnit - eta - (randomnesses._2 <: t_Slice u8) + let done0:bool = out in + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (rand_stack1 <: t_Slice u8) sampled1 - (out.[ sz 1 ] <: t_Array i32 (sz 263)) + (tmp_stack.[ sz 1 ] <: t_Array i32 (sz 263)) in let sampled1:usize = tmp0 in - let out:t_Array (t_Array i32 (sz 263)) (sz 4) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 1) tmp1 + let tmp_stack:t_Slice (t_Array i32 (sz 263)) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 1) tmp1 in - let done1:bool = out1 in - let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = - rejection_sample_less_than_eta #v_SIMDUnit - eta - (randomnesses._3 <: t_Slice u8) + let done1:bool = out in + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (rand_stack2 <: t_Slice u8) sampled2 - (out.[ sz 2 ] <: t_Array i32 (sz 263)) + (tmp_stack.[ sz 2 ] <: t_Array i32 (sz 263)) in let sampled2:usize = tmp0 in - let out:t_Array (t_Array i32 (sz 263)) (sz 4) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 2) tmp1 + let tmp_stack:t_Slice (t_Array i32 (sz 263)) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 2) tmp1 in - let done2:bool = out1 in - let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = - rejection_sample_less_than_eta #v_SIMDUnit - eta - (randomnesses._4 <: t_Slice u8) + let done2:bool = out in + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + 
rejection_sample_less_than_field_modulus #v_SIMDUnit + (rand_stack3 <: t_Slice u8) sampled3 - (out.[ sz 3 ] <: t_Array i32 (sz 263)) + (tmp_stack.[ sz 3 ] <: t_Array i32 (sz 263)) in let sampled3:usize = tmp0 in - let out:t_Array (t_Array i32 (sz 263)) (sz 4) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 3) tmp1 + let tmp_stack:t_Slice (t_Array i32 (sz 263)) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 3) tmp1 in - let done3:bool = out1 in - let done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state:(bool & bool & + let done3:bool = out in + let done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack:(bool & + bool & bool & bool & - t_Array (t_Array i32 (sz 263)) (sz 4) & usize & usize & usize & usize & - v_Shake256) = + v_Shake128 & + t_Slice (t_Array i32 (sz 263))) = Rust_primitives.f_while_loop (fun temp_0_ -> - let done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state:(bool & + let done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack:(bool & bool & bool & bool & - t_Array (t_Array i32 (sz 263)) (sz 4) & usize & usize & usize & usize & - v_Shake256) = + v_Shake128 & + t_Slice (t_Array i32 (sz 263))) = temp_0_ in (~.done0 <: bool) || (~.done1 <: bool) || (~.done2 <: bool) || (~.done3 <: bool)) - (done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state + (done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack <: - (bool & bool & bool & bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize & usize & usize & - usize & - v_Shake256)) + (bool & bool & bool & bool & usize & usize & usize & usize & v_Shake128 & + t_Slice (t_Array i32 (sz 263)))) (fun temp_0_ -> - let done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state:(bool & + let done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack:(bool & 
bool & bool & bool & - t_Array (t_Array i32 (sz 263)) (sz 4) & usize & usize & usize & usize & - v_Shake256) = + v_Shake128 & + t_Slice (t_Array i32 (sz 263))) = temp_0_ in - let tmp0, out1:(v_Shake256 & - (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + let tmp0, out:(v_Shake128 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_next_block_x4 #v_Shake256 + Libcrux_ml_dsa.Hash_functions.Shake128.f_squeeze_next_block #v_Shake128 #FStar.Tactics.Typeclasses.solve state in - let state:v_Shake256 = tmp0 in - let randomnesses:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & - t_Array u8 (sz 136)) = - out1 + let state:v_Shake128 = tmp0 in + let randomnesses:(t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & + t_Array u8 (sz 168)) = + out in - let done0, out, sampled0:(bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) = + let done0, sampled0, tmp_stack:(bool & usize & t_Slice (t_Array i32 (sz 263))) = if ~.done0 then - let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = - rejection_sample_less_than_eta #v_SIMDUnit - eta + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit (randomnesses._1 <: t_Slice u8) sampled0 - (out.[ sz 0 ] <: t_Array i32 (sz 263)) + (tmp_stack.[ sz 0 ] <: t_Array i32 (sz 263)) in let sampled0:usize = tmp0 in - let out:t_Array (t_Array i32 (sz 263)) (sz 4) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 0) tmp1 + let tmp_stack:t_Slice (t_Array i32 (sz 263)) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 0) tmp1 in - let done0:bool = out1 in - done0, out, sampled0 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) - else done0, out, sampled0 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) + let done0:bool = out in + done0, sampled0, 
tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263))) + else done0, sampled0, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263))) in - let done1, out, sampled1:(bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) = + let done1, sampled1, tmp_stack:(bool & usize & t_Slice (t_Array i32 (sz 263))) = if ~.done1 then - let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = - rejection_sample_less_than_eta #v_SIMDUnit - eta + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit (randomnesses._2 <: t_Slice u8) sampled1 - (out.[ sz 1 ] <: t_Array i32 (sz 263)) + (tmp_stack.[ sz 1 ] <: t_Array i32 (sz 263)) in let sampled1:usize = tmp0 in - let out:t_Array (t_Array i32 (sz 263)) (sz 4) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 1) tmp1 + let tmp_stack:t_Slice (t_Array i32 (sz 263)) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 1) tmp1 in - let done1:bool = out1 in - done1, out, sampled1 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) - else done1, out, sampled1 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) + let done1:bool = out in + done1, sampled1, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263))) + else done1, sampled1, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263))) in - let done2, out, sampled2:(bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) = + let done2, sampled2, tmp_stack:(bool & usize & t_Slice (t_Array i32 (sz 263))) = if ~.done2 then - let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = - rejection_sample_less_than_eta #v_SIMDUnit - eta + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit (randomnesses._3 <: t_Slice u8) sampled2 - (out.[ sz 2 ] <: t_Array i32 (sz 263)) + (tmp_stack.[ sz 2 ] <: t_Array i32 (sz 263)) in let sampled2:usize = tmp0 in - let out:t_Array (t_Array i32 (sz 263)) (sz 4) 
= - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 2) tmp1 + let tmp_stack:t_Slice (t_Array i32 (sz 263)) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 2) tmp1 in - let done2:bool = out1 in - done2, out, sampled2 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) - else done2, out, sampled2 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) + let done2:bool = out in + done2, sampled2, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263))) + else done2, sampled2, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263))) in if ~.done3 then - let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = - rejection_sample_less_than_eta #v_SIMDUnit - eta + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit (randomnesses._4 <: t_Slice u8) sampled3 - (out.[ sz 3 ] <: t_Array i32 (sz 263)) + (tmp_stack.[ sz 3 ] <: t_Array i32 (sz 263)) in let sampled3:usize = tmp0 in - let out:t_Array (t_Array i32 (sz 263)) (sz 4) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 3) tmp1 + let tmp_stack:t_Slice (t_Array i32 (sz 263)) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 3) tmp1 in - let done3:bool = out1 in - done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state + let done3:bool = out in + done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack <: - (bool & bool & bool & bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize & usize & - usize & - usize & - v_Shake256) + (bool & bool & bool & bool & usize & usize & usize & usize & v_Shake128 & + t_Slice (t_Array i32 (sz 263))) else - done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state + done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack <: - (bool & bool & bool & bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize & usize & - 
usize & - usize & - v_Shake256)) - in - let max:usize = (cast (start_index <: u16) <: usize) +! sz 4 in - let max:usize = - if - (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) re - <: - usize) <. - max - then Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) re - else max + (bool & bool & bool & bool & usize & usize & usize & usize & v_Shake128 & + t_Slice (t_Array i32 (sz 263)))) in - let re:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - Rust_primitives.Hax.Folds.fold_range (cast (start_index <: u16) <: usize) - max - (fun re temp_1_ -> - let re:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = re in + let matrix:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + elements_requested + (fun matrix temp_1_ -> + let matrix:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + matrix + in let _:usize = temp_1_ in true) - re - (fun re i -> - let re:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = re in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - i + matrix + (fun matrix k -> + let matrix:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + matrix + in + let k:usize = k in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize matrix + (start_index +! k <: usize) (Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit - (out.[ i %! sz 4 <: usize ] <: t_Slice i32) - (re.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (tmp_stack.[ k ] <: t_Slice i32) + (matrix.[ start_index +! 
k <: usize ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) in - re + matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, tmp_stack + <: + (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Slice (t_Array i32 (sz 263))) -let sample_mask_ring_element - (#v_SIMDUnit #v_Shake256: Type0) +let rejection_sample_less_than_eta_equals_2_ + (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: + i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) - (seed: t_Array u8 (sz 66)) - (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - (gamma1_exponent: usize) + (randomness: t_Slice u8) + (sampled_coefficients: usize) + (out: t_Array i32 (sz 263)) = - let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - match cast (gamma1_exponent <: usize) <: u8 with - | 17uy -> - let out:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in - let out:t_Array u8 (sz 576) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256 - #FStar.Tactics.Typeclasses.solve - (sz 576) - (seed <: t_Slice u8) - out - in - let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit - gamma1_exponent - (out <: t_Slice u8) - result - in - result - | 19uy -> - let out:t_Array u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in - let out:t_Array u8 (sz 640) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256 + let done:bool = false in + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = + Core.Iter.Traits.Iterator.f_fold 
(Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_ChunksExact + u8) #FStar.Tactics.Typeclasses.solve - (sz 640) - (seed <: t_Slice u8) - out - in - let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit - gamma1_exponent - (out <: t_Slice u8) - result - in - result - | _ -> result + (Core.Slice.impl__chunks_exact #u8 randomness (sz 4) <: Core.Slice.Iter.t_ChunksExact u8) + <: + Core.Slice.Iter.t_ChunksExact u8) + (done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) + (fun temp_0_ random_bytes -> + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = temp_0_ in + let random_bytes:t_Slice u8 = random_bytes in + if ~.done <: bool + then + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Traits.f_rejection_sample_less_than_eta_equals_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + random_bytes + (out.[ { Core.Ops.Range.f_start = sampled_coefficients } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice i32) + in + let out:t_Array i32 (sz 263) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from out + ({ Core.Ops.Range.f_start = sampled_coefficients } + <: + Core.Ops.Range.t_RangeFrom usize) + tmp0 + in + let sampled:usize = out1 in + let sampled_coefficients:usize = sampled_coefficients +! sampled in + if sampled_coefficients >=. 
Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + then + let done:bool = true in + done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) in - result + let hax_temp_output:bool = done in + sampled_coefficients, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool) -let sample_mask_vector - (#v_SIMDUnit #v_Shake256 #v_Shake256X4: Type0) +let rejection_sample_less_than_eta_equals_4_ + (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: + i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i4: - Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i5: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (dimension gamma1_exponent: usize) - (seed: t_Array u8 (sz 64)) - (domain_separator: u16) - (mask: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (randomness: t_Slice u8) + (sampled_coefficients: usize) + (out: t_Array i32 (sz 263)) = - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((dimension =. sz 4 <: bool) || (dimension =. sz 5 <: bool) || - (dimension =. sz 7 <: bool)) - in - () - in - let seed0:t_Array u8 (sz 66) = add_error_domain_separator (seed <: t_Slice u8) domain_separator in - let seed1:t_Array u8 (sz 66) = - add_error_domain_separator (seed <: t_Slice u8) (domain_separator +! 1us <: u16) - in - let seed2:t_Array u8 (sz 66) = - add_error_domain_separator (seed <: t_Slice u8) (domain_separator +! 2us <: u16) - in - let seed3:t_Array u8 (sz 66) = - add_error_domain_separator (seed <: t_Slice u8) (domain_separator +! 
3us <: u16) - in + let done:bool = false in + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_ChunksExact + u8) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__chunks_exact #u8 randomness (sz 4) <: Core.Slice.Iter.t_ChunksExact u8) + <: + Core.Slice.Iter.t_ChunksExact u8) + (done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) + (fun temp_0_ random_bytes -> + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = temp_0_ in + let random_bytes:t_Slice u8 = random_bytes in + if ~.done <: bool + then + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Traits.f_rejection_sample_less_than_eta_equals_4_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + random_bytes + (out.[ { Core.Ops.Range.f_start = sampled_coefficients } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice i32) + in + let out:t_Array i32 (sz 263) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from out + ({ Core.Ops.Range.f_start = sampled_coefficients } + <: + Core.Ops.Range.t_RangeFrom usize) + tmp0 + in + let sampled:usize = out1 in + let sampled_coefficients:usize = sampled_coefficients +! sampled in + if sampled_coefficients >=. 
Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + then + let done:bool = true in + done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) + in + let hax_temp_output:bool = done in + sampled_coefficients, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool) + +let rejection_sample_less_than_eta + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (randomness: t_Slice u8) + (sampled: usize) + (out: t_Array i32 (sz 263)) + = + let (out, sampled), hax_temp_output:((t_Array i32 (sz 263) & usize) & bool) = + match eta <: Libcrux_ml_dsa.Constants.t_Eta with + | Libcrux_ml_dsa.Constants.Eta_Two -> + let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta_equals_2_ #v_SIMDUnit randomness sampled out + in + let sampled:usize = tmp0 in + let out:t_Array i32 (sz 263) = tmp1 in + (out, sampled <: (t_Array i32 (sz 263) & usize)), out1 + <: + ((t_Array i32 (sz 263) & usize) & bool) + | Libcrux_ml_dsa.Constants.Eta_Four -> + let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta_equals_4_ #v_SIMDUnit randomness sampled out + in + let sampled:usize = tmp0 in + let out:t_Array i32 (sz 263) = tmp1 in + (out, sampled <: (t_Array i32 (sz 263) & usize)), out1 + <: + ((t_Array i32 (sz 263) & usize) & bool) + in + sampled, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool) + +let sample_four_error_ring_elements + (#v_SIMDUnit #v_Shake256: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256) + (eta: 
Libcrux_ml_dsa.Constants.t_Eta) + (seed: t_Slice u8) + (start_index: u16) + (re: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + = + let seed0:t_Array u8 (sz 66) = add_error_domain_separator seed start_index in + let seed1:t_Array u8 (sz 66) = add_error_domain_separator seed (start_index +! 1us <: u16) in + let seed2:t_Array u8 (sz 66) = add_error_domain_separator seed (start_index +! 2us <: u16) in + let seed3:t_Array u8 (sz 66) = add_error_domain_separator seed (start_index +! 3us <: u16) in + let state:v_Shake256 = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init_absorb_x4 #v_Shake256 + #FStar.Tactics.Typeclasses.solve + (seed0 <: t_Slice u8) + (seed1 <: t_Slice u8) + (seed2 <: t_Slice u8) + (seed3 <: t_Slice u8) + in + let tmp0, out1:(v_Shake256 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_first_block_x4 #v_Shake256 + #FStar.Tactics.Typeclasses.solve + state + in + let state:v_Shake256 = tmp0 in + let randomnesses:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + out1 + in + let out:t_Array (t_Array i32 (sz 263)) (sz 4) = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 263) <: t_Array i32 (sz 263)) + (sz 4) + in + let sampled0:usize = sz 0 in + let sampled1:usize = sz 0 in + let sampled2:usize = sz 0 in + let sampled3:usize = sz 0 in + let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit + eta + (randomnesses._1 <: t_Slice u8) + sampled0 + (out.[ sz 0 ] <: t_Array i32 (sz 263)) + in + let sampled0:usize = tmp0 in + let out:t_Array (t_Array i32 (sz 263)) (sz 4) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 0) tmp1 + in + let done0:bool = out1 in + let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit + eta + (randomnesses._2 <: t_Slice u8) + sampled1 
+ (out.[ sz 1 ] <: t_Array i32 (sz 263)) + in + let sampled1:usize = tmp0 in + let out:t_Array (t_Array i32 (sz 263)) (sz 4) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 1) tmp1 + in + let done1:bool = out1 in + let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit + eta + (randomnesses._3 <: t_Slice u8) + sampled2 + (out.[ sz 2 ] <: t_Array i32 (sz 263)) + in + let sampled2:usize = tmp0 in + let out:t_Array (t_Array i32 (sz 263)) (sz 4) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 2) tmp1 + in + let done2:bool = out1 in + let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit + eta + (randomnesses._4 <: t_Slice u8) + sampled3 + (out.[ sz 3 ] <: t_Array i32 (sz 263)) + in + let sampled3:usize = tmp0 in + let out:t_Array (t_Array i32 (sz 263)) (sz 4) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 3) tmp1 + in + let done3:bool = out1 in + let done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state:(bool & bool & + bool & + bool & + t_Array (t_Array i32 (sz 263)) (sz 4) & + usize & + usize & + usize & + usize & + v_Shake256) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state:(bool & + bool & + bool & + bool & + t_Array (t_Array i32 (sz 263)) (sz 4) & + usize & + usize & + usize & + usize & + v_Shake256) = + temp_0_ + in + (~.done0 <: bool) || (~.done1 <: bool) || (~.done2 <: bool) || (~.done3 <: bool)) + (done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state + <: + (bool & bool & bool & bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize & usize & usize & + usize & + v_Shake256)) + (fun temp_0_ -> + let done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state:(bool & + bool & + bool & + bool & + t_Array (t_Array i32 (sz 263)) (sz 4) & + 
usize & + usize & + usize & + usize & + v_Shake256) = + temp_0_ + in + let tmp0, out1:(v_Shake256 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_next_block_x4 #v_Shake256 + #FStar.Tactics.Typeclasses.solve + state + in + let state:v_Shake256 = tmp0 in + let randomnesses:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + out1 + in + let done0, out, sampled0:(bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) = + if ~.done0 + then + let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit + eta + (randomnesses._1 <: t_Slice u8) + sampled0 + (out.[ sz 0 ] <: t_Array i32 (sz 263)) + in + let sampled0:usize = tmp0 in + let out:t_Array (t_Array i32 (sz 263)) (sz 4) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 0) tmp1 + in + let done0:bool = out1 in + done0, out, sampled0 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) + else done0, out, sampled0 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) + in + let done1, out, sampled1:(bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) = + if ~.done1 + then + let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit + eta + (randomnesses._2 <: t_Slice u8) + sampled1 + (out.[ sz 1 ] <: t_Array i32 (sz 263)) + in + let sampled1:usize = tmp0 in + let out:t_Array (t_Array i32 (sz 263)) (sz 4) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 1) tmp1 + in + let done1:bool = out1 in + done1, out, sampled1 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) + else done1, out, sampled1 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) + in + let done2, out, sampled2:(bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) = + if ~.done2 + then + let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = + 
rejection_sample_less_than_eta #v_SIMDUnit + eta + (randomnesses._3 <: t_Slice u8) + sampled2 + (out.[ sz 2 ] <: t_Array i32 (sz 263)) + in + let sampled2:usize = tmp0 in + let out:t_Array (t_Array i32 (sz 263)) (sz 4) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 2) tmp1 + in + let done2:bool = out1 in + done2, out, sampled2 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) + else done2, out, sampled2 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) + in + if ~.done3 + then + let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit + eta + (randomnesses._4 <: t_Slice u8) + sampled3 + (out.[ sz 3 ] <: t_Array i32 (sz 263)) + in + let sampled3:usize = tmp0 in + let out:t_Array (t_Array i32 (sz 263)) (sz 4) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 3) tmp1 + in + let done3:bool = out1 in + done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state + <: + (bool & bool & bool & bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize & usize & + usize & + usize & + v_Shake256) + else + done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state + <: + (bool & bool & bool & bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize & usize & + usize & + usize & + v_Shake256)) + in + let max:usize = (cast (start_index <: u16) <: usize) +! sz 4 in + let max:usize = + if + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) re + <: + usize) <. 
+ max + then Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) re + else max + in + let re:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Folds.fold_range (cast (start_index <: u16) <: usize) + max + (fun re temp_1_ -> + let re:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = re in + let _:usize = temp_1_ in + true) + re + (fun re i -> + let re:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = re in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + i + (Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit + (out.[ i %! sz 4 <: usize ] <: t_Slice i32) + (re.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + re + +let sample_mask_ring_element + (#v_SIMDUnit #v_Shake256: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (seed: t_Array u8 (sz 66)) + (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (gamma1_exponent: usize) + = + let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + match cast (gamma1_exponent <: usize) <: u8 with + | 17uy -> + let out:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in + let out:t_Array u8 (sz 576) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256 + #FStar.Tactics.Typeclasses.solve + (sz 576) + (seed <: t_Slice u8) + out + in + let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + gamma1_exponent + (out <: t_Slice u8) + result + in + result + | 19uy -> + let out:t_Array 
u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in + let out:t_Array u8 (sz 640) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256 + #FStar.Tactics.Typeclasses.solve + (sz 640) + (seed <: t_Slice u8) + out + in + let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + gamma1_exponent + (out <: t_Slice u8) + result + in + result + | _ -> result + in + result + +let sample_mask_vector + (#v_SIMDUnit #v_Shake256 #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i4: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (dimension gamma1_exponent: usize) + (seed: t_Array u8 (sz 64)) + (domain_separator: u16) + (mask: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((dimension =. sz 4 <: bool) || (dimension =. sz 5 <: bool) || + (dimension =. sz 7 <: bool)) + in + () + in + let seed0:t_Array u8 (sz 66) = add_error_domain_separator (seed <: t_Slice u8) domain_separator in + let seed1:t_Array u8 (sz 66) = + add_error_domain_separator (seed <: t_Slice u8) (domain_separator +! 1us <: u16) + in + let seed2:t_Array u8 (sz 66) = + add_error_domain_separator (seed <: t_Slice u8) (domain_separator +! 2us <: u16) + in + let seed3:t_Array u8 (sz 66) = + add_error_domain_separator (seed <: t_Slice u8) (domain_separator +! 3us <: u16) + in let domain_separator:u16 = domain_separator +! 4us in let mask:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = match cast (gamma1_exponent <: usize) <: u8 with 
@@ -922,283 +1097,108 @@ let sample_mask_vector gamma1_exponent <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - in - domain_separator, mask - <: - (u16 & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))) - in - domain_separator, mask - <: - (u16 & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - -let sample_up_to_four_ring_elements_flat - (#v_SIMDUnit #v_Shake128: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128) - (columns: usize) - (seed: t_Slice u8) - (matrix: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (rand_stack0 rand_stack1 rand_stack2 rand_stack3: t_Array u8 (sz 840)) - (tmp_stack: t_Slice (t_Array i32 (sz 263))) - (start_index elements_requested: usize) - = - let _:Prims.unit = - if true - then - let _:Prims.unit = Hax_lib.v_assert (elements_requested <=. sz 4 <: bool) in - () - in - let seed0:t_Array u8 (sz 34) = - add_domain_separator seed - (sample_up_to_four_ring_elements_flat__xy start_index columns <: (u8 & u8)) - in - let seed1:t_Array u8 (sz 34) = - add_domain_separator seed - (sample_up_to_four_ring_elements_flat__xy (start_index +! sz 1 <: usize) columns <: (u8 & u8)) - in - let seed2:t_Array u8 (sz 34) = - add_domain_separator seed - (sample_up_to_four_ring_elements_flat__xy (start_index +! sz 2 <: usize) columns <: (u8 & u8)) - in - let seed3:t_Array u8 (sz 34) = - add_domain_separator seed - (sample_up_to_four_ring_elements_flat__xy (start_index +! 
sz 3 <: usize) columns <: (u8 & u8)) - in - let state:v_Shake128 = - Libcrux_ml_dsa.Hash_functions.Shake128.f_init_absorb #v_Shake128 - #FStar.Tactics.Typeclasses.solve - (seed0 <: t_Slice u8) - (seed1 <: t_Slice u8) - (seed2 <: t_Slice u8) - (seed3 <: t_Slice u8) - in - let tmp0, tmp1, tmp2, tmp3, tmp4:(v_Shake128 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840)) = - Libcrux_ml_dsa.Hash_functions.Shake128.f_squeeze_first_five_blocks #v_Shake128 - #FStar.Tactics.Typeclasses.solve - state - rand_stack0 - rand_stack1 - rand_stack2 - rand_stack3 - in - let state:v_Shake128 = tmp0 in - let rand_stack0:t_Array u8 (sz 840) = tmp1 in - let rand_stack1:t_Array u8 (sz 840) = tmp2 in - let rand_stack2:t_Array u8 (sz 840) = tmp3 in - let rand_stack3:t_Array u8 (sz 840) = tmp4 in - let _:Prims.unit = () in - let sampled0:usize = sz 0 in - let sampled1:usize = sz 0 in - let sampled2:usize = sz 0 in - let sampled3:usize = sz 0 in - let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = - rejection_sample_less_than_field_modulus #v_SIMDUnit - (rand_stack0 <: t_Slice u8) - sampled0 - (tmp_stack.[ sz 0 ] <: t_Array i32 (sz 263)) - in - let sampled0:usize = tmp0 in - let tmp_stack:t_Slice (t_Array i32 (sz 263)) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 0) tmp1 - in - let done0:bool = out in - let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = - rejection_sample_less_than_field_modulus #v_SIMDUnit - (rand_stack1 <: t_Slice u8) - sampled1 - (tmp_stack.[ sz 1 ] <: t_Array i32 (sz 263)) + in + domain_separator, mask + <: + (u16 & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))) in - let sampled1:usize = tmp0 in - let tmp_stack:t_Slice (t_Array i32 (sz 263)) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 1) tmp1 + domain_separator, mask + <: + (u16 & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + +let 
sample_challenge_ring_element + (#v_SIMDUnit #v_Shake256: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (seed: t_Slice u8) + (number_of_ones: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let state:v_Shake256 = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init_absorb_final #v_Shake256 + #FStar.Tactics.Typeclasses.solve + seed in - let done1:bool = out in - let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = - rejection_sample_less_than_field_modulus #v_SIMDUnit - (rand_stack2 <: t_Slice u8) - sampled2 - (tmp_stack.[ sz 2 ] <: t_Array i32 (sz 263)) + let tmp0, out:(v_Shake256 & t_Array u8 (sz 136)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_first_block #v_Shake256 + #FStar.Tactics.Typeclasses.solve + state in - let sampled2:usize = tmp0 in - let tmp_stack:t_Slice (t_Array i32 (sz 263)) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 2) tmp1 + let state:v_Shake256 = tmp0 in + let randomness:t_Array u8 (sz 136) = out in + let signs:u64 = + Core.Num.impl__u64__from_le_bytes (Core.Result.impl__unwrap #(t_Array u8 (sz 8)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 8)) + #FStar.Tactics.Typeclasses.solve + (randomness.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 8 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Core.Result.t_Result (t_Array u8 (sz 8)) Core.Array.t_TryFromSliceError) + <: + t_Array u8 (sz 8)) in - let done2:bool = out in - let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = - rejection_sample_less_than_field_modulus #v_SIMDUnit - (rand_stack3 <: t_Slice u8) - sampled3 - (tmp_stack.[ sz 3 ] <: t_Array i32 (sz 263)) + let result:t_Array i32 (sz 256) = Rust_primitives.Hax.repeat 0l (sz 256) in + let 
out_index:usize = + (Core.Slice.impl__len #i32 (result <: t_Slice i32) <: usize) -! number_of_ones in - let sampled3:usize = tmp0 in - let tmp_stack:t_Slice (t_Array i32 (sz 263)) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 3) tmp1 + let tmp0, tmp1, tmp2, out:(usize & u64 & t_Array i32 (sz 256) & bool) = + inside_out_shuffle (randomness.[ { Core.Ops.Range.f_start = sz 8 } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + out_index + signs + result in - let done3:bool = out in - let done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack:(bool & - bool & - bool & - bool & - usize & - usize & - usize & - usize & - v_Shake128 & - t_Slice (t_Array i32 (sz 263))) = + let out_index:usize = tmp0 in + let signs:u64 = tmp1 in + let result:t_Array i32 (sz 256) = tmp2 in + let done:bool = out in + let done, out_index, result, signs, state:(bool & usize & t_Array i32 (sz 256) & u64 & v_Shake256) + = Rust_primitives.f_while_loop (fun temp_0_ -> - let done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack:(bool & - bool & - bool & - bool & - usize & - usize & - usize & - usize & - v_Shake128 & - t_Slice (t_Array i32 (sz 263))) = + let done, out_index, result, signs, state:(bool & usize & t_Array i32 (sz 256) & u64 & + v_Shake256) = temp_0_ in - (~.done0 <: bool) || (~.done1 <: bool) || (~.done2 <: bool) || (~.done3 <: bool)) - (done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack + ~.done <: bool) + (done, out_index, result, signs, state <: - (bool & bool & bool & bool & usize & usize & usize & usize & v_Shake128 & - t_Slice (t_Array i32 (sz 263)))) + (bool & usize & t_Array i32 (sz 256) & u64 & v_Shake256)) (fun temp_0_ -> - let done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack:(bool & - bool & - bool & - bool & - usize & - usize & - usize & - usize & - v_Shake128 & - t_Slice (t_Array i32 (sz 263))) = + let 
done, out_index, result, signs, state:(bool & usize & t_Array i32 (sz 256) & u64 & + v_Shake256) = temp_0_ in - let tmp0, out:(v_Shake128 & - (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) - = - Libcrux_ml_dsa.Hash_functions.Shake128.f_squeeze_next_block #v_Shake128 + let tmp0, out:(v_Shake256 & t_Array u8 (sz 136)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_next_block #v_Shake256 #FStar.Tactics.Typeclasses.solve state in - let state:v_Shake128 = tmp0 in - let randomnesses:(t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & - t_Array u8 (sz 168)) = - out - in - let done0, sampled0, tmp_stack:(bool & usize & t_Slice (t_Array i32 (sz 263))) = - if ~.done0 - then - let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = - rejection_sample_less_than_field_modulus #v_SIMDUnit - (randomnesses._1 <: t_Slice u8) - sampled0 - (tmp_stack.[ sz 0 ] <: t_Array i32 (sz 263)) - in - let sampled0:usize = tmp0 in - let tmp_stack:t_Slice (t_Array i32 (sz 263)) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 0) tmp1 - in - let done0:bool = out in - done0, sampled0, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263))) - else done0, sampled0, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263))) - in - let done1, sampled1, tmp_stack:(bool & usize & t_Slice (t_Array i32 (sz 263))) = - if ~.done1 - then - let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = - rejection_sample_less_than_field_modulus #v_SIMDUnit - (randomnesses._2 <: t_Slice u8) - sampled1 - (tmp_stack.[ sz 1 ] <: t_Array i32 (sz 263)) - in - let sampled1:usize = tmp0 in - let tmp_stack:t_Slice (t_Array i32 (sz 263)) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 1) tmp1 - in - let done1:bool = out in - done1, sampled1, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263))) - else done1, sampled1, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263))) - in - 
let done2, sampled2, tmp_stack:(bool & usize & t_Slice (t_Array i32 (sz 263))) = - if ~.done2 - then - let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = - rejection_sample_less_than_field_modulus #v_SIMDUnit - (randomnesses._3 <: t_Slice u8) - sampled2 - (tmp_stack.[ sz 2 ] <: t_Array i32 (sz 263)) - in - let sampled2:usize = tmp0 in - let tmp_stack:t_Slice (t_Array i32 (sz 263)) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 2) tmp1 - in - let done2:bool = out in - done2, sampled2, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263))) - else done2, sampled2, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263))) - in - if ~.done3 - then - let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = - rejection_sample_less_than_field_modulus #v_SIMDUnit - (randomnesses._4 <: t_Slice u8) - sampled3 - (tmp_stack.[ sz 3 ] <: t_Array i32 (sz 263)) - in - let sampled3:usize = tmp0 in - let tmp_stack:t_Slice (t_Array i32 (sz 263)) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 3) tmp1 - in - let done3:bool = out in - done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack - <: - (bool & bool & bool & bool & usize & usize & usize & usize & v_Shake128 & - t_Slice (t_Array i32 (sz 263))) - else - done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack - <: - (bool & bool & bool & bool & usize & usize & usize & usize & v_Shake128 & - t_Slice (t_Array i32 (sz 263)))) - in - let matrix:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - elements_requested - (fun matrix temp_1_ -> - let matrix:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - matrix - in - let _:usize = temp_1_ in - true) - matrix - (fun matrix k -> - let matrix:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - matrix + let state:v_Shake256 = tmp0 in + 
let randomness:t_Array u8 (sz 136) = out in + let tmp0, tmp1, tmp2, out:(usize & u64 & t_Array i32 (sz 256) & bool) = + inside_out_shuffle (randomness <: t_Slice u8) out_index signs result in - let k:usize = k in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize matrix - (start_index +! k <: usize) - (Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit - (tmp_stack.[ k ] <: t_Slice i32) - (matrix.[ start_index +! k <: usize ] - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + let out_index:usize = tmp0 in + let signs:u64 = tmp1 in + let result:t_Array i32 (sz 256) = tmp2 in + let done:bool = out in + done, out_index, result, signs, state <: - t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (bool & usize & t_Array i32 (sz 256) & u64 & v_Shake256)) in - matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, tmp_stack - <: - (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Slice (t_Array i32 (sz 263))) + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (result <: t_Slice i32) re + in + re diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti index 7991fde68..3c91314ac 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti 
@@ -13,10 +13,23 @@ let _ = val generate_domain_separator: (u8 & u8) -> Prims.Pure u16 Prims.l_True (fun _ -> Prims.l_True) +val add_domain_separator (slice: t_Slice u8) (indices: (u8 & u8)) + : Prims.Pure (t_Array u8 (sz 34)) Prims.l_True (fun _ -> Prims.l_True) + val sample_up_to_four_ring_elements_flat__xy (index width: usize) : Prims.Pure (u8 & u8) Prims.l_True (fun _ -> Prims.l_True) -val rejection_sample_less_than_eta_equals_2_ +val add_error_domain_separator (slice: t_Slice u8) (domain_separator: u16) + : Prims.Pure (t_Array u8 (sz 66)) Prims.l_True (fun _ -> Prims.l_True) + +val inside_out_shuffle + (randomness: t_Slice u8) + (out_index: usize) + (signs: u64) + (result: t_Array i32 (sz 256)) + : Prims.Pure (usize & u64 & t_Array i32 (sz 256) & bool) Prims.l_True (fun _ -> Prims.l_True) + +val rejection_sample_less_than_field_modulus (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (randomness: t_Slice u8) 
@@ -24,7 +37,31 @@ val rejection_sample_less_than_eta_equals_2_ (out: t_Array i32 (sz 263)) : Prims.Pure (usize & t_Array i32 (sz 263) & bool) Prims.l_True (fun _ -> Prims.l_True) -val rejection_sample_less_than_eta_equals_4_ +/// Sample and write out up to four ring elements. +/// If i <= `elements_requested`, a field element with domain separated +/// seed according to the provided index is generated in +/// `tmp_stack[i]`. After successful rejection sampling in +/// `tmp_stack[i]`, the ring element is written to `matrix` at the +/// provided index in `indices[i]`. +/// `rand_stack` is a working buffer that holds initial Shake output. +val sample_up_to_four_ring_elements_flat + (#v_SIMDUnit #v_Shake128: Type0) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128 |} + (columns: usize) + (seed: t_Slice u8) + (matrix: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (rand_stack0 rand_stack1 rand_stack2 rand_stack3: t_Array u8 (sz 840)) + (tmp_stack: t_Slice (t_Array i32 (sz 263))) + (start_index elements_requested: usize) + : Prims.Pure + (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Slice (t_Array i32 (sz 263))) Prims.l_True (fun _ -> Prims.l_True) + +val rejection_sample_less_than_eta_equals_2_ (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (randomness: t_Slice u8) 
@@ -32,47 +69,23 @@ val rejection_sample_less_than_eta_equals_4_ (out: t_Array i32 (sz 263)) : Prims.Pure (usize & t_Array i32 (sz 263) & bool) Prims.l_True (fun _ -> Prims.l_True) -val rejection_sample_less_than_eta +val rejection_sample_less_than_eta_equals_4_ (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (eta: Libcrux_ml_dsa.Constants.t_Eta) (randomness: t_Slice u8) - (sampled: usize) + (sampled_coefficients: usize) (out: t_Array i32 (sz 263)) : Prims.Pure (usize & t_Array i32 (sz 263) & bool) Prims.l_True (fun _ -> Prims.l_True) -val rejection_sample_less_than_field_modulus +val rejection_sample_less_than_eta (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (eta: Libcrux_ml_dsa.Constants.t_Eta) (randomness: t_Slice u8) - (sampled_coefficients: usize) + (sampled: usize) (out: t_Array i32 (sz 263)) : Prims.Pure (usize & t_Array i32 (sz 263) & bool) Prims.l_True (fun _ -> Prims.l_True) -val add_domain_separator (slice: t_Slice u8) (indices: (u8 & u8)) - : Prims.Pure (t_Array u8 (sz 34)) Prims.l_True (fun _ -> Prims.l_True) - -val add_error_domain_separator (slice: t_Slice u8) (domain_separator: u16) - : Prims.Pure (t_Array u8 (sz 66)) Prims.l_True (fun _ -> Prims.l_True) - -val inside_out_shuffle - (randomness: t_Slice u8) - (out_index: usize) - (signs: u64) - (result: t_Array i32 (sz 256)) - : Prims.Pure (usize & u64 & t_Array i32 (sz 256) & bool) Prims.l_True (fun _ -> Prims.l_True) - -val sample_challenge_ring_element - (#v_SIMDUnit #v_Shake256: Type0) - {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - (seed: t_Slice u8) - (number_of_ones: usize) - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - Prims.l_True - (fun _ -> Prims.l_True) - val sample_four_error_ring_elements (#v_SIMDUnit #v_Shake256: Type0) {| 
i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} @@ -109,26 +122,13 @@ val sample_mask_vector Prims.l_True (fun _ -> Prims.l_True) -/// Sample and write out up to four ring elements. -/// If i <= `elements_requested`, a field element with domain separated -/// seed according to the provided index is generated in -/// `tmp_stack[i]`. After successful rejection sampling in -/// `tmp_stack[i]`, the ring element is written to `matrix` at the -/// provided index in `indices[i]`. -/// `rand_stack` is a working buffer that holds initial Shake output. -val sample_up_to_four_ring_elements_flat - (#v_SIMDUnit #v_Shake128: Type0) +val sample_challenge_ring_element + (#v_SIMDUnit #v_Shake256: Type0) {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128 |} - (columns: usize) + {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} (seed: t_Slice u8) - (matrix: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) - (rand_stack0 rand_stack1 rand_stack2 rand_stack3: t_Array u8 (sz 840)) - (tmp_stack: t_Slice (t_Array i32 (sz 263))) - (start_index elements_requested: usize) - : Prims.Pure - (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & - t_Slice (t_Array i32 (sz 263))) Prims.l_True (fun _ -> Prims.l_True) + (number_of_ones: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst index 1385acbb6..99e6eb6ee 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst @@ -9,6 +9,27 @@ let add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = in lhs +let subtract (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 lhs rhs + in + lhs + +let infinity_norm_exceeds (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (bound: i32) = + let absolute_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_abs_epi32 simd_unit + in + let bound:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (bound -! 1l <: i32) + in + let compare_with_bound:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 absolute_values bound + in + let result:i32 = + Libcrux_intrinsics.Avx2_extract.mm256_testz_si256 compare_with_bound compare_with_bound + in + result <>. 1l + let compute_hint (low high: Libcrux_intrinsics.Avx2_extract.t_Vec256) (gamma2: i32) 
@@ -52,26 +73,21 @@ let compute_hint let hax_temp_output:usize = cast (Core.Num.impl__i32__count_ones hints_mask <: u32) <: usize in hint, hax_temp_output <: (Libcrux_intrinsics.Avx2_extract.t_Vec256 & usize) -let infinity_norm_exceeds (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (bound: i32) = - let absolute_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_abs_epi32 simd_unit - in - let bound:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (bound -! 1l <: i32) - in - let compare_with_bound:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 absolute_values bound +let to_unsigned_representatives_ret (t: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let signs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 31l t in - let result:i32 = - Libcrux_intrinsics.Avx2_extract.mm256_testz_si256 compare_with_bound compare_with_bound + let conditional_add_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 signs + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) in - result <>. 1l + Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 t conditional_add_field_modulus -let subtract (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 lhs rhs - in - lhs +let to_unsigned_representatives (t: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let t:Libcrux_intrinsics.Avx2_extract.t_Vec256 = to_unsigned_representatives_ret t in + t let shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 = 
@@ -97,22 +113,6 @@ let shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: Libcrux_intrinsics.Avx2 in simd_unit -let to_unsigned_representatives_ret (t: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let signs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 31l t - in - let conditional_add_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_and_si256 signs - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 t conditional_add_field_modulus - -let to_unsigned_representatives (t: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let t:Libcrux_intrinsics.Avx2_extract.t_Vec256 = to_unsigned_representatives_ret t in - t - let power2round (r0 r1: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let r0:Libcrux_intrinsics.Avx2_extract.t_Vec256 = to_unsigned_representatives r0 in let r1:Libcrux_intrinsics.Avx2_extract.t_Vec256 = 
@@ -138,106 +138,6 @@ let power2round (r0 r1: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
 in
 r0, r1 <: (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)
-let montgomery_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
- let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS
- in
- let inverse_of_modulus_mod_montgomery_r:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R
- <:
- u64)
- <:
- i32)
- in
- let prod02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 lhs rhs
- in
- let prod13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
- 245l
- lhs
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l rhs
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- in
- let k02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
- in
- let k13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
- in
- let c02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus
- in
- let c13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus
- in
- let res02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02
- in
- let res13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13
- in
- let res02_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- 
Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02
- in
- let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13
- in
- lhs
-
-let montgomery_multiply_by_constant (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i32) =
- let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 constant
- in
- let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS
- in
- let inverse_of_modulus_mod_montgomery_r:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R
- <:
- u64)
- <:
- i32)
- in
- let prod02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 lhs rhs
- in
- let prod13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
- 245l
- lhs
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l rhs
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- in
- let k02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
- in
- let k13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
- in
- let c02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus
- in
- let c13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus
- in
- let res02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02
- in
- let 
res13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13
- in
- let res02_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02
- in
- Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13
-
 let decompose (gamma2: i32) (r r0 r1: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
 let r:Libcrux_intrinsics.Avx2_extract.t_Vec256 = to_unsigned_representatives_ret r in
 let ceil_of_r_by_128_:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
@@ -411,3 +311,103 @@ let use_hint (gamma2: i32) (r hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
 (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)
 in
 hint
+
+let montgomery_multiply_by_constant (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i32) =
+ let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 constant
+ in
+ let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS
+ in
+ let inverse_of_modulus_mod_montgomery_r:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R
+ <:
+ u64)
+ <:
+ i32)
+ in
+ let prod02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 lhs rhs
+ in
+ let prod13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+ 245l
+ lhs
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l rhs
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ in
+ let k02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+ in
+ let k13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+ in
+ let c02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus
+ in
+ let c13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus
+ in
+ let res02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02
+ in
+ let 
res13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13
+ in
+ let res02_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02
+ in
+ Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13
+
+let montgomery_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+ let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS
+ in
+ let inverse_of_modulus_mod_montgomery_r:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R
+ <:
+ u64)
+ <:
+ i32)
+ in
+ let prod02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 lhs rhs
+ in
+ let prod13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+ 245l
+ lhs
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l rhs
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ in
+ let k02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+ in
+ let k13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+ in
+ let c02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus
+ in
+ let c13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus
+ in
+ let res02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02
+ in
+ let res13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ 
Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13
+ in
+ let res02_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02
+ in
+ let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13
+ in
+ lhs
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti
index c5dcffb2e..b8aeefa6f 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti
@@ -6,6 +6,12 @@ open FStar.Mul
 val add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256)
 : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val subtract (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+val infinity_norm_exceeds (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (bound: i32)
+ : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
 val compute_hint (low high: Libcrux_intrinsics.Avx2_extract.t_Vec256) (gamma2: i32)
@@ -14,33 +20,21 @@ val compute_hint
 Prims.l_True
 (fun _ -> Prims.l_True)
-val infinity_norm_exceeds (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (bound: i32)
- : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-
-val subtract (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-
-val shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-
 val to_unsigned_representatives_ret (t: Libcrux_intrinsics.Avx2_extract.t_Vec256)
 : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
 val to_unsigned_representatives (t: Libcrux_intrinsics.Avx2_extract.t_Vec256)
 : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
 val power2round (r0 r1: Libcrux_intrinsics.Avx2_extract.t_Vec256)
 : Prims.Pure (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)
 Prims.l_True
 (fun _ -> Prims.l_True)
-val montgomery_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-
-val montgomery_multiply_by_constant (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i32)
- : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-
 val decompose (gamma2: i32) (r r0 r1: Libcrux_intrinsics.Avx2_extract.t_Vec256)
 : Prims.Pure
 (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)
@@ -49,3 +43,9 @@ val decompose (gamma2: i32) (r r0 r1: Libcrux_intrinsics.Avx2_extract.t_Vec256)
 val use_hint (gamma2: i32) (r hint: Libcrux_intrinsics.Avx2_extract.t_Vec256)
 : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+val montgomery_multiply_by_constant (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i32)
+ : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+val montgomery_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst
index e64d2efe3..9d33278d4 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst
@@ -3,97 +3,6 @@ module Libcrux_ml_dsa.Simd.Avx2.Encoding.Error open Core open FStar.Mul -let deserialize_to_unsigned_when_eta_is_2_ (bytes: t_Slice u8) = - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 bytes <: usize) =. sz 3 <: bool) - in - () - in - let bytes_in_simd_unit:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (cast (bytes.[ sz 2 ] <: u8) <: i32) - (cast (bytes.[ sz 2 ] <: u8) <: i32) - (((cast (bytes.[ sz 2 ] <: u8) <: i32) < deserialize_to_unsigned_when_eta_is_2_ serialized - | Libcrux_ml_dsa.Constants.Eta_Four -> deserialize_to_unsigned_when_eta_is_4_ serialized - -let deserialize - (eta: Libcrux_ml_dsa.Constants.t_Eta) - (serialized: t_Slice u8) - (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) - = - let unsigned:Libcrux_intrinsics.Avx2_extract.t_Vec256 = deserialize_to_unsigned eta serialized in - let eta:i32 = - match eta <: Libcrux_ml_dsa.Constants.t_Eta with - | Libcrux_ml_dsa.Constants.Eta_Two -> 2l - | Libcrux_ml_dsa.Constants.Eta_Four -> 4l - in - let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 - eta - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - unsigned - in - out - let serialize_when_eta_is_2_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8) = let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in let simd_unit_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 = 
@@ -246,3 +155,94 @@ let serialize | Libcrux_ml_dsa.Constants.Eta_Four -> serialize_when_eta_is_4_ simd_unit serialized in serialized + +let deserialize_to_unsigned_when_eta_is_2_ (bytes: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 bytes <: usize) =. sz 3 <: bool) + in + () + in + let bytes_in_simd_unit:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (cast (bytes.[ sz 2 ] <: u8) <: i32) + (cast (bytes.[ sz 2 ] <: u8) <: i32) + (((cast (bytes.[ sz 2 ] <: u8) <: i32) < deserialize_to_unsigned_when_eta_is_2_ serialized + | Libcrux_ml_dsa.Constants.Eta_Four -> deserialize_to_unsigned_when_eta_is_4_ serialized + +let deserialize + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (serialized: t_Slice u8) + (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) + = + let unsigned:Libcrux_intrinsics.Avx2_extract.t_Vec256 = deserialize_to_unsigned eta serialized in + let eta:i32 = + match eta <: Libcrux_ml_dsa.Constants.t_Eta with + | Libcrux_ml_dsa.Constants.Eta_Two -> 2l + | Libcrux_ml_dsa.Constants.Eta_Four -> 4l + in + let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 + eta + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + unsigned + in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti index b88141b5b..7cabc3562 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti 
@@ -3,17 +3,29 @@ module Libcrux_ml_dsa.Simd.Avx2.Encoding.Error open Core open FStar.Mul -let deserialize_to_unsigned_when_eta_is_2___COEFFICIENT_MASK: i32 = (1l < Prims.l_True) + let serialize_when_eta_is_4___ETA: i32 = 4l +val serialize_when_eta_is_4_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +val serialize + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +let deserialize_to_unsigned_when_eta_is_2___COEFFICIENT_MASK: i32 = (1l < Prims.l_True) +let deserialize_to_unsigned_when_eta_is_4___COEFFICIENT_MASK: i32 = (1l < Prims.l_True) @@ -25,15 +37,3 @@ val deserialize (serialized: t_Slice u8) (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - -val serialize_when_eta_is_2_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_when_eta_is_4_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -val serialize - (eta: Libcrux_ml_dsa.Constants.t_Eta) - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (serialized: t_Slice u8) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst index 4e1d65188..cc642fd12 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst 
@@ -3,147 +3,6 @@ module Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1
 open Core
 open FStar.Mul
-let deserialize_when_gamma1_is_2_pow_17_
- (serialized: t_Slice u8)
- (out: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- =
- let _:Prims.unit =
- if true
- then
- let _:Prims.unit =
- Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 18 <: bool)
- in
- ()
- in
- let serialized_lower:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
- Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ {
- Core.Ops.Range.f_start = sz 0;
- Core.Ops.Range.f_end = sz 16
- }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice u8)
- in
- let serialized_upper:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
- Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ {
- Core.Ops.Range.f_start = sz 2;
- Core.Ops.Range.f_end = sz 18
- }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice u8)
- in
- let serialized:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_set_m128i serialized_upper serialized_lower
- in
- let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized
- (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) 15y 14y 13y (-1y) 13y 12y 11y (-1y) 11y
- 10y 9y (-1y) 9y 8y 7y (-1y) 8y 7y 6y (-1y) 6y 5y 4y (-1y) 4y 3y 2y (-1y) 2y 1y 0y
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- in
- let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients
- (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 6l 4l 2l 0l 6l 4l 2l 0l
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- in
- let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients
- (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_17___GAMMA1_TIMES_2_MASK
-
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- in
- let 
out:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32
- deserialize_when_gamma1_is_2_pow_17___GAMMA1
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- coefficients
- in
- out
-
-let deserialize_when_gamma1_is_2_pow_19_
- (serialized: t_Slice u8)
- (out: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- =
- let _:Prims.unit =
- if true
- then
- let _:Prims.unit =
- Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 20 <: bool)
- in
- ()
- in
- let serialized_lower:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
- Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ {
- Core.Ops.Range.f_start = sz 0;
- Core.Ops.Range.f_end = sz 16
- }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice u8)
- in
- let serialized_upper:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
- Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ {
- Core.Ops.Range.f_start = sz 4;
- Core.Ops.Range.f_end = sz 20
- }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice u8)
- in
- let serialized:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_set_m128i serialized_upper serialized_lower
- in
- let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized
- (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) 15y 14y 13y (-1y) 13y 12y 11y (-1y) 10y
- 9y 8y (-1y) 8y 7y 6y (-1y) 9y 8y 7y (-1y) 7y 6y 5y (-1y) 4y 3y 2y (-1y) 2y 1y 0y
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- in
- let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients
- (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 4l 0l 4l 0l 4l 0l 4l 0l
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- in
- let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients
- 
(Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_19___GAMMA1_TIMES_2_MASK
-
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- in
- let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32
- deserialize_when_gamma1_is_2_pow_19___GAMMA1
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- coefficients
- in
- out
-
-let deserialize
- (serialized: t_Slice u8)
- (out: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- (gamma1_exponent: usize)
- =
- let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- match cast (gamma1_exponent <: usize) <: u8 with
- | 17uy -> deserialize_when_gamma1_is_2_pow_17_ serialized out
- | 19uy -> deserialize_when_gamma1_is_2_pow_19_ serialized out
- | _ -> out
- in
- out
-
 let serialize_when_gamma1_is_2_pow_17_
 (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256)
 (out: t_Slice u8)
@@ -323,3 +182,144 @@ let serialize
 | _ -> serialized
 in
 serialized
+
+let deserialize_when_gamma1_is_2_pow_17_
+ (serialized: t_Slice u8)
+ (out: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ =
+ let _:Prims.unit =
+ if true
+ then
+ let _:Prims.unit =
+ Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 18 <: bool)
+ in
+ ()
+ in
+ let serialized_lower:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+ Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ {
+ Core.Ops.Range.f_start = sz 0;
+ Core.Ops.Range.f_end = sz 16
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice u8)
+ in
+ let serialized_upper:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+ Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ {
+ Core.Ops.Range.f_start = sz 2;
+ Core.Ops.Range.f_end = sz 18
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice u8)
+ in
+ let serialized:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_set_m128i serialized_upper serialized_lower
+ in
+ let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized
+ (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) 15y 14y 13y (-1y) 13y 12y 11y (-1y) 11y
+ 10y 9y (-1y) 9y 8y 7y (-1y) 8y 7y 6y (-1y) 6y 5y 4y (-1y) 4y 3y 2y (-1y) 2y 1y 0y
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ in
+ let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients
+ (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 6l 4l 2l 0l 6l 4l 2l 0l
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ in
+ let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients
+ (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_17___GAMMA1_TIMES_2_MASK
+
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ in
+ let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ 
Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32
+ deserialize_when_gamma1_is_2_pow_17___GAMMA1
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ coefficients
+ in
+ out
+
+let deserialize_when_gamma1_is_2_pow_19_
+ (serialized: t_Slice u8)
+ (out: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ =
+ let _:Prims.unit =
+ if true
+ then
+ let _:Prims.unit =
+ Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 20 <: bool)
+ in
+ ()
+ in
+ let serialized_lower:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+ Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ {
+ Core.Ops.Range.f_start = sz 0;
+ Core.Ops.Range.f_end = sz 16
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice u8)
+ in
+ let serialized_upper:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+ Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ {
+ Core.Ops.Range.f_start = sz 4;
+ Core.Ops.Range.f_end = sz 20
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice u8)
+ in
+ let serialized:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_set_m128i serialized_upper serialized_lower
+ in
+ let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized
+ (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) 15y 14y 13y (-1y) 13y 12y 11y (-1y) 10y
+ 9y 8y (-1y) 8y 7y 6y (-1y) 9y 8y 7y (-1y) 7y 6y 5y (-1y) 4y 3y 2y (-1y) 2y 1y 0y
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ in
+ let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients
+ (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 4l 0l 4l 0l 4l 0l 4l 0l
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ in
+ let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients
+ (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 
deserialize_when_gamma1_is_2_pow_19___GAMMA1_TIMES_2_MASK
+
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ in
+ let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32
+ deserialize_when_gamma1_is_2_pow_19___GAMMA1
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ coefficients
+ in
+ out
+
+let deserialize
+ (serialized: t_Slice u8)
+ (out: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ (gamma1_exponent: usize)
+ =
+ let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ match cast (gamma1_exponent <: usize) <: u8 with
+ | 17uy -> deserialize_when_gamma1_is_2_pow_17_ serialized out
+ | 19uy -> deserialize_when_gamma1_is_2_pow_19_ serialized out
+ | _ -> out
+ in
+ out
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti
index 2eef37a40..5ed6a3299 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti
@@ -3,25 +3,41 @@ module Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1 open Core open FStar.Mul -let deserialize_when_gamma1_is_2_pow_17___GAMMA1: i32 = 1l < Prims.l_True) -let deserialize_when_gamma1_is_2_pow_19___GAMMA1: i32 = 1l < Prims.l_True) -let serialize_when_gamma1_is_2_pow_17___GAMMA1: i32 = 1l < Prims.l_True) -let serialize_when_gamma1_is_2_pow_19___GAMMA1: i32 = 1l < Prims.l_True) +let deserialize_when_gamma1_is_2_pow_19___GAMMA1: i32 = 1l < Prims.l_True) - -val serialize_when_gamma1_is_2_pow_17_ - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (out: t_Slice u8) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_when_gamma1_is_2_pow_19_ - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (out: t_Slice u8) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -val serialize - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (serialized: t_Slice u8) - (gamma1_exponent: usize) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst index 2a5d26958..d0ae2d410 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst 
@@ -12,61 +12,6 @@ let change_interval (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
 in
 Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 interval_end simd_unit
-let deserialize (serialized: t_Slice u8) (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
- let _:Prims.unit =
- if true
- then
- let _:Prims.unit =
- match Core.Slice.impl__len #u8 serialized, sz 13 <: (usize & usize) with
- | left_val, right_val -> Hax_lib.v_assert (left_val =. right_val <: bool)
- in
- ()
- in
- let serialized_extended:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in
- let serialized_extended:t_Array u8 (sz 16) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized_extended
- ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 13 }
- <:
- Core.Ops.Range.t_Range usize)
- (Core.Slice.impl__copy_from_slice #u8
- (serialized_extended.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 13 }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice u8)
- serialized
- <:
- t_Slice u8)
- in
- let serialized:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
- Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized_extended <: t_Slice u8)
- in
- let serialized:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_set_m128i serialized serialized
- in
- let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized
- (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) 12y 11y (-1y) 11y 10y 9y (-1y)
- (-1y) 9y 8y (-1y) 8y 7y 6y (-1y) 6y 5y 4y (-1y) (-1y) 4y 3y (-1y) 3y 2y 1y (-1y) (-1y) 1y
- 0y
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- in
- let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients
- (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 3l 6l 1l 4l 7l 2l 5l 0l
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- in
- let 
coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients
- (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize__COEFFICIENT_MASK
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- in
- let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = change_interval coefficients in
- out
-
 let serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8) =
 let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in
 let simd_unit:Libcrux_intrinsics.Avx2_extract.t_Vec256 = change_interval simd_unit in
@@ -125,3 +70,58 @@ let serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slic t_Slice u8) in out + +let deserialize (serialized: t_Slice u8) (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + match Core.Slice.impl__len #u8 serialized, sz 13 <: (usize & usize) with + | left_val, right_val -> Hax_lib.v_assert (left_val =. right_val <: bool) + in + () + in + let serialized_extended:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in + let serialized_extended:t_Array u8 (sz 16) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized_extended + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 13 } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized_extended.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 13 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + serialized + <: + t_Slice u8) + in + let serialized:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized_extended <: t_Slice u8) + in + let serialized:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set_m128i serialized serialized + in + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) 12y 11y (-1y) 11y 10y 9y (-1y) + (-1y) 9y 8y (-1y) 8y 7y 6y (-1y) 6y 5y 4y (-1y) (-1y) 4y 3y (-1y) 3y 2y 1y (-1y) (-1y) 1y + 0y + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 3l 6l 1l 4l 7l 2l 5l 0l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + 
Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize__COEFFICIENT_MASK + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = change_interval coefficients in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti index bc8592ab5..6b69d7c41 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti @@ -6,10 +6,10 @@ open FStar.Mul val change_interval (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + let deserialize__COEFFICIENT_MASK: i32 = (1l < Prims.l_True) - -val serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti index e47831a31..9e8db82fb 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti @@ -3,10 +3,10 @@ module Libcrux_ml_dsa.Simd.Avx2.Encoding.T1 open Core open FStar.Mul -let deserialize__COEFFICIENT_MASK: i32 = (1l < Prims.l_True) +let deserialize__COEFFICIENT_MASK: i32 = (1l < Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fst index b51dbfe26..456c7bb71 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fst 
@@ -68,6 +68,105 @@ let simd_unit_invert_ntt_at_layer_0_ <: (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) +let simd_unit_invert_ntt_at_layer_1_ + (simd_unit0 simd_unit1: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (zeta00 zeta01 zeta10 zeta11: i32) + = + let lo_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 simd_unit0 simd_unit1 + in + let hi_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 simd_unit0 simd_unit1 + in + let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 = hi_values in + let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract differences lo_values + in + let lo_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lo_values hi_values + in + let sums:Libcrux_intrinsics.Avx2_extract.t_Vec256 = lo_values in + let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta11 + zeta11 + zeta01 + zeta01 + zeta10 + zeta10 + zeta00 + zeta00 + in + let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply differences zetas + in + let a:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 = + { + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 sums differences + } + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + in + let b:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 = + { + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 sums differences + } + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + in + a, b + <: + (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + +let simd_unit_invert_ntt_at_layer_2_ + (simd_unit0 simd_unit1: 
Libcrux_intrinsics.Avx2_extract.t_Vec256) + (zeta0 zeta1: i32) + = + let lo_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 32l simd_unit0 simd_unit1 + in + let hi_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 49l simd_unit0 simd_unit1 + in + let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 = hi_values in + let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract differences lo_values + in + let lo_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lo_values hi_values + in + let sums:Libcrux_intrinsics.Avx2_extract.t_Vec256 = lo_values in + let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta1 zeta1 zeta1 zeta1 zeta0 zeta0 zeta0 zeta0 + in + let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply differences zetas + in + let a:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 = + { + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 32l sums differences + } + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + in + let b:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 = + { + Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value + = + Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 49l sums differences + } + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + in + a, b + <: + (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) + let invert_ntt_at_layer_0___round (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) (index: usize) 
@@ -157,59 +256,6 @@ let invert_ntt_at_layer_0_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_V in re -let simd_unit_invert_ntt_at_layer_1_ - (simd_unit0 simd_unit1: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (zeta00 zeta01 zeta10 zeta11: i32) - = - let lo_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 simd_unit0 simd_unit1 - in - let hi_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 simd_unit0 simd_unit1 - in - let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 = hi_values in - let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract differences lo_values - in - let lo_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lo_values hi_values - in - let sums:Libcrux_intrinsics.Avx2_extract.t_Vec256 = lo_values in - let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta11 - zeta11 - zeta01 - zeta01 - zeta10 - zeta10 - zeta00 - zeta00 - in - let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply differences zetas - in - let a:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 = - { - Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value - = - Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 sums differences - } - <: - Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 - in - let b:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 = - { - Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value - = - Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 sums differences - } - <: - Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 - in - a, b - <: - (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) - let invert_ntt_at_layer_1___round (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) (index: usize) 
@@ -286,52 +332,6 @@ let invert_ntt_at_layer_1_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_V in re -let simd_unit_invert_ntt_at_layer_2_ - (simd_unit0 simd_unit1: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (zeta0 zeta1: i32) - = - let lo_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 32l simd_unit0 simd_unit1 - in - let hi_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 49l simd_unit0 simd_unit1 - in - let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 = hi_values in - let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract differences lo_values - in - let lo_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lo_values hi_values - in - let sums:Libcrux_intrinsics.Avx2_extract.t_Vec256 = lo_values in - let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta1 zeta1 zeta1 zeta1 zeta0 zeta0 zeta0 zeta0 - in - let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply differences zetas - in - let a:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 = - { - Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value - = - Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 32l sums differences - } - <: - Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 - in - let b:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 = - { - Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value - = - Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 49l sums differences - } - <: - Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 - in - a, b - <: - (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) - let invert_ntt_at_layer_2___round (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) (index: usize) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fsti index 0903ff088..1a8aab701 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fsti @@ -3,6 +3,10 @@ module Libcrux_ml_dsa.Simd.Avx2.Invntt open Core open FStar.Mul +let invert_ntt_montgomery__inv_inner__FACTOR: i32 = 41978l + +let simd_unit_invert_ntt_at_layer_0___SHUFFLE: i32 = 216l + let invert_ntt_at_layer_3___STEP: usize = sz 8 let invert_ntt_at_layer_3___STEP_BY: usize = sz 1 @@ -23,10 +27,6 @@ let invert_ntt_at_layer_7___STEP: usize = sz 128 let invert_ntt_at_layer_7___STEP_BY: usize = sz 16 -let invert_ntt_montgomery__inv_inner__FACTOR: i32 = 41978l - -let simd_unit_invert_ntt_at_layer_0___SHUFFLE: i32 = 216l - val simd_unit_invert_ntt_at_layer_0_ (simd_unit0 simd_unit1: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta00 zeta01 zeta02 zeta03 zeta10 zeta11 zeta12 zeta13: i32) @@ -34,6 +34,20 @@ val simd_unit_invert_ntt_at_layer_0_ (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 ) Prims.l_True (fun _ -> Prims.l_True) +val simd_unit_invert_ntt_at_layer_1_ + (simd_unit0 simd_unit1: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (zeta00 zeta01 zeta10 zeta11: i32) + : Prims.Pure + (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + ) Prims.l_True (fun _ -> Prims.l_True) + +val simd_unit_invert_ntt_at_layer_2_ + (simd_unit0 simd_unit1: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (zeta0 zeta1: i32) + : Prims.Pure + (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 + ) Prims.l_True (fun _ -> Prims.l_True) + val invert_ntt_at_layer_0___round (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) (index: usize) 
@@ -47,13 +61,6 @@ val invert_ntt_at_layer_0_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_V Prims.l_True (fun _ -> Prims.l_True) -val simd_unit_invert_ntt_at_layer_1_ - (simd_unit0 simd_unit1: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (zeta00 zeta01 zeta10 zeta11: i32) - : Prims.Pure - (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 - ) Prims.l_True (fun _ -> Prims.l_True) - val invert_ntt_at_layer_1___round (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) (index: usize) @@ -67,13 +74,6 @@ val invert_ntt_at_layer_1_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_V Prims.l_True (fun _ -> Prims.l_True) -val simd_unit_invert_ntt_at_layer_2_ - (simd_unit0 simd_unit1: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (zeta0 zeta1: i32) - : Prims.Pure - (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 - ) Prims.l_True (fun _ -> Prims.l_True) - val invert_ntt_at_layer_2___round (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) (index: usize) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti index 02c44d807..deb938edd 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti @@ -21,6 +21,12 @@ val ntt_at_layer_7_and_6___mul Prims.l_True (fun _ -> Prims.l_True) +let ntt_at_layer_7_and_6___STEP_BY_7_: usize = + sz 2 *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + +let ntt_at_layer_7_and_6___STEP_BY_6_: usize = + (sz 1 < Prims.l_True) + +val generate_shuffle_table: Prims.unit + -> Prims.Pure (t_Array (t_Array u8 (sz 16)) (sz 16)) Prims.l_True (fun _ -> Prims.l_True) + let v_SHUFFLE_TABLE: t_Array (t_Array u8 (sz 16)) (sz 16) = let list = [ 
@@ -132,9 +138,3 @@ let v_SHUFFLE_TABLE: t_Array (t_Array u8 (sz 16)) (sz 16) = in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); Rust_primitives.Hax.array_of_list 16 list - -val is_bit_set (number: usize) (bit_position: u8) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) - -val generate_shuffle_table: Prims.unit - -> Prims.Pure (t_Array (t_Array u8 (sz 16)) (sz 16)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst index cb7d7a4f1..4c64e4ac1 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst @@ -3,21 +3,6 @@ module Libcrux_ml_dsa.Simd.Avx2.Vector_type open Core open FStar.Mul -let from_coefficient_array (coefficient_array: t_Slice i32) (out: t_Vec256) = - let out:t_Vec256 = - { out with f_value = Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i32 coefficient_array } - <: - t_Vec256 - in - out - -let to_coefficient_array (value: t_Vec256) (out: t_Slice i32) = - let out:t_Slice i32 = Libcrux_intrinsics.Avx2_extract.mm256_storeu_si256_i32 out value.f_value in - out - -let zero (_: Prims.unit) = - { f_value = Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () } <: t_Vec256 - [@@ FStar.Tactics.Typeclasses.tcinstance] assume val impl': Core.Clone.t_Clone t_Vec256 
@@ -29,3 +14,18 @@ assume val impl_1': Core.Marker.t_Copy t_Vec256 let impl_1 = impl_1' + +let zero (_: Prims.unit) = + { f_value = Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () } <: t_Vec256 + +let from_coefficient_array (coefficient_array: t_Slice i32) (out: t_Vec256) = + let out:t_Vec256 = + { out with f_value = Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i32 coefficient_array } + <: + t_Vec256 + in + out + +let to_coefficient_array (value: t_Vec256) (out: t_Slice i32) = + let out:t_Slice i32 = Libcrux_intrinsics.Avx2_extract.mm256_storeu_si256_i32 out value.f_value in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti index 6d962b8d6..6c2f727dc 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti @@ -6,6 +6,15 @@ open FStar.Mul /// The vector type type t_Vec256 = { f_value:Libcrux_intrinsics.Avx2_extract.t_Vec256 } +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl:Core.Clone.t_Clone t_Vec256 + +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_1:Core.Marker.t_Copy t_Vec256 + +/// Create an all-zero vector coefficient +val zero: Prims.unit -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + /// Create a coefficient from an `i32` array val from_coefficient_array (coefficient_array: t_Slice i32) (out: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) 
@@ -13,12 +22,3 @@ val from_coefficient_array (coefficient_array: t_Slice i32) (out: t_Vec256) /// Write out the coefficient to an `i32` array val to_coefficient_array (value: t_Vec256) (out: t_Slice i32) : Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True) - -/// Create an all-zero vector coefficient -val zero: Prims.unit -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl:Core.Clone.t_Clone t_Vec256 - -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_1:Core.Marker.t_Copy t_Vec256 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst index 1564e438b..abc212b13 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst @@ -3,6 +3,8 @@ module Libcrux_ml_dsa.Simd.Portable.Arithmetic open Core open FStar.Mul +let get_n_least_significant_bits (n: u8) (value: u64) = value &. ((1uL <. gamma2 || low <. (Core.Ops.Arith.Neg.neg gamma2 <: i32) || 
@@ -10,117 +12,41 @@ let compute_one_hint (low high gamma2: i32) = then 1l else 0l -let get_n_least_significant_bits (n: u8) (value: u64) = value &. ((1uL <>! 23l in - fe -! (quotient *! Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) - -let montgomery_reduce_element (value: i64) = - let t:u64 = - (get_n_least_significant_bits v_MONTGOMERY_SHIFT (cast (value <: i64) <: u64) <: u64) *! - Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R - in - let k:i32 = cast (get_n_least_significant_bits v_MONTGOMERY_SHIFT t <: u64) <: i32 in - let k_times_modulus:i64 = - (cast (k <: i32) <: i64) *! (cast (Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) <: i64) - in - let c:i32 = cast (k_times_modulus >>! v_MONTGOMERY_SHIFT <: i64) <: i32 in - let value_high:i32 = cast (value >>! v_MONTGOMERY_SHIFT <: i64) <: i32 in - value_high -! c - -let montgomery_multiply_fe_by_fer (fe fer: i32) = - montgomery_reduce_element ((cast (fe <: i32) <: i64) *! (cast (fer <: i32) <: i64) <: i64) - -let decompose_element (gamma2 r: i32) = - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((r >. - (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) - <: - bool) && - (r <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) - in - () - in - let r:i32 = r +! ((r >>! 31l <: i32) &. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) in - let ceil_of_r_by_128_:i32 = (r +! 127l <: i32) >>! 7l in - let r1:i32 = - match gamma2 <: i32 with - | 95232l -> - let result:i32 = - ((ceil_of_r_by_128_ *! 11275l <: i32) +! (1l <>! 24l - in - (result ^. ((43l -! result <: i32) >>! 31l <: i32) <: i32) &. result - | 261888l -> - let result:i32 = - ((ceil_of_r_by_128_ *! 1025l <: i32) +! (1l <>! 22l - in - result &. 15l - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) - in - let alpha:i32 = gamma2 *! 2l in - let r0:i32 = r -! (r1 *! 
alpha <: i32) in - let r0:i32 = - r0 -! - (((((Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS -! 1l <: i32) /! 2l <: i32) -! r0 <: i32) >>! - 31l +let add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = + let lhs:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32) <: - i32) &. - Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS - <: - i32) - in - r0, r1 <: (i32 & i32) - -let power2round_element (t: i32) = - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((t >. - (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) - <: - bool) && - (t <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) - in - () - in - let t:i32 = t +! ((t >>! 31l <: i32) &. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) in - let t1:i32 = - ((t -! 1l <: i32) +! - (1l <>! - Libcrux_ml_dsa.Constants.v_BITS_IN_LOWER_PART_OF_T - in - let t0:i32 = t -! (t1 < - if r0 >. 0l - then if r1 =. 43l then 0l else r1 +! hint - else if r1 =. 0l then 43l else r1 -! hint - | 261888l -> if r0 >. 0l then (r1 +! hint <: i32) &. 15l else (r1 -! hint <: i32) &. 15l - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - + usize) + (fun lhs temp_1_ -> + let lhs:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = lhs in + let _:usize = temp_1_ in + true) + lhs + (fun lhs i -> + let lhs:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = lhs in + let i:usize = i in + { + lhs with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + i + ((lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) +! 
+ (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) + <: + i32) + <: + t_Array i32 (sz 8) + } <: - Rust_primitives.Hax.t_Never) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + in + lhs -let add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = +let subtract (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = let lhs:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #i32 @@ -142,7 +68,7 @@ let add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values i - ((lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) +! + ((lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) -! (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) <: i32) 
@@ -209,44 +135,64 @@ let compute_hint let hax_temp_output:usize = one_hints_count in hint, hax_temp_output <: (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize) -let decompose - (gamma2: i32) - (simd_unit low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - = - let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & +let power2round_element (t: i32) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((t >. + (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) + <: + bool) && + (t <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) + in + () + in + let t:i32 = t +! ((t >>! 31l <: i32) &. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) in + let t1:i32 = + ((t -! 1l <: i32) +! + (1l <>! + Libcrux_ml_dsa.Constants.v_BITS_IN_LOWER_PART_OF_T + in + let t0:i32 = t -! (t1 < - let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & + let t0, t1:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = temp_0_ in let _:usize = temp_1_ in true) - (high, low + (t0, t1 <: (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)) (fun temp_0_ i -> - let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & + let t0, t1:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = temp_0_ in let i:usize = i in let lhs, lhs_1_:(i32 & i32) = - decompose_element gamma2 - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) + power2round_element (t0.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) in - let low:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + let t0:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = { - low with + t0 with Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values = - 
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize low + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t0 .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values i lhs @@ -254,12 +200,12 @@ let decompose <: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in - let high:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + let t1:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = { - high with + t1 with Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize high + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1 .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values i lhs_1_ @@ -267,12 +213,12 @@ let decompose <: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in - high, low + t0, t1 <: (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)) in - low, high + t0, t1 <: (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) 
@@ -316,52 +262,13 @@ let infinity_norm_exceeds in result -let montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = - let lhs:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i32 - (lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32) - <: - usize) - (fun lhs temp_1_ -> - let lhs:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = lhs in - let _:usize = temp_1_ in - true) - lhs - (fun lhs i -> - let lhs:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = lhs in - let i:usize = i in - { - lhs with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values - i - (montgomery_reduce_element ((cast (lhs - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] - <: - i32) - <: - i64) *! - (cast (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) - <: - i64) - <: - i64) - <: - i32) - <: - t_Array i32 (sz 8) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - in - lhs +let reduce_element (fe: i32) = + let quotient:i32 = (fe +! (1l <>! 23l in + fe -! (quotient *! Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) -let montgomery_multiply_by_constant +let shift_left_then_reduce + (v_SHIFT_BY: i32) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - (c: i32) = let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = Rust_primitives.Hax.Folds.fold_range (sz 0) 
@@ -384,15 +291,12 @@ let montgomery_multiply_by_constant Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values i - (montgomery_reduce_element ((cast (simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] - <: - i32) + (reduce_element ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: - i64) *! - (cast (c <: i32) <: i64) + i32) <. + (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) + <: + bool) && + (r <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) + in + () + in + let r:i32 = r +! ((r >>! 31l <: i32) &. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) in + let ceil_of_r_by_128_:i32 = (r +! 127l <: i32) >>! 7l in + let r1:i32 = + match gamma2 <: i32 with + | 95232l -> + let result:i32 = + ((ceil_of_r_by_128_ *! 11275l <: i32) +! (1l <>! 24l + in + (result ^. ((43l -! result <: i32) >>! 31l <: i32) <: i32) &. result + | 261888l -> + let result:i32 = + ((ceil_of_r_by_128_ *! 1025l <: i32) +! (1l <>! 22l + in + result &. 15l + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + in + let alpha:i32 = gamma2 *! 2l in + let r0:i32 = r -! (r1 *! alpha <: i32) in + let r0:i32 = + r0 -! + (((((Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS -! 1l <: i32) /! 2l <: i32) -! r0 <: i32) >>! + 31l + <: + i32) &. + Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS + <: + i32) + in + r0, r1 <: (i32 & i32) + +let use_one_hint (gamma2 r hint: i32) = + let r0, r1:(i32 & i32) = decompose_element gamma2 r in + if hint =. 0l + then r1 + else + match gamma2 <: i32 with + | 95232l -> + if r0 >. 0l + then if r1 =. 43l then 0l else r1 +! hint + else if r1 =. 0l then 43l else r1 -! hint + | 261888l -> if r0 >. 0l then (r1 +! hint <: i32) &. 15l else (r1 -! hint <: i32) &. 
15l + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let decompose + (gamma2: i32) + (simd_unit low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + = + let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #i32 - (t0.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32) + (low.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32) <: usize) (fun temp_0_ temp_1_ -> - let t0, t1:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & + let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = temp_0_ in let _:usize = temp_1_ in true) - (t0, t1 + (high, low <: (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)) (fun temp_0_ i -> - let t0, t1:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & + let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = temp_0_ in let i:usize = i in let lhs, lhs_1_:(i32 & i32) = - power2round_element (t0.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) + decompose_element gamma2 + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) in - let t0:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + let low:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = { - t0 with + low with Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t0 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize low .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values i lhs 
@@ -444,12 +416,12 @@ let power2round (t0 t1: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) <: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in - let t1:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + let high:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = { - t1 with + high with Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize high .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values i lhs_1_ 
@@ -457,19 +429,70 @@ let power2round (t0 t1: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) <: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in - t0, t1 + high, low <: (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)) in - t0, t1 + low, high <: (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) -let shift_left_then_reduce - (v_SHIFT_BY: i32) +let use_hint (gamma2: i32) (simd_unit hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) = + let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32) + <: + usize) + (fun hint temp_1_ -> + let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = hint in + let _:usize = temp_1_ in + true) + hint + (fun hint i -> + let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = hint in + let i:usize = i in + { + hint with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values + i + (use_one_hint gamma2 + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) + (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) + <: + i32) + <: + t_Array i32 (sz 8) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + in + hint + +let montgomery_reduce_element (value: i64) = + let t:u64 = + (get_n_least_significant_bits v_MONTGOMERY_SHIFT (cast (value <: i64) <: u64) <: u64) *! + Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R + in + let k:i32 = cast (get_n_least_significant_bits v_MONTGOMERY_SHIFT t <: u64) <: i32 in + let k_times_modulus:i64 = + (cast (k <: i32) <: i64) *! 
(cast (Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) <: i64) + in + let c:i32 = cast (k_times_modulus >>! v_MONTGOMERY_SHIFT <: i64) <: i32 in + let value_high:i32 = cast (value >>! v_MONTGOMERY_SHIFT <: i64) <: i32 in + value_high -! c + +let montgomery_multiply_fe_by_fer (fe fer: i32) = + montgomery_reduce_element ((cast (fe <: i32) <: i64) *! (cast (fer <: i32) <: i64) <: i64) + +let montgomery_multiply_by_constant (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (c: i32) = let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = Rust_primitives.Hax.Folds.fold_range (sz 0) @@ -492,12 +515,15 @@ let shift_left_then_reduce Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values i - (reduce_element ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] + (montgomery_reduce_element ((cast (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] + <: + i32) <: - i32) < - let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = hint in - let _:usize = temp_1_ in - true) - hint - (fun hint i -> - let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = hint in - let i:usize = i in - { - hint with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values - i - (use_one_hint gamma2 - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) - (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) - <: - i32) - <: - t_Array i32 (sz 8) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - in - hint diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti index afb9b56a4..72abdc89a 100644 
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti @@ -5,29 +5,21 @@ open FStar.Mul let v_MONTGOMERY_SHIFT: u8 = 32uy -val compute_one_hint (low high gamma2: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) - val get_n_least_significant_bits (n: u8) (value: u64) : Prims.Pure u64 Prims.l_True (fun _ -> Prims.l_True) -val reduce_element (fe: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) - -val montgomery_reduce_element (value: i64) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) - -val montgomery_multiply_fe_by_fer (fe fer: i32) - : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) - -val decompose_element (gamma2 r: i32) : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) - -val power2round_element (t: i32) : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) - -val use_one_hint (gamma2 r hint: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) +val compute_one_hint (low high gamma2: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) val add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients Prims.l_True (fun _ -> Prims.l_True) +val subtract (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + Prims.l_True + (fun _ -> Prims.l_True) + val compute_hint (low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) (gamma2: i32) 
@@ -36,9 +28,9 @@ val compute_hint Prims.l_True (fun _ -> Prims.l_True) -val decompose - (gamma2: i32) - (simd_unit low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) +val power2round_element (t: i32) : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) + +val power2round (t0 t1: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) : Prims.Pure (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) 
@@ -50,38 +42,46 @@ val infinity_norm_exceeds (bound: i32) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) -val montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients - Prims.l_True - (fun _ -> Prims.l_True) +val reduce_element (fe: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) -val montgomery_multiply_by_constant +val shift_left_then_reduce + (v_SHIFT_BY: i32) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - (c: i32) : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients Prims.l_True (fun _ -> Prims.l_True) -val power2round (t0 t1: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) +val decompose_element (gamma2 r: i32) : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) + +val use_one_hint (gamma2 r hint: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val decompose + (gamma2: i32) + (simd_unit low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) : Prims.Pure (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) Prims.l_True (fun _ -> Prims.l_True) -val shift_left_then_reduce - (v_SHIFT_BY: i32) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) +val use_hint (gamma2: i32) (simd_unit hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients Prims.l_True (fun _ -> Prims.l_True) -val subtract (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) +val montgomery_reduce_element (value: i64) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_multiply_fe_by_fer (fe fer: i32) + : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_multiply_by_constant + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (c: i32) : Prims.Pure 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients Prims.l_True (fun _ -> Prims.l_True) -val use_hint (gamma2: i32) (simd_unit hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) +val montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst index d950169bc..c0abeeb68 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst 
@@ -3,6 +3,150 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.Error open Core open FStar.Mul +let serialize_when_eta_is_2_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) + = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 3 <: bool) + in + () + in + let coefficient0:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 0 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient1:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 1 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient2:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 2 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient3:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 3 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient4:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 4 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient5:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 5 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient6:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 6 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient7:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 7 ] <: i32) + <: + i32) + <: + u8 + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 0) + (((coefficient2 <>! 
2l <: u8) + <: + u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 2) + (((coefficient7 <>! 1l <: u8) + <: + u8) + in + serialized + +let serialize_when_eta_is_4_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) + = + let serialized:t_Slice u8 = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let coefficient0:u8 = + cast (serialize_when_eta_is_4___ETA -! (coefficients.[ sz 0 ] <: i32) <: i32) <: u8 + in + let coefficient1:u8 = + cast (serialize_when_eta_is_4___ETA -! (coefficients.[ sz 1 ] <: i32) <: i32) <: u8 + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + i + ((coefficient1 < serialize_when_eta_is_2_ simd_unit serialized + | Libcrux_ml_dsa.Constants.Eta_Four -> serialize_when_eta_is_4_ simd_unit serialized + in + serialized + let deserialize_when_eta_is_2_ (serialized: t_Slice u8) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) 
@@ -193,147 +337,3 @@ let deserialize | Libcrux_ml_dsa.Constants.Eta_Four -> deserialize_when_eta_is_4_ serialized out in out - -let serialize_when_eta_is_2_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - (serialized: t_Slice u8) - = - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 3 <: bool) - in - () - in - let coefficient0:u8 = - cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 0 ] <: i32) - <: - i32) - <: - u8 - in - let coefficient1:u8 = - cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 1 ] <: i32) - <: - i32) - <: - u8 - in - let coefficient2:u8 = - cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 2 ] <: i32) - <: - i32) - <: - u8 - in - let coefficient3:u8 = - cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 3 ] <: i32) - <: - i32) - <: - u8 - in - let coefficient4:u8 = - cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 4 ] <: i32) - <: - i32) - <: - u8 - in - let coefficient5:u8 = - cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 5 ] <: i32) - <: - i32) - <: - u8 - in - let coefficient6:u8 = - cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 6 ] <: i32) - <: - i32) - <: - u8 - in - let coefficient7:u8 = - cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 7 ] <: i32) - <: - i32) - <: - u8 - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 0) - (((coefficient2 <>! 
2l <: u8) - <: - u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 2) - (((coefficient7 <>! 1l <: u8) - <: - u8) - in - serialized - -let serialize_when_eta_is_4_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - (serialized: t_Slice u8) - = - let serialized:t_Slice u8 = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32) - (fun serialized temp_1_ -> - let serialized:t_Slice u8 = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Slice u8 = serialized in - let i, coefficients:(usize & t_Slice i32) = temp_1_ in - let coefficient0:u8 = - cast (serialize_when_eta_is_4___ETA -! (coefficients.[ sz 0 ] <: i32) <: i32) <: u8 - in - let coefficient1:u8 = - cast (serialize_when_eta_is_4___ETA -! (coefficients.[ sz 1 ] <: i32) <: i32) <: u8 - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - i - ((coefficient1 < serialize_when_eta_is_2_ simd_unit serialized - | Libcrux_ml_dsa.Constants.Eta_Four -> serialize_when_eta_is_4_ simd_unit serialized - in - serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti index 6ebce847f..5cfa7a48c 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti 
@@ -3,14 +3,28 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.Error open Core open FStar.Mul -let deserialize_when_eta_is_2___ETA: i32 = 2l - -let deserialize_when_eta_is_4___ETA: i32 = 4l - let serialize_when_eta_is_2___ETA: i32 = 2l +val serialize_when_eta_is_2_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + let serialize_when_eta_is_4___ETA: i32 = 4l +val serialize_when_eta_is_4_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +val serialize + (eta: Libcrux_ml_dsa.Constants.t_Eta) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +let deserialize_when_eta_is_2___ETA: i32 = 2l + val deserialize_when_eta_is_2_ (serialized: t_Slice u8) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) @@ -18,6 +32,8 @@ val deserialize_when_eta_is_2_ Prims.l_True (fun _ -> Prims.l_True) +let deserialize_when_eta_is_4___ETA: i32 = 4l + val deserialize_when_eta_is_4_ (serialized: t_Slice u8) (simd_units: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) 
@@ -32,19 +48,3 @@ val deserialize : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients Prims.l_True (fun _ -> Prims.l_True) - -val serialize_when_eta_is_2_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - (serialized: t_Slice u8) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_when_eta_is_4_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - (serialized: t_Slice u8) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -val serialize - (eta: Libcrux_ml_dsa.Constants.t_Eta) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - (serialized: t_Slice u8) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst index 6a637b6b9..db22697c6 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst 
@@ -3,6 +3,177 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1 open Core open FStar.Mul +let serialize_when_gamma1_is_2_pow_17_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) + = + let serialized:t_Slice u8 = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let coefficient0:i32 = + serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 0 ] <: i32) + in + let coefficient1:i32 = + serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 1 ] <: i32) + in + let coefficient2:i32 = + serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 2 ] <: i32) + in + let coefficient3:i32 = + serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 3 ] <: i32) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 9 *! i <: usize) + (cast (coefficient0 <: i32) <: u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 1 <: usize) + (cast (coefficient0 >>! 8l <: i32) <: u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 2 <: usize) + (cast (coefficient0 >>! 16l <: i32) <: u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 2 <: usize) + ((serialized.[ (sz 9 *! i <: usize) +! sz 2 <: usize ] <: u8) |. + (cast (coefficient1 <>! 
6l <: i32) <: u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 4 <: usize) + (cast (coefficient1 >>! 14l <: i32) <: u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 4 <: usize) + ((serialized.[ (sz 9 *! i <: usize) +! sz 4 <: usize ] <: u8) |. + (cast (coefficient2 <>! 4l <: i32) <: u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 6 <: usize) + (cast (coefficient2 >>! 12l <: i32) <: u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 6 <: usize) + ((serialized.[ (sz 9 *! i <: usize) +! sz 6 <: usize ] <: u8) |. + (cast (coefficient3 <>! 2l <: i32) <: u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 8 <: usize) + (cast (coefficient3 >>! 10l <: i32) <: u8) + in + serialized) + in + serialized + +let serialize_when_gamma1_is_2_pow_19_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) + = + let serialized:t_Slice u8 = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let coefficient0:i32 = + serialize_when_gamma1_is_2_pow_19___GAMMA1 -! (coefficients.[ sz 0 ] <: i32) + in + let coefficient1:i32 = + serialize_when_gamma1_is_2_pow_19___GAMMA1 -! 
(coefficients.[ sz 1 ] <: i32) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 5 *! i <: usize) + (cast (coefficient0 <: i32) <: u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 1 <: usize) + (cast (coefficient0 >>! 8l <: i32) <: u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 2 <: usize) + (cast (coefficient0 >>! 16l <: i32) <: u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 2 <: usize) + ((serialized.[ (sz 5 *! i <: usize) +! sz 2 <: usize ] <: u8) |. + (cast (coefficient1 <>! 4l <: i32) <: u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 4 <: usize) + (cast (coefficient1 >>! 12l <: i32) <: u8) + in + serialized) + in + serialized + +let serialize + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) + (gamma1_exponent: usize) + = + let serialized:t_Slice u8 = + match cast (gamma1_exponent <: usize) <: u8 with + | 17uy -> serialize_when_gamma1_is_2_pow_17_ simd_unit serialized + | 19uy -> serialize_when_gamma1_is_2_pow_19_ simd_unit serialized + | _ -> serialized + in + serialized + let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) 
@@ -204,174 +375,3 @@ let deserialize | _ -> out in out - -let serialize_when_gamma1_is_2_pow_17_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - (serialized: t_Slice u8) - = - let serialized:t_Slice u8 = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4) - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32) - (fun serialized temp_1_ -> - let serialized:t_Slice u8 = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Slice u8 = serialized in - let i, coefficients:(usize & t_Slice i32) = temp_1_ in - let coefficient0:i32 = - serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 0 ] <: i32) - in - let coefficient1:i32 = - serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 1 ] <: i32) - in - let coefficient2:i32 = - serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 2 ] <: i32) - in - let coefficient3:i32 = - serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 3 ] <: i32) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 9 *! i <: usize) - (cast (coefficient0 <: i32) <: u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 9 *! i <: usize) +! sz 1 <: usize) - (cast (coefficient0 >>! 8l <: i32) <: u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 9 *! i <: usize) +! sz 2 <: usize) - (cast (coefficient0 >>! 16l <: i32) <: u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 9 *! i <: usize) +! sz 2 <: usize) - ((serialized.[ (sz 9 *! i <: usize) +! sz 2 <: usize ] <: u8) |. - (cast (coefficient1 <>! 6l <: i32) <: u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 9 *! 
i <: usize) +! sz 4 <: usize) - (cast (coefficient1 >>! 14l <: i32) <: u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 9 *! i <: usize) +! sz 4 <: usize) - ((serialized.[ (sz 9 *! i <: usize) +! sz 4 <: usize ] <: u8) |. - (cast (coefficient2 <>! 4l <: i32) <: u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 9 *! i <: usize) +! sz 6 <: usize) - (cast (coefficient2 >>! 12l <: i32) <: u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 9 *! i <: usize) +! sz 6 <: usize) - ((serialized.[ (sz 9 *! i <: usize) +! sz 6 <: usize ] <: u8) |. - (cast (coefficient3 <>! 2l <: i32) <: u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 9 *! i <: usize) +! sz 8 <: usize) - (cast (coefficient3 >>! 10l <: i32) <: u8) - in - serialized) - in - serialized - -let serialize_when_gamma1_is_2_pow_19_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - (serialized: t_Slice u8) - = - let serialized:t_Slice u8 = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32) - (fun serialized temp_1_ -> - let serialized:t_Slice u8 = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Slice u8 = serialized in - let i, coefficients:(usize & t_Slice i32) = temp_1_ in - let coefficient0:i32 = - serialize_when_gamma1_is_2_pow_19___GAMMA1 -! (coefficients.[ sz 0 ] <: i32) - in - let coefficient1:i32 = - serialize_when_gamma1_is_2_pow_19___GAMMA1 -! (coefficients.[ sz 1 ] <: i32) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 5 *! 
i <: usize) - (cast (coefficient0 <: i32) <: u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 5 *! i <: usize) +! sz 1 <: usize) - (cast (coefficient0 >>! 8l <: i32) <: u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 5 *! i <: usize) +! sz 2 <: usize) - (cast (coefficient0 >>! 16l <: i32) <: u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 5 *! i <: usize) +! sz 2 <: usize) - ((serialized.[ (sz 5 *! i <: usize) +! sz 2 <: usize ] <: u8) |. - (cast (coefficient1 <>! 4l <: i32) <: u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 5 *! i <: usize) +! sz 4 <: usize) - (cast (coefficient1 >>! 12l <: i32) <: u8) - in - serialized) - in - serialized - -let serialize - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - (serialized: t_Slice u8) - (gamma1_exponent: usize) - = - let serialized:t_Slice u8 = - match cast (gamma1_exponent <: usize) <: u8 with - | 17uy -> serialize_when_gamma1_is_2_pow_17_ simd_unit serialized - | 19uy -> serialize_when_gamma1_is_2_pow_19_ simd_unit serialized - | _ -> serialized - in - serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti index 4c6ce1b08..674b82261 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti 
@@ -3,19 +3,30 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1 open Core open FStar.Mul -let deserialize_when_gamma1_is_2_pow_17___GAMMA1: i32 = 1l < Prims.l_True) -let deserialize_when_gamma1_is_2_pow_19___GAMMA1: i32 = 1l < Prims.l_True) -let serialize_when_gamma1_is_2_pow_17___GAMMA1: i32 = 1l < Prims.l_True) -let serialize_when_gamma1_is_2_pow_19___GAMMA1: i32 = 1l < Prims.l_True) +let deserialize_when_gamma1_is_2_pow_19___GAMMA1: i32 = 1l < Prims.l_True) - -val serialize_when_gamma1_is_2_pow_17_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - (serialized: t_Slice u8) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_when_gamma1_is_2_pow_19_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - (serialized: t_Slice u8) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -val serialize - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - (serialized: t_Slice u8) - (gamma1_exponent: usize) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst index e39c1468a..6e36d4fd7 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst 
@@ -6,6 +6,144 @@ open FStar.Mul let change_t0_interval (t0: i32) = (1l <>! 8l <: i32) <: u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 1) + ((serialized.[ sz 1 ] <: u8) |. (cast (coefficient1 <>! 3l <: i32) <: u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 3) + (cast (coefficient1 >>! 11l <: i32) <: u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 3) + ((serialized.[ sz 3 ] <: u8) |. (cast (coefficient2 <>! 6l <: i32) <: u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 4) + ((serialized.[ sz 4 ] <: u8) |. (cast (coefficient3 <>! 1l <: i32) <: u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 6) + (cast (coefficient3 >>! 9l <: i32) <: u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 6) + ((serialized.[ sz 6 ] <: u8) |. (cast (coefficient4 <>! 4l <: i32) <: u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 8) + (cast (coefficient4 >>! 12l <: i32) <: u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 8) + ((serialized.[ sz 8 ] <: u8) |. (cast (coefficient5 <>! 7l <: i32) <: u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 9) + ((serialized.[ sz 9 ] <: u8) |. (cast (coefficient6 <>! 2l <: i32) <: u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 11) + (cast (coefficient6 >>! 
10l <: i32) <: u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 11) + ((serialized.[ sz 11 ] <: u8) |. (cast (coefficient7 <>! 5l <: i32) <: u8) + in + serialized + let deserialize (serialized: t_Slice u8) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) 
@@ -164,141 +302,3 @@ let deserialize Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients in simd_unit - -let serialize - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - (serialized: t_Slice u8) - = - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 13 <: bool) - in - () - in - let coefficient0:i32 = - change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 0 ] <: i32) - in - let coefficient1:i32 = - change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 1 ] <: i32) - in - let coefficient2:i32 = - change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 2 ] <: i32) - in - let coefficient3:i32 = - change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 3 ] <: i32) - in - let coefficient4:i32 = - change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 4 ] <: i32) - in - let coefficient5:i32 = - change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 5 ] <: i32) - in - let coefficient6:i32 = - change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 6 ] <: i32) - in - let coefficient7:i32 = - change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 7 ] <: i32) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 0) - (cast (coefficient0 <: i32) <: u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 1) - (cast (coefficient0 >>! 8l <: i32) <: u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 1) - ((serialized.[ sz 1 ] <: u8) |. (cast (coefficient1 <>! 
3l <: i32) <: u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 3) - (cast (coefficient1 >>! 11l <: i32) <: u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 3) - ((serialized.[ sz 3 ] <: u8) |. (cast (coefficient2 <>! 6l <: i32) <: u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 4) - ((serialized.[ sz 4 ] <: u8) |. (cast (coefficient3 <>! 1l <: i32) <: u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 6) - (cast (coefficient3 >>! 9l <: i32) <: u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 6) - ((serialized.[ sz 6 ] <: u8) |. (cast (coefficient4 <>! 4l <: i32) <: u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 8) - (cast (coefficient4 >>! 12l <: i32) <: u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 8) - ((serialized.[ sz 8 ] <: u8) |. (cast (coefficient5 <>! 7l <: i32) <: u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 9) - ((serialized.[ sz 9 ] <: u8) |. (cast (coefficient6 <>! 2l <: i32) <: u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 11) - (cast (coefficient6 >>! 10l <: i32) <: u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 11) - ((serialized.[ sz 11 ] <: u8) |. (cast (coefficient7 <>! 5l <: i32) <: u8) - in - serialized 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fsti index 6d5bd9cba..d7d151e10 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fsti @@ -5,6 +5,11 @@ open FStar.Mul val change_t0_interval (t0: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) +val serialize + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + let deserialize__BITS_IN_LOWER_PART_OF_T_MASK: i32 = (1l < Prims.l_True) - -val serialize - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - (serialized: t_Slice u8) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst index 80f5daa84..042122b1d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst 
@@ -3,6 +3,67 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.T1 open Core open FStar.Mul +let serialize + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) + = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 10 <: bool) + in + () + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 5 *! i <: usize) + (cast ((coefficients.[ sz 0 ] <: i32) &. 255l <: i32) <: u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 1 <: usize) + (((cast ((coefficients.[ sz 1 ] <: i32) &. 63l <: i32) <: u8) <>! 8l <: i32) &. 3l <: i32) <: u8) + <: + u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 2 <: usize) + (((cast ((coefficients.[ sz 2 ] <: i32) &. 15l <: i32) <: u8) <>! 6l <: i32) &. 15l <: i32) <: u8) + <: + u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 3 <: usize) + (((cast ((coefficients.[ sz 3 ] <: i32) &. 3l <: i32) <: u8) <>! 4l <: i32) &. 63l <: i32) <: u8) + <: + u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 4 <: usize) + (cast (((coefficients.[ sz 3 ] <: i32) >>! 2l <: i32) &. 
255l <: i32) <: u8) + in + serialized) + in + serialized + let deserialize (serialized: t_Slice u8) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) 
@@ -87,64 +148,3 @@ let deserialize simd_unit) in simd_unit - -let serialize - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - (serialized: t_Slice u8) - = - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 10 <: bool) - in - () - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4) - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32) - (fun serialized temp_1_ -> - let serialized:t_Slice u8 = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Slice u8 = serialized in - let i, coefficients:(usize & t_Slice i32) = temp_1_ in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 5 *! i <: usize) - (cast ((coefficients.[ sz 0 ] <: i32) &. 255l <: i32) <: u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 5 *! i <: usize) +! sz 1 <: usize) - (((cast ((coefficients.[ sz 1 ] <: i32) &. 63l <: i32) <: u8) <>! 8l <: i32) &. 3l <: i32) <: u8) - <: - u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 5 *! i <: usize) +! sz 2 <: usize) - (((cast ((coefficients.[ sz 2 ] <: i32) &. 15l <: i32) <: u8) <>! 6l <: i32) &. 15l <: i32) <: u8) - <: - u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 5 *! i <: usize) +! sz 3 <: usize) - (((cast ((coefficients.[ sz 3 ] <: i32) &. 3l <: i32) <: u8) <>! 4l <: i32) &. 63l <: i32) <: u8) - <: - u8) - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 5 *! i <: usize) +! sz 4 <: usize) - (cast (((coefficients.[ sz 3 ] <: i32) >>! 2l <: i32) &. 
255l <: i32) <: u8) - in - serialized) - in - serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti index 2ae66a6cb..726580f6d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti @@ -3,14 +3,14 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.T1 open Core open FStar.Mul +val serialize + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + val deserialize (serialized: t_Slice u8) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients Prims.l_True (fun _ -> Prims.l_True) - -val serialize - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - (serialized: t_Slice u8) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fst index e31da3316..e6edfbc00 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fst 
@@ -155,127 +155,6 @@ let simd_unit_invert_ntt_at_layer_0_ in simd_unit -let invert_ntt_at_layer_0___round - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) - (index: usize) - (zeta0 zeta1 zeta2 zeta3: i32) - = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - index - (simd_unit_invert_ntt_at_layer_0_ (re.[ index ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - zeta0 - zeta1 - zeta2 - zeta3 - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - in - re - -let invert_ntt_at_layer_0_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) - = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 0) 1976782l (-846154l) 1400424l 3937738l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 1) (-1362209l) (-48306l) 3919660l (-554416l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 2) (-3545687l) 1612842l (-976891l) 183443l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 3) (-2286327l) (-420899l) (-2235985l) (-2939036l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 4) (-3833893l) (-260646l) (-1104333l) (-1667432l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 5) 1910376l (-1803090l) 1723600l (-426683l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 6) 472078l 1717735l (-975884l) 2213111l - in - let re:t_Array 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 7) 269760l 3866901l 3523897l (-3038916l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 8) (-1799107l) (-3694233l) 1652634l 810149l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 9) 3014001l 1616392l 162844l (-3183426l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 10) (-1207385l) 185531l 3369112l 1957272l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 11) (-164721l) 2454455l 2432395l (-2013608l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 12) (-3776993l) 594136l (-3724270l) (-2584293l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 13) (-1846953l) (-1671176l) (-2831860l) (-542412l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 14) 3406031l 2235880l 777191l 1500165l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 15) (-1374803l) (-2546312l) 1917081l (-1279661l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 16) (-1962642l) 3306115l 1312455l (-451100l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 17) (-1430225l) (-3318210l) 1237275l (-1333058l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 18) 
(-1050970l) 1903435l 1869119l (-2994039l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 19) (-3548272l) 2635921l 1250494l (-3767016l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 20) 1595974l 2486353l 1247620l 4055324l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 21) 1265009l (-2590150l) 2691481l 2842341l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 22) 203044l 1735879l (-3342277l) 3437287l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 23) 4108315l (-2437823l) 286988l 342297l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 24) (-3595838l) (-768622l) (-525098l) (-3556995l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 25) 3207046l 2031748l (-3122442l) (-655327l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 26) (-522500l) (-43260l) (-1613174l) 495491l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 27) 819034l 909542l 1859098l 900702l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 28) (-3193378l) (-1197226l) (-3759364l) (-3520352l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 29) 3513181l (-1235728l) 2434439l 266997l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients 
(sz 32) = - invert_ntt_at_layer_0___round re (sz 30) (-3562462l) (-2446433l) 2244091l (-3342478l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_0___round re (sz 31) 3817976l 2316500l 3407706l 2091667l - in - re - let simd_unit_invert_ntt_at_layer_1_ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) (zeta0 zeta1: i32) 
@@ -422,125 +301,6 @@ let simd_unit_invert_ntt_at_layer_1_ in simd_unit -let invert_ntt_at_layer_1___round - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) - (index: usize) - (zeta_00_ zeta_01_: i32) - = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - index - (simd_unit_invert_ntt_at_layer_1_ (re.[ index ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - zeta_00_ - zeta_01_ - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - in - re - -let invert_ntt_at_layer_1_ - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) - = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 0) 3839961l (-3628969l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 1) (-3881060l) (-3019102l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 2) (-1439742l) (-812732l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 3) (-1584928l) 1285669l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 4) 1341330l 1315589l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 5) (-177440l) (-2409325l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 6) (-1851402l) 3159746l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 7) (-3553272l) 189548l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients 
(sz 32) = - invert_ntt_at_layer_1___round re (sz 8) (-1316856l) 759969l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 9) (-210977l) 2389356l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 10) (-3249728l) 1653064l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 11) (-8578l) (-3724342l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 12) 3958618l 904516l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 13) (-1100098l) 44288l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 14) 3097992l 508951l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 15) 264944l (-3343383l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 16) (-1430430l) 1852771l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 17) 1349076l (-381987l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 18) (-1308169l) (-22981l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 19) (-1228525l) (-671102l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 20) (-2477047l) (-411027l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - 
invert_ntt_at_layer_1___round re (sz 21) (-3693493l) (-2967645l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 22) 2715295l 2147896l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 23) (-983419l) 3412210l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 24) 126922l (-3632928l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 25) (-3157330l) (-3190144l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 26) (-1000202l) (-4083598l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 27) 1939314l (-1257611l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 28) (-1585221l) 2176455l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 29) 3475950l (-1452451l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 30) (-3041255l) (-3677745l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - invert_ntt_at_layer_1___round re (sz 31) (-1528703l) (-3930395l) - in - re - let simd_unit_invert_ntt_at_layer_2_ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) (zeta: i32) 
@@ -683,6 +443,246 @@ let simd_unit_invert_ntt_at_layer_2_ in simd_unit +let invert_ntt_at_layer_0___round + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + (index: usize) + (zeta0 zeta1 zeta2 zeta3: i32) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + index + (simd_unit_invert_ntt_at_layer_0_ (re.[ index ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + zeta0 + zeta1 + zeta2 + zeta3 + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + in + re + +let invert_ntt_at_layer_0_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 0) 1976782l (-846154l) 1400424l 3937738l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 1) (-1362209l) (-48306l) 3919660l (-554416l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 2) (-3545687l) 1612842l (-976891l) 183443l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 3) (-2286327l) (-420899l) (-2235985l) (-2939036l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 4) (-3833893l) (-260646l) (-1104333l) (-1667432l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 5) 1910376l (-1803090l) 1723600l (-426683l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 6) 472078l 1717735l (-975884l) 2213111l + in + let re:t_Array 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 7) 269760l 3866901l 3523897l (-3038916l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 8) (-1799107l) (-3694233l) 1652634l 810149l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 9) 3014001l 1616392l 162844l (-3183426l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 10) (-1207385l) 185531l 3369112l 1957272l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 11) (-164721l) 2454455l 2432395l (-2013608l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 12) (-3776993l) 594136l (-3724270l) (-2584293l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 13) (-1846953l) (-1671176l) (-2831860l) (-542412l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 14) 3406031l 2235880l 777191l 1500165l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 15) (-1374803l) (-2546312l) 1917081l (-1279661l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 16) (-1962642l) 3306115l 1312455l (-451100l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 17) (-1430225l) (-3318210l) 1237275l (-1333058l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 18) 
(-1050970l) 1903435l 1869119l (-2994039l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 19) (-3548272l) 2635921l 1250494l (-3767016l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 20) 1595974l 2486353l 1247620l 4055324l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 21) 1265009l (-2590150l) 2691481l 2842341l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 22) 203044l 1735879l (-3342277l) 3437287l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 23) 4108315l (-2437823l) 286988l 342297l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 24) (-3595838l) (-768622l) (-525098l) (-3556995l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 25) 3207046l 2031748l (-3122442l) (-655327l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 26) (-522500l) (-43260l) (-1613174l) 495491l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 27) 819034l 909542l 1859098l 900702l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 28) (-3193378l) (-1197226l) (-3759364l) (-3520352l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 29) 3513181l (-1235728l) 2434439l 266997l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients 
(sz 32) = + invert_ntt_at_layer_0___round re (sz 30) (-3562462l) (-2446433l) 2244091l (-3342478l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_0___round re (sz 31) 3817976l 2316500l 3407706l 2091667l + in + re + +let invert_ntt_at_layer_1___round + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + (index: usize) + (zeta_00_ zeta_01_: i32) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + index + (simd_unit_invert_ntt_at_layer_1_ (re.[ index ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + zeta_00_ + zeta_01_ + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + in + re + +let invert_ntt_at_layer_1_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 0) 3839961l (-3628969l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 1) (-3881060l) (-3019102l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 2) (-1439742l) (-812732l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 3) (-1584928l) 1285669l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 4) 1341330l 1315589l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 5) (-177440l) (-2409325l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 6) (-1851402l) 3159746l + in + let re:t_Array 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 7) (-3553272l) 189548l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 8) (-1316856l) 759969l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 9) (-210977l) 2389356l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 10) (-3249728l) 1653064l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 11) (-8578l) (-3724342l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 12) 3958618l 904516l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 13) (-1100098l) 44288l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 14) 3097992l 508951l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 15) 264944l (-3343383l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 16) (-1430430l) 1852771l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 17) 1349076l (-381987l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 18) (-1308169l) (-22981l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 19) (-1228525l) (-671102l) + in + let re:t_Array 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 20) (-2477047l) (-411027l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 21) (-3693493l) (-2967645l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 22) 2715295l 2147896l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 23) (-983419l) 3412210l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 24) 126922l (-3632928l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 25) (-3157330l) (-3190144l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 26) (-1000202l) (-4083598l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 27) 1939314l (-1257611l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 28) (-1585221l) 2176455l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 29) 3475950l (-1452451l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 30) (-3041255l) (-3677745l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + invert_ntt_at_layer_1___round re (sz 31) (-1528703l) (-3930395l) + in + re + let invert_ntt_at_layer_2___round (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) (index: usize) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fsti index d5accef63..60ae81a83 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fsti @@ -36,6 +36,20 @@ val simd_unit_invert_ntt_at_layer_0_ Prims.l_True (fun _ -> Prims.l_True) +val simd_unit_invert_ntt_at_layer_1_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (zeta0 zeta1: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + Prims.l_True + (fun _ -> Prims.l_True) + +val simd_unit_invert_ntt_at_layer_2_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (zeta: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + Prims.l_True + (fun _ -> Prims.l_True) + val invert_ntt_at_layer_0___round (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) (index: usize) @@ -50,13 +64,6 @@ val invert_ntt_at_layer_0_ Prims.l_True (fun _ -> Prims.l_True) -val simd_unit_invert_ntt_at_layer_1_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - (zeta0 zeta1: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients - Prims.l_True - (fun _ -> Prims.l_True) - val invert_ntt_at_layer_1___round (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) (index: usize) @@ -71,13 +78,6 @@ val invert_ntt_at_layer_1_ Prims.l_True (fun _ -> Prims.l_True) -val simd_unit_invert_ntt_at_layer_2_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - (zeta: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients - Prims.l_True - (fun _ -> Prims.l_True) - val invert_ntt_at_layer_2___round (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) (index: usize) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst index a3cb8b326..e986c9984 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst 
@@ -141,125 +141,6 @@ let simd_unit_ntt_at_layer_0_ in simd_unit -let ntt_at_layer_0___round - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) - (index: usize) - (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32) - = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - index - (simd_unit_ntt_at_layer_0_ (re.[ index ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - zeta_0_ - zeta_1_ - zeta_2_ - zeta_3_ - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - in - re - -let ntt_at_layer_0_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 0) 2091667l 3407706l 2316500l 3817976l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 1) (-3342478l) 2244091l (-2446433l) (-3562462l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 2) 266997l 2434439l (-1235728l) 3513181l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 3) (-3520352l) (-3759364l) (-1197226l) (-3193378l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 4) 900702l 1859098l 909542l 819034l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 5) 495491l (-1613174l) (-43260l) (-522500l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 6) (-655327l) (-3122442l) 2031748l 3207046l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 7) (-3556995l) (-525098l) 
(-768622l) (-3595838l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 8) 342297l 286988l (-2437823l) 4108315l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 9) 3437287l (-3342277l) 1735879l 203044l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 10) 2842341l 2691481l (-2590150l) 1265009l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 11) 4055324l 1247620l 2486353l 1595974l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 12) (-3767016l) 1250494l 2635921l (-3548272l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 13) (-2994039l) 1869119l 1903435l (-1050970l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 14) (-1333058l) 1237275l (-3318210l) (-1430225l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 15) (-451100l) 1312455l 3306115l (-1962642l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 16) (-1279661l) 1917081l (-2546312l) (-1374803l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 17) 1500165l 777191l 2235880l 3406031l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 18) (-542412l) (-2831860l) (-1671176l) (-1846953l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 19) (-2584293l) (-3724270l) 594136l (-3776993l) 
- in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 20) (-2013608l) 2432395l 2454455l (-164721l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 21) 1957272l 3369112l 185531l (-1207385l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 22) (-3183426l) 162844l 1616392l 3014001l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 23) 810149l 1652634l (-3694233l) (-1799107l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 24) (-3038916l) 3523897l 3866901l 269760l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 25) 2213111l (-975884l) 1717735l 472078l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 26) (-426683l) 1723600l (-1803090l) 1910376l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 27) (-1667432l) (-1104333l) (-260646l) (-3833893l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 28) (-2939036l) (-2235985l) (-420899l) (-2286327l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 29) 183443l (-976891l) 1612842l (-3545687l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 30) (-554416l) 3919660l (-48306l) (-1362209l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_0___round re (sz 31) 3937738l 1400424l (-846154l) 1976782l - in - re - let 
simd_unit_ntt_at_layer_1_ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) (zeta1 zeta2: i32) 
@@ -398,123 +279,6 @@ let simd_unit_ntt_at_layer_1_ in simd_unit -let ntt_at_layer_1___round - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) - (index: usize) - (zeta_0_ zeta_1_: i32) - = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - index - (simd_unit_ntt_at_layer_1_ (re.[ index ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - zeta_0_ - zeta_1_ - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - in - re - -let ntt_at_layer_1_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) = - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 0) (-3930395l) (-1528703l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 1) (-3677745l) (-3041255l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 2) (-1452451l) 3475950l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 3) 2176455l (-1585221l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 4) (-1257611l) 1939314l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 5) (-4083598l) (-1000202l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 6) (-3190144l) (-3157330l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 7) (-3632928l) 126922l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 8) 3412210l (-983419l) - in - let 
re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 9) 2147896l 2715295l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 10) (-2967645l) (-3693493l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 11) (-411027l) (-2477047l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 12) (-671102l) (-1228525l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 13) (-22981l) (-1308169l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 14) (-381987l) 1349076l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 15) 1852771l (-1430430l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 16) (-3343383l) 264944l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 17) 508951l 3097992l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 18) 44288l (-1100098l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 19) 904516l 3958618l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 20) (-3724342l) (-8578l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 21) 1653064l (-3249728l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 22) 2389356l 
(-210977l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 23) 759969l (-1316856l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 24) 189548l (-3553272l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 25) 3159746l (-1851402l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 26) (-2409325l) (-177440l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 27) 1315589l 1341330l - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 28) 1285669l (-1584928l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 29) (-812732l) (-1439742l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 30) (-3019102l) (-3881060l) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = - ntt_at_layer_1___round re (sz 31) (-3628969l) 3839961l - in - re - let simd_unit_ntt_at_layer_2_ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) (zeta: i32) 
@@ -653,6 +417,242 @@ let simd_unit_ntt_at_layer_2_ in simd_unit +let ntt_at_layer_0___round + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + (index: usize) + (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + index + (simd_unit_ntt_at_layer_0_ (re.[ index ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + zeta_0_ + zeta_1_ + zeta_2_ + zeta_3_ + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + in + re + +let ntt_at_layer_0_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 0) 2091667l 3407706l 2316500l 3817976l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 1) (-3342478l) 2244091l (-2446433l) (-3562462l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 2) 266997l 2434439l (-1235728l) 3513181l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 3) (-3520352l) (-3759364l) (-1197226l) (-3193378l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 4) 900702l 1859098l 909542l 819034l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 5) 495491l (-1613174l) (-43260l) (-522500l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 6) (-655327l) (-3122442l) 2031748l 3207046l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 7) (-3556995l) (-525098l) 
(-768622l) (-3595838l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 8) 342297l 286988l (-2437823l) 4108315l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 9) 3437287l (-3342277l) 1735879l 203044l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 10) 2842341l 2691481l (-2590150l) 1265009l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 11) 4055324l 1247620l 2486353l 1595974l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 12) (-3767016l) 1250494l 2635921l (-3548272l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 13) (-2994039l) 1869119l 1903435l (-1050970l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 14) (-1333058l) 1237275l (-3318210l) (-1430225l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 15) (-451100l) 1312455l 3306115l (-1962642l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 16) (-1279661l) 1917081l (-2546312l) (-1374803l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 17) 1500165l 777191l 2235880l 3406031l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 18) (-542412l) (-2831860l) (-1671176l) (-1846953l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 19) (-2584293l) (-3724270l) 594136l (-3776993l) 
+ in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 20) (-2013608l) 2432395l 2454455l (-164721l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 21) 1957272l 3369112l 185531l (-1207385l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 22) (-3183426l) 162844l 1616392l 3014001l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 23) 810149l 1652634l (-3694233l) (-1799107l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 24) (-3038916l) 3523897l 3866901l 269760l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 25) 2213111l (-975884l) 1717735l 472078l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 26) (-426683l) 1723600l (-1803090l) 1910376l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 27) (-1667432l) (-1104333l) (-260646l) (-3833893l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 28) (-2939036l) (-2235985l) (-420899l) (-2286327l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 29) 183443l (-976891l) 1612842l (-3545687l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 30) (-554416l) 3919660l (-48306l) (-1362209l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_0___round re (sz 31) 3937738l 1400424l (-846154l) 1976782l + in + re + +let 
ntt_at_layer_1___round + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) + (index: usize) + (zeta_0_ zeta_1_: i32) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + index + (simd_unit_ntt_at_layer_1_ (re.[ index ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + zeta_0_ + zeta_1_ + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + in + re + +let ntt_at_layer_1_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 0) (-3930395l) (-1528703l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 1) (-3677745l) (-3041255l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 2) (-1452451l) 3475950l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 3) 2176455l (-1585221l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 4) (-1257611l) 1939314l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 5) (-4083598l) (-1000202l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 6) (-3190144l) (-3157330l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 7) (-3632928l) 126922l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 8) 3412210l (-983419l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + 
ntt_at_layer_1___round re (sz 9) 2147896l 2715295l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 10) (-2967645l) (-3693493l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 11) (-411027l) (-2477047l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 12) (-671102l) (-1228525l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 13) (-22981l) (-1308169l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 14) (-381987l) 1349076l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 15) 1852771l (-1430430l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 16) (-3343383l) 264944l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 17) 508951l 3097992l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 18) 44288l (-1100098l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 19) 904516l 3958618l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 20) (-3724342l) (-8578l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 21) 1653064l (-3249728l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 22) 2389356l (-210977l) + in + let re:t_Array 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 23) 759969l (-1316856l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 24) 189548l (-3553272l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 25) 3159746l (-1851402l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 26) (-2409325l) (-177440l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 27) 1315589l 1341330l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 28) 1285669l (-1584928l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 29) (-812732l) (-1439742l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 30) (-3019102l) (-3881060l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) = + ntt_at_layer_1___round re (sz 31) (-3628969l) 3839961l + in + re + let ntt_at_layer_2___round (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) (index: usize) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti index 71ab0dd53..9260ae01e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti 
@@ -30,6 +30,20 @@ val simd_unit_ntt_at_layer_0_ Prims.l_True (fun _ -> Prims.l_True) +val simd_unit_ntt_at_layer_1_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (zeta1 zeta2: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + Prims.l_True + (fun _ -> Prims.l_True) + +val simd_unit_ntt_at_layer_2_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) + (zeta: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients + Prims.l_True + (fun _ -> Prims.l_True) + val ntt_at_layer_0___round (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) (index: usize) @@ -43,13 +57,6 @@ val ntt_at_layer_0_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coef Prims.l_True (fun _ -> Prims.l_True) -val simd_unit_ntt_at_layer_1_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - (zeta1 zeta2: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients - Prims.l_True - (fun _ -> Prims.l_True) - val ntt_at_layer_1___round (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) (index: usize) @@ -63,13 +70,6 @@ val ntt_at_layer_1_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coef Prims.l_True (fun _ -> Prims.l_True) -val simd_unit_ntt_at_layer_2_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) - (zeta: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients - Prims.l_True - (fun _ -> Prims.l_True) - val ntt_at_layer_2___round (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) (index: usize) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst index b381e5f1b..5eaf95b8b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst @@ -3,6 +3,37 @@ module Libcrux_ml_dsa.Simd.Portable.Sample open Core open FStar.Mul +let rejection_sample_less_than_field_modulus (randomness: t_Slice u8) (out: t_Slice i32) = + let sampled:usize = sz 0 in + let out, sampled:(t_Slice i32 & usize) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_ChunksExact + u8) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__chunks_exact #u8 randomness (sz 3) <: Core.Slice.Iter.t_ChunksExact u8) + <: + Core.Slice.Iter.t_ChunksExact u8) + (out, sampled <: (t_Slice i32 & usize)) + (fun temp_0_ bytes -> + let out, sampled:(t_Slice i32 & usize) = temp_0_ in + let bytes:t_Slice u8 = bytes in + let b0:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in + let b1:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in + let b2:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in + let coefficient:i32 = + (((b2 < - let out, sampled:(t_Slice i32 & usize) = temp_0_ in - let bytes:t_Slice u8 = bytes in - let b0:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in - let b1:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in - let b2:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in - let coefficient:i32 = - (((b2 < Prims.l_True) -val rejection_sample_less_than_eta_equals_4_ (randomness: t_Slice u8) (out: t_Slice i32) +val rejection_sample_less_than_eta_equals_2_ (randomness: t_Slice u8) (out: t_Slice i32) : Prims.Pure (t_Slice i32 & usize) Prims.l_True (fun _ -> Prims.l_True) -val rejection_sample_less_than_field_modulus (randomness: t_Slice u8) (out: t_Slice i32) +val rejection_sample_less_than_eta_equals_4_ (randomness: t_Slice u8) (out: t_Slice i32) : Prims.Pure (t_Slice i32 & usize) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst index 8ef8d81cb..e22fddbe3 100644 
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst @@ -17,6 +17,10 @@ let impl_1 = impl_1' let zero (_: Prims.unit) = { f_values = Rust_primitives.Hax.repeat 0l (sz 8) } <: t_Coefficients +let to_coefficient_array (value: t_Coefficients) (out: t_Slice i32) = + let out:t_Slice i32 = Core.Slice.impl__copy_from_slice #i32 out (value.f_values <: t_Slice i32) in + out + let from_coefficient_array (array: t_Slice i32) (out: t_Coefficients) = let out:t_Coefficients = { @@ -38,7 +42,3 @@ let from_coefficient_array (array: t_Slice i32) (out: t_Coefficients) = t_Coefficients in out - -let to_coefficient_array (value: t_Coefficients) (out: t_Slice i32) = - let out:t_Slice i32 = Core.Slice.impl__copy_from_slice #i32 out (value.f_values <: t_Slice i32) in - out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fsti index 9084fe638..3e5a91527 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fsti @@ -13,8 +13,8 @@ val impl_1:Core.Marker.t_Copy t_Coefficients val zero: Prims.unit -> Prims.Pure t_Coefficients Prims.l_True (fun _ -> Prims.l_True) -val from_coefficient_array (array: t_Slice i32) (out: t_Coefficients) - : Prims.Pure t_Coefficients Prims.l_True (fun _ -> Prims.l_True) - val to_coefficient_array (value: t_Coefficients) (out: t_Slice i32) : Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True) + +val from_coefficient_array (array: t_Slice i32) (out: t_Coefficients) + : Prims.Pure t_Coefficients Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti index b67afeff8..de175f072 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti @@ -3,6 +3,15 @@ module Libcrux_ml_dsa.Simd.Traits open Core open FStar.Mul +let v_COEFFICIENTS_IN_SIMD_UNIT: usize = sz 8 + +let v_SIMD_UNITS_IN_RING_ELEMENT: usize = + Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! v_COEFFICIENTS_IN_SIMD_UNIT + +let v_FIELD_MODULUS: i32 = 8380417l + +let v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u64 = 58728449uL + class t_Operations (v_Self: Type0) = { [@@@ FStar.Tactics.Typeclasses.no_method]_super_13011033735201511749:Core.Marker.t_Copy v_Self; [@@@ FStar.Tactics.Typeclasses.no_method]_super_9529721400157967266:Core.Clone.t_Clone v_Self; @@ -156,12 +165,3 @@ class t_Operations (v_Self: Type0) = { (f_invert_ntt_montgomery_pre x0) (fun result -> f_invert_ntt_montgomery_post x0 result) } - -let v_COEFFICIENTS_IN_SIMD_UNIT: usize = sz 8 - -let v_FIELD_MODULUS: i32 = 8380417l - -let v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u64 = 58728449uL - -let v_SIMD_UNITS_IN_RING_ELEMENT: usize = - Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! v_COEFFICIENTS_IN_SIMD_UNIT diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst index 18c957ce8..41c19ffa2 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst 
@@ -3,56 +3,67 @@ module Libcrux_ml_dsa.Types open Core open FStar.Mul -let impl__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE +[@@ FStar.Tactics.Typeclasses.tcinstance] +assume +val impl_1': v_SIZE: usize -> Core.Clone.t_Clone (t_MLDSASigningKey v_SIZE) -let impl_2__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE +let impl_1 (v_SIZE: usize) = impl_1' v_SIZE -let impl_4__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE +let impl__zero (v_SIZE: usize) (_: Prims.unit) = + { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MLDSASigningKey v_SIZE -let impl_4__as_ref (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) = self.f_value +let impl__new (v_SIZE: usize) (value: t_Array u8 v_SIZE) = + { f_value = value } <: t_MLDSASigningKey v_SIZE -let impl_4__new (v_SIZE: usize) (value: t_Array u8 v_SIZE) = - { f_value = value } <: t_MLDSASignature v_SIZE +let impl__as_slice (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) = self.f_value <: t_Slice u8 let impl__as_ref (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) = self.f_value -let impl__new (v_SIZE: usize) (value: t_Array u8 v_SIZE) = - { f_value = value } <: t_MLDSASigningKey v_SIZE +let impl__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE -let impl_2__as_ref (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE) = self.f_value +[@@ FStar.Tactics.Typeclasses.tcinstance] +assume +val impl_3': v_SIZE: usize -> Core.Clone.t_Clone (t_MLDSAVerificationKey v_SIZE) + +let impl_3 (v_SIZE: usize) = impl_3' v_SIZE + +let impl_2__zero (v_SIZE: usize) (_: Prims.unit) = + { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MLDSAVerificationKey v_SIZE let impl_2__new (v_SIZE: usize) (value: t_Array u8 v_SIZE) = { f_value = value } <: t_MLDSAVerificationKey v_SIZE -let t_SigningError_cast_to_repr (x: t_SigningError) = - match x <: t_SigningError with - | SigningError_RejectionSamplingError -> isz 0 - | SigningError_ContextTooLongError -> isz 1 +let impl_2__as_slice (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE) = + self.f_value <: 
t_Slice u8 -let t_VerificationError_cast_to_repr (x: t_VerificationError) = - match x <: t_VerificationError with - | VerificationError_MalformedHintError -> isz 0 - | VerificationError_SignerResponseExceedsBoundError -> isz 1 - | VerificationError_CommitmentHashesDontMatchError -> isz 3 - | VerificationError_VerificationContextTooLongError -> isz 6 +let impl_2__as_ref (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE) = self.f_value + +let impl_2__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE [@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl_1': v_SIZE: usize -> Core.Clone.t_Clone (t_MLDSASigningKey v_SIZE) +val impl_5': v_SIZE: usize -> Core.Clone.t_Clone (t_MLDSASignature v_SIZE) -let impl_1 (v_SIZE: usize) = impl_1' v_SIZE +let impl_5 (v_SIZE: usize) = impl_5' v_SIZE -[@@ FStar.Tactics.Typeclasses.tcinstance] -assume -val impl_3': v_SIZE: usize -> Core.Clone.t_Clone (t_MLDSAVerificationKey v_SIZE) +let impl_4__zero (v_SIZE: usize) (_: Prims.unit) = + { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MLDSASignature v_SIZE -let impl_3 (v_SIZE: usize) = impl_3' v_SIZE +let impl_4__new (v_SIZE: usize) (value: t_Array u8 v_SIZE) = + { f_value = value } <: t_MLDSASignature v_SIZE -[@@ FStar.Tactics.Typeclasses.tcinstance] -assume -val impl_5': v_SIZE: usize -> Core.Clone.t_Clone (t_MLDSASignature v_SIZE) +let impl_4__as_slice (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) = self.f_value <: t_Slice u8 -let impl_5 (v_SIZE: usize) = impl_5' v_SIZE +let impl_4__as_ref (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) = self.f_value + +let impl_4__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE + +let t_VerificationError_cast_to_repr (x: t_VerificationError) = + match x <: t_VerificationError with + | VerificationError_MalformedHintError -> isz 0 + | VerificationError_SignerResponseExceedsBoundError -> isz 1 + | VerificationError_CommitmentHashesDontMatchError -> isz 3 + | VerificationError_VerificationContextTooLongError -> isz 6 [@@ 
FStar.Tactics.Typeclasses.tcinstance] assume @@ -60,24 +71,13 @@ val impl_6': Core.Fmt.t_Debug t_VerificationError let impl_6 = impl_6' +let t_SigningError_cast_to_repr (x: t_SigningError) = + match x <: t_SigningError with + | SigningError_RejectionSamplingError -> isz 0 + | SigningError_ContextTooLongError -> isz 1 + [@@ FStar.Tactics.Typeclasses.tcinstance] assume val impl_7': Core.Fmt.t_Debug t_SigningError let impl_7 = impl_7' - -let impl__zero (v_SIZE: usize) (_: Prims.unit) = - { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MLDSASigningKey v_SIZE - -let impl_2__zero (v_SIZE: usize) (_: Prims.unit) = - { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MLDSAVerificationKey v_SIZE - -let impl_4__zero (v_SIZE: usize) (_: Prims.unit) = - { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MLDSASignature v_SIZE - -let impl__as_slice (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) = self.f_value <: t_Slice u8 - -let impl_2__as_slice (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE) = - self.f_value <: t_Slice u8 - -let impl_4__as_slice (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) = self.f_value <: t_Slice u8 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti index 03b14dde4..54f32683e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti 
@@ -3,49 +3,82 @@ module Libcrux_ml_dsa.Types open Core open FStar.Mul -/// The number of bytes -val impl__len: v_SIZE: usize -> Prims.unit -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) - -/// The number of bytes -val impl_2__len: v_SIZE: usize -> Prims.unit - -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) - -/// The number of bytes -val impl_4__len: v_SIZE: usize -> Prims.unit - -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) +///An ML-DSA signature key. +type t_MLDSASigningKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } -///An ML-DSA signature. -type t_MLDSASignature (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_1 (v_SIZE: usize) : Core.Clone.t_Clone (t_MLDSASigningKey v_SIZE) -/// A reference to the raw byte array. -val impl_4__as_ref (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) - : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True) +/// Init with zero +val impl__zero: v_SIZE: usize -> Prims.unit + -> Prims.Pure (t_MLDSASigningKey v_SIZE) Prims.l_True (fun _ -> Prims.l_True) /// Build -val impl_4__new (v_SIZE: usize) (value: t_Array u8 v_SIZE) - : Prims.Pure (t_MLDSASignature v_SIZE) Prims.l_True (fun _ -> Prims.l_True) +val impl__new (v_SIZE: usize) (value: t_Array u8 v_SIZE) + : Prims.Pure (t_MLDSASigningKey v_SIZE) Prims.l_True (fun _ -> Prims.l_True) -///An ML-DSA signature key. -type t_MLDSASigningKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } +/// A reference to the raw byte slice. +val impl__as_slice (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) /// A reference to the raw byte array. 
val impl__as_ref (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True) -/// Build -val impl__new (v_SIZE: usize) (value: t_Array u8 v_SIZE) - : Prims.Pure (t_MLDSASigningKey v_SIZE) Prims.l_True (fun _ -> Prims.l_True) +/// The number of bytes +val impl__len: v_SIZE: usize -> Prims.unit -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) ///An ML-DSA verification key. type t_MLDSAVerificationKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_3 (v_SIZE: usize) : Core.Clone.t_Clone (t_MLDSAVerificationKey v_SIZE) + +/// Init with zero +val impl_2__zero: v_SIZE: usize -> Prims.unit + -> Prims.Pure (t_MLDSAVerificationKey v_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +/// Build +val impl_2__new (v_SIZE: usize) (value: t_Array u8 v_SIZE) + : Prims.Pure (t_MLDSAVerificationKey v_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +/// A reference to the raw byte slice. +val impl_2__as_slice (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + /// A reference to the raw byte array. val impl_2__as_ref (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE) : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True) +/// The number of bytes +val impl_2__len: v_SIZE: usize -> Prims.unit + -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) + +///An ML-DSA signature. 
+type t_MLDSASignature (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_5 (v_SIZE: usize) : Core.Clone.t_Clone (t_MLDSASignature v_SIZE) + +/// Init with zero +val impl_4__zero: v_SIZE: usize -> Prims.unit + -> Prims.Pure (t_MLDSASignature v_SIZE) Prims.l_True (fun _ -> Prims.l_True) + /// Build -val impl_2__new (v_SIZE: usize) (value: t_Array u8 v_SIZE) - : Prims.Pure (t_MLDSAVerificationKey v_SIZE) Prims.l_True (fun _ -> Prims.l_True) +val impl_4__new (v_SIZE: usize) (value: t_Array u8 v_SIZE) + : Prims.Pure (t_MLDSASignature v_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +/// A reference to the raw byte slice. +val impl_4__as_slice (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +/// A reference to the raw byte array. +val impl_4__as_ref (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) + : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +/// The number of bytes +val impl_4__len: v_SIZE: usize -> Prims.unit + -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) /// An ML-DSA key pair. type t_MLDSAKeyPair (v_VERIFICATION_KEY_SIZE: usize) (v_SIGNING_KEY_SIZE: usize) = { @@ -53,13 +86,6 @@ type t_MLDSAKeyPair (v_VERIFICATION_KEY_SIZE: usize) (v_SIGNING_KEY_SIZE: usize) f_verification_key:t_MLDSAVerificationKey v_VERIFICATION_KEY_SIZE } -type t_SigningError = - | SigningError_RejectionSamplingError : t_SigningError - | SigningError_ContextTooLongError : t_SigningError - -val t_SigningError_cast_to_repr (x: t_SigningError) - : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) - type t_VerificationError = | VerificationError_MalformedHintError : t_VerificationError | VerificationError_SignerResponseExceedsBoundError : t_VerificationError 
@@ -70,40 +96,14 @@ val t_VerificationError_cast_to_repr (x: t_VerificationError) : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_1 (v_SIZE: usize) : Core.Clone.t_Clone (t_MLDSASigningKey v_SIZE) - -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_3 (v_SIZE: usize) : Core.Clone.t_Clone (t_MLDSAVerificationKey v_SIZE) +val impl_6:Core.Fmt.t_Debug t_VerificationError -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_5 (v_SIZE: usize) : Core.Clone.t_Clone (t_MLDSASignature v_SIZE) +type t_SigningError = + | SigningError_RejectionSamplingError : t_SigningError + | SigningError_ContextTooLongError : t_SigningError -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_6:Core.Fmt.t_Debug t_VerificationError +val t_SigningError_cast_to_repr (x: t_SigningError) + : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] val impl_7:Core.Fmt.t_Debug t_SigningError - -/// Init with zero -val impl__zero: v_SIZE: usize -> Prims.unit - -> Prims.Pure (t_MLDSASigningKey v_SIZE) Prims.l_True (fun _ -> Prims.l_True) - -/// Init with zero -val impl_2__zero: v_SIZE: usize -> Prims.unit - -> Prims.Pure (t_MLDSAVerificationKey v_SIZE) Prims.l_True (fun _ -> Prims.l_True) - -/// Init with zero -val impl_4__zero: v_SIZE: usize -> Prims.unit - -> Prims.Pure (t_MLDSASignature v_SIZE) Prims.l_True (fun _ -> Prims.l_True) - -/// A reference to the raw byte slice. -val impl__as_slice (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -/// A reference to the raw byte slice. -val impl_2__as_slice (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -/// A reference to the raw byte slice. -val impl_4__as_slice (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst index 184d21930..e5061f519 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst @@ -97,9 +97,6 @@ let compare (lhs rhs: t_Slice u8) = in is_non_zero r -let compare_ciphertexts_in_constant_time (lhs rhs: t_Slice u8) = - Core.Hint.black_box #u8 (compare lhs rhs <: u8) - #push-options "--ifuel 0 --z3rlimit 50" let select_ct (lhs rhs: t_Slice u8) (selector: u8) = @@ -186,6 +183,9 @@ let select_ct (lhs rhs: t_Slice u8) (selector: u8) = #pop-options +let compare_ciphertexts_in_constant_time (lhs rhs: t_Slice u8) = + Core.Hint.black_box #u8 (compare lhs rhs <: u8) + let select_shared_secret_in_constant_time (lhs rhs: t_Slice u8) (selector: u8) = Core.Hint.black_box #(t_Array u8 (sz 32)) (select_ct lhs rhs selector <: t_Array u8 (sz 32)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti index 981aa5aa1..34491dcac 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti @@ -30,14 +30,6 @@ val compare (lhs rhs: t_Slice u8) let result:u8 = result in (lhs == rhs ==> result == 0uy) /\ (lhs =!= rhs ==> result == 1uy)) -val compare_ciphertexts_in_constant_time (lhs rhs: t_Slice u8) - : Prims.Pure u8 - (requires (Core.Slice.impl__len #u8 lhs <: usize) =. (Core.Slice.impl__len #u8 rhs <: usize)) - (ensures - fun result -> - let result:u8 = result in - (lhs == rhs ==> result == 0uy) /\ (lhs =!= rhs ==> result == 1uy)) - /// If `selector` is not zero, return the bytes in `rhs`; return the bytes in /// `lhs` otherwise. val select_ct (lhs rhs: t_Slice u8) (selector: u8) 
@@ -50,6 +42,14 @@ val select_ct (lhs rhs: t_Slice u8) (selector: u8) let result:t_Array u8 (sz 32) = result in (selector == 0uy ==> result == lhs) /\ (selector =!= 0uy ==> result == rhs)) +val compare_ciphertexts_in_constant_time (lhs rhs: t_Slice u8) + : Prims.Pure u8 + (requires (Core.Slice.impl__len #u8 lhs <: usize) =. (Core.Slice.impl__len #u8 rhs <: usize)) + (ensures + fun result -> + let result:u8 = result in + (lhs == rhs ==> result == 0uy) /\ (lhs =!= rhs ==> result == 1uy)) + val select_shared_secret_in_constant_time (lhs rhs: t_Slice u8) (selector: u8) : Prims.Pure (t_Array u8 (sz 32)) (requires diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti index 1c3fdf673..e50920433 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti @@ -15,13 +15,13 @@ let v_BITS_PER_RING_ELEMENT: usize = v_COEFFICIENTS_IN_RING_ELEMENT *! sz 12 /// Bytes required per (uncompressed) ring element let v_BYTES_PER_RING_ELEMENT: usize = v_BITS_PER_RING_ELEMENT /! sz 8 -let v_CPA_PKE_KEY_GENERATION_SEED_SIZE: usize = sz 32 +/// The size of an ML-KEM shared secret. +let v_SHARED_SECRET_SIZE: usize = sz 32 -/// SHA3 512 digest size -let v_G_DIGEST_SIZE: usize = sz 64 +let v_CPA_PKE_KEY_GENERATION_SEED_SIZE: usize = sz 32 /// SHA3 256 digest size let v_H_DIGEST_SIZE: usize = sz 32 -/// The size of an ML-KEM shared secret. -let v_SHARED_SECRET_SIZE: usize = sz 32 +/// SHA3 512 digest size +let v_G_DIGEST_SIZE: usize = sz 64 diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fst index e5d447350..b35c46a25 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fst 
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fst @@ -8,12 +8,6 @@ val t_Simd256Hash': eqtype let t_Simd256Hash = t_Simd256Hash' -[@@ FStar.Tactics.Typeclasses.tcinstance] -assume -val impl': v_K: usize -> Libcrux_ml_kem.Hash_functions.t_Hash t_Simd256Hash v_K - -let impl (v_K: usize) = impl' v_K - assume val v_G': input: t_Slice u8 -> Prims.Pure (t_Array u8 (sz 64)) @@ -79,3 +73,9 @@ val shake128_squeeze_next_block': v_K: usize -> st: t_Simd256Hash (fun _ -> Prims.l_True) let shake128_squeeze_next_block (v_K: usize) = shake128_squeeze_next_block' v_K + +[@@ FStar.Tactics.Typeclasses.tcinstance] +assume +val impl': v_K: usize -> Libcrux_ml_kem.Hash_functions.t_Hash t_Simd256Hash v_K + +let impl (v_K: usize) = impl' v_K diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti index c830bb8f6..d57a03f50 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti @@ -8,9 +8,6 @@ open FStar.Mul /// All other functions don\'t actually use any members. val t_Simd256Hash:eqtype -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd256Hash v_K - val v_G (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True @@ -55,3 +52,6 @@ val shake128_squeeze_next_block (v_K: usize) (st: t_Simd256Hash) : Prims.Pure (t_Simd256Hash & t_Array (t_Array u8 (sz 168)) v_K) Prims.l_True (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd256Hash v_K diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fst index 8c2d78e3f..71d96ffcd 100644 
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fst @@ -8,12 +8,6 @@ val t_Simd128Hash': eqtype let t_Simd128Hash = t_Simd128Hash' -[@@ FStar.Tactics.Typeclasses.tcinstance] -assume -val impl': v_K: usize -> Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K - -let impl (v_K: usize) = impl' v_K - assume val v_G': input: t_Slice u8 -> Prims.Pure (t_Array u8 (sz 64)) @@ -79,3 +73,9 @@ val shake128_squeeze_next_block': v_K: usize -> st: t_Simd128Hash (fun _ -> Prims.l_True) let shake128_squeeze_next_block (v_K: usize) = shake128_squeeze_next_block' v_K + +[@@ FStar.Tactics.Typeclasses.tcinstance] +assume +val impl': v_K: usize -> Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K + +let impl (v_K: usize) = impl' v_K diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti index 1a7c6875a..31ac2d75f 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti @@ -8,9 +8,6 @@ open FStar.Mul /// All other functions don\'t actually use any members. val t_Simd128Hash:eqtype -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K - val v_G (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True @@ -55,3 +52,6 @@ val shake128_squeeze_next_block (v_K: usize) (st: t_Simd128Hash) : Prims.Pure (t_Simd128Hash & t_Array (t_Array u8 (sz 168)) v_K) Prims.l_True (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fst index 7ed902f04..688ad2278 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fst @@ -8,12 +8,6 @@ val t_PortableHash': v_K: usize -> eqtype let t_PortableHash (v_K: usize) = t_PortableHash' v_K -[@@ FStar.Tactics.Typeclasses.tcinstance] -assume -val impl': v_K: usize -> Libcrux_ml_kem.Hash_functions.t_Hash (t_PortableHash v_K) v_K - -let impl (v_K: usize) = impl' v_K - assume val v_G': input: t_Slice u8 -> Prims.Pure (t_Array u8 (sz 64)) @@ -79,3 +73,9 @@ val shake128_squeeze_next_block': v_K: usize -> st: t_PortableHash v_K (fun _ -> Prims.l_True) let shake128_squeeze_next_block (v_K: usize) = shake128_squeeze_next_block' v_K + +[@@ FStar.Tactics.Typeclasses.tcinstance] +assume +val impl': v_K: usize -> Libcrux_ml_kem.Hash_functions.t_Hash (t_PortableHash v_K) v_K + +let impl (v_K: usize) = impl' v_K diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti index 661213d58..6d8dee682 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti @@ -8,9 +8,6 @@ open FStar.Mul /// All other functions don\'t actually use any members. val t_PortableHash (v_K: usize) : eqtype -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash (t_PortableHash v_K) v_K - val v_G (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True 
@@ -55,3 +52,6 @@ val shake128_squeeze_next_block (v_K: usize) (st: t_PortableHash v_K) : Prims.Pure (t_PortableHash v_K & t_Array (t_Array u8 (sz 168)) v_K) Prims.l_True (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash (t_PortableHash v_K) v_K diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fst index ec28ee0ba..d3c42e003 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fst 
@@ -13,59 +13,65 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -let decapsulate_avx2 - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - = - Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE - v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE - v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 - v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE - #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash - key_pair ciphertext - -let decapsulate - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K +let unpack_public_key_avx2 + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) = - decapsulate_avx2 v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE - v_T_AS_NTT_ENCODED_SIZE 
v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 - v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE key_pair ciphertext + let unpacked_public_key:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = + Libcrux_ml_kem.Ind_cca.Unpacked.unpack_public_key v_K + v_T_AS_NTT_ENCODED_SIZE + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + public_key + unpacked_public_key + in + unpacked_public_key -let encapsulate_avx2 - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: +let unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE - v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 - v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector - #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash public_key randomness + let unpacked_public_key:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = + unpack_public_key_avx2 v_K + v_T_AS_NTT_ENCODED_SIZE + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + public_key + unpacked_public_key + in + unpacked_public_key -let encapsulate - (v_K 
v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: +let keypair_from_private_key + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE: usize) - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) = - encapsulate_avx2 v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE - v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN - v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE public_key randomness + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = + Libcrux_ml_kem.Ind_cca.Unpacked.keys_from_private_key v_K + v_SECRET_KEY_SIZE + v_CPA_SECRET_KEY_SIZE + v_PUBLIC_KEY_SIZE + v_BYTES_PER_RING_ELEMENT + v_T_AS_NTT_ENCODED_SIZE + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + private_key + key_pair + in + key_pair let generate_keypair_avx2 (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: 
@@ -106,62 +112,56 @@ let generate_keypair in out -let keypair_from_private_key - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE: +let encapsulate_avx2 + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) = - let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = - Libcrux_ml_kem.Ind_cca.Unpacked.keys_from_private_key v_K - v_SECRET_KEY_SIZE - v_CPA_SECRET_KEY_SIZE - v_PUBLIC_KEY_SIZE - v_BYTES_PER_RING_ELEMENT - v_T_AS_NTT_ENCODED_SIZE - #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector - private_key - key_pair - in - key_pair + Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE + v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR + v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash public_key randomness -let unpack_public_key_avx2 - (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - (unpacked_public_key: +let encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: 
+ usize) + (public_key: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) = - let unpacked_public_key:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = - Libcrux_ml_kem.Ind_cca.Unpacked.unpack_public_key v_K - v_T_AS_NTT_ENCODED_SIZE - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash - #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector - public_key - unpacked_public_key - in - unpacked_public_key + encapsulate_avx2 v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE + v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN + v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE public_key randomness -let unpack_public_key - (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - (unpacked_public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K +let decapsulate_avx2 + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) = - let unpacked_public_key:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = - unpack_public_key_avx2 v_K - v_T_AS_NTT_ENCODED_SIZE - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - public_key - unpacked_public_key - in - unpacked_public_key + 
Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE + v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE + v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 + v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash + key_pair ciphertext + +let decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + decapsulate_avx2 v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE + v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR + v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE key_pair ciphertext diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fsti index b55a38fd3..97a744e17 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fsti 
@@ -13,47 +13,88 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -val decapsulate_avx2 - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: +/// Get the unpacked public key. +val unpack_public_key_avx2 + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (requires + Spec.MLKEM.is_rank v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ + v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K) + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (requires + Spec.MLKEM.is_rank v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ + v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K) + (fun _ -> Prims.l_True) + +/// Take a serialized private key and generate an unpacked key pair from it. 
+val keypair_from_private_key + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE: usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) (requires - Spec.MLKEM.is_rank v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) + Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ + v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ + v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K) (fun _ -> Prims.l_True) -/// Unpacked decapsulate -val decapsulate - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE 
v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: +val generate_keypair_avx2 + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (key_pair: + (randomness: t_Array u8 (sz 64)) + (out: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) (requires - Spec.MLKEM.is_rank v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) + Spec.MLKEM.is_rank v_K /\ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ + v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ + v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K) + (fun _ -> Prims.l_True) + +/// Generate a key pair +val generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (randomness: t_Array u8 (sz 64)) + (out: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked 
v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (requires + Spec.MLKEM.is_rank v_K /\ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ + v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ + v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K) (fun _ -> Prims.l_True) val encapsulate_avx2 
@@ -97,86 +138,45 @@ val encapsulate v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) (fun _ -> Prims.l_True) -val generate_keypair_avx2 - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: - usize) - (randomness: t_Array u8 (sz 64)) - (out: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (requires - Spec.MLKEM.is_rank v_K /\ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K) - (fun _ -> Prims.l_True) - -/// Generate a key pair -val generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: +val decapsulate_avx2 + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) - (randomness: t_Array u8 (sz 64)) - (out: + (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) (requires - Spec.MLKEM.is_rank v_K /\ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_PUBLIC_KEY_SIZE 
== Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K) + Spec.MLKEM.is_rank v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ + v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ + v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ + v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ + v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ + v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ + v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ + v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ + v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ + v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) (fun _ -> Prims.l_True) -/// Take a serialized private key and generate an unpacked key pair from it. -val keypair_from_private_key - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE: +/// Unpacked decapsulate +val decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_T_AS_NTT_ENCODED_SIZE == 
Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K) - (fun _ -> Prims.l_True) - -/// Get the unpacked public key. -val unpack_public_key_avx2 - (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - (unpacked_public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (requires - Spec.MLKEM.is_rank v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K) - (fun _ -> Prims.l_True) - -/// Get the unpacked public key. -val unpack_public_key - (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - (unpacked_public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) (requires - Spec.MLKEM.is_rank v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K) + Spec.MLKEM.is_rank v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ + v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ + v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ + v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ + v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ + v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ + v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ + 
v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ + v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ + v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst index c6fa41647..6b2425a23 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst @@ -13,6 +13,15 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +let validate_private_key_only + (v_K v_SECRET_KEY_SIZE: usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + = + Libcrux_ml_kem.Ind_cca.validate_private_key_only v_K + v_SECRET_KEY_SIZE + #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash + private_key + let validate_private_key_avx2 (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) 
@@ -31,61 +40,6 @@ let validate_private_key (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) = validate_private_key_avx2 v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE private_key ciphertext -let validate_private_key_only - (v_K v_SECRET_KEY_SIZE: usize) - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - = - Libcrux_ml_kem.Ind_cca.validate_private_key_only v_K - v_SECRET_KEY_SIZE - #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash - private_key - -let decapsulate_avx2 - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - = - Libcrux_ml_kem.Ind_cca.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE - v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 - v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE - #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash - #Libcrux_ml_kem.Variant.t_MlKem private_key ciphertext - -let decapsulate - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - = - decapsulate_avx2 v_K v_SECRET_KEY_SIZE 
v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE - v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 - v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE private_key ciphertext - -let encapsulate_avx2 - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE - v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR - v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE - #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash - #Libcrux_ml_kem.Variant.t_MlKem public_key randomness - -let encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - (randomness: t_Array u8 (sz 32)) - = - encapsulate_avx2 v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE - v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN - v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE public_key randomness - let generate_keypair_avx2 (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) 
@@ -124,3 +78,49 @@ let validate_public_key (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) = validate_public_key_avx2 v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE public_key + +let encapsulate_avx2 + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE + v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR + v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash + #Libcrux_ml_kem.Variant.t_MlKem public_key randomness + +let encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (randomness: t_Array u8 (sz 32)) + = + encapsulate_avx2 v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE + v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN + v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE public_key randomness + +let decapsulate_avx2 + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + 
usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + Libcrux_ml_kem.Ind_cca.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE + v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR + v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash + #Libcrux_ml_kem.Variant.t_MlKem private_key ciphertext + +let decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + decapsulate_avx2 v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE + v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR + v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE private_key ciphertext diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti index d31791ba7..70335cba3 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti 
@@ -13,6 +13,15 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +/// Private key validation +val validate_private_key_only + (v_K v_SECRET_KEY_SIZE: usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + : Prims.Pure bool + (requires Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K + ) + (fun _ -> Prims.l_True) + val validate_private_key_avx2 (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) 
@@ -33,57 +42,53 @@ val validate_private_key v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) (fun _ -> Prims.l_True) -/// Private key validation -val validate_private_key_only - (v_K v_SECRET_KEY_SIZE: usize) - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - : Prims.Pure bool - (requires Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K - ) - (fun _ -> Prims.l_True) - -val decapsulate_avx2 - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: +/// Portable generate key pair. +val generate_keypair_avx2 + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) + (randomness: t_Array u8 (sz 64)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ + Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ + v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == 
Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ - v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) + v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ + v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K) (fun _ -> Prims.l_True) -val decapsulate - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: +val generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) + (randomness: t_Array u8 (sz 64)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ + Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ + v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K 
/\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ - v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) + v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ + v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K) + (fun _ -> Prims.l_True) + +val validate_public_key_avx2 + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure bool + (requires + Spec.MLKEM.is_rank v_K /\ + v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) + (fun _ -> Prims.l_True) + +val validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure bool + (requires + Spec.MLKEM.is_rank v_K /\ + v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) (fun _ -> Prims.l_True) val encapsulate_avx2 
@@ -124,51 +129,46 @@ val encapsulate v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K) (fun _ -> Prims.l_True) -/// Portable generate key pair. -val generate_keypair_avx2 - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: +val decapsulate_avx2 + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) - (randomness: t_Array u8 (sz 64)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) (requires - Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ + Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ + v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K) + v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ + v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ + v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ + v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ + v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ + v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ + 
v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ + v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ + v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ + v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) (fun _ -> Prims.l_True) -val generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: +val decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) - (randomness: t_Array u8 (sz 64)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) (requires - Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ + Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ + v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K) - (fun _ -> Prims.l_True) - -val validate_public_key_avx2 - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_PUBLIC_KEY_SIZE == 
Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) - (fun _ -> Prims.l_True) - -val validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) + v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ + v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ + v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ + v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ + v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ + v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ + v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ + v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ + v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ + v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fst index c6b885fed..793237fb4 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fst 
@@ -13,52 +13,25 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -let decapsulate - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - = - Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE - v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE - v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 - v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE - #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash key_pair ciphertext - -let encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: +let unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE - v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 - v_ETA2_RANDOMNESS_SIZE 
#Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash public_key randomness - -let generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: - usize) - (randomness: t_Array u8 (sz 64)) - (out: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = - let out:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + let unpacked_public_key:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE - v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE + Libcrux_ml_kem.Ind_cca.Unpacked.unpack_public_key v_K + v_T_AS_NTT_ENCODED_SIZE + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem randomness - out + public_key + unpacked_public_key in - out + unpacked_public_key let keypair_from_private_key (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE: 
@@ -82,22 +55,49 @@ let keypair_from_private_key in key_pair -let unpack_public_key - (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - (unpacked_public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K +let generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (randomness: t_Array u8 (sz 64)) + (out: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = - let unpacked_public_key:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + let out:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - Libcrux_ml_kem.Ind_cca.Unpacked.unpack_public_key v_K - v_T_AS_NTT_ENCODED_SIZE - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash + Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE + v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - public_key - unpacked_public_key + #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem randomness + out in - unpacked_public_key + out + +let encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE + v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE 
v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR + v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash public_key randomness + +let decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE + v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE + v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 + v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash key_pair ciphertext diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fsti index 05e8e5cd5..bdaffe833 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fsti 
@@ -13,29 +13,58 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -/// Unpacked decapsulate -val decapsulate - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: +/// Get the unpacked public key. +val unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (requires + Spec.MLKEM.is_rank v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ + v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K) + (fun _ -> Prims.l_True) + +/// Take a serialized private key and generate an unpacked key pair from it. 
+val keypair_from_private_key + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE: usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (requires Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ - v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) + v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K) + (fun _ -> Prims.l_True) + +/// Generate a key pair +val generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (randomness: t_Array u8 (sz 64)) + (out: + 
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (requires + Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ + v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ + v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ + v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K) (fun _ -> Prims.l_True) /// Unpacked encapsulate 
@@ -60,56 +89,27 @@ val encapsulate v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K) (fun _ -> Prims.l_True) -/// Generate a key pair -val generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: - usize) - (randomness: t_Array u8 (sz 64)) - (out: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (requires - Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K) - (fun _ -> Prims.l_True) - -/// Take a serialized private key and generate an unpacked key pair from it. 
-val keypair_from_private_key - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE: +/// Unpacked decapsulate +val decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) (requires Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K) - (fun _ -> Prims.l_True) - -/// Get the unpacked public key. 
-val unpack_public_key - (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - (unpacked_public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (requires - Spec.MLKEM.is_rank v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K) + v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ + v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ + v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ + v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ + v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ + v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ + v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ + v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ + v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ + v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst index 30ff60795..4ca52082b 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst 
@@ -13,18 +13,6 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -let validate_private_key - (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - = - Libcrux_ml_kem.Ind_cca.validate_private_key v_K - v_SECRET_KEY_SIZE - v_CIPHERTEXT_SIZE - #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash - private_key - ciphertext - let validate_private_key_only (v_K v_SECRET_KEY_SIZE: usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) 
@@ -34,33 +22,18 @@ let validate_private_key_only #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash private_key -let decapsulate - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) +let validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) = - Libcrux_ml_kem.Ind_cca.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE - v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 - v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE - #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem private_key + Libcrux_ml_kem.Ind_cca.validate_private_key v_K + v_SECRET_KEY_SIZE + v_CIPHERTEXT_SIZE + #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash + private_key ciphertext -let encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE - v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE - v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE - 
#Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem public_key - randomness - let generate_keypair (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) 
@@ -80,3 +53,30 @@ let validate_public_key v_PUBLIC_KEY_SIZE #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector public_key + +let encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE + v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE + v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem public_key + randomness + +let decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + Libcrux_ml_kem.Ind_cca.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE + v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR + v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem private_key + ciphertext 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti index fd97941df..8c194ab44 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti @@ -13,17 +13,6 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -/// Private key validation -val validate_private_key - (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) - (fun _ -> Prims.l_True) - /// Private key validation val validate_private_key_only (v_K v_SECRET_KEY_SIZE: usize) 
@@ -33,46 +22,15 @@ val validate_private_key_only ) (fun _ -> Prims.l_True) -/// Portable decapsulate -val decapsulate - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) +/// Private key validation +val validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) + : Prims.Pure bool (requires Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ - v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) - (fun _ -> Prims.l_True) - -val encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: 
Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K) + v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) (fun _ -> Prims.l_True) /// Portable generate key pair. 
@@ -100,3 +58,45 @@ val validate_public_key v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) (fun _ -> Prims.l_True) + +val encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + (requires + Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ + v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ + v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ + v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ + v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ + v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ + v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ + v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ + v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K) + (fun _ -> Prims.l_True) + +/// Portable decapsulate +val decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) + (requires + 
Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ + v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ + v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ + v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ + v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ + v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ + v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ + v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ + v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ + v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ + v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ + v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fst index c32203958..b1d3208cb 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fst 
@@ -13,52 +13,25 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -let decapsulate - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - = - Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE - v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE - v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 - v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE - #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) key_pair ciphertext - -let encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: +let unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE - v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE 
v_ETA2 - v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) public_key randomness - -let generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: - usize) - (randomness: t_Array u8 (sz 64)) - (out: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let out:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + let unpacked_public_key:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE - v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE + Libcrux_ml_kem.Ind_cca.Unpacked.unpack_public_key v_K + v_T_AS_NTT_ENCODED_SIZE + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Variant.t_MlKem - randomness out + public_key + unpacked_public_key in - out + unpacked_public_key let keypair_from_private_key (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE: 
@@ -82,22 +55,49 @@ let keypair_from_private_key in key_pair -let unpack_public_key - (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - (unpacked_public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K +let generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (randomness: t_Array u8 (sz 64)) + (out: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let unpacked_public_key:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + let out:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - Libcrux_ml_kem.Ind_cca.Unpacked.unpack_public_key v_K - v_T_AS_NTT_ENCODED_SIZE - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) + Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE + v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - public_key - unpacked_public_key + #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Variant.t_MlKem + randomness out in - unpacked_public_key + out + +let encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate v_K v_CIPHERTEXT_SIZE 
v_PUBLIC_KEY_SIZE + v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR + v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) public_key randomness + +let decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE + v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE + v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 + v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) key_pair ciphertext diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fsti index f406d6a8f..61be48b3e 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fsti 
@@ -13,29 +13,58 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -/// Unpacked decapsulate -val decapsulate - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: +/// Get the unpacked public key. +val unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (requires + Spec.MLKEM.is_rank v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ + v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K) + (fun _ -> Prims.l_True) + +/// Take a serialized private key and generate an unpacked key pair from it. 
+val keypair_from_private_key + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE: usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (requires Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ - v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) + v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K) + (fun _ -> Prims.l_True) + +/// Generate a key pair +val generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (randomness: t_Array u8 (sz 64)) + (out: + 
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (requires + Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ + v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ + v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ + v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K) (fun _ -> Prims.l_True) /// Unpacked encapsulate 
@@ -60,56 +89,27 @@ val encapsulate v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K) (fun _ -> Prims.l_True) -/// Generate a key pair -val generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: - usize) - (randomness: t_Array u8 (sz 64)) - (out: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (requires - Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K) - (fun _ -> Prims.l_True) - -/// Take a serialized private key and generate an unpacked key pair from it. 
-val keypair_from_private_key - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE: +/// Unpacked decapsulate +val decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) (requires Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K) - (fun _ -> Prims.l_True) - -/// Get the unpacked public key. 
-val unpack_public_key - (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - (unpacked_public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (requires - Spec.MLKEM.is_rank v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K) + v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ + v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ + v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ + v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ + v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ + v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ + v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ + v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ + v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ + v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst index 414098242..9641398ce 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst 
@@ -13,40 +13,47 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -let validate_private_key - (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) +let validate_private_key_only + (v_K v_SECRET_KEY_SIZE: usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) = - Libcrux_ml_kem.Ind_cca.validate_private_key v_K + Libcrux_ml_kem.Ind_cca.validate_private_key_only v_K v_SECRET_KEY_SIZE - v_CIPHERTEXT_SIZE #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) private_key - ciphertext -let validate_private_key_only - (v_K v_SECRET_KEY_SIZE: usize) +let validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) = - Libcrux_ml_kem.Ind_cca.validate_private_key_only v_K + Libcrux_ml_kem.Ind_cca.validate_private_key v_K v_SECRET_KEY_SIZE + v_CIPHERTEXT_SIZE #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) private_key + ciphertext -let decapsulate - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: +let generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + (randomness: t_Array u8 (sz 64)) = - Libcrux_ml_kem.Ind_cca.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE - v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR 
v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 - v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE + Libcrux_ml_kem.Ind_cca.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE + v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Variant.t_MlKem - private_key ciphertext + randomness + +let validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + = + Libcrux_ml_kem.Ind_cca.validate_public_key v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + public_key let encapsulate (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: 
@@ -61,23 +68,16 @@ let encapsulate #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Variant.t_MlKem public_key randomness -let generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: +let decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) - (randomness: t_Array u8 (sz 64)) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) = - Libcrux_ml_kem.Ind_cca.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE - v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE + Libcrux_ml_kem.Ind_cca.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE + v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR + v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Variant.t_MlKem - randomness - -let validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - = - Libcrux_ml_kem.Ind_cca.validate_public_key v_K - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - public_key + private_key ciphertext 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti index 19dc4859d..174839740 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti @@ -13,17 +13,6 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -/// Private key validation -val validate_private_key - (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) - (fun _ -> Prims.l_True) - /// Private key validation val validate_private_key_only (v_K v_SECRET_KEY_SIZE: usize) 
@@ -33,46 +22,15 @@ val validate_private_key_only ) (fun _ -> Prims.l_True) -/// Portable decapsulate -val decapsulate - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) +/// Private key validation +val validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) + : Prims.Pure bool (requires Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ - v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) - (fun _ -> Prims.l_True) - -val encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: 
Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K) + v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) (fun _ -> Prims.l_True) /// Portable generate key pair. 
@@ -100,3 +58,45 @@ val validate_public_key v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) (fun _ -> Prims.l_True) + +val encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + (requires + Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ + v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ + v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ + v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ + v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ + v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ + v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ + v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ + v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K) + (fun _ -> Prims.l_True) + +/// Portable decapsulate +val decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) + (requires + 
Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ + v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ + v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ + v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ + v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ + v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ + v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ + v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ + v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ + v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ + v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ + v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst index ca7056f6c..198dc312e 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst 
@@ -23,33 +23,41 @@ let validate_public_key v_PUBLIC_KEY_SIZE public_key -let decapsulate - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: +let generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + (randomness: t_Array u8 (sz 64)) = if Libcrux_platform.Platform.simd256_support () then - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.decapsulate v_K v_SECRET_KEY_SIZE - v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE - v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 - v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE - private_key ciphertext + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.generate_keypair v_K + v_CPA_PRIVATE_KEY_SIZE + v_PRIVATE_KEY_SIZE + v_PUBLIC_KEY_SIZE + v_RANKED_BYTES_PER_RING_ELEMENT + v_ETA1 + v_ETA1_RANDOMNESS_SIZE + randomness else if Libcrux_platform.Platform.simd128_support () then - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.decapsulate v_K v_SECRET_KEY_SIZE - v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE - v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 - v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE - private_key ciphertext + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.generate_keypair v_K + v_CPA_PRIVATE_KEY_SIZE + v_PRIVATE_KEY_SIZE + v_PUBLIC_KEY_SIZE + v_RANKED_BYTES_PER_RING_ELEMENT + 
v_ETA1 + v_ETA1_RANDOMNESS_SIZE + randomness else - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.decapsulate v_K v_SECRET_KEY_SIZE - v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE - v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 - v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE - private_key ciphertext + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.generate_keypair v_K + v_CPA_PRIVATE_KEY_SIZE + v_PRIVATE_KEY_SIZE + v_PUBLIC_KEY_SIZE + v_RANKED_BYTES_PER_RING_ELEMENT + v_ETA1 + v_ETA1_RANDOMNESS_SIZE + randomness let encapsulate (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: 
@@ -76,38 +84,30 @@ let encapsulate v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE public_key randomness -let generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: +let decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) - (randomness: t_Array u8 (sz 64)) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) = if Libcrux_platform.Platform.simd256_support () then - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.generate_keypair v_K - v_CPA_PRIVATE_KEY_SIZE - v_PRIVATE_KEY_SIZE - v_PUBLIC_KEY_SIZE - v_RANKED_BYTES_PER_RING_ELEMENT - v_ETA1 - v_ETA1_RANDOMNESS_SIZE - randomness + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.decapsulate v_K v_SECRET_KEY_SIZE + v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE + v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 + v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE + private_key ciphertext else if Libcrux_platform.Platform.simd128_support () then - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.generate_keypair v_K - v_CPA_PRIVATE_KEY_SIZE - v_PRIVATE_KEY_SIZE - v_PUBLIC_KEY_SIZE - v_RANKED_BYTES_PER_RING_ELEMENT - v_ETA1 - v_ETA1_RANDOMNESS_SIZE - randomness + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.decapsulate v_K v_SECRET_KEY_SIZE + v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE + v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR 
v_C1_BLOCK_SIZE v_ETA1 + v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE + private_key ciphertext else - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.generate_keypair v_K - v_CPA_PRIVATE_KEY_SIZE - v_PRIVATE_KEY_SIZE - v_PUBLIC_KEY_SIZE - v_RANKED_BYTES_PER_RING_ELEMENT - v_ETA1 - v_ETA1_RANDOMNESS_SIZE - randomness + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.decapsulate v_K v_SECRET_KEY_SIZE + v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE + v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 + v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE + private_key ciphertext diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti index 4fc70d000..6ea9eb00f 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti 
@@ -23,26 +23,18 @@ val validate_public_key v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) (fun _ -> Prims.l_True) -val decapsulate - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: +val generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) + (randomness: t_Array u8 (sz 64)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ + Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ + v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ - v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == 
Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) + v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ + v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K) (fun _ -> Prims.l_True) val encapsulate 
@@ -64,16 +56,24 @@ val encapsulate v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K) (fun _ -> Prims.l_True) -val generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: +val decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) - (randomness: t_Array u8 (sz 64)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) (requires - Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ + Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ + v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K) + v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ + v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ + v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ + v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ + v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ + v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ + v_ETA1_RANDOMNESS_SIZE == 
Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ + v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ + v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ + v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst index 74db3dabb..da85765fc 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst @@ -15,14 +15,23 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -let impl_4__private_key +[@@ FStar.Tactics.Typeclasses.tcinstance] +assume +val impl_2': + v_K: usize -> + #v_Vector: Type0 -> + {| i1: Core.Clone.t_Clone v_Vector |} -> + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + -> Core.Clone.t_Clone (t_MlKemPublicKeyUnpacked v_K v_Vector) + +let impl_2 (v_K: usize) (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Core.Clone.t_Clone v_Vector) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: + i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (self: t_MlKemKeyPairUnpacked v_K v_Vector) - = self.f_private_key + = impl_2' v_K #v_Vector #i1 #i2 let impl_4__public_key (v_K: usize) 
@@ -33,23 +42,14 @@ let impl_4__public_key (self: t_MlKemKeyPairUnpacked v_K v_Vector) = self.f_public_key -[@@ FStar.Tactics.Typeclasses.tcinstance] -assume -val impl_2': - v_K: usize -> - #v_Vector: Type0 -> - {| i1: Core.Clone.t_Clone v_Vector |} -> - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - -> Core.Clone.t_Clone (t_MlKemPublicKeyUnpacked v_K v_Vector) - -let impl_2 +let impl_4__private_key (v_K: usize) (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Core.Clone.t_Clone v_Vector) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: + i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - = impl_2' v_K #v_Vector #i1 #i2 + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + = self.f_private_key #push-options "--z3rlimit 200" 
@@ -223,6 +223,122 @@ let impl_4__new = Core.Default.f_default #(t_MlKemKeyPairUnpacked v_K v_Vector) #FStar.Tactics.Typeclasses.solve () +let unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#v_Hasher #v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: t_MlKemPublicKeyUnpacked v_K v_Vector) + = + let unpacked_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector = + { + unpacked_public_key with + f_ind_cpa_public_key + = + { + unpacked_public_key.f_ind_cpa_public_key with + Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + = + Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_K + #v_Vector + (public_key.Libcrux_ml_kem.Types.f_value.[ { + Core.Ops.Range.f_end = v_T_AS_NTT_ENCODED_SIZE + } + <: + Core.Ops.Range.t_RangeTo usize ] + <: + t_Slice u8) + unpacked_public_key.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + } + <: + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector + } + <: + t_MlKemPublicKeyUnpacked v_K v_Vector + in + let _:Prims.unit = + let _, seed = split public_key.f_value (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K) in + Lib.Sequence.eq_intro #u8 #32 (Libcrux_ml_kem.Utils.into_padded_array (sz 32) seed) seed; + Lib.Sequence.eq_intro #u8 + #32 + (Seq.slice (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed) 0 32) + seed + in + let unpacked_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector = + { + unpacked_public_key with + f_ind_cpa_public_key + = + { + unpacked_public_key.f_ind_cpa_public_key with + Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A + = + Libcrux_ml_kem.Utils.into_padded_array (sz 32) + (public_key.Libcrux_ml_kem.Types.f_value.[ { + Core.Ops.Range.f_start = 
v_T_AS_NTT_ENCODED_SIZE + } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + } + <: + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector + } + <: + t_MlKemPublicKeyUnpacked v_K v_Vector + in + let unpacked_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector = + { + unpacked_public_key with + f_ind_cpa_public_key + = + { + unpacked_public_key.f_ind_cpa_public_key with + Libcrux_ml_kem.Ind_cpa.Unpacked.f_A + = + Libcrux_ml_kem.Matrix.sample_matrix_A v_K + #v_Vector + #v_Hasher + unpacked_public_key.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A + (Libcrux_ml_kem.Utils.into_padded_array (sz 34) + (public_key.Libcrux_ml_kem.Types.f_value.[ { + Core.Ops.Range.f_start = v_T_AS_NTT_ENCODED_SIZE + } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + <: + t_Array u8 (sz 34)) + false + } + <: + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector + } + <: + t_MlKemPublicKeyUnpacked v_K v_Vector + in + let unpacked_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector = + { + unpacked_public_key with + f_public_key_hash + = + Libcrux_ml_kem.Hash_functions.f_H #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) + } + <: + t_MlKemPublicKeyUnpacked v_K v_Vector + in + unpacked_public_key + let keys_from_private_key (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE: usize) 
@@ -392,191 +508,6 @@ let impl_4__from_private_key in out -let unpack_public_key - (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (#v_Hasher #v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - (unpacked_public_key: t_MlKemPublicKeyUnpacked v_K v_Vector) - = - let unpacked_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector = - { - unpacked_public_key with - f_ind_cpa_public_key - = - { - unpacked_public_key.f_ind_cpa_public_key with - Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt - = - Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_K - #v_Vector - (public_key.Libcrux_ml_kem.Types.f_value.[ { - Core.Ops.Range.f_end = v_T_AS_NTT_ENCODED_SIZE - } - <: - Core.Ops.Range.t_RangeTo usize ] - <: - t_Slice u8) - unpacked_public_key.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt - } - <: - Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector - } - <: - t_MlKemPublicKeyUnpacked v_K v_Vector - in - let _:Prims.unit = - let _, seed = split public_key.f_value (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K) in - Lib.Sequence.eq_intro #u8 #32 (Libcrux_ml_kem.Utils.into_padded_array (sz 32) seed) seed; - Lib.Sequence.eq_intro #u8 - #32 - (Seq.slice (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed) 0 32) - seed - in - let unpacked_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector = - { - unpacked_public_key with - f_ind_cpa_public_key - = - { - unpacked_public_key.f_ind_cpa_public_key with - Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A - = - Libcrux_ml_kem.Utils.into_padded_array (sz 32) - (public_key.Libcrux_ml_kem.Types.f_value.[ { - Core.Ops.Range.f_start = v_T_AS_NTT_ENCODED_SIZE - } - <: - Core.Ops.Range.t_RangeFrom usize ] - <: - t_Slice u8) - } - <: - 
Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector - } - <: - t_MlKemPublicKeyUnpacked v_K v_Vector - in - let unpacked_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector = - { - unpacked_public_key with - f_ind_cpa_public_key - = - { - unpacked_public_key.f_ind_cpa_public_key with - Libcrux_ml_kem.Ind_cpa.Unpacked.f_A - = - Libcrux_ml_kem.Matrix.sample_matrix_A v_K - #v_Vector - #v_Hasher - unpacked_public_key.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A - (Libcrux_ml_kem.Utils.into_padded_array (sz 34) - (public_key.Libcrux_ml_kem.Types.f_value.[ { - Core.Ops.Range.f_start = v_T_AS_NTT_ENCODED_SIZE - } - <: - Core.Ops.Range.t_RangeFrom usize ] - <: - t_Slice u8) - <: - t_Array u8 (sz 34)) - false - } - <: - Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector - } - <: - t_MlKemPublicKeyUnpacked v_K v_Vector - in - let unpacked_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector = - { - unpacked_public_key with - f_public_key_hash - = - Libcrux_ml_kem.Hash_functions.f_H #v_Hasher - #v_K - #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) - } - <: - t_MlKemPublicKeyUnpacked v_K v_Vector - in - unpacked_public_key - -let encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (#v_Vector #v_Hasher: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (public_key: t_MlKemPublicKeyUnpacked v_K v_Vector) - (randomness: t_Array u8 (sz 32)) - = - let _:Prims.unit = - Lib.Sequence.eq_intro #u8 - #32 - (Seq.slice (Libcrux_ml_kem.Utils.into_padded_array (sz 64) randomness) 0 32) - randomness - in - let 
(to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = - Libcrux_ml_kem.Utils.into_padded_array (sz 64) (randomness <: t_Slice u8) - in - let to_hash:t_Array u8 (sz 64) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash - ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE } - <: - Core.Ops.Range.t_RangeFrom usize) - (Core.Slice.impl__copy_from_slice #u8 - (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE } - <: - Core.Ops.Range.t_RangeFrom usize ] - <: - t_Slice u8) - (public_key.f_public_key_hash <: t_Slice u8) - <: - t_Slice u8) - in - let _:Prims.unit = - Lib.Sequence.eq_intro #u8 #64 to_hash (concat randomness public_key.f_public_key_hash) - in - let hashed:t_Array u8 (sz 64) = - Libcrux_ml_kem.Hash_functions.f_G #v_Hasher - #v_K - #FStar.Tactics.Typeclasses.solve - (to_hash <: t_Slice u8) - in - let shared_secret, pseudorandomness:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - (hashed <: t_Slice u8) - Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE - in - let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = - Libcrux_ml_kem.Ind_cpa.encrypt_unpacked v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE - v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN - v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher - public_key.f_ind_cpa_public_key randomness pseudorandomness - in - let shared_secret_array:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in - let shared_secret_array:t_Array u8 (sz 32) = - Core.Slice.impl__copy_from_slice #u8 shared_secret_array shared_secret - in - Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - #(t_Array u8 v_CIPHERTEXT_SIZE) - #FStar.Tactics.Typeclasses.solve - ciphertext, - shared_secret_array - <: - (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - let impl_3__serialized_mut (v_K: usize) (#v_Vector: Type0) 
@@ -905,6 +836,75 @@ let impl_4__serialized_private_key in sk +let encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (#v_Vector #v_Hasher: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (public_key: t_MlKemPublicKeyUnpacked v_K v_Vector) + (randomness: t_Array u8 (sz 32)) + = + let _:Prims.unit = + Lib.Sequence.eq_intro #u8 + #32 + (Seq.slice (Libcrux_ml_kem.Utils.into_padded_array (sz 64) randomness) 0 32) + randomness + in + let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = + Libcrux_ml_kem.Utils.into_padded_array (sz 64) (randomness <: t_Slice u8) + in + let to_hash:t_Array u8 (sz 64) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash + ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE } + <: + Core.Ops.Range.t_RangeFrom usize) + (Core.Slice.impl__copy_from_slice #u8 + (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + (public_key.f_public_key_hash <: t_Slice u8) + <: + t_Slice u8) + in + let _:Prims.unit = + Lib.Sequence.eq_intro #u8 #64 to_hash (concat randomness public_key.f_public_key_hash) + in + let hashed:t_Array u8 (sz 64) = + Libcrux_ml_kem.Hash_functions.f_G #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + (to_hash <: t_Slice u8) + in + let shared_secret, pseudorandomness:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (hashed <: t_Slice u8) + Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE + in + let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = + Libcrux_ml_kem.Ind_cpa.encrypt_unpacked v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE 
v_C1_SIZE + v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN + v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher + public_key.f_ind_cpa_public_key randomness pseudorandomness + in + let shared_secret_array:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let shared_secret_array:t_Array u8 (sz 32) = + Core.Slice.impl__copy_from_slice #u8 shared_secret_array shared_secret + in + Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + #(t_Array u8 v_CIPHERTEXT_SIZE) + #FStar.Tactics.Typeclasses.solve + ciphertext, + shared_secret_array + <: + (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + #push-options "--z3rlimit 200 --ext context_pruning --z3refresh" let decapsulate diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti index a6eb033b1..b190d8fc8 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti @@ -31,6 +31,14 @@ type t_MlKemPublicKeyUnpacked f_public_key_hash:t_Array u8 (sz 32) } +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_2 + (v_K: usize) + (#v_Vector: Type0) + {| i1: Core.Clone.t_Clone v_Vector |} + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + : Core.Clone.t_Clone (t_MlKemPublicKeyUnpacked v_K v_Vector) + /// An unpacked ML-KEM KeyPair type t_MlKemKeyPairUnpacked (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} 
@@ -40,28 +48,20 @@ type t_MlKemKeyPairUnpacked } /// Get the serialized public key. -val impl_4__private_key +val impl_4__public_key (v_K: usize) (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self: t_MlKemKeyPairUnpacked v_K v_Vector) - : Prims.Pure (t_MlKemPrivateKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (t_MlKemPublicKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) /// Get the serialized public key. -val impl_4__public_key +val impl_4__private_key (v_K: usize) (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self: t_MlKemKeyPairUnpacked v_K v_Vector) - : Prims.Pure (t_MlKemPublicKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) - -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_2 - (v_K: usize) - (#v_Vector: Type0) - {| i1: Core.Clone.t_Clone v_Vector |} - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - : Core.Clone.t_Clone (t_MlKemPublicKeyUnpacked v_K v_Vector) + : Prims.Pure (t_MlKemPrivateKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) val transpose_a (v_K: usize) 
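Review bot: The doc comment now sitting above `val impl_4__private_key` reads `/// Get the serialized public key.`, which matches neither the getter (it returns the private half) nor its result type (`t_MlKemPrivateKeyUnpacked`, an unpacked key, not serialized bytes); the identical comment above `impl_4__public_key` is likewise wrong about "serialized", since that getter returns `t_MlKemPublicKeyUnpacked`. The mismatch predates this commit — in the removed ordering the same comment preceded `impl_4__private_key` as well — so the reorder only relocates it. Because this .fsti is hax-extracted, the fix belongs on the Rust doc comments of the two getters, e.g. `/// Get the unpacked private key.` and `/// Get the unpacked public key.`, followed by re-running the extraction rather than hand-editing this file.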
@@ -106,40 +106,6 @@ val impl_4__new: Prims.unit -> Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) -/// Take a serialized private key and generate an unpacked key pair from it. -val keys_from_private_key - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE: - usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - (key_pair: t_MlKemKeyPairUnpacked v_K v_Vector) - : Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector) - (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K) - (fun _ -> Prims.l_True) - -/// Take a serialized private key and generate an unpacked key pair from it. -val impl_4__from_private_key - (v_K: usize) - (#v_Vector: Type0) - (v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE: - usize) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - : Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector) - (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K) - (fun _ -> Prims.l_True) - /// Generate an unpacked key from a serialized key. 
val unpack_public_key (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) 
@@ -171,44 +137,39 @@ val unpack_public_key deserialized_pk /\ unpacked_public_key_future.f_ind_cpa_public_key.f_seed_for_A == seed /\ unpacked_public_key_future.f_public_key_hash == public_key_hash) -val encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: +/// Take a serialized private key and generate an unpacked key pair from it. +val keys_from_private_key + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE: usize) - (#v_Vector #v_Hasher: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - (public_key: t_MlKemPublicKeyUnpacked v_K v_Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (key_pair: t_MlKemKeyPairUnpacked v_K v_Vector) + : Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector) (requires - Spec.MLKEM.is_rank v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_VECTOR_U_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) - (ensures - fun temp_0_ -> - let ciphertext_result, 
shared_secret_array:(Libcrux_ml_kem.Types.t_MlKemCiphertext - v_CIPHERTEXT_SIZE & - t_Array u8 (sz 32)) = - temp_0_ - in - let ciphertext, shared_secret = - Spec.MLKEM.ind_cca_unpack_encapsulate v_K - public_key.f_public_key_hash - (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K - #v_Vector - public_key.f_ind_cpa_public_key.f_t_as_ntt) - (Libcrux_ml_kem.Polynomial.to_spec_matrix_t #v_K - #v_Vector - public_key.f_ind_cpa_public_key.f_A) - randomness - in - ciphertext_result.f_value == ciphertext /\ shared_secret_array == shared_secret) + Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ + v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ + v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K) + (fun _ -> Prims.l_True) + +/// Take a serialized private key and generate an unpacked key pair from it. +val impl_4__from_private_key + (v_K: usize) + (#v_Vector: Type0) + (v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE: + usize) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + : Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector) + (requires + Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ + v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ + v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K) + (fun _ -> Prims.l_True) /// Get the serialized public key. val impl_3__serialized_mut 
@@ -390,6 +351,45 @@ val impl_4__serialized_private_key v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K) (fun _ -> Prims.l_True) +val encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (#v_Vector #v_Hasher: Type0) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (public_key: t_MlKemPublicKeyUnpacked v_K v_Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + (requires + Spec.MLKEM.is_rank v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ + v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ + v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ + v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ + v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ + v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ + v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ + v_VECTOR_U_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ + v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) + (ensures + fun temp_0_ -> + let ciphertext_result, shared_secret_array:(Libcrux_ml_kem.Types.t_MlKemCiphertext + v_CIPHERTEXT_SIZE & + t_Array u8 (sz 32)) = + temp_0_ + in + let ciphertext, shared_secret = + Spec.MLKEM.ind_cca_unpack_encapsulate v_K + public_key.f_public_key_hash + (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K + #v_Vector + public_key.f_ind_cpa_public_key.f_t_as_ntt) + (Libcrux_ml_kem.Polynomial.to_spec_matrix_t #v_K + #v_Vector + public_key.f_ind_cpa_public_key.f_A) + randomness + in + ciphertext_result.f_value == ciphertext /\ shared_secret_array == shared_secret) + val decapsulate (v_K 
v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst
index a6ffee609..9e4e2b44f 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst
@@ -12,55 +12,6 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -#push-options "--z3rlimit 300" - -let validate_private_key_only - (v_K v_SECRET_KEY_SIZE: usize) - (#v_Hasher: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - = - let t:t_Array u8 (sz 32) = - Libcrux_ml_kem.Hash_functions.f_H #v_Hasher - #v_K - #FStar.Tactics.Typeclasses.solve - (private_key.Libcrux_ml_kem.Types.f_value.[ { - Core.Ops.Range.f_start = sz 384 *! v_K <: usize; - Core.Ops.Range.f_end = (sz 768 *! v_K <: usize) +! sz 32 <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - in - let expected:t_Slice u8 = - private_key.Libcrux_ml_kem.Types.f_value.[ { - Core.Ops.Range.f_start = (sz 768 *! v_K <: usize) +! sz 32 <: usize; - Core.Ops.Range.f_end = (sz 768 *! v_K <: usize) +! sz 64 <: usize - } - <: - Core.Ops.Range.t_Range usize ] - in - t =. expected - -#pop-options - -#push-options "--z3rlimit 300" - -let validate_private_key - (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) - (#v_Hasher: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - (v__ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - = validate_private_key_only v_K v_SECRET_KEY_SIZE #v_Hasher private_key - -#pop-options - #push-options "--z3rlimit 150" let serialize_kem_secret_key_mut 
@@ -237,92 +188,50 @@ let serialize_kem_secret_key #push-options "--z3rlimit 300" -let encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (#v_Vector #v_Hasher #v_Scheme: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) +let validate_private_key_only + (v_K v_SECRET_KEY_SIZE: usize) + (#v_Hasher: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i4: + i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme) - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - (randomness: t_Array u8 (sz 32)) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) = - let randomness:t_Array u8 (sz 32) = - Libcrux_ml_kem.Variant.f_entropy_preprocess #v_Scheme + let t:t_Array u8 (sz 32) = + Libcrux_ml_kem.Hash_functions.f_H #v_Hasher + #v_K #FStar.Tactics.Typeclasses.solve - v_K - #v_Hasher - (randomness <: t_Slice u8) - in - let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = - Libcrux_ml_kem.Utils.into_padded_array (sz 64) (randomness <: t_Slice u8) - in - let _:Prims.unit = eq_intro (Seq.slice to_hash 0 32) randomness in - let to_hash:t_Array u8 (sz 64) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash - ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE } - <: - Core.Ops.Range.t_RangeFrom usize) - (Core.Slice.impl__copy_from_slice #u8 - (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE } - <: - Core.Ops.Range.t_RangeFrom usize ] - <: - t_Slice u8) - (Libcrux_ml_kem.Hash_functions.f_H #v_Hasher - #v_K - #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) - <: 
- t_Slice u8) + (private_key.Libcrux_ml_kem.Types.f_value.[ { + Core.Ops.Range.f_start = sz 384 *! v_K <: usize; + Core.Ops.Range.f_end = (sz 768 *! v_K <: usize) +! sz 32 <: usize + } + <: + Core.Ops.Range.t_Range usize ] <: t_Slice u8) in - let _:Prims.unit = - assert (Seq.slice to_hash 0 (v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE) == randomness); - lemma_slice_append to_hash randomness (Spec.Utils.v_H public_key.f_value); - assert (to_hash == concat randomness (Spec.Utils.v_H public_key.f_value)) - in - let hashed:t_Array u8 (sz 64) = - Libcrux_ml_kem.Hash_functions.f_G #v_Hasher - #v_K - #FStar.Tactics.Typeclasses.solve - (to_hash <: t_Slice u8) - in - let shared_secret, pseudorandomness:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - (hashed <: t_Slice u8) - Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE - in - let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = - Libcrux_ml_kem.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE - v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 - v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher - (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) randomness - pseudorandomness - in - let ciphertext:Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE = - Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - #(t_Array u8 v_CIPHERTEXT_SIZE) - #FStar.Tactics.Typeclasses.solve - ciphertext - in - let shared_secret_array:t_Array u8 (sz 32) = - Libcrux_ml_kem.Variant.f_kdf #v_Scheme - #FStar.Tactics.Typeclasses.solve - v_K - v_CIPHERTEXT_SIZE - #v_Hasher - shared_secret - ciphertext + let expected:t_Slice u8 = + private_key.Libcrux_ml_kem.Types.f_value.[ { + Core.Ops.Range.f_start = (sz 768 *! v_K <: usize) +! sz 32 <: usize; + Core.Ops.Range.f_end = (sz 768 *! v_K <: usize) +! 
sz 64 <: usize + } + <: + Core.Ops.Range.t_Range usize ] in - ciphertext, shared_secret_array - <: - (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + t =. expected + +#pop-options + +#push-options "--z3rlimit 300" + +let validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) + (#v_Hasher: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (v__ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = validate_private_key_only v_K v_SECRET_KEY_SIZE #v_Hasher private_key #pop-options 
@@ -420,6 +329,97 @@ let generate_keypair #pop-options +#push-options "--z3rlimit 300" + +let encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (#v_Vector #v_Hasher #v_Scheme: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i4: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (randomness: t_Array u8 (sz 32)) + = + let randomness:t_Array u8 (sz 32) = + Libcrux_ml_kem.Variant.f_entropy_preprocess #v_Scheme + #FStar.Tactics.Typeclasses.solve + v_K + #v_Hasher + (randomness <: t_Slice u8) + in + let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = + Libcrux_ml_kem.Utils.into_padded_array (sz 64) (randomness <: t_Slice u8) + in + let _:Prims.unit = eq_intro (Seq.slice to_hash 0 32) randomness in + let to_hash:t_Array u8 (sz 64) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash + ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE } + <: + Core.Ops.Range.t_RangeFrom usize) + (Core.Slice.impl__copy_from_slice #u8 + (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + (Libcrux_ml_kem.Hash_functions.f_H #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) + <: + t_Slice u8) + <: + t_Slice u8) + in + let _:Prims.unit = + assert (Seq.slice to_hash 0 (v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE) == randomness); + lemma_slice_append to_hash randomness (Spec.Utils.v_H public_key.f_value); + 
assert (to_hash == concat randomness (Spec.Utils.v_H public_key.f_value)) + in + let hashed:t_Array u8 (sz 64) = + Libcrux_ml_kem.Hash_functions.f_G #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + (to_hash <: t_Slice u8) + in + let shared_secret, pseudorandomness:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (hashed <: t_Slice u8) + Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE + in + let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = + Libcrux_ml_kem.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE + v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 + v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher + (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) randomness + pseudorandomness + in + let ciphertext:Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE = + Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + #(t_Array u8 v_CIPHERTEXT_SIZE) + #FStar.Tactics.Typeclasses.solve + ciphertext + in + let shared_secret_array:t_Array u8 (sz 32) = + Libcrux_ml_kem.Variant.f_kdf #v_Scheme + #FStar.Tactics.Typeclasses.solve + v_K + v_CIPHERTEXT_SIZE + #v_Hasher + shared_secret + ciphertext + in + ciphertext, shared_secret_array + <: + (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + +#pop-options + #push-options "--z3rlimit 500" let decapsulate diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti index 057295e89..477c4634b 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti 
@@ -12,41 +12,13 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -/// Seed size for encapsulation -let v_ENCAPS_SEED_SIZE: usize = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE - /// Seed size for key generation let v_KEY_GENERATION_SEED_SIZE: usize = Libcrux_ml_kem.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE +! Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE -/// Validate an ML-KEM private key. -/// This implements the Hash check in 7.3 3. -val validate_private_key_only - (v_K v_SECRET_KEY_SIZE: usize) - (#v_Hasher: Type0) - {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - : Prims.Pure bool - (requires Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K - ) - (fun _ -> Prims.l_True) - -/// Validate an ML-KEM private key. -/// This implements the Hash check in 7.3 3. -/// Note that the size checks in 7.2 1 and 2 are covered by the `SECRET_KEY_SIZE` -/// and `CIPHERTEXT_SIZE` in the `private_key` and `ciphertext` types. -val validate_private_key - (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) - (#v_Hasher: Type0) - {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - (v__ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) - (fun _ -> Prims.l_True) +/// Seed size for encapsulation +let v_ENCAPS_SEED_SIZE: usize = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE /// Serialize the secret key. val serialize_kem_secret_key_mut 
@@ -88,35 +60,33 @@ val serialize_kem_secret_key (Seq.append public_key (Seq.append (Spec.Utils.v_H public_key) implicit_rejection_value) )) -val encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (#v_Vector #v_Hasher #v_Scheme: Type0) - {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |} - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) +/// Validate an ML-KEM private key. +/// This implements the Hash check in 7.3 3. +val validate_private_key_only + (v_K v_SECRET_KEY_SIZE: usize) + (#v_Hasher: Type0) + {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + : Prims.Pure bool + (requires Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K + ) + (fun _ -> Prims.l_True) + +/// Validate an ML-KEM private key. +/// This implements the Hash check in 7.3 3. +/// Note that the size checks in 7.2 1 and 2 are covered by the `SECRET_KEY_SIZE` +/// and `CIPHERTEXT_SIZE` in the `private_key` and `ciphertext` types. 
+val validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) + (#v_Hasher: Type0) + {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (v__ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure bool (requires - Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K) - (ensures - fun result -> - let result:(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - = - result - in - let expected, valid = Spec.MLKEM.ind_cca_encapsulate v_K public_key.f_value randomness in - valid ==> (result._1.f_value, result._2) == expected) + Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ + v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) + (fun _ -> Prims.l_True) /// Validate an ML-KEM public key. /// This implements the Modulus check in 7.2 2. 
@@ -162,6 +132,36 @@ val generate_keypair let expected, valid = Spec.MLKEM.ind_cca_generate_keypair v_K randomness in valid ==> (result.f_sk.f_value, result.f_pk.f_value) == expected) +val encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (#v_Vector #v_Hasher #v_Scheme: Type0) + {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |} + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + (requires + Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ + v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ + v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ + v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ + v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ + v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ + v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ + v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ + v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K) + (ensures + fun result -> + let result:(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + = + result + in + let expected, valid = Spec.MLKEM.ind_cca_encapsulate v_K public_key.f_value randomness in + valid ==> (result._1.f_value, result._2) == expected) + /// This code verifies on some machines, runs out of memory on others val decapsulate (v_K 
v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst
index a0e42d84a..d10ca0a38 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst
@@ -12,6 +12,142 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +let sample_ring_element_cbd_helper_1 + (v_K: usize) + (prf_inputs: t_Array (t_Array u8 (sz 33)) v_K) + (prf_input: t_Array u8 (sz 33)) + (domain_separator: u8) : Lemma + (requires Spec.MLKEM.is_rank v_K /\ v domain_separator < 2 * v v_K /\ + (forall (i: nat). i < v v_K ==> + v (Seq.index (Seq.index prf_inputs i) 32) == v domain_separator + i /\ + Seq.slice (Seq.index prf_inputs i) 0 32 == Seq.slice prf_input 0 32)) + (ensures prf_inputs == createi v_K + (Spec.MLKEM.sample_vector_cbd2_prf_input #v_K + (Seq.slice prf_input 0 32) (sz (v domain_separator)))) + = + let lemma_aux (i: nat{i < v v_K}) : Lemma + (prf_inputs.[ sz i ] == (Seq.append (Seq.slice prf_input 0 32) (Seq.create 1 + (mk_int #u8_inttype (v (domain_separator +! (mk_int #u8_inttype i))))))) = + Lib.Sequence.eq_intro #u8 #33 prf_inputs.[ sz i ] + (Seq.append (Seq.slice prf_input 0 32) + (Seq.create 1 (mk_int #u8_inttype (v domain_separator + i)))) + in + Classical.forall_intro lemma_aux; + Lib.Sequence.eq_intro #(t_Array u8 (sz 33)) #(v v_K) prf_inputs + (createi v_K (Spec.MLKEM.sample_vector_cbd2_prf_input #v_K + (Seq.slice prf_input 0 32) (sz (v domain_separator)))) + +let sample_ring_element_cbd_helper_2 + (v_K v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (error_1: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (prf_input: t_Array u8 (sz 33)) + (domain_separator: u8) : Lemma + (requires Spec.MLKEM.is_rank v_K /\ v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ + v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ + v domain_separator < 2 * v v_K /\ + (let prf_outputs = Spec.MLKEM.v_PRFxN v_K v_ETA2_RANDOMNESS_SIZE + (createi v_K (Spec.MLKEM.sample_vector_cbd2_prf_input #v_K + (Seq.slice prf_input 0 32) (sz (v domain_separator)))) in + forall (i: nat). 
i < v v_K ==> + Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector error_1.[ sz i ] == + Spec.MLKEM.sample_poly_cbd v_ETA2 prf_outputs.[ sz i ])) + (ensures Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector error_1 == + (Spec.MLKEM.sample_vector_cbd2 #v_K + (Seq.slice prf_input 0 32) (sz (v domain_separator)))) + = + Lib.Sequence.eq_intro #(Spec.MLKEM.polynomial) #(v v_K) + (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector error_1) + (Spec.MLKEM.sample_vector_cbd2 #v_K (Seq.slice prf_input 0 32) (sz (v domain_separator))) + +#push-options "--max_fuel 15 --z3rlimit 1500 --ext context_pruning --z3refresh --split_queries always" + +let sample_ring_element_cbd + (v_K v_ETA2_RANDOMNESS_SIZE v_ETA2: usize) + (#v_Vector #v_Hasher: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (prf_input: t_Array u8 (sz 33)) + (domain_separator: u8) + = + let error_1_:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K + (fun v__i -> + let v__i:usize = v__i in + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + let prf_inputs:t_Array (t_Array u8 (sz 33)) v_K = Rust_primitives.Hax.repeat prf_input v_K in + let v__domain_separator_init:u8 = domain_separator in + let tmp0, out:(t_Array (t_Array u8 (sz 33)) v_K & u8) = + Libcrux_ml_kem.Utils.prf_input_inc v_K prf_inputs domain_separator + in + let prf_inputs:t_Array (t_Array u8 (sz 33)) v_K = tmp0 in + let domain_separator:u8 = out in + let _:Prims.unit = + sample_ring_element_cbd_helper_1 v_K prf_inputs prf_input v__domain_separator_init + in + let (prf_outputs: t_Array (t_Array u8 v_ETA2_RANDOMNESS_SIZE) v_K):t_Array + (t_Array u8 v_ETA2_RANDOMNESS_SIZE) v_K = + 
Libcrux_ml_kem.Hash_functions.f_PRFxN #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + v_ETA2_RANDOMNESS_SIZE + prf_inputs + in + let error_1_:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_K + (fun error_1_ i -> + let error_1_:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + error_1_ + in + let i:usize = i in + forall (j: nat). + j < v i ==> + Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector error_1_.[ sz j ] == + Spec.MLKEM.sample_poly_cbd v_ETA2 prf_outputs.[ sz j ]) + error_1_ + (fun error_1_ i -> + let error_1_:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + error_1_ + in + let i:usize = i in + let error_1_:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize error_1_ + i + (Libcrux_ml_kem.Sampling.sample_from_binomial_distribution v_ETA2 + #v_Vector + (prf_outputs.[ i ] <: t_Slice u8) + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + error_1_) + in + let _:Prims.unit = + sample_ring_element_cbd_helper_2 v_K + v_ETA2 + v_ETA2_RANDOMNESS_SIZE + #v_Vector + error_1_ + prf_input + v__domain_separator_init + in + error_1_, domain_separator + <: + (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) + +#pop-options + #push-options "--z3rlimit 800 --ext context_pruning" let deserialize_secret_key 
@@ -163,93 +299,7 @@ let build_unpacked_public_key in unpacked_public_key -#push-options "--z3rlimit 800 --ext context_pruning" - -let deserialize_then_decompress_u - (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) - = - let _:Prims.unit = - assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_U_COMPRESSION_FACTOR) /! - sz 8) == - v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K)) - in - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K - (fun temp_0_ -> - let _:usize = temp_0_ in - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! - v_U_COMPRESSION_FACTOR - <: - usize) /! - sz 8 - <: - usize) - (ciphertext <: t_Slice u8) - (fun u_as_ntt i -> - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - u_as_ntt - in - let i:usize = i in - forall (j: nat). 
- j < v i ==> - j * v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) + v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) <= - v v_CIPHERTEXT_SIZE /\ - Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index u_as_ntt j) == - Spec.MLKEM.poly_ntt (Spec.MLKEM.byte_decode_then_decompress (v v_U_COMPRESSION_FACTOR) - (Seq.slice ciphertext - (j * v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K)) - (j * v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) + v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K))) - )) - u_as_ntt - (fun u_as_ntt temp_1_ -> - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - u_as_ntt - in - let i, u_bytes:(usize & t_Slice u8) = temp_1_ in - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt - i - (Libcrux_ml_kem.Serialize.deserialize_then_decompress_ring_element_u v_U_COMPRESSION_FACTOR - #v_Vector - u_bytes - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt - i - (Libcrux_ml_kem.Ntt.ntt_vector_u v_U_COMPRESSION_FACTOR - #v_Vector - (u_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - u_as_ntt) - in - let _:Prims.unit = - Lib.Sequence.eq_intro #Spec.MLKEM.polynomial - #(v v_K) - (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector u_as_ntt) - (let open Spec.MLKEM in - vector_ntt (decode_then_decompress_u #v_K - (Seq.slice ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE v_K))))) - in - u_as_ntt - -#pop-options - -let sample_ring_element_cbd_helper_1 +let sample_vector_cbd_then_ntt_helper_1 (v_K: usize) (prf_inputs: t_Array (t_Array u8 (sz 33)) v_K) (prf_input: t_Array u8 (sz 33)) 
@@ -259,7 +309,7 @@ let sample_ring_element_cbd_helper_1 v (Seq.index (Seq.index prf_inputs i) 32) == v domain_separator + i /\ Seq.slice (Seq.index prf_inputs i) 0 32 == Seq.slice prf_input 0 32)) (ensures prf_inputs == createi v_K - (Spec.MLKEM.sample_vector_cbd2_prf_input #v_K + (Spec.MLKEM.sample_vector_cbd1_prf_input #v_K (Seq.slice prf_input 0 32) (sz (v domain_separator)))) = let lemma_aux (i: nat{i < v v_K}) : Lemma 
@@ -271,172 +321,36 @@ let sample_ring_element_cbd_helper_1 in Classical.forall_intro lemma_aux; Lib.Sequence.eq_intro #(t_Array u8 (sz 33)) #(v v_K) prf_inputs - (createi v_K (Spec.MLKEM.sample_vector_cbd2_prf_input #v_K + (createi v_K (Spec.MLKEM.sample_vector_cbd1_prf_input #v_K (Seq.slice prf_input 0 32) (sz (v domain_separator)))) -let sample_ring_element_cbd_helper_2 - (v_K v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) +let sample_vector_cbd_then_ntt_helper_2 + (v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize) (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (error_1: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (re_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) (prf_input: t_Array u8 (sz 33)) (domain_separator: u8) : Lemma - (requires Spec.MLKEM.is_rank v_K /\ v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ + (requires Spec.MLKEM.is_rank v_K /\ v_ETA == Spec.MLKEM.v_ETA1 v_K /\ + v_ETA_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ v domain_separator < 2 * v v_K /\ - (let prf_outputs = Spec.MLKEM.v_PRFxN v_K v_ETA2_RANDOMNESS_SIZE - (createi v_K (Spec.MLKEM.sample_vector_cbd2_prf_input #v_K + (let prf_outputs = Spec.MLKEM.v_PRFxN v_K v_ETA_RANDOMNESS_SIZE + (createi v_K (Spec.MLKEM.sample_vector_cbd1_prf_input #v_K (Seq.slice prf_input 0 32) (sz (v domain_separator)))) in forall (i: nat). 
i < v v_K ==> - Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector error_1.[ sz i ] == - Spec.MLKEM.sample_poly_cbd v_ETA2 prf_outputs.[ sz i ])) - (ensures Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector error_1 == - (Spec.MLKEM.sample_vector_cbd2 #v_K + Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector re_as_ntt.[ sz i ] == + Spec.MLKEM.poly_ntt (Spec.MLKEM.sample_poly_cbd v_ETA prf_outputs.[ sz i ]))) + (ensures Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector re_as_ntt == + (Spec.MLKEM.sample_vector_cbd_then_ntt #v_K (Seq.slice prf_input 0 32) (sz (v domain_separator)))) = + reveal_opaque (`%Spec.MLKEM.sample_vector_cbd_then_ntt) (Spec.MLKEM.sample_vector_cbd_then_ntt #v_K); Lib.Sequence.eq_intro #(Spec.MLKEM.polynomial) #(v v_K) - (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector error_1) - (Spec.MLKEM.sample_vector_cbd2 #v_K (Seq.slice prf_input 0 32) (sz (v domain_separator))) - -#push-options "--max_fuel 15 --z3rlimit 1500 --ext context_pruning --z3refresh --split_queries always" - -let sample_ring_element_cbd - (v_K v_ETA2_RANDOMNESS_SIZE v_ETA2: usize) - (#v_Vector #v_Hasher: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (prf_input: t_Array u8 (sz 33)) - (domain_separator: u8) - = - let error_1_:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K - (fun v__i -> - let v__i:usize = v__i in - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - let prf_inputs:t_Array (t_Array u8 (sz 33)) v_K = Rust_primitives.Hax.repeat prf_input v_K in - let v__domain_separator_init:u8 = domain_separator in - let tmp0, out:(t_Array (t_Array u8 (sz 33)) v_K & u8) = - 
Libcrux_ml_kem.Utils.prf_input_inc v_K prf_inputs domain_separator - in - let prf_inputs:t_Array (t_Array u8 (sz 33)) v_K = tmp0 in - let domain_separator:u8 = out in - let _:Prims.unit = - sample_ring_element_cbd_helper_1 v_K prf_inputs prf_input v__domain_separator_init - in - let (prf_outputs: t_Array (t_Array u8 v_ETA2_RANDOMNESS_SIZE) v_K):t_Array - (t_Array u8 v_ETA2_RANDOMNESS_SIZE) v_K = - Libcrux_ml_kem.Hash_functions.f_PRFxN #v_Hasher - #v_K - #FStar.Tactics.Typeclasses.solve - v_ETA2_RANDOMNESS_SIZE - prf_inputs - in - let error_1_:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Folds.fold_range (sz 0) - v_K - (fun error_1_ i -> - let error_1_:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - error_1_ - in - let i:usize = i in - forall (j: nat). - j < v i ==> - Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector error_1_.[ sz j ] == - Spec.MLKEM.sample_poly_cbd v_ETA2 prf_outputs.[ sz j ]) - error_1_ - (fun error_1_ i -> - let error_1_:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - error_1_ - in - let i:usize = i in - let error_1_:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize error_1_ - i - (Libcrux_ml_kem.Sampling.sample_from_binomial_distribution v_ETA2 - #v_Vector - (prf_outputs.[ i ] <: t_Slice u8) - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - error_1_) - in - let _:Prims.unit = - sample_ring_element_cbd_helper_2 v_K - v_ETA2 - v_ETA2_RANDOMNESS_SIZE - #v_Vector - error_1_ - prf_input - v__domain_separator_init - in - error_1_, domain_separator - <: - (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) - -#pop-options - -let sample_vector_cbd_then_ntt_helper_1 - (v_K: usize) - (prf_inputs: t_Array (t_Array u8 (sz 33)) v_K) - (prf_input: t_Array u8 (sz 33)) - (domain_separator: u8) : Lemma - (requires 
Spec.MLKEM.is_rank v_K /\ v domain_separator < 2 * v v_K /\ - (forall (i: nat). i < v v_K ==> - v (Seq.index (Seq.index prf_inputs i) 32) == v domain_separator + i /\ - Seq.slice (Seq.index prf_inputs i) 0 32 == Seq.slice prf_input 0 32)) - (ensures prf_inputs == createi v_K - (Spec.MLKEM.sample_vector_cbd1_prf_input #v_K - (Seq.slice prf_input 0 32) (sz (v domain_separator)))) - = - let lemma_aux (i: nat{i < v v_K}) : Lemma - (prf_inputs.[ sz i ] == (Seq.append (Seq.slice prf_input 0 32) (Seq.create 1 - (mk_int #u8_inttype (v (domain_separator +! (mk_int #u8_inttype i))))))) = - Lib.Sequence.eq_intro #u8 #33 prf_inputs.[ sz i ] - (Seq.append (Seq.slice prf_input 0 32) - (Seq.create 1 (mk_int #u8_inttype (v domain_separator + i)))) - in - Classical.forall_intro lemma_aux; - Lib.Sequence.eq_intro #(t_Array u8 (sz 33)) #(v v_K) prf_inputs - (createi v_K (Spec.MLKEM.sample_vector_cbd1_prf_input #v_K - (Seq.slice prf_input 0 32) (sz (v domain_separator)))) - -let sample_vector_cbd_then_ntt_helper_2 - (v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (re_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (prf_input: t_Array u8 (sz 33)) - (domain_separator: u8) : Lemma - (requires Spec.MLKEM.is_rank v_K /\ v_ETA == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v domain_separator < 2 * v v_K /\ - (let prf_outputs = Spec.MLKEM.v_PRFxN v_K v_ETA_RANDOMNESS_SIZE - (createi v_K (Spec.MLKEM.sample_vector_cbd1_prf_input #v_K - (Seq.slice prf_input 0 32) (sz (v domain_separator)))) in - forall (i: nat). 
i < v v_K ==> - Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector re_as_ntt.[ sz i ] == - Spec.MLKEM.poly_ntt (Spec.MLKEM.sample_poly_cbd v_ETA prf_outputs.[ sz i ]))) - (ensures Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector re_as_ntt == - (Spec.MLKEM.sample_vector_cbd_then_ntt #v_K - (Seq.slice prf_input 0 32) (sz (v domain_separator)))) - = - reveal_opaque (`%Spec.MLKEM.sample_vector_cbd_then_ntt) (Spec.MLKEM.sample_vector_cbd_then_ntt #v_K); - Lib.Sequence.eq_intro #(Spec.MLKEM.polynomial) #(v v_K) - (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector re_as_ntt) - (Spec.MLKEM.sample_vector_cbd_then_ntt #v_K - (Seq.slice prf_input 0 32) (sz (v domain_separator))) + (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector re_as_ntt) + (Spec.MLKEM.sample_vector_cbd_then_ntt #v_K + (Seq.slice prf_input 0 32) (sz (v domain_separator))) #push-options "--max_fuel 25 --z3rlimit 2500 --ext context_pruning --z3refresh --split_queries always" 
@@ -562,6 +476,92 @@ let sample_vector_cbd_then_ntt_out <: (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) +#push-options "--z3rlimit 800 --ext context_pruning" + +let deserialize_then_decompress_u + (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) + = + let _:Prims.unit = + assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_U_COMPRESSION_FACTOR) /! + sz 8) == + v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K)) + in + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K + (fun temp_0_ -> + let _:usize = temp_0_ in + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! + v_U_COMPRESSION_FACTOR + <: + usize) /! + sz 8 + <: + usize) + (ciphertext <: t_Slice u8) + (fun u_as_ntt i -> + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + u_as_ntt + in + let i:usize = i in + forall (j: nat). 
+ j < v i ==> + j * v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) + v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) <= + v v_CIPHERTEXT_SIZE /\ + Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index u_as_ntt j) == + Spec.MLKEM.poly_ntt (Spec.MLKEM.byte_decode_then_decompress (v v_U_COMPRESSION_FACTOR) + (Seq.slice ciphertext + (j * v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K)) + (j * v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) + v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K))) + )) + u_as_ntt + (fun u_as_ntt temp_1_ -> + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + u_as_ntt + in + let i, u_bytes:(usize & t_Slice u8) = temp_1_ in + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt + i + (Libcrux_ml_kem.Serialize.deserialize_then_decompress_ring_element_u v_U_COMPRESSION_FACTOR + #v_Vector + u_bytes + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt + i + (Libcrux_ml_kem.Ntt.ntt_vector_u v_U_COMPRESSION_FACTOR + #v_Vector + (u_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + u_as_ntt) + in + let _:Prims.unit = + Lib.Sequence.eq_intro #Spec.MLKEM.polynomial + #(v v_K) + (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector u_as_ntt) + (let open Spec.MLKEM in + vector_ntt (decode_then_decompress_u #v_K + (Seq.slice ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE v_K))))) + in + u_as_ntt + +#pop-options + #push-options "--z3rlimit 500 --ext context_pruning --z3refresh" let generate_keypair_unpacked 
@@ -766,282 +766,25 @@ let decrypt secret_key_unpacked ciphertext -#push-options "--z3rlimit 800 --ext context_pruning --z3refresh" +#push-options "--z3rlimit 1000 --ext context_pruning --z3refresh" -let compress_then_serialize_u - (v_K v_OUT_LEN v_COMPRESSION_FACTOR v_BLOCK_LEN: usize) +let serialize_secret_key + (v_K v_OUT_LEN: usize) (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (input: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (out: t_Slice u8) + (key: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) = - let _:Prims.unit = - assert (v (sz 32 *! v_COMPRESSION_FACTOR) == 32 * v v_COMPRESSION_FACTOR); - assert (v (v_OUT_LEN /! v_K) == v v_OUT_LEN / v v_K); - assert (v v_OUT_LEN / v v_K == 32 * v v_COMPRESSION_FACTOR) - in - let out:t_Slice u8 = - Rust_primitives.Hax.Folds.fold_enumerated_slice input + let _:Prims.unit = assert_norm (Spec.MLKEM.polynomial_d 12 == Spec.MLKEM.polynomial) in + let out:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in + let out:t_Array u8 v_OUT_LEN = + Rust_primitives.Hax.Folds.fold_enumerated_slice key (fun out i -> - let out:t_Slice u8 = out in + let out:t_Array u8 v_OUT_LEN = out in let i:usize = i in (v i < v v_K ==> - Seq.length out == v v_OUT_LEN /\ - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index input (v i))) /\ - (forall (j: nat). - j < v i ==> - Seq.length out == v v_OUT_LEN /\ (j + 1) * (v v_OUT_LEN / v v_K) <= Seq.length out /\ - (Seq.slice out (j * (v v_OUT_LEN / v v_K)) (((j + 1)) * (v v_OUT_LEN / v v_K)) == - Spec.MLKEM.compress_then_byte_encode (v v_COMPRESSION_FACTOR) - (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index input j))))) - out - (fun out temp_1_ -> - let out:t_Slice u8 = out in - let i, re:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - temp_1_ - in - let _:Prims.unit = - assert (forall (j: nat). 
- j < v i ==> - ((Seq.slice out (j * (v v_OUT_LEN / v v_K)) (((j + 1)) * (v v_OUT_LEN / v v_K)) == - Spec.MLKEM.compress_then_byte_encode (v v_COMPRESSION_FACTOR) - (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index input j))))) - in - let out:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range out - ({ - Core.Ops.Range.f_start = i *! (v_OUT_LEN /! v_K <: usize) <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! (v_OUT_LEN /! v_K <: usize) <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (out.[ { - Core.Ops.Range.f_start = i *! (v_OUT_LEN /! v_K <: usize) <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! (v_OUT_LEN /! v_K <: usize) <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (Libcrux_ml_kem.Serialize.compress_then_serialize_ring_element_u v_COMPRESSION_FACTOR - v_BLOCK_LEN - #v_Vector - re - <: - t_Slice u8) - <: - t_Slice u8) - in - let _:Prims.unit = - let lemma_aux (j: nat{j < v i}) - : Lemma - (Seq.slice out (j * (v v_OUT_LEN / v v_K)) (((j + 1)) * (v v_OUT_LEN / v v_K)) == - Spec.MLKEM.compress_then_byte_encode (v v_COMPRESSION_FACTOR) - (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index input j))) = - Lib.Sequence.eq_intro #u8 - #(v v_OUT_LEN / v v_K) - (Seq.slice out (j * (v v_OUT_LEN / v v_K)) (((j + 1)) * (v v_OUT_LEN / v v_K))) - (Spec.MLKEM.compress_then_byte_encode (v v_COMPRESSION_FACTOR) - (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index input j))) - in - Classical.forall_intro lemma_aux - in - out) - in - let _:Prims.unit = - Lib.Sequence.eq_intro #u8 - #(v v_OUT_LEN) - out - (Spec.MLKEM.compress_then_encode_u #v_K - (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector input)) - in - out - -#pop-options - -#push-options "--z3rlimit 200" - -let encrypt_unpacked - (v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 
v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (#v_Vector #v_Hasher: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) - (message: t_Array u8 (sz 32)) - (randomness: t_Slice u8) - = - let (prf_input: t_Array u8 (sz 33)):t_Array u8 (sz 33) = - Libcrux_ml_kem.Utils.into_padded_array (sz 33) randomness - in - let r_as_ntt, domain_separator:(t_Array - (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & - u8) = - sample_vector_cbd_then_ntt_out v_K - v_ETA1 - v_ETA1_RANDOMNESS_SIZE - #v_Vector - #v_Hasher - prf_input - 0uy - in - let _:Prims.unit = - Lib.Sequence.eq_intro #u8 #32 randomness (Seq.slice prf_input 0 32); - assert (v domain_separator == v v_K) - in - let error_1_, domain_separator:(t_Array - (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & - u8) = - sample_ring_element_cbd v_K - v_ETA2_RANDOMNESS_SIZE - v_ETA2 - #v_Vector - #v_Hasher - prf_input - domain_separator - in - let prf_input:t_Array u8 (sz 33) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize prf_input (sz 32) domain_separator - in - let _:Prims.unit = - assert (Seq.equal prf_input (Seq.append randomness (Seq.create 1 domain_separator))); - assert (prf_input == Seq.append randomness (Seq.create 1 domain_separator)) - in - let (prf_output: t_Array u8 v_ETA2_RANDOMNESS_SIZE):t_Array u8 v_ETA2_RANDOMNESS_SIZE = - Libcrux_ml_kem.Hash_functions.f_PRF #v_Hasher - #v_K - #FStar.Tactics.Typeclasses.solve - v_ETA2_RANDOMNESS_SIZE - (prf_input <: t_Slice u8) - in - let error_2_:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Sampling.sample_from_binomial_distribution v_ETA2 - #v_Vector - (prf_output <: t_Slice u8) - in - let u:t_Array 
(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Libcrux_ml_kem.Matrix.compute_vector_u v_K - #v_Vector - public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A - r_as_ntt - error_1_ - in - let message_as_ring_element:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Serialize.deserialize_then_decompress_message #v_Vector message - in - let v:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Matrix.compute_ring_element_v v_K - #v_Vector - public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt - r_as_ntt - error_2_ - message_as_ring_element - in - let _:Prims.unit = - assert (v_C1_LEN = Spec.MLKEM.v_C1_SIZE v_K); - assert (v_C2_LEN = Spec.MLKEM.v_C2_SIZE v_K); - assert (v_CIPHERTEXT_SIZE == v_C1_LEN +! v_C2_LEN); - assert (v_C1_LEN <=. v_CIPHERTEXT_SIZE) - in - let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = Rust_primitives.Hax.repeat 0uy v_CIPHERTEXT_SIZE in - let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range ciphertext - ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_C1_LEN } - <: - Core.Ops.Range.t_Range usize) - (compress_then_serialize_u v_K - v_C1_LEN - v_U_COMPRESSION_FACTOR - v_BLOCK_LEN - #v_Vector - u - (ciphertext.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_C1_LEN } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - <: - t_Slice u8) - in - let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from ciphertext - ({ Core.Ops.Range.f_start = v_C1_LEN } <: Core.Ops.Range.t_RangeFrom usize) - (Libcrux_ml_kem.Serialize.compress_then_serialize_ring_element_v v_K - v_V_COMPRESSION_FACTOR - v_C2_LEN - #v_Vector - v - (ciphertext.[ { Core.Ops.Range.f_start = v_C1_LEN } <: Core.Ops.Range.t_RangeFrom usize ] - <: - t_Slice u8) - <: - t_Slice u8) - in - let _:Prims.unit = - lemma_slice_append ciphertext - (Seq.slice ciphertext 0 (Rust_primitives.v v_C1_LEN)) - 
(Seq.slice ciphertext (Rust_primitives.v v_C1_LEN) (Seq.length ciphertext)) - in - ciphertext - -#pop-options - -#push-options "--z3rlimit 500 --ext context_pruning" - -let encrypt - (v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (#v_Vector #v_Hasher: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (public_key: t_Slice u8) - (message: t_Array u8 (sz 32)) - (randomness: t_Slice u8) - = - let _:Prims.unit = reveal_opaque (`%Spec.MLKEM.ind_cpa_encrypt) Spec.MLKEM.ind_cpa_encrypt in - let unpacked_public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = - build_unpacked_public_key v_K v_T_AS_NTT_ENCODED_SIZE #v_Vector #v_Hasher public_key - in - encrypt_unpacked v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN - v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 - v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher unpacked_public_key message randomness - -#pop-options - -#push-options "--z3rlimit 1000 --ext context_pruning --z3refresh" - -let serialize_secret_key - (v_K v_OUT_LEN: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (key: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - = - let _:Prims.unit = assert_norm (Spec.MLKEM.polynomial_d 12 == Spec.MLKEM.polynomial) in - let out:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in - let out:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Folds.fold_enumerated_slice key - (fun out i -> - let out:t_Array u8 v_OUT_LEN = out in - let i:usize = i in - (v i < v v_K ==> - 
Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key (v i))) /\ + Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key (v i))) /\ (forall (j: nat). j < v i ==> (j + 1) * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <= Seq.length out /\ 
@@ -1280,3 +1023,260 @@ let generate_keypair #v_Vector public_key private_key + +#push-options "--z3rlimit 800 --ext context_pruning --z3refresh" + +let compress_then_serialize_u + (v_K v_OUT_LEN v_COMPRESSION_FACTOR v_BLOCK_LEN: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (input: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (out: t_Slice u8) + = + let _:Prims.unit = + assert (v (sz 32 *! v_COMPRESSION_FACTOR) == 32 * v v_COMPRESSION_FACTOR); + assert (v (v_OUT_LEN /! v_K) == v v_OUT_LEN / v v_K); + assert (v v_OUT_LEN / v v_K == 32 * v v_COMPRESSION_FACTOR) + in + let out:t_Slice u8 = + Rust_primitives.Hax.Folds.fold_enumerated_slice input + (fun out i -> + let out:t_Slice u8 = out in + let i:usize = i in + (v i < v v_K ==> + Seq.length out == v v_OUT_LEN /\ + Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index input (v i))) /\ + (forall (j: nat). + j < v i ==> + Seq.length out == v v_OUT_LEN /\ (j + 1) * (v v_OUT_LEN / v v_K) <= Seq.length out /\ + (Seq.slice out (j * (v v_OUT_LEN / v v_K)) (((j + 1)) * (v v_OUT_LEN / v v_K)) == + Spec.MLKEM.compress_then_byte_encode (v v_COMPRESSION_FACTOR) + (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index input j))))) + out + (fun out temp_1_ -> + let out:t_Slice u8 = out in + let i, re:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + temp_1_ + in + let _:Prims.unit = + assert (forall (j: nat). + j < v i ==> + ((Seq.slice out (j * (v v_OUT_LEN / v v_K)) (((j + 1)) * (v v_OUT_LEN / v v_K)) == + Spec.MLKEM.compress_then_byte_encode (v v_COMPRESSION_FACTOR) + (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index input j))))) + in + let out:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range out + ({ + Core.Ops.Range.f_start = i *! (v_OUT_LEN /! v_K <: usize) <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! 
(v_OUT_LEN /! v_K <: usize) <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (out.[ { + Core.Ops.Range.f_start = i *! (v_OUT_LEN /! v_K <: usize) <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! (v_OUT_LEN /! v_K <: usize) <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_kem.Serialize.compress_then_serialize_ring_element_u v_COMPRESSION_FACTOR + v_BLOCK_LEN + #v_Vector + re + <: + t_Slice u8) + <: + t_Slice u8) + in + let _:Prims.unit = + let lemma_aux (j: nat{j < v i}) + : Lemma + (Seq.slice out (j * (v v_OUT_LEN / v v_K)) (((j + 1)) * (v v_OUT_LEN / v v_K)) == + Spec.MLKEM.compress_then_byte_encode (v v_COMPRESSION_FACTOR) + (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index input j))) = + Lib.Sequence.eq_intro #u8 + #(v v_OUT_LEN / v v_K) + (Seq.slice out (j * (v v_OUT_LEN / v v_K)) (((j + 1)) * (v v_OUT_LEN / v v_K))) + (Spec.MLKEM.compress_then_byte_encode (v v_COMPRESSION_FACTOR) + (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index input j))) + in + Classical.forall_intro lemma_aux + in + out) + in + let _:Prims.unit = + Lib.Sequence.eq_intro #u8 + #(v v_OUT_LEN) + out + (Spec.MLKEM.compress_then_encode_u #v_K + (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector input)) + in + out + +#pop-options + +#push-options "--z3rlimit 200" + +let encrypt_unpacked + (v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (#v_Vector #v_Hasher: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) + (message: t_Array u8 (sz 32)) + (randomness: t_Slice u8) + = + let 
(prf_input: t_Array u8 (sz 33)):t_Array u8 (sz 33) = + Libcrux_ml_kem.Utils.into_padded_array (sz 33) randomness + in + let r_as_ntt, domain_separator:(t_Array + (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & + u8) = + sample_vector_cbd_then_ntt_out v_K + v_ETA1 + v_ETA1_RANDOMNESS_SIZE + #v_Vector + #v_Hasher + prf_input + 0uy + in + let _:Prims.unit = + Lib.Sequence.eq_intro #u8 #32 randomness (Seq.slice prf_input 0 32); + assert (v domain_separator == v v_K) + in + let error_1_, domain_separator:(t_Array + (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & + u8) = + sample_ring_element_cbd v_K + v_ETA2_RANDOMNESS_SIZE + v_ETA2 + #v_Vector + #v_Hasher + prf_input + domain_separator + in + let prf_input:t_Array u8 (sz 33) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize prf_input (sz 32) domain_separator + in + let _:Prims.unit = + assert (Seq.equal prf_input (Seq.append randomness (Seq.create 1 domain_separator))); + assert (prf_input == Seq.append randomness (Seq.create 1 domain_separator)) + in + let (prf_output: t_Array u8 v_ETA2_RANDOMNESS_SIZE):t_Array u8 v_ETA2_RANDOMNESS_SIZE = + Libcrux_ml_kem.Hash_functions.f_PRF #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + v_ETA2_RANDOMNESS_SIZE + (prf_input <: t_Slice u8) + in + let error_2_:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Sampling.sample_from_binomial_distribution v_ETA2 + #v_Vector + (prf_output <: t_Slice u8) + in + let u:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Libcrux_ml_kem.Matrix.compute_vector_u v_K + #v_Vector + public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A + r_as_ntt + error_1_ + in + let message_as_ring_element:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Serialize.deserialize_then_decompress_message #v_Vector message + in + let v:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + 
Libcrux_ml_kem.Matrix.compute_ring_element_v v_K + #v_Vector + public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + r_as_ntt + error_2_ + message_as_ring_element + in + let _:Prims.unit = + assert (v_C1_LEN = Spec.MLKEM.v_C1_SIZE v_K); + assert (v_C2_LEN = Spec.MLKEM.v_C2_SIZE v_K); + assert (v_CIPHERTEXT_SIZE == v_C1_LEN +! v_C2_LEN); + assert (v_C1_LEN <=. v_CIPHERTEXT_SIZE) + in + let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = Rust_primitives.Hax.repeat 0uy v_CIPHERTEXT_SIZE in + let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range ciphertext + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_C1_LEN } + <: + Core.Ops.Range.t_Range usize) + (compress_then_serialize_u v_K + v_C1_LEN + v_U_COMPRESSION_FACTOR + v_BLOCK_LEN + #v_Vector + u + (ciphertext.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_C1_LEN } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + t_Slice u8) + in + let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from ciphertext + ({ Core.Ops.Range.f_start = v_C1_LEN } <: Core.Ops.Range.t_RangeFrom usize) + (Libcrux_ml_kem.Serialize.compress_then_serialize_ring_element_v v_K + v_V_COMPRESSION_FACTOR + v_C2_LEN + #v_Vector + v + (ciphertext.[ { Core.Ops.Range.f_start = v_C1_LEN } <: Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + <: + t_Slice u8) + in + let _:Prims.unit = + lemma_slice_append ciphertext + (Seq.slice ciphertext 0 (Rust_primitives.v v_C1_LEN)) + (Seq.slice ciphertext (Rust_primitives.v v_C1_LEN) (Seq.length ciphertext)) + in + ciphertext + +#pop-options + +#push-options "--z3rlimit 500 --ext context_pruning" + +let encrypt + (v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (#v_Vector #v_Hasher: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve 
()] + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (public_key: t_Slice u8) + (message: t_Array u8 (sz 32)) + (randomness: t_Slice u8) + = + let _:Prims.unit = reveal_opaque (`%Spec.MLKEM.ind_cpa_encrypt) Spec.MLKEM.ind_cpa_encrypt in + let unpacked_public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = + build_unpacked_public_key v_K v_T_AS_NTT_ENCODED_SIZE #v_Vector #v_Hasher public_key + in + encrypt_unpacked v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN + v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher unpacked_public_key message randomness + +#pop-options diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti index 981a0c86e..c436f28d9 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti 
@@ -12,6 +12,29 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +/// Sample a vector of ring elements from a centered binomial distribution. +val sample_ring_element_cbd + (v_K v_ETA2_RANDOMNESS_SIZE v_ETA2: usize) + (#v_Vector #v_Hasher: Type0) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (prf_input: t_Array u8 (sz 33)) + (domain_separator: u8) + : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) + (requires + Spec.MLKEM.is_rank v_K /\ v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ + v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ v domain_separator < 2 * v v_K /\ + range (v domain_separator + v v_K) u8_inttype) + (ensures + fun temp_0_ -> + let err1, ds:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & + u8) = + temp_0_ + in + v ds == v domain_separator + v v_K /\ + Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector err1 == + Spec.MLKEM.sample_vector_cbd2 #v_K (Seq.slice prf_input 0 32) (sz (v domain_separator))) + /// Call [`deserialize_to_uncompressed_ring_element`] for each ring element. val deserialize_secret_key (v_K: usize) 
@@ -80,47 +103,6 @@ val build_unpacked_public_key Libcrux_ml_kem.Polynomial.to_spec_matrix_t #v_K #v_Vector result.f_A == Spec.MLKEM.matrix_transpose matrix_A_as_ntt)) -/// Call [`deserialize_then_decompress_ring_element_u`] on each ring element -/// in the `ciphertext`. -val deserialize_then_decompress_u - (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (requires - Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K) - (ensures - fun res -> - let res:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = res in - Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector res == - Spec.MLKEM.(vector_ntt (decode_then_decompress_u #v_K - (Seq.slice ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE v_K)))))) - -/// Sample a vector of ring elements from a centered binomial distribution. 
-val sample_ring_element_cbd - (v_K v_ETA2_RANDOMNESS_SIZE v_ETA2: usize) - (#v_Vector #v_Hasher: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - (prf_input: t_Array u8 (sz 33)) - (domain_separator: u8) - : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) - (requires - Spec.MLKEM.is_rank v_K /\ v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ v domain_separator < 2 * v v_K /\ - range (v domain_separator + v v_K) u8_inttype) - (ensures - fun temp_0_ -> - let err1, ds:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & - u8) = - temp_0_ - in - v ds == v domain_separator + v v_K /\ - Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector err1 == - Spec.MLKEM.sample_vector_cbd2 #v_K (Seq.slice prf_input 0 32) (sz (v domain_separator))) - /// Sample a vector of ring elements from a centered binomial distribution and /// convert them into their NTT representations. val sample_vector_cbd_then_ntt 
@@ -177,6 +159,24 @@ val sample_vector_cbd_then_ntt_out (Seq.slice prf_input 0 32) (sz (v domain_separator))) +/// Call [`deserialize_then_decompress_ring_element_u`] on each ring element +/// in the `ciphertext`. +val deserialize_then_decompress_u + (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (requires + Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ + v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K) + (ensures + fun res -> + let res:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = res in + Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector res == + Spec.MLKEM.(vector_ntt (decode_then_decompress_u #v_K + (Seq.slice ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE v_K)))))) + /// This function implements most of Algorithm 12 of the /// NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation algorithm. /// We say \"most of\" since Algorithm 12 samples the required randomness within 
@@ -314,6 +314,105 @@ val decrypt let result:t_Array u8 (sz 32) = result in result == Spec.MLKEM.ind_cpa_decrypt v_K secret_key ciphertext) +/// Call [`serialize_uncompressed_ring_element`] for each ring element. +val serialize_secret_key + (v_K v_OUT_LEN: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (key: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + : Prims.Pure (t_Array u8 v_OUT_LEN) + (requires + Spec.MLKEM.is_rank v_K /\ v_OUT_LEN == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ + (forall (i: nat). + i < v v_K ==> + Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key i))) + (ensures + fun res -> + let res:t_Array u8 v_OUT_LEN = res in + res == + Spec.MLKEM.vector_encode_12 #v_K + (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector key)) + +/// Concatenate `t` and `ρ` into the public key. +val serialize_public_key_mut + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (seed_for_a: t_Slice u8) + (serialized: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) + (requires + Spec.MLKEM.is_rank v_K /\ + v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ length seed_for_a == sz 32 /\ + (forall (i: nat). + i < v v_K ==> + Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index tt_as_ntt i))) + (ensures + fun serialized_future -> + let serialized_future:t_Array u8 v_PUBLIC_KEY_SIZE = serialized_future in + serialized_future == + Seq.append (Spec.MLKEM.vector_encode_12 #v_K + (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector tt_as_ntt)) + seed_for_a) + +/// Concatenate `t` and `ρ` into the public key. 
+val serialize_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (seed_for_a: t_Slice u8) + : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) + (requires + Spec.MLKEM.is_rank v_K /\ + v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ length seed_for_a == sz 32 /\ + (forall (i: nat). + i < v v_K ==> + Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index tt_as_ntt i))) + (ensures + fun res -> + let res:t_Array u8 v_PUBLIC_KEY_SIZE = res in + res == + Seq.append (Spec.MLKEM.vector_encode_12 #v_K + (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector tt_as_ntt)) + seed_for_a) + +/// Serialize the secret key from the unpacked key pair generation. +val serialize_unpacked_secret_key + (v_K v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) + (private_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) + : Prims.Pure (t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +val generate_keypair + (v_K v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (#v_Vector #v_Hasher #v_Scheme: Type0) + {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |} + (key_generation_seed: t_Slice u8) + : Prims.Pure (t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE) + (requires + Spec.MLKEM.is_rank v_K /\ v_PRIVATE_KEY_SIZE == 
Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ + v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ + v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ + length key_generation_seed == Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE) + (ensures + fun result -> + let result:(t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE) = result in + let expected, valid = Spec.MLKEM.ind_cpa_generate_keypair v_K key_generation_seed in + valid ==> result == expected) + /// Call [`compress_then_serialize_ring_element_u`] on each ring element. val compress_then_serialize_u (v_K v_OUT_LEN v_COMPRESSION_FACTOR v_BLOCK_LEN: usize) 
@@ -429,102 +528,3 @@ val encrypt let result:t_Array u8 v_CIPHERTEXT_SIZE = result in let expected, valid = Spec.MLKEM.ind_cpa_encrypt v_K public_key message randomness in valid ==> result == expected) - -/// Call [`serialize_uncompressed_ring_element`] for each ring element. -val serialize_secret_key - (v_K v_OUT_LEN: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (key: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - : Prims.Pure (t_Array u8 v_OUT_LEN) - (requires - Spec.MLKEM.is_rank v_K /\ v_OUT_LEN == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - (forall (i: nat). - i < v v_K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key i))) - (ensures - fun res -> - let res:t_Array u8 v_OUT_LEN = res in - res == - Spec.MLKEM.vector_encode_12 #v_K - (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector key)) - -/// Concatenate `t` and `ρ` into the public key. -val serialize_public_key_mut - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (seed_for_a: t_Slice u8) - (serialized: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) - (requires - Spec.MLKEM.is_rank v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ length seed_for_a == sz 32 /\ - (forall (i: nat). 
- i < v v_K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index tt_as_ntt i))) - (ensures - fun serialized_future -> - let serialized_future:t_Array u8 v_PUBLIC_KEY_SIZE = serialized_future in - serialized_future == - Seq.append (Spec.MLKEM.vector_encode_12 #v_K - (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector tt_as_ntt)) - seed_for_a) - -/// Concatenate `t` and `ρ` into the public key. -val serialize_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (seed_for_a: t_Slice u8) - : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) - (requires - Spec.MLKEM.is_rank v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ length seed_for_a == sz 32 /\ - (forall (i: nat). - i < v v_K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index tt_as_ntt i))) - (ensures - fun res -> - let res:t_Array u8 v_PUBLIC_KEY_SIZE = res in - res == - Seq.append (Spec.MLKEM.vector_encode_12 #v_K - (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector tt_as_ntt)) - seed_for_a) - -/// Serialize the secret key from the unpacked key pair generation. 
-val serialize_unpacked_secret_key - (v_K v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) - (private_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) - : Prims.Pure (t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE) - Prims.l_True - (fun _ -> Prims.l_True) - -val generate_keypair - (v_K v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: - usize) - (#v_Vector #v_Hasher #v_Scheme: Type0) - {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |} - (key_generation_seed: t_Slice u8) - : Prims.Pure (t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE) - (requires - Spec.MLKEM.is_rank v_K /\ v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - length key_generation_seed == Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE) - (ensures - fun result -> - let result:(t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE) = result in - let expected, valid = Spec.MLKEM.ind_cpa_generate_keypair v_K key_generation_seed in - valid ==> result == expected) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst index c405a03d7..ac4b10e1b 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst 
@@ -9,26 +9,6 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -let inv_ntt_layer_int_vec_step_reduce - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (a b: v_Vector) - (zeta_r: i16) - = - let a_minus_b:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_sub #v_Vector #FStar.Tactics.Typeclasses.solve b a - in - let a:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector - #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_kem.Vector.Traits.f_add #v_Vector #FStar.Tactics.Typeclasses.solve a b <: v_Vector - ) - in - let b:v_Vector = Libcrux_ml_kem.Vector.Traits.montgomery_multiply_fe #v_Vector a_minus_b zeta_r in - a, b <: (v_Vector & v_Vector) - #push-options "--z3rlimit 200 --ext context_pruning" let invert_ntt_at_layer_1_ @@ -261,6 +241,26 @@ let invert_ntt_at_layer_3_ #pop-options +let inv_ntt_layer_int_vec_step_reduce + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (a b: v_Vector) + (zeta_r: i16) + = + let a_minus_b:v_Vector = + Libcrux_ml_kem.Vector.Traits.f_sub #v_Vector #FStar.Tactics.Typeclasses.solve b a + in + let a:v_Vector = + Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_kem.Vector.Traits.f_add #v_Vector #FStar.Tactics.Typeclasses.solve a b <: v_Vector + ) + in + let b:v_Vector = Libcrux_ml_kem.Vector.Traits.montgomery_multiply_fe #v_Vector a_minus_b zeta_r in + a, b <: (v_Vector & v_Vector) + #push-options "--admit_smt_queries true" let invert_ntt_at_layer_4_plus diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fsti index 52d37549d..884460991 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fsti 
@@ -9,28 +9,6 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -val inv_ntt_layer_int_vec_step_reduce - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (a b: v_Vector) - (zeta_r: i16) - : Prims.Pure (v_Vector & v_Vector) - (requires - Spec.Utils.is_i16b 1664 zeta_r /\ - (forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array b) i) - - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i))) /\ - (forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i) + - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array b) i))) /\ - Spec.Utils.is_i16b_array 28296 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (Libcrux_ml_kem.Vector.Traits.f_add a b))) - (fun _ -> Prims.l_True) - [@@ "opaque_to_smt"] let invert_ntt_re_range_1 (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} 
@@ -90,6 +68,28 @@ val invert_ntt_at_layer_3_ in invert_ntt_re_range_2 re_future /\ v zeta_i_future == 16) +val inv_ntt_layer_int_vec_step_reduce + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (a b: v_Vector) + (zeta_r: i16) + : Prims.Pure (v_Vector & v_Vector) + (requires + Spec.Utils.is_i16b 1664 zeta_r /\ + (forall i. + i < 16 ==> + Spec.Utils.is_intb (pow2 15 - 1) + (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array b) i) - + v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i))) /\ + (forall i. + i < 16 ==> + Spec.Utils.is_intb (pow2 15 - 1) + (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i) + + v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array b) i))) /\ + Spec.Utils.is_i16b_array 28296 + (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (Libcrux_ml_kem.Vector.Traits.f_add a b))) + (fun _ -> Prims.l_True) + val invert_ntt_at_layer_4_plus (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst index 6c1d41758..4e0739b87 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst 
@@ -137,101 +137,6 @@ let sample_matrix_A let _:Prims.unit = result in v_A_transpose -let compute_As_plus_e - (v_K: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (matrix_A: - t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) - (s_as_ntt error_as_ntt: - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - = - let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Folds.fold_enumerated_slice (matrix_A - <: - t_Slice (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)) - (fun tt_as_ntt temp_1_ -> - let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - tt_as_ntt - in - let _:usize = temp_1_ in - true) - tt_as_ntt - (fun tt_as_ntt temp_1_ -> - let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - tt_as_ntt - in - let i, row:(usize & - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) = - temp_1_ - in - let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt - i - (Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Folds.fold_enumerated_slice (row - <: - t_Slice (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)) - (fun tt_as_ntt temp_1_ -> - let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K = - tt_as_ntt - in - let _:usize = temp_1_ in - true) - tt_as_ntt - (fun tt_as_ntt temp_1_ -> - let tt_as_ntt:t_Array 
(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K = - tt_as_ntt - in - let j, matrix_element:(usize & - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - temp_1_ - in - let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector - matrix_element - (s_as_ntt.[ j ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt - i - (Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector - v_K - (tt_as_ntt.[ i ] - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - product - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - tt_as_ntt) - in - let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt - i - (Libcrux_ml_kem.Polynomial.impl_2__add_standard_error_reduce #v_Vector - (tt_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (error_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - tt_as_ntt) - in - let result:Prims.unit = () <: Prims.unit in - let _:Prims.unit = admit () (* Panic freedom *) in - let _:Prims.unit = result in - tt_as_ntt - #push-options "--admit_smt_queries true" let compute_message 
@@ -427,3 +332,98 @@ let compute_vector_u result #pop-options + +let compute_As_plus_e + (v_K: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (matrix_A: + t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) + (s_as_ntt error_as_ntt: + t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + = + let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Folds.fold_enumerated_slice (matrix_A + <: + t_Slice (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)) + (fun tt_as_ntt temp_1_ -> + let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + tt_as_ntt + in + let _:usize = temp_1_ in + true) + tt_as_ntt + (fun tt_as_ntt temp_1_ -> + let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + tt_as_ntt + in + let i, row:(usize & + t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) = + temp_1_ + in + let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt + i + (Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Folds.fold_enumerated_slice (row + <: + t_Slice (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)) + (fun tt_as_ntt temp_1_ -> + let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K = + tt_as_ntt + in + let _:usize = temp_1_ in + true) + tt_as_ntt + (fun tt_as_ntt temp_1_ -> + let tt_as_ntt:t_Array 
(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K = + tt_as_ntt + in + let j, matrix_element:(usize & + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + temp_1_ + in + let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector + matrix_element + (s_as_ntt.[ j ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt + i + (Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector + v_K + (tt_as_ntt.[ i ] + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + product + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + tt_as_ntt) + in + let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt + i + (Libcrux_ml_kem.Polynomial.impl_2__add_standard_error_reduce #v_Vector + (tt_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (error_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + tt_as_ntt) + in + let result:Prims.unit = () <: Prims.unit in + let _:Prims.unit = admit () (* Panic freedom *) in + let _:Prims.unit = result in + tt_as_ntt diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti index 8c4c95e96..13f83c59a 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti 
@@ -36,34 +36,6 @@ val sample_matrix_A Libcrux_ml_kem.Polynomial.to_spec_matrix_t v_A_transpose_future == Spec.MLKEM.matrix_transpose matrix_A)) -/// Compute  ◦ ŝ + ê -val compute_As_plus_e - (v_K: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (matrix_A: - t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) - (s_as_ntt error_as_ntt: - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (requires Spec.MLKEM.is_rank v_K) - (ensures - fun tt_as_ntt_future -> - let tt_as_ntt_future:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K = - tt_as_ntt_future - in - let open Libcrux_ml_kem.Polynomial in - to_spec_vector_t tt_as_ntt_future = - Spec.MLKEM.compute_As_plus_e_ntt (to_spec_matrix_t matrix_A) - (to_spec_vector_t s_as_ntt) - (to_spec_vector_t error_as_ntt) /\ - (forall (i: nat). - i < v v_K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index tt_as_ntt_future - i))) - /// The following functions compute various expressions involving /// vectors and matrices. The computation of these expressions has been /// abstracted away into these functions in order to save on loop iterations. 
@@ -134,3 +106,31 @@ val compute_vector_u (forall (i: nat). i < v v_K ==> Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index res i))) + +/// Compute  ◦ ŝ + ê +val compute_As_plus_e + (v_K: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (matrix_A: + t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) + (s_as_ntt error_as_ntt: + t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (requires Spec.MLKEM.is_rank v_K) + (ensures + fun tt_as_ntt_future -> + let tt_as_ntt_future:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K = + tt_as_ntt_future + in + let open Libcrux_ml_kem.Polynomial in + to_spec_vector_t tt_as_ntt_future = + Spec.MLKEM.compute_As_plus_e_ntt (to_spec_matrix_t matrix_A) + (to_spec_vector_t s_as_ntt) + (to_spec_vector_t error_as_ntt) /\ + (forall (i: nat). + i < v v_K ==> + Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index tt_as_ntt_future + i))) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst index be6ebd525..49434de05 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst 
@@ -11,6 +11,22 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 4) + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + (sz 1536) + (sz 1568) + public_key + serialized + in + serialized + let key_pair_serialized_private_key (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) @@ -42,17 +58,6 @@ let key_pair_serialized_private_key_mut in serialized -let key_pair_serialized_public_key - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - = - Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 4) - #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector - (sz 1536) - (sz 1568) - key_pair - let key_pair_serialized_public_key_mut (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) 
@@ -69,75 +74,16 @@ let key_pair_serialized_public_key_mut in serialized -let serialized_public_key - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - = - let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) = - Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 4) - #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector - (sz 1536) - (sz 1568) - public_key - serialized - in - serialized - -let decapsulate - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.decapsulate (sz 4) (sz 3168) (sz 1536) - (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) - (sz 128) (sz 1600) private_key ciphertext - -let encapsulate - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568) - (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key - randomness - -let generate_key_pair_mut - (randomness: t_Array u8 (sz 64)) +let key_pair_serialized_public_key (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = - let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.generate_keypair (sz 4) - (sz 1536) - (sz 3168) - (sz 1568) - (sz 1536) - (sz 2) - (sz 128) - randomness - key_pair - in - key_pair - -let generate_key_pair (randomness: t_Array u8 (sz 64)) = - let 
key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = - Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - #FStar.Tactics.Typeclasses.solve - () - in - let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = - generate_key_pair_mut randomness key_pair - in - key_pair + Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 4) + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + (sz 1536) + (sz 1568) + key_pair let init_key_pair (_: Prims.unit) = Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) 
@@ -186,3 +132,57 @@ let unpacked_public_key unpacked_public_key in unpacked_public_key + +let generate_key_pair_mut + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.generate_keypair (sz 4) + (sz 1536) + (sz 3168) + (sz 1568) + (sz 1536) + (sz 2) + (sz 128) + randomness + key_pair + in + key_pair + +let generate_key_pair (randomness: t_Array u8 (sz 64)) = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + #FStar.Tactics.Typeclasses.solve + () + in + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = + generate_key_pair_mut randomness key_pair + in + key_pair + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568) + (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.decapsulate (sz 4) (sz 3168) (sz 1536) + (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) + (sz 128) (sz 1600) private_key ciphertext 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti index 72df96050..f4bbb7ad0 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti @@ -11,6 +11,22 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (requires + forall (i: nat). + i < 4 ==> + Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key + .f_ind_cpa_public_key + .f_t_as_ntt + i)) + (fun _ -> Prims.l_True) + /// Get the serialized private key. val key_pair_serialized_private_key (key_pair: @@ -31,10 +47,11 @@ val key_pair_serialized_private_key_mut (fun _ -> Prims.l_True) /// Get the serialized public key. -val key_pair_serialized_public_key +val key_pair_serialized_public_key_mut (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) (requires forall (i: nat). @@ -46,11 +63,10 @@ val key_pair_serialized_public_key (fun _ -> Prims.l_True) /// Get the serialized public key. -val key_pair_serialized_public_key_mut +val key_pair_serialized_public_key (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) (requires forall (i: nat). 
@@ -61,71 +77,6 @@ val key_pair_serialized_public_key_mut i)) (fun _ -> Prims.l_True) -/// Get the serialized public key. -val serialized_public_key - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - (requires - forall (i: nat). - i < 4 ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key - .f_ind_cpa_public_key - .f_t_as_ntt - i)) - (fun _ -> Prims.l_True) - -/// Decapsulate ML-KEM 1024 (unpacked) -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`] -/// and an [`MlKem1024Ciphertext`]. -val decapsulate - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 1024 (unpacked) -/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. 
-/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved: -/// -val encapsulate - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Generate ML-KEM 1024 Key Pair in "unpacked" form -val generate_key_pair_mut - (randomness: t_Array u8 (sz 64)) - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate ML-KEM 1024 Key Pair in "unpacked" form. -val generate_key_pair (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) - /// Create a new, empty unpacked key. val init_key_pair: Prims.unit -> Prims.Pure 
@@ -157,3 +108,52 @@ val unpacked_public_key : Prims.Pure (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 1024 Key Pair in "unpacked" form +val generate_key_pair_mut + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 1024 Key Pair in "unpacked" form. +val generate_key_pair (randomness: t_Array u8 (sz 64)) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 1024 (unpacked) +/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved: +/// +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 1024 (unpacked) +/// Generates an [`MlKemSharedSecret`]. 
+/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`] +/// and an [`MlKem1024Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst index c9b450487..0e4037437 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst 
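Review bot: The doc comment on `encapsulate` lists three inputs — the unpacked public key, "the SHA3-256 hash of this public key", and the randomness — but the `val` directly below it takes only `public_key` and `randomness`, so a reader looking for a hash argument will not find one. If the hash is carried inside `t_MlKemPublicKeyUnpacked` (not visible in this hunk), the sentence should say so, e.g. `/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`] (which carries the SHA3-256 hash of the packed key) and [`SHARED_SECRET_SIZE`] bytes of `randomness`.`; otherwise the hash clause should be dropped. The same block ends its TODO with a bare `///` where the issue link appears to have been lost. Since this is hax-extracted F*, the fix belongs in the Rust doc comment it was generated from; the identical text recurs in the Neon unpacked module in this diff.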
@@ -16,20 +16,11 @@ let validate_private_key let validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) = Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_private_key_only (sz 4) (sz 3168) private_key -let decapsulate - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568) - (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) - (sz 1600) private_key ciphertext - -let encapsulate - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.encapsulate (sz 4) (sz 1568) (sz 1568) (sz 1536) - (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 4) + (sz 1536) + (sz 1568) + public_key.Libcrux_ml_kem.Types.f_value let generate_key_pair (randomness: t_Array u8 (sz 64)) = Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.generate_keypair (sz 4) 
@@ -41,8 +32,17 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 128) randomness -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 4) - (sz 1536) - (sz 1568) - public_key.Libcrux_ml_kem.Types.f_value +let encapsulate + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.encapsulate (sz 4) (sz 1568) (sz 1568) (sz 1536) + (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness + +let decapsulate + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568) + (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) + (sz 1600) private_key ciphertext diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti index 763fc3d71..0b95c612c 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti 
@@ -15,13 +15,16 @@ val validate_private_key val validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) -/// Decapsulate ML-KEM 1024 -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`]. -val decapsulate - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `true` if valid, and `false` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 1024 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 64)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568)) + Prims.l_True + (fun _ -> Prims.l_True) /// Encapsulate ML-KEM 1024 /// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. @@ -34,13 +37,10 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) -/// Generate ML-KEM 1024 Key Pair -val generate_key_pair (randomness: t_Array u8 (sz 64)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Validate a public key. -/// Returns `true` if valid, and `false` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) +/// Decapsulate ML-KEM 1024 +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`]. +val decapsulate + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst index 865f73d20..d1f661394 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst @@ -11,6 +11,22 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 4) + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + (sz 1536) + (sz 1568) + public_key + serialized + in + serialized + let key_pair_serialized_private_key (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) @@ -42,17 +58,6 @@ let key_pair_serialized_private_key_mut in serialized -let key_pair_serialized_public_key - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - = - Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 4) - #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - (sz 1536) - (sz 1568) - key_pair - let key_pair_serialized_public_key_mut (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) 
@@ -69,75 +74,16 @@ let key_pair_serialized_public_key_mut in serialized -let serialized_public_key - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - = - let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) = - Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 4) - #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - (sz 1536) - (sz 1568) - public_key - serialized - in - serialized - -let decapsulate - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.decapsulate (sz 4) (sz 3168) (sz 1536) - (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) - (sz 128) (sz 1600) private_key ciphertext - -let encapsulate - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568) - (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key - randomness - -let generate_key_pair_mut - (randomness: t_Array u8 (sz 64)) +let key_pair_serialized_public_key (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = - let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.generate_keypair (sz 4) - (sz 1536) - (sz 3168) - (sz 1568) - (sz 1536) - (sz 2) - (sz 128) - randomness - key_pair - in - key_pair - -let 
generate_key_pair (randomness: t_Array u8 (sz 64)) = - let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - #FStar.Tactics.Typeclasses.solve - () - in - let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - generate_key_pair_mut randomness key_pair - in - key_pair + Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 4) + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + (sz 1536) + (sz 1568) + key_pair let init_key_pair (_: Prims.unit) = Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) 
@@ -186,3 +132,57 @@ let unpacked_public_key unpacked_public_key in unpacked_public_key + +let generate_key_pair_mut + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.generate_keypair (sz 4) + (sz 1536) + (sz 3168) + (sz 1568) + (sz 1536) + (sz 2) + (sz 128) + randomness + key_pair + in + key_pair + +let generate_key_pair (randomness: t_Array u8 (sz 64)) = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + #FStar.Tactics.Typeclasses.solve + () + in + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + generate_key_pair_mut randomness key_pair + in + key_pair + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568) + (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.decapsulate (sz 4) (sz 3168) (sz 1536) + (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) 
(sz 128) (sz 2) + (sz 128) (sz 1600) private_key ciphertext diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti index 3b4eb1833..4cc5d2da0 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti @@ -11,6 +11,22 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (requires + forall (i: nat). + i < 4 ==> + Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key + .f_ind_cpa_public_key + .f_t_as_ntt + i)) + (fun _ -> Prims.l_True) + /// Get the serialized private key. val key_pair_serialized_private_key (key_pair: @@ -31,10 +47,11 @@ val key_pair_serialized_private_key_mut (fun _ -> Prims.l_True) /// Get the serialized public key. -val key_pair_serialized_public_key +val key_pair_serialized_public_key_mut (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) (requires forall (i: nat). 
@@ -46,11 +63,10 @@ val key_pair_serialized_public_key (fun _ -> Prims.l_True) /// Get the serialized public key. -val key_pair_serialized_public_key_mut +val key_pair_serialized_public_key (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) (requires forall (i: nat). 
@@ -61,75 +77,6 @@ val key_pair_serialized_public_key_mut i)) (fun _ -> Prims.l_True) -/// Get the serialized public key. -val serialized_public_key - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - (requires - forall (i: nat). - i < 4 ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key - .f_ind_cpa_public_key - .f_t_as_ntt - i)) - (fun _ -> Prims.l_True) - -/// Decapsulate ML-KEM 1024 (unpacked) -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`] -/// and an [`MlKem1024Ciphertext`]. -val decapsulate - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 1024 (unpacked) -/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. 
-/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved: -/// -val encapsulate - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Generate ML-KEM 1024 Key Pair in "unpacked" form -val generate_key_pair_mut - (randomness: t_Array u8 (sz 64)) - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Generate ML-KEM 1024 Key Pair in "unpacked" form. -val generate_key_pair (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - Prims.l_True - (fun _ -> Prims.l_True) - /// Create a new, empty unpacked key. val init_key_pair: Prims.unit -> Prims.Pure 
@@ -169,3 +116,56 @@ val unpacked_public_key Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 1024 Key Pair in "unpacked" form +val generate_key_pair_mut + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate ML-KEM 1024 Key Pair in "unpacked" form. +val generate_key_pair (randomness: t_Array u8 (sz 64)) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 1024 (unpacked) +/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved: +/// +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 1024 (unpacked) +/// Generates an [`MlKemSharedSecret`]. 
+/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`] +/// and an [`MlKem1024Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst index f664c07b3..fcf5aa3dc 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst 
@@ -16,20 +16,11 @@ let validate_private_key let validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) = Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_private_key_only (sz 4) (sz 3168) private_key -let decapsulate - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568) - (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) - (sz 1600) private_key ciphertext - -let encapsulate - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.encapsulate (sz 4) (sz 1568) (sz 1568) (sz 1536) - (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 4) + (sz 1536) + (sz 1568) + public_key.Libcrux_ml_kem.Types.f_value let generate_key_pair (randomness: t_Array u8 (sz 64)) = Libcrux_ml_kem.Ind_cca.Instantiations.Neon.generate_keypair (sz 4) 
@@ -41,8 +32,17 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) =
 (sz 128)
 randomness
 
-let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) =
- Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 4)
- (sz 1536)
- (sz 1568)
- public_key.Libcrux_ml_kem.Types.f_value
+let encapsulate
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ (randomness: t_Array u8 (sz 32))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Neon.encapsulate (sz 4) (sz 1568) (sz 1568) (sz 1536)
+ (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness
+
+let decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Neon.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568)
+ (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128)
+ (sz 1600) private_key ciphertext
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti
index 097585875..8cffc1450 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti
@@ -15,13 +15,16 @@ val validate_private_key
 val validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
 : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
 
-/// Decapsulate ML-KEM 1024
-/// Generates an [`MlKemSharedSecret`].
-/// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`].
-val decapsulate
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
- : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+/// Validate a public key.
+/// Returns `true` if valid, and `false` otherwise.
+val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
+/// Generate ML-KEM 1024 Key Pair
+val generate_key_pair (randomness: t_Array u8 (sz 64))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
 
 /// Encapsulate ML-KEM 1024
 /// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple.
@@ -34,13 +37,10 @@ val encapsulate
 Prims.l_True
 (fun _ -> Prims.l_True)
 
-/// Generate ML-KEM 1024 Key Pair
-val generate_key_pair (randomness: t_Array u8 (sz 64))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568))
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-/// Validate a public key.
-/// Returns `true` if valid, and `false` otherwise.
-val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
- : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+/// Decapsulate ML-KEM 1024
+/// Generates an [`MlKemSharedSecret`].
+/// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`].
+val decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
+ : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fst
index 864cd1438..2e02c8a38 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fst
@@ -11,6 +11,22 @@ let _ =
 let open Libcrux_ml_kem.Vector.Traits in
 ()
 
+let serialized_public_key
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ =
+ let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) =
+ Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 4)
+ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ (sz 1536)
+ (sz 1568)
+ public_key
+ serialized
+ in
+ serialized
+
 let key_pair_serialized_private_key
 (key_pair:
 Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
@@ -42,17 +58,6 @@ let key_pair_serialized_private_key_mut
 in
 serialized
 
-let key_pair_serialized_public_key
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- =
- Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 4)
- #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- (sz 1536)
- (sz 1568)
- key_pair
-
 let key_pair_serialized_public_key_mut
 (key_pair:
 Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
@@ -69,75 +74,16 @@ let key_pair_serialized_public_key_mut
 in
 serialized
 
-let serialized_public_key
- (public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
- =
- let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) =
- Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 4)
- #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- (sz 1536)
- (sz 1568)
- public_key
- serialized
- in
- serialized
-
-let decapsulate
- (private_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.decapsulate (sz 4) (sz 3168) (sz 1536)
- (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2)
- (sz 128) (sz 1600) private_key ciphertext
-
-let encapsulate
- (public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (randomness: t_Array u8 (sz 32))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568)
- (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key
- randomness
-
-let generate_key_pair_mut
- (randomness: t_Array u8 (sz 64))
+let key_pair_serialized_public_key
 (key_pair:
 Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
 Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
 =
- let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.generate_keypair (sz 4)
- (sz 1536)
- (sz 3168)
- (sz 1568)
- (sz 1536)
- (sz 2)
- (sz 128)
- randomness
- key_pair
- in
- key_pair
-
-let generate_key_pair (randomness: t_Array u8 (sz 64)) =
- let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- #FStar.Tactics.Typeclasses.solve
- ()
- in
- let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- generate_key_pair_mut randomness key_pair
- in
- key_pair
+ Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 4)
+ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ (sz 1536)
+ (sz 1568)
+ key_pair
 
 let init_key_pair (_: Prims.unit) =
 Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
@@ -186,3 +132,57 @@ let unpacked_public_key
 unpacked_public_key
 in
 unpacked_public_key
+
+let generate_key_pair_mut
+ (randomness: t_Array u8 (sz 64))
+ (key_pair:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ =
+ let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.generate_keypair (sz 4)
+ (sz 1536)
+ (sz 3168)
+ (sz 1568)
+ (sz 1536)
+ (sz 2)
+ (sz 128)
+ randomness
+ key_pair
+ in
+ key_pair
+
+let generate_key_pair (randomness: t_Array u8 (sz 64)) =
+ let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ #FStar.Tactics.Typeclasses.solve
+ ()
+ in
+ let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ generate_key_pair_mut randomness key_pair
+ in
+ key_pair
+
+let encapsulate
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (randomness: t_Array u8 (sz 32))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568)
+ (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key
+ randomness
+
+let decapsulate
+ (private_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.decapsulate (sz 4) (sz 3168) (sz 1536)
+ (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2)
+ (sz 128) (sz 1600) private_key ciphertext
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fsti
index 6370203e4..cdc592c3c 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fsti
@@ -11,6 +11,22 @@ let _ =
 let open Libcrux_ml_kem.Vector.Traits in
 ()
 
+/// Get the serialized public key.
+val serialized_public_key
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ (requires
+ forall (i: nat).
+ i < 4 ==>
+ Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
+ .f_ind_cpa_public_key
+ .f_t_as_ntt
+ i))
+ (fun _ -> Prims.l_True)
+
 /// Get the serialized private key.
 val key_pair_serialized_private_key
 (key_pair:
@@ -31,10 +47,11 @@ val key_pair_serialized_private_key_mut
 (fun _ -> Prims.l_True)
 
 /// Get the serialized public key.
-val key_pair_serialized_public_key
+val key_pair_serialized_public_key_mut
 (key_pair:
 Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
 Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
 : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
 (requires
 forall (i: nat).
@@ -46,11 +63,10 @@ val key_pair_serialized_public_key
 (fun _ -> Prims.l_True)
 
 /// Get the serialized public key.
-val key_pair_serialized_public_key_mut
+val key_pair_serialized_public_key
 (key_pair:
 Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
 Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
 : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
 (requires
 forall (i: nat).
@@ -61,75 +77,6 @@ val key_pair_serialized_public_key_mut
 i))
 (fun _ -> Prims.l_True)
 
-/// Get the serialized public key.
-val serialized_public_key
- (public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
- (requires
- forall (i: nat).
- i < 4 ==>
- Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
- .f_ind_cpa_public_key
- .f_t_as_ntt
- i))
- (fun _ -> Prims.l_True)
-
-/// Decapsulate ML-KEM 1024 (unpacked)
-/// Generates an [`MlKemSharedSecret`].
-/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`]
-/// and an [`MlKem1024Ciphertext`].
-val decapsulate
- (private_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
- : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
-
-let _ =
- (* This module has implicit dependencies, here we make them explicit. *)
- (* The implicit dependencies arise from typeclasses instances. *)
- let open Libcrux_ml_kem.Vector.Portable in
- let open Libcrux_ml_kem.Vector.Neon in
- ()
-
-/// Encapsulate ML-KEM 1024 (unpacked)
-/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple.
-/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`],
-/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
-/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved:
-///
-val encapsulate
- (public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (randomness: t_Array u8 (sz 32))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32))
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-/// Generate ML-KEM 1024 Key Pair in "unpacked" form
-val generate_key_pair_mut
- (randomness: t_Array u8 (sz 64))
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-/// Generate ML-KEM 1024 Key Pair in "unpacked" form.
-val generate_key_pair (randomness: t_Array u8 (sz 64))
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
 /// Create a new, empty unpacked key.
 val init_key_pair: Prims.unit
 -> Prims.Pure
@@ -169,3 +116,56 @@ val unpacked_public_key
 Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
 Prims.l_True
 (fun _ -> Prims.l_True)
+
+/// Generate ML-KEM 1024 Key Pair in "unpacked" form
+val generate_key_pair_mut
+ (randomness: t_Array u8 (sz 64))
+ (key_pair:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+/// Generate ML-KEM 1024 Key Pair in "unpacked" form.
+val generate_key_pair (randomness: t_Array u8 (sz 64))
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+let _ =
+ (* This module has implicit dependencies, here we make them explicit. *)
+ (* The implicit dependencies arise from typeclasses instances. *)
+ let open Libcrux_ml_kem.Vector.Portable in
+ let open Libcrux_ml_kem.Vector.Neon in
+ ()
+
+/// Encapsulate ML-KEM 1024 (unpacked)
+/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple.
+/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`],
+/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
+/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved:
+///
+val encapsulate
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (randomness: t_Array u8 (sz 32))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+/// Decapsulate ML-KEM 1024 (unpacked)
+/// Generates an [`MlKemSharedSecret`].
+/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`]
+/// and an [`MlKem1024Ciphertext`].
+val decapsulate
+ (private_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
+ : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst
index c093cfc37..0ae4b3bc5 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst
@@ -18,20 +18,11 @@ let validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateK
 (sz 3168)
 private_key
 
-let decapsulate
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568)
- (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128)
- (sz 1600) private_key ciphertext
-
-let encapsulate
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
- (randomness: t_Array u8 (sz 32))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.encapsulate (sz 4) (sz 1568) (sz 1568) (sz 1536)
- (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness
+let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 4)
+ (sz 1536)
+ (sz 1568)
+ public_key.Libcrux_ml_kem.Types.f_value
 
 let generate_key_pair (randomness: t_Array u8 (sz 64)) =
 Libcrux_ml_kem.Ind_cca.Instantiations.Portable.generate_keypair (sz 4)
@@ -43,8 +34,17 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) =
 (sz 128)
 randomness
 
-let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) =
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 4)
- (sz 1536)
- (sz 1568)
- public_key.Libcrux_ml_kem.Types.f_value
+let encapsulate
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ (randomness: t_Array u8 (sz 32))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.encapsulate (sz 4) (sz 1568) (sz 1568) (sz 1536)
+ (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness
+
+let decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568)
+ (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128)
+ (sz 1600) private_key ciphertext
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti
index cb06fc90f..4ff77198c 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti
@@ -15,13 +15,16 @@ val validate_private_key
 val validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
 : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
 
-/// Decapsulate ML-KEM 1024
-/// Generates an [`MlKemSharedSecret`].
-/// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`].
-val decapsulate
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
- : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+/// Validate a public key.
+/// Returns `true` if valid, and `false` otherwise.
+val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
+/// Generate ML-KEM 1024 Key Pair
+val generate_key_pair (randomness: t_Array u8 (sz 64))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
 
 /// Encapsulate ML-KEM 1024
 /// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple.
@@ -34,13 +37,10 @@ val encapsulate
 Prims.l_True
 (fun _ -> Prims.l_True)
 
-/// Generate ML-KEM 1024 Key Pair
-val generate_key_pair (randomness: t_Array u8 (sz 64))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568))
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-/// Validate a public key.
-/// Returns `true` if valid, and `false` otherwise.
-val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
- : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+/// Decapsulate ML-KEM 1024
+/// Generates an [`MlKemSharedSecret`].
+/// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`].
+val decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
+ : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fst
index 69f4ab0fc..4d0f9a927 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fst
@@ -9,43 +9,43 @@ let _ =
 let open Rand_core in
 ()
 
-let encapsulate
+let generate_key_pair
 (#impl_277843321_: Type0)
 (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_)
 (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_)
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
 (rng: impl_277843321_)
 =
- let randomness:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
- let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 32)) =
+ let randomness:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in
+ let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 64)) =
 Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness
 in
 let rng:impl_277843321_ = tmp0 in
- let randomness:t_Array u8 (sz 32) = tmp1 in
+ let randomness:t_Array u8 (sz 64) = tmp1 in
 let _:Prims.unit = () in
- let hax_temp_output:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) =
- Libcrux_ml_kem.Mlkem1024.encapsulate public_key randomness
+ let hax_temp_output:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568) =
+ Libcrux_ml_kem.Mlkem1024.generate_key_pair randomness
 in
 rng, hax_temp_output
 <:
- (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)))
+ (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568))
 
-let generate_key_pair
+let encapsulate
 (#impl_277843321_: Type0)
 (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_)
 (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_)
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
 (rng: impl_277843321_)
 =
- let randomness:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in
- let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 64)) =
+ let randomness:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
+ let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 32)) =
 Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness
 in
 let rng:impl_277843321_ = tmp0 in
- let randomness:t_Array u8 (sz 64) = tmp1 in
+ let randomness:t_Array u8 (sz 32) = tmp1 in
 let _:Prims.unit = () in
- let hax_temp_output:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568) =
- Libcrux_ml_kem.Mlkem1024.generate_key_pair randomness
+ let hax_temp_output:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) =
+ Libcrux_ml_kem.Mlkem1024.encapsulate public_key randomness
 in
 rng, hax_temp_output
 <:
- (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568))
+ (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)))
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fsti
index b2175b095..e05ca0a8f 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fsti
@@ -9,31 +9,31 @@ let _ =
 let open Rand_core in
 ()
 
-/// Encapsulate ML-KEM 1024
-/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple.
-/// The input is a reference to an [`MlKem1024PublicKey`].
+/// Generate ML-KEM 1024 Key Pair
 /// The random number generator `rng` needs to implement `RngCore` and
 /// `CryptoRng` to sample the required randomness internally.
-val encapsulate
+/// This function returns an [`MlKem1024KeyPair`].
+val generate_key_pair
 (#impl_277843321_: Type0)
 {| i1: Rand_core.t_RngCore impl_277843321_ |}
 {| i2: Rand_core.t_CryptoRng impl_277843321_ |}
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
 (rng: impl_277843321_)
- : Prims.Pure
- (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)))
+ : Prims.Pure (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568))
 Prims.l_True
 (fun _ -> Prims.l_True)
 
-/// Generate ML-KEM 1024 Key Pair
+/// Encapsulate ML-KEM 1024
+/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple.
+/// The input is a reference to an [`MlKem1024PublicKey`].
 /// The random number generator `rng` needs to implement `RngCore` and
 /// `CryptoRng` to sample the required randomness internally.
-/// This function returns an [`MlKem1024KeyPair`].
-val generate_key_pair
+val encapsulate
 (#impl_277843321_: Type0)
 {| i1: Rand_core.t_RngCore impl_277843321_ |}
 {| i2: Rand_core.t_CryptoRng impl_277843321_ |}
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
 (rng: impl_277843321_)
- : Prims.Pure (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568))
+ : Prims.Pure
+ (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)))
 Prims.l_True
 (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst
index c296a0efc..1302d2dc3 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst
@@ -19,14 +19,16 @@ let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1
 (sz 1568)
 public_key.Libcrux_ml_kem.Types.f_value
 
-let decapsulate
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
- =
- let result:t_Array u8 (sz 32) =
- Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568) (sz 1568)
- (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1600)
- private_key ciphertext
+let generate_key_pair (randomness: t_Array u8 (sz 64)) =
+ let result:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568) =
+ Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 4)
+ (sz 1536)
+ (sz 3168)
+ (sz 1568)
+ (sz 1536)
+ (sz 2)
+ (sz 128)
+ randomness
 in
 let _:Prims.unit = admit () (* Panic freedom *) in
 result
@@ -42,16 +44,14 @@ let encapsulate
 let _:Prims.unit = admit () (* Panic freedom *) in
 result
 
-let generate_key_pair (randomness: t_Array u8 (sz 64)) =
- let result:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568) =
- Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 4)
- (sz 1536)
- (sz 3168)
- (sz 1568)
- (sz 1536)
- (sz 2)
- (sz 128)
- randomness
+let decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
+ =
+ let result:t_Array u8 (sz 32) =
+ Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568) (sz 1568)
+ (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1600)
+ private_key ciphertext
 in
 let _:Prims.unit = admit () (* Panic freedom *) in
 result
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti
index 007e5c86f..0cc755032 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti
@@ -3,23 +3,8 @@ module Libcrux_ml_kem.Mlkem1024
 open Core
 open FStar.Mul
 
-let v_ETA1: usize = sz 2
-
-let v_ETA1_RANDOMNESS_SIZE: usize = v_ETA1 *! sz 64
-
-let v_ETA2: usize = sz 2
-
-let v_ETA2_RANDOMNESS_SIZE: usize = v_ETA2 *! sz 64
-
 let v_RANK_1024_: usize = sz 4
 
-let v_CPA_PKE_SECRET_KEY_SIZE_1024_: usize =
- ((v_RANK_1024_ *! Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) *!
- Libcrux_ml_kem.Constants.v_BITS_PER_COEFFICIENT
- <:
- usize) /!
- sz 8
-
 let v_RANKED_BYTES_PER_RING_ELEMENT_1024_: usize =
 (v_RANK_1024_ *! Libcrux_ml_kem.Constants.v_BITS_PER_RING_ELEMENT <: usize) /! sz 8
 
@@ -30,15 +15,6 @@ let v_T_AS_NTT_ENCODED_SIZE_1024_: usize =
 usize) /!
 sz 8
 
-let v_CPA_PKE_PUBLIC_KEY_SIZE_1024_: usize = v_T_AS_NTT_ENCODED_SIZE_1024_ +! sz 32
-
-let v_SECRET_KEY_SIZE_1024_: usize =
- ((v_CPA_PKE_SECRET_KEY_SIZE_1024_ +! v_CPA_PKE_PUBLIC_KEY_SIZE_1024_ <: usize) +!
- Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE
- <:
- usize) +!
- Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE
-
 let v_VECTOR_U_COMPRESSION_FACTOR_1024_: usize = sz 11
 
 let v_C1_BLOCK_SIZE_1024_: usize =
@@ -57,8 +33,32 @@ let v_C2_SIZE_1024_: usize =
 usize) /!
 sz 8
 
+let v_CPA_PKE_SECRET_KEY_SIZE_1024_: usize =
+ ((v_RANK_1024_ *! Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) *!
+ Libcrux_ml_kem.Constants.v_BITS_PER_COEFFICIENT
+ <:
+ usize) /!
+ sz 8
+
+let v_CPA_PKE_PUBLIC_KEY_SIZE_1024_: usize = v_T_AS_NTT_ENCODED_SIZE_1024_ +! sz 32
+
 let v_CPA_PKE_CIPHERTEXT_SIZE_1024_: usize = v_C1_SIZE_1024_ +! v_C2_SIZE_1024_
 
+let v_SECRET_KEY_SIZE_1024_: usize =
+ ((v_CPA_PKE_SECRET_KEY_SIZE_1024_ +! v_CPA_PKE_PUBLIC_KEY_SIZE_1024_ <: usize) +!
+ Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE
+ <:
+ usize) +!
+ Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE
+
+let v_ETA1: usize = sz 2
+
+let v_ETA1_RANDOMNESS_SIZE: usize = v_ETA1 *! sz 64
+
+let v_ETA2: usize = sz 2
+
+let v_ETA2_RANDOMNESS_SIZE: usize = v_ETA2 *! sz 64
+
 let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize =
 Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_1024_
 
@@ -74,21 +74,20 @@ val validate_private_key val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) -/// Decapsulate ML-KEM 1024 -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`]. -val decapsulate - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) - : Prims.Pure (t_Array u8 (sz 32)) +/// Generate ML-KEM 1024 Key Pair +/// Generate an ML-KEM key pair. The input is a byte array of size +/// [`KEY_GENERATION_SEED_SIZE`]. +/// This function returns an [`MlKem1024KeyPair`]. +val generate_key_pair (randomness: t_Array u8 (sz 64)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568)) Prims.l_True (ensures fun res -> - let res:t_Array u8 (sz 32) = res in - let shared_secret, valid = - Spec.MLKEM.Instances.mlkem1024_decapsulate private_key.f_value ciphertext.f_value + let res:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568) = res in + let (secret_key, public_key), valid = + Spec.MLKEM.Instances.mlkem1024_generate_keypair randomness in - valid ==> res == shared_secret) + valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key)) /// Encapsulate ML-KEM 1024 /// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. 
@@ -108,17 +107,18 @@ val encapsulate let res_ciphertext, res_shared_secret = res in valid ==> (res_ciphertext.f_value == ciphertext /\ res_shared_secret == shared_secret)) -/// Generate ML-KEM 1024 Key Pair -/// Generate an ML-KEM key pair. The input is a byte array of size -/// [`KEY_GENERATION_SEED_SIZE`]. -/// This function returns an [`MlKem1024KeyPair`]. -val generate_key_pair (randomness: t_Array u8 (sz 64)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568)) +/// Decapsulate ML-KEM 1024 +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`]. +val decapsulate + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (ensures fun res -> - let res:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568) = res in - let (secret_key, public_key), valid = - Spec.MLKEM.Instances.mlkem1024_generate_keypair randomness + let res:t_Array u8 (sz 32) = res in + let shared_secret, valid = + Spec.MLKEM.Instances.mlkem1024_decapsulate private_key.f_value ciphertext.f_value in - valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key)) + valid ==> res == shared_secret) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst index c02a6e7aa..56f81300d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst 
@@ -11,6 +11,22 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 2) + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + (sz 768) + (sz 800) + public_key + serialized + in + serialized + let key_pair_serialized_private_key (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) @@ -42,17 +58,6 @@ let key_pair_serialized_private_key_mut in serialized -let key_pair_serialized_public_key - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - = - Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 2) - #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector - (sz 768) - (sz 800) - key_pair - let key_pair_serialized_public_key_mut (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) 
@@ -69,74 +74,16 @@ let key_pair_serialized_public_key_mut in serialized -let serialized_public_key - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - = - let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800) = - Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 2) - #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector - (sz 768) - (sz 800) - public_key - serialized - in - serialized - -let decapsulate - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) - (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) - (sz 800) private_key ciphertext - -let encapsulate - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) - (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness - -let generate_key_pair_mut - (randomness: t_Array u8 (sz 64)) +let key_pair_serialized_public_key (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = - let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.generate_keypair (sz 2) - (sz 768) - (sz 1632) - (sz 800) - (sz 768) - (sz 3) - (sz 192) - randomness - key_pair - in - key_pair - -let generate_key_pair (randomness: t_Array u8 (sz 64)) = - let 
key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = - Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - #FStar.Tactics.Typeclasses.solve - () - in - let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = - generate_key_pair_mut randomness key_pair - in - key_pair + Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 2) + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + (sz 768) + (sz 800) + key_pair let init_key_pair (_: Prims.unit) = Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) 
@@ -185,3 +132,56 @@ let unpacked_public_key unpacked_public_key in unpacked_public_key + +let generate_key_pair_mut + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.generate_keypair (sz 2) + (sz 768) + (sz 1632) + (sz 800) + (sz 768) + (sz 3) + (sz 192) + randomness + key_pair + in + key_pair + +let generate_key_pair (randomness: t_Array u8 (sz 64)) = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + #FStar.Tactics.Typeclasses.solve + () + in + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = + generate_key_pair_mut randomness key_pair + in + key_pair + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) + (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) + (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) + (sz 800) private_key ciphertext 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti index 21aeb9213..e0f0c18dd 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti @@ -11,6 +11,22 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (requires + forall (i: nat). + i < 2 ==> + Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key + .f_ind_cpa_public_key + .f_t_as_ntt + i)) + (fun _ -> Prims.l_True) + /// Get the serialized private key. val key_pair_serialized_private_key (key_pair: @@ -31,10 +47,11 @@ val key_pair_serialized_private_key_mut (fun _ -> Prims.l_True) /// Get the serialized public key. -val key_pair_serialized_public_key +val key_pair_serialized_public_key_mut (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) (requires forall (i: nat). @@ -46,11 +63,10 @@ val key_pair_serialized_public_key (fun _ -> Prims.l_True) /// Get the serialized public key. -val key_pair_serialized_public_key_mut +val key_pair_serialized_public_key (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) (requires forall (i: nat). 
@@ -61,69 +77,6 @@ val key_pair_serialized_public_key_mut i)) (fun _ -> Prims.l_True) -/// Get the serialized public key. -val serialized_public_key - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - (requires - forall (i: nat). - i < 2 ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key - .f_ind_cpa_public_key - .f_t_as_ntt - i)) - (fun _ -> Prims.l_True) - -/// Decapsulate ML-KEM 512 (unpacked) -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`] -/// and an [`MlKem512Ciphertext`]. -val decapsulate - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 512 (unpacked) -/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. 
-val encapsulate - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Generate ML-KEM 512 Key Pair in "unpacked" form -val generate_key_pair_mut - (randomness: t_Array u8 (sz 64)) - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate ML-KEM 512 Key Pair in "unpacked" form. -val generate_key_pair (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) - /// Create a new, empty unpacked key. val init_key_pair: Prims.unit -> Prims.Pure 
@@ -155,3 +108,50 @@ val unpacked_public_key : Prims.Pure (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 512 Key Pair in "unpacked" form +val generate_key_pair_mut + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 512 Key Pair in "unpacked" form. +val generate_key_pair (randomness: t_Array u8 (sz 64)) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 512 (unpacked) +/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 512 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`] +/// and an [`MlKem512Ciphertext`]. 
+val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst index 81867e6a4..ca835c79c 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst @@ -16,20 +16,11 @@ let validate_private_key let validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) = Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_private_key_only (sz 2) (sz 1632) private_key -let decapsulate - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) (sz 768) - (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800) - private_key ciphertext - -let encapsulate - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) (sz 640) - (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 2) + (sz 768) + (sz 800) + public_key.Libcrux_ml_kem.Types.f_value let generate_key_pair (randomness: t_Array u8 (sz 64)) = Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.generate_keypair (sz 2) 
@@ -41,8 +32,17 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 192) randomness -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 2) - (sz 768) - (sz 800) - public_key.Libcrux_ml_kem.Types.f_value +let encapsulate + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) (sz 640) + (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness + +let decapsulate + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) (sz 768) + (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800) + private_key ciphertext diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti index b138131fe..5a5692d46 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti 
@@ -15,13 +15,16 @@ val validate_private_key val validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) -/// Decapsulate ML-KEM 512 -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. -val decapsulate - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `true` if valid, and `false` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 512 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 64)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800)) + Prims.l_True + (fun _ -> Prims.l_True) /// Encapsulate ML-KEM 512 /// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. @@ -34,13 +37,10 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) -/// Generate ML-KEM 512 Key Pair -val generate_key_pair (randomness: t_Array u8 (sz 64)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Validate a public key. -/// Returns `true` if valid, and `false` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) +/// Decapsulate ML-KEM 512 +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. +val decapsulate + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst index dc2ec0335..392d2f1b8 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst @@ -11,6 +11,22 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 2) + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + (sz 768) + (sz 800) + public_key + serialized + in + serialized + let key_pair_serialized_private_key (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) @@ -42,17 +58,6 @@ let key_pair_serialized_private_key_mut in serialized -let key_pair_serialized_public_key - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - = - Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 2) - #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - (sz 768) - (sz 800) - key_pair - let key_pair_serialized_public_key_mut (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) 
@@ -69,74 +74,16 @@ let key_pair_serialized_public_key_mut in serialized -let serialized_public_key - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - = - let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800) = - Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 2) - #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - (sz 768) - (sz 800) - public_key - serialized - in - serialized - -let decapsulate - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) - (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) - (sz 800) private_key ciphertext - -let encapsulate - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) - (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness - -let generate_key_pair_mut - (randomness: t_Array u8 (sz 64)) +let key_pair_serialized_public_key (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = - let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.generate_keypair (sz 2) - (sz 768) - (sz 1632) - (sz 800) - (sz 768) - (sz 3) - (sz 192) - randomness - key_pair - in - key_pair - -let generate_key_pair (randomness: 
t_Array u8 (sz 64)) = - let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - #FStar.Tactics.Typeclasses.solve - () - in - let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - generate_key_pair_mut randomness key_pair - in - key_pair + Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 2) + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + (sz 768) + (sz 800) + key_pair let init_key_pair (_: Prims.unit) = Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) 
@@ -185,3 +132,56 @@ let unpacked_public_key unpacked_public_key in unpacked_public_key + +let generate_key_pair_mut + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.generate_keypair (sz 2) + (sz 768) + (sz 1632) + (sz 800) + (sz 768) + (sz 3) + (sz 192) + randomness + key_pair + in + key_pair + +let generate_key_pair (randomness: t_Array u8 (sz 64)) = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + #FStar.Tactics.Typeclasses.solve + () + in + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + generate_key_pair_mut randomness key_pair + in + key_pair + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) + (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) + (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) 
(sz 128) + (sz 800) private_key ciphertext diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti index d6eab98a0..12f4077e1 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti @@ -11,6 +11,22 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (requires + forall (i: nat). + i < 2 ==> + Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key + .f_ind_cpa_public_key + .f_t_as_ntt + i)) + (fun _ -> Prims.l_True) + /// Get the serialized private key. val key_pair_serialized_private_key (key_pair: @@ -31,10 +47,11 @@ val key_pair_serialized_private_key_mut (fun _ -> Prims.l_True) /// Get the serialized public key. -val key_pair_serialized_public_key +val key_pair_serialized_public_key_mut (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) (requires forall (i: nat). 
@@ -46,11 +63,10 @@ val key_pair_serialized_public_key (fun _ -> Prims.l_True) /// Get the serialized public key. -val key_pair_serialized_public_key_mut +val key_pair_serialized_public_key (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) (requires forall (i: nat). 
@@ -61,73 +77,6 @@ val key_pair_serialized_public_key_mut i)) (fun _ -> Prims.l_True) -/// Get the serialized public key. -val serialized_public_key - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - (requires - forall (i: nat). - i < 2 ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key - .f_ind_cpa_public_key - .f_t_as_ntt - i)) - (fun _ -> Prims.l_True) - -/// Decapsulate ML-KEM 512 (unpacked) -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`] -/// and an [`MlKem512Ciphertext`]. -val decapsulate - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 512 (unpacked) -/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. 
-val encapsulate - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Generate ML-KEM 512 Key Pair in "unpacked" form -val generate_key_pair_mut - (randomness: t_Array u8 (sz 64)) - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Generate ML-KEM 512 Key Pair in "unpacked" form. -val generate_key_pair (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - Prims.l_True - (fun _ -> Prims.l_True) - /// Create a new, empty unpacked key. val init_key_pair: Prims.unit -> Prims.Pure 
@@ -167,3 +116,54 @@ val unpacked_public_key Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 512 Key Pair in "unpacked" form +val generate_key_pair_mut + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate ML-KEM 512 Key Pair in "unpacked" form. +val generate_key_pair (randomness: t_Array u8 (sz 64)) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 512 (unpacked) +/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 512 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`] +/// and an [`MlKem512Ciphertext`]. 
+val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst index 077af75fe..a7cec1a50 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst @@ -16,20 +16,11 @@ let validate_private_key let validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) = Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_private_key_only (sz 2) (sz 1632) private_key -let decapsulate - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) (sz 768) - (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800) - private_key ciphertext - -let encapsulate - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) (sz 640) - (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 2) + (sz 768) + (sz 800) + public_key.Libcrux_ml_kem.Types.f_value let generate_key_pair (randomness: t_Array u8 (sz 64)) = Libcrux_ml_kem.Ind_cca.Instantiations.Neon.generate_keypair (sz 2) 
@@ -41,8 +32,17 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 192) randomness -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 2) - (sz 768) - (sz 800) - public_key.Libcrux_ml_kem.Types.f_value +let encapsulate + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) (sz 640) + (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness + +let decapsulate + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) (sz 768) + (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800) + private_key ciphertext diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti index 6886ec966..03a77c71b 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti 
@@ -15,13 +15,16 @@ val validate_private_key val validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) -/// Decapsulate ML-KEM 512 -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. -val decapsulate - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `true` if valid, and `false` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 512 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 64)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800)) + Prims.l_True + (fun _ -> Prims.l_True) /// Encapsulate ML-KEM 512 /// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. @@ -34,13 +37,10 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) -/// Generate ML-KEM 512 Key Pair -val generate_key_pair (randomness: t_Array u8 (sz 64)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Validate a public key. -/// Returns `true` if valid, and `false` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) +/// Decapsulate ML-KEM 512 +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. +val decapsulate + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fst index 858d9359a..e53bcbb75 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fst @@ -11,6 +11,22 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 2) + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (sz 768) + (sz 800) + public_key + serialized + in + serialized + let key_pair_serialized_private_key (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) @@ -42,17 +58,6 @@ let key_pair_serialized_private_key_mut in serialized -let key_pair_serialized_public_key - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - = - Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 2) - #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (sz 768) - (sz 800) - key_pair - let key_pair_serialized_public_key_mut (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) 
@@ -69,75 +74,16 @@ let key_pair_serialized_public_key_mut in serialized -let serialized_public_key - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - = - let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800) = - Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 2) - #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (sz 768) - (sz 800) - public_key - serialized - in - serialized - -let decapsulate - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.decapsulate (sz 2) (sz 1632) (sz 768) - (sz 800) (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) - (sz 128) (sz 800) private_key ciphertext - -let encapsulate - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) - (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key - randomness - -let generate_key_pair_mut - (randomness: t_Array u8 (sz 64)) +let key_pair_serialized_public_key (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.generate_keypair (sz 2) - (sz 768) - (sz 1632) - (sz 800) - (sz 768) - (sz 3) - (sz 192) - randomness - key_pair - in - 
key_pair - -let generate_key_pair (randomness: t_Array u8 (sz 64)) = - let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - #FStar.Tactics.Typeclasses.solve - () - in - let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - generate_key_pair_mut randomness key_pair - in - key_pair + Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 2) + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (sz 768) + (sz 800) + key_pair let init_key_pair (_: Prims.unit) = Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) 
@@ -186,3 +132,57 @@ let unpacked_public_key unpacked_public_key in unpacked_public_key + +let generate_key_pair_mut + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.generate_keypair (sz 2) + (sz 768) + (sz 1632) + (sz 800) + (sz 768) + (sz 3) + (sz 192) + randomness + key_pair + in + key_pair + +let generate_key_pair (randomness: t_Array u8 (sz 64)) = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + #FStar.Tactics.Typeclasses.solve + () + in + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + generate_key_pair_mut randomness key_pair + in + key_pair + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) + (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key + randomness + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.decapsulate (sz 2) (sz 1632) (sz 768) + (sz 800) (sz 768) (sz 768) (sz 640) (sz 
128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) + (sz 128) (sz 800) private_key ciphertext diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fsti index 7f06b0b9c..456abf8c1 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fsti @@ -11,6 +11,22 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (requires + forall (i: nat). + i < 2 ==> + Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key + .f_ind_cpa_public_key + .f_t_as_ntt + i)) + (fun _ -> Prims.l_True) + /// Get the serialized private key. val key_pair_serialized_private_key (key_pair: @@ -31,10 +47,11 @@ val key_pair_serialized_private_key_mut (fun _ -> Prims.l_True) /// Get the serialized public key. -val key_pair_serialized_public_key +val key_pair_serialized_public_key_mut (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) (requires forall (i: nat). 
@@ -46,11 +63,10 @@ val key_pair_serialized_public_key (fun _ -> Prims.l_True) /// Get the serialized public key. -val key_pair_serialized_public_key_mut +val key_pair_serialized_public_key (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) (requires forall (i: nat). 
@@ -61,73 +77,6 @@ val key_pair_serialized_public_key_mut i)) (fun _ -> Prims.l_True) -/// Get the serialized public key. -val serialized_public_key - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - (requires - forall (i: nat). - i < 2 ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key - .f_ind_cpa_public_key - .f_t_as_ntt - i)) - (fun _ -> Prims.l_True) - -/// Decapsulate ML-KEM 512 (unpacked) -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`] -/// and an [`MlKem512Ciphertext`]. -val decapsulate - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 512 (unpacked) -/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. 
-val encapsulate
- (public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (randomness: t_Array u8 (sz 32))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32))
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-/// Generate ML-KEM 512 Key Pair in "unpacked" form
-val generate_key_pair_mut
- (randomness: t_Array u8 (sz 64))
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-/// Generate ML-KEM 512 Key Pair in "unpacked" form.
-val generate_key_pair (randomness: t_Array u8 (sz 64))
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
 /// Create a new, empty unpacked key.
 val init_key_pair: Prims.unit -> Prims.Pure
@@ -167,3 +116,54 @@ val unpacked_public_key Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 512 Key Pair in "unpacked" form +val generate_key_pair_mut + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate ML-KEM 512 Key Pair in "unpacked" form. +val generate_key_pair (randomness: t_Array u8 (sz 64)) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 512 (unpacked) +/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 512 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`] +/// and an [`MlKem512Ciphertext`]. 
+val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst index 4c6c96ff8..0766b5a3e 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst @@ -18,20 +18,11 @@ let validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateK (sz 1632) private_key -let decapsulate - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) - (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) - (sz 800) private_key ciphertext - -let encapsulate - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) - (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 2) + (sz 768) + (sz 800) + public_key.Libcrux_ml_kem.Types.f_value let generate_key_pair (randomness: t_Array u8 (sz 64)) = Libcrux_ml_kem.Ind_cca.Instantiations.Portable.generate_keypair (sz 2) 
@@ -43,8 +34,17 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 192) randomness -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 2) - (sz 768) - (sz 800) - public_key.Libcrux_ml_kem.Types.f_value +let encapsulate + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) + (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness + +let decapsulate + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) + (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) + (sz 800) private_key ciphertext diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti index 64d59c955..771446b3d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti 
@@ -15,13 +15,16 @@ val validate_private_key val validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) -/// Decapsulate ML-KEM 512 -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. -val decapsulate - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `true` if valid, and `false` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 512 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 64)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800)) + Prims.l_True + (fun _ -> Prims.l_True) /// Encapsulate ML-KEM 512 /// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. @@ -34,13 +37,10 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) -/// Generate ML-KEM 512 Key Pair -val generate_key_pair (randomness: t_Array u8 (sz 64)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Validate a public key. -/// Returns `true` if valid, and `false` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) +/// Decapsulate ML-KEM 512 +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. +val decapsulate + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fst
index adca30249..e739bdfa0 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fst
@@ -9,41 +9,41 @@ let _ = let open Rand_core in () -let encapsulate +let generate_key_pair (#impl_277843321_: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_) - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) (rng: impl_277843321_) = - let randomness:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in - let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 32)) = + let randomness:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 64)) = Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness in let rng:impl_277843321_ = tmp0 in - let randomness:t_Array u8 (sz 32) = tmp1 in + let randomness:t_Array u8 (sz 64) = tmp1 in let _:Prims.unit = () in - let hax_temp_output:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) = - Libcrux_ml_kem.Mlkem512.encapsulate public_key randomness + let hax_temp_output:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800) = + Libcrux_ml_kem.Mlkem512.generate_key_pair randomness in - rng, hax_temp_output - <: - (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32))) + rng, hax_temp_output <: (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800)) -let generate_key_pair +let encapsulate (#impl_277843321_: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) (rng: impl_277843321_) = - let randomness:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in - let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 64)) = + let randomness:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 
32)) = Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness in let rng:impl_277843321_ = tmp0 in - let randomness:t_Array u8 (sz 64) = tmp1 in + let randomness:t_Array u8 (sz 32) = tmp1 in let _:Prims.unit = () in - let hax_temp_output:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800) = - Libcrux_ml_kem.Mlkem512.generate_key_pair randomness + let hax_temp_output:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) = + Libcrux_ml_kem.Mlkem512.encapsulate public_key randomness in - rng, hax_temp_output <: (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800)) + rng, hax_temp_output + <: + (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32))) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fsti index 31ef494ee..16f8cd014 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fsti 
@@ -9,31 +9,31 @@ let _ = let open Rand_core in () -/// Encapsulate ML-KEM 512 -/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an [`MlKem512PublicKey`]. +/// Generate ML-KEM 512 Key Pair /// The random number generator `rng` needs to implement `RngCore` and /// `CryptoRng` to sample the required randomness internally. -val encapsulate +/// This function returns an [`MlKem512KeyPair`]. +val generate_key_pair (#impl_277843321_: Type0) {| i1: Rand_core.t_RngCore impl_277843321_ |} {| i2: Rand_core.t_CryptoRng impl_277843321_ |} - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) (rng: impl_277843321_) - : Prims.Pure - (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32))) + : Prims.Pure (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800)) Prims.l_True (fun _ -> Prims.l_True) -/// Generate ML-KEM 512 Key Pair +/// Encapsulate ML-KEM 512 +/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an [`MlKem512PublicKey`]. /// The random number generator `rng` needs to implement `RngCore` and /// `CryptoRng` to sample the required randomness internally. -/// This function returns an [`MlKem512KeyPair`]. -val generate_key_pair +val encapsulate (#impl_277843321_: Type0) {| i1: Rand_core.t_RngCore impl_277843321_ |} {| i2: Rand_core.t_CryptoRng impl_277843321_ |} + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) (rng: impl_277843321_) - : Prims.Pure (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800)) + : Prims.Pure + (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32))) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst index ec76cf211..2bdf3e9c8 100644 
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst @@ -19,14 +19,16 @@ let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 8 (sz 800) public_key.Libcrux_ml_kem.Types.f_value -let decapsulate - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - = - let result:t_Array u8 (sz 32) = - Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) (sz 768) - (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800) - private_key ciphertext +let generate_key_pair (randomness: t_Array u8 (sz 64)) = + let result:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800) = + Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 2) + (sz 768) + (sz 1632) + (sz 800) + (sz 768) + (sz 3) + (sz 192) + randomness in let _:Prims.unit = admit () (* Panic freedom *) in result @@ -42,16 +44,14 @@ let encapsulate let _:Prims.unit = admit () (* Panic freedom *) in result -let generate_key_pair (randomness: t_Array u8 (sz 64)) = - let result:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800) = - Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 2) - (sz 768) - (sz 1632) - (sz 800) - (sz 768) - (sz 3) - (sz 192) - randomness +let decapsulate + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + = + let result:t_Array u8 (sz 32) = + Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) (sz 768) + (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800) + private_key ciphertext in let _:Prims.unit = admit () (* Panic freedom *) in result 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti index 94590e2ee..356637928 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti @@ -3,23 +3,8 @@ module Libcrux_ml_kem.Mlkem512 open Core open FStar.Mul -let v_ETA1: usize = sz 3 - -let v_ETA1_RANDOMNESS_SIZE: usize = v_ETA1 *! sz 64 - -let v_ETA2: usize = sz 2 - -let v_ETA2_RANDOMNESS_SIZE: usize = v_ETA2 *! sz 64 - let v_RANK_512_: usize = sz 2 -let v_CPA_PKE_SECRET_KEY_SIZE_512_: usize = - ((v_RANK_512_ *! Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) *! - Libcrux_ml_kem.Constants.v_BITS_PER_COEFFICIENT - <: - usize) /! - sz 8 - let v_RANKED_BYTES_PER_RING_ELEMENT_512_: usize = (v_RANK_512_ *! Libcrux_ml_kem.Constants.v_BITS_PER_RING_ELEMENT <: usize) /! sz 8 @@ -30,15 +15,6 @@ let v_T_AS_NTT_ENCODED_SIZE_512_: usize = usize) /! sz 8 -let v_CPA_PKE_PUBLIC_KEY_SIZE_512_: usize = v_T_AS_NTT_ENCODED_SIZE_512_ +! sz 32 - -let v_SECRET_KEY_SIZE_512_: usize = - ((v_CPA_PKE_SECRET_KEY_SIZE_512_ +! v_CPA_PKE_PUBLIC_KEY_SIZE_512_ <: usize) +! - Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE - <: - usize) +! - Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE - let v_VECTOR_U_COMPRESSION_FACTOR_512_: usize = sz 10 let v_C1_BLOCK_SIZE_512_: usize = 
@@ -57,8 +33,32 @@ let v_C2_SIZE_512_: usize = usize) /! sz 8 +let v_CPA_PKE_SECRET_KEY_SIZE_512_: usize = + ((v_RANK_512_ *! Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) *! + Libcrux_ml_kem.Constants.v_BITS_PER_COEFFICIENT + <: + usize) /! + sz 8 + +let v_CPA_PKE_PUBLIC_KEY_SIZE_512_: usize = v_T_AS_NTT_ENCODED_SIZE_512_ +! sz 32 + let v_CPA_PKE_CIPHERTEXT_SIZE_512_: usize = v_C1_SIZE_512_ +! v_C2_SIZE_512_ +let v_SECRET_KEY_SIZE_512_: usize = + ((v_CPA_PKE_SECRET_KEY_SIZE_512_ +! v_CPA_PKE_PUBLIC_KEY_SIZE_512_ <: usize) +! + Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE + <: + usize) +! + Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE + +let v_ETA1: usize = sz 3 + +let v_ETA1_RANDOMNESS_SIZE: usize = v_ETA1 *! sz 64 + +let v_ETA2: usize = sz 2 + +let v_ETA2_RANDOMNESS_SIZE: usize = v_ETA2 *! sz 64 + let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_512_ 
@@ -74,21 +74,20 @@ val validate_private_key val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) -/// Decapsulate ML-KEM 512 -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. -val decapsulate - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - : Prims.Pure (t_Array u8 (sz 32)) +/// Generate ML-KEM 512 Key Pair +/// The input is a byte array of size +/// [`KEY_GENERATION_SEED_SIZE`]. +/// This function returns an [`MlKem512KeyPair`]. +val generate_key_pair (randomness: t_Array u8 (sz 64)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800)) Prims.l_True (ensures fun res -> - let res:t_Array u8 (sz 32) = res in - let shared_secret, valid = - Spec.MLKEM.Instances.mlkem512_decapsulate private_key.f_value ciphertext.f_value + let res:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800) = res in + let (secret_key, public_key), valid = + Spec.MLKEM.Instances.mlkem512_generate_keypair randomness in - valid ==> res == shared_secret) + valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key)) /// Encapsulate ML-KEM 512 /// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. 
@@ -108,17 +107,18 @@ val encapsulate let res_ciphertext, res_shared_secret = res in valid ==> (res_ciphertext.f_value == ciphertext /\ res_shared_secret == shared_secret)) -/// Generate ML-KEM 512 Key Pair -/// The input is a byte array of size -/// [`KEY_GENERATION_SEED_SIZE`]. -/// This function returns an [`MlKem512KeyPair`]. -val generate_key_pair (randomness: t_Array u8 (sz 64)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800)) +/// Decapsulate ML-KEM 512 +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. +val decapsulate + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (ensures fun res -> - let res:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800) = res in - let (secret_key, public_key), valid = - Spec.MLKEM.Instances.mlkem512_generate_keypair randomness + let res:t_Array u8 (sz 32) = res in + let shared_secret, valid = + Spec.MLKEM.Instances.mlkem512_decapsulate private_key.f_value ciphertext.f_value in - valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key)) + valid ==> res == shared_secret) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst index 26a1de1e8..e0f29bb38 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst 
@@ -11,6 +11,22 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 3) + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + (sz 1152) + (sz 1184) + public_key + serialized + in + serialized + let key_pair_serialized_private_key (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) @@ -42,17 +58,6 @@ let key_pair_serialized_private_key_mut in serialized -let key_pair_serialized_public_key - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - = - Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 3) - #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector - (sz 1152) - (sz 1184) - key_pair - let key_pair_serialized_public_key_mut (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) 
@@ -69,75 +74,16 @@ let key_pair_serialized_public_key_mut in serialized -let serialized_public_key - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - = - let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = - Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 3) - #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector - (sz 1152) - (sz 1184) - public_key - serialized - in - serialized - -let decapsulate - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.decapsulate (sz 3) (sz 2400) (sz 1152) - (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) - (sz 128) (sz 1120) private_key ciphertext - -let encapsulate - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184) - (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key - randomness - -let generate_key_pair_mut - (randomness: t_Array u8 (sz 64)) +let key_pair_serialized_public_key (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = - let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.generate_keypair (sz 3) - (sz 1152) - (sz 2400) - (sz 1184) - (sz 1152) - (sz 2) - (sz 128) - randomness - key_pair - in - key_pair - -let generate_key_pair (randomness: t_Array u8 (sz 64)) = - let 
key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = - Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - #FStar.Tactics.Typeclasses.solve - () - in - let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = - generate_key_pair_mut randomness key_pair - in - key_pair + Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 3) + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + (sz 1152) + (sz 1184) + key_pair let init_key_pair (_: Prims.unit) = Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) 
@@ -208,3 +154,57 @@ let unpacked_public_key unpacked_public_key in unpacked_public_key + +let generate_key_pair_mut + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.generate_keypair (sz 3) + (sz 1152) + (sz 2400) + (sz 1184) + (sz 1152) + (sz 2) + (sz 128) + randomness + key_pair + in + key_pair + +let generate_key_pair (randomness: t_Array u8 (sz 64)) = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + #FStar.Tactics.Typeclasses.solve + () + in + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = + generate_key_pair_mut randomness key_pair + in + key_pair + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184) + (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.decapsulate (sz 3) (sz 2400) (sz 1152) + (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) + (sz 128) (sz 1120) private_key ciphertext 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti index 26bf0ffd6..7a3e4da0f 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti @@ -11,6 +11,22 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (requires + forall (i: nat). + i < 3 ==> + Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key + .f_ind_cpa_public_key + .f_t_as_ntt + i)) + (fun _ -> Prims.l_True) + /// Get the serialized private key. val key_pair_serialized_private_key (key_pair: @@ -30,21 +46,6 @@ val key_pair_serialized_private_key_mut Prims.l_True (fun _ -> Prims.l_True) -/// Get the serialized public key. -val key_pair_serialized_public_key - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - (requires - forall (i: nat). - i < 3 ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair.f_public_key - .f_ind_cpa_public_key - .f_t_as_ntt - i)) - (fun _ -> Prims.l_True) - /// Get the serialized public key. val key_pair_serialized_public_key_mut (key_pair: 
@@ -63,68 +64,20 @@ val key_pair_serialized_public_key_mut (fun _ -> Prims.l_True) /// Get the serialized public key. -val serialized_public_key - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) +val key_pair_serialized_public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) (requires forall (i: nat). i < 3 ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key + Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair.f_public_key .f_ind_cpa_public_key .f_t_as_ntt i)) (fun _ -> Prims.l_True) -/// Decapsulate ML-KEM 768 (unpacked) -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`] -/// and an [`MlKem768Ciphertext`]. -val decapsulate - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 768 (unpacked) -/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. 
-val encapsulate - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Generate ML-KEM 768 Key Pair in "unpacked" form. -val generate_key_pair_mut - (randomness: t_Array u8 (sz 64)) - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate ML-KEM 768 Key Pair in "unpacked" form. -val generate_key_pair (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) - /// Create a new, empty unpacked key. val init_key_pair: Prims.unit -> Prims.Pure 
@@ -168,3 +121,50 @@ val unpacked_public_key : Prims.Pure (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 768 Key Pair in "unpacked" form. +val generate_key_pair_mut + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 768 Key Pair in "unpacked" form. +val generate_key_pair (randomness: t_Array u8 (sz 64)) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 768 (unpacked) +/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 768 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`] +/// and an [`MlKem768Ciphertext`]. 
+val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst index ec517abff..7163c6e35 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst @@ -16,20 +16,11 @@ let validate_private_key let validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) = Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_private_key_only (sz 3) (sz 2400) private_key -let decapsulate - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184) - (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) - (sz 1120) private_key ciphertext - -let encapsulate - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.encapsulate (sz 3) (sz 1088) (sz 1184) (sz 1152) - (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 3) + (sz 1152) + (sz 1184) + public_key.Libcrux_ml_kem.Types.f_value let generate_key_pair (randomness: t_Array u8 (sz 64)) = Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.generate_keypair (sz 3) 
@@ -41,8 +32,17 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 128) randomness -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 3) - (sz 1152) - (sz 1184) - public_key.Libcrux_ml_kem.Types.f_value +let encapsulate + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.encapsulate (sz 3) (sz 1088) (sz 1184) (sz 1152) + (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness + +let decapsulate + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184) + (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) + (sz 1120) private_key ciphertext diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti index 32d3615e9..db0bbefa8 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti 
@@ -15,13 +15,16 @@ val validate_private_key val validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) -/// Decapsulate ML-KEM 768 -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. -val decapsulate - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `true` if valid, and `false` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 768 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 64)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184)) + Prims.l_True + (fun _ -> Prims.l_True) /// Encapsulate ML-KEM 768 /// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. @@ -34,13 +37,10 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) -/// Generate ML-KEM 768 Key Pair -val generate_key_pair (randomness: t_Array u8 (sz 64)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Validate a public key. -/// Returns `true` if valid, and `false` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) +/// Decapsulate ML-KEM 768 +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. +val decapsulate + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst index 3a57c5f0b..ebdf7f027 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst @@ -12,6 +12,22 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 3) + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + (sz 1152) + (sz 1184) + public_key + serialized + in + serialized + let key_pair_serialized_private_key (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) @@ -43,17 +59,6 @@ let key_pair_serialized_private_key_mut in serialized -let key_pair_serialized_public_key - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - = - Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 3) - #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - (sz 1152) - (sz 1184) - key_pair - let key_pair_serialized_public_key_mut (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) 
@@ -70,75 +75,16 @@ let key_pair_serialized_public_key_mut in serialized -let serialized_public_key - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - = - let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = - Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 3) - #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - (sz 1152) - (sz 1184) - public_key - serialized - in - serialized - -let decapsulate - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.decapsulate (sz 3) (sz 2400) (sz 1152) - (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) - (sz 128) (sz 1120) private_key ciphertext - -let encapsulate - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184) - (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key - randomness - -let generate_key_pair_mut - (randomness: t_Array u8 (sz 64)) +let key_pair_serialized_public_key (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = - let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.generate_keypair (sz 3) - (sz 1152) - (sz 2400) - (sz 1184) - (sz 1152) - (sz 2) - (sz 128) - randomness - key_pair - in - key_pair - -let 
generate_key_pair (randomness: t_Array u8 (sz 64)) = - let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - #FStar.Tactics.Typeclasses.solve - () - in - let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - generate_key_pair_mut randomness key_pair - in - key_pair + Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 3) + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + (sz 1152) + (sz 1184) + key_pair let init_key_pair (_: Prims.unit) = Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) 
@@ -209,3 +155,57 @@ let unpacked_public_key unpacked_public_key in unpacked_public_key + +let generate_key_pair_mut + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.generate_keypair (sz 3) + (sz 1152) + (sz 2400) + (sz 1184) + (sz 1152) + (sz 2) + (sz 128) + randomness + key_pair + in + key_pair + +let generate_key_pair (randomness: t_Array u8 (sz 64)) = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + #FStar.Tactics.Typeclasses.solve + () + in + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + generate_key_pair_mut randomness key_pair + in + key_pair + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184) + (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.decapsulate (sz 3) (sz 2400) (sz 1152) + (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) 
(sz 128) (sz 2) + (sz 128) (sz 1120) private_key ciphertext diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti index 3fbc5e15c..11ef2bfb0 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti @@ -12,6 +12,22 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (requires + forall (i: nat). + i < 3 ==> + Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key + .f_ind_cpa_public_key + .f_t_as_ntt + i)) + (fun _ -> Prims.l_True) + /// Get the serialized private key. val key_pair_serialized_private_key (key_pair: @@ -31,21 +47,6 @@ val key_pair_serialized_private_key_mut Prims.l_True (fun _ -> Prims.l_True) -/// Get the serialized public key. -val key_pair_serialized_public_key - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - (requires - forall (i: nat). - i < 3 ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair.f_public_key - .f_ind_cpa_public_key - .f_t_as_ntt - i)) - (fun _ -> Prims.l_True) - /// Get the serialized public key. val key_pair_serialized_public_key_mut (key_pair: 
@@ -64,72 +65,20 @@ val key_pair_serialized_public_key_mut (fun _ -> Prims.l_True) /// Get the serialized public key. -val serialized_public_key - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) +val key_pair_serialized_public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) (requires forall (i: nat). i < 3 ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key + Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair.f_public_key .f_ind_cpa_public_key .f_t_as_ntt i)) (fun _ -> Prims.l_True) -/// Decapsulate ML-KEM 768 (unpacked) -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`] -/// and an [`MlKem768Ciphertext`]. -val decapsulate - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 768 (unpacked) -/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. 
-val encapsulate - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Generate ML-KEM 768 Key Pair in "unpacked" form. -val generate_key_pair_mut - (randomness: t_Array u8 (sz 64)) - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Generate ML-KEM 768 Key Pair in "unpacked" form. -val generate_key_pair (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - Prims.l_True - (fun _ -> Prims.l_True) - /// Create a new, empty unpacked key. val init_key_pair: Prims.unit -> Prims.Pure 
@@ -183,3 +132,54 @@ val unpacked_public_key Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 768 Key Pair in "unpacked" form. +val generate_key_pair_mut + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate ML-KEM 768 Key Pair in "unpacked" form. +val generate_key_pair (randomness: t_Array u8 (sz 64)) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 768 (unpacked) +/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 768 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`] +/// and an [`MlKem768Ciphertext`]. 
+val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst index d6ffc47a4..9eb852aea 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst @@ -16,20 +16,11 @@ let validate_private_key let validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) = Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_private_key_only (sz 3) (sz 2400) private_key -let decapsulate - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184) - (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) - (sz 1120) private_key ciphertext - -let encapsulate - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.encapsulate (sz 3) (sz 1088) (sz 1184) (sz 1152) - (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 3) + (sz 1152) + (sz 1184) + public_key.Libcrux_ml_kem.Types.f_value let generate_key_pair (randomness: t_Array u8 (sz 64)) = Libcrux_ml_kem.Ind_cca.Instantiations.Neon.generate_keypair (sz 3) 
@@ -41,8 +32,17 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 128) randomness -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 3) - (sz 1152) - (sz 1184) - public_key.Libcrux_ml_kem.Types.f_value +let encapsulate + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.encapsulate (sz 3) (sz 1088) (sz 1184) (sz 1152) + (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness + +let decapsulate + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184) + (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) + (sz 1120) private_key ciphertext diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti index 00fc18c11..becd85b03 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti 
@@ -15,13 +15,16 @@ val validate_private_key val validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) -/// Decapsulate ML-KEM 768 -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. -val decapsulate - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `true` if valid, and `false` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 768 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 64)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184)) + Prims.l_True + (fun _ -> Prims.l_True) /// Encapsulate ML-KEM 768 /// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. @@ -34,13 +37,10 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) -/// Generate ML-KEM 768 Key Pair -val generate_key_pair (randomness: t_Array u8 (sz 64)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Validate a public key. -/// Returns `true` if valid, and `false` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) +/// Decapsulate ML-KEM 768 +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. +val decapsulate + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fst index 02504bb00..49edec23c 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fst @@ -12,6 +12,22 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 3) + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (sz 1152) + (sz 1184) + public_key + serialized + in + serialized + let key_pair_serialized_private_key (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) @@ -43,17 +59,6 @@ let key_pair_serialized_private_key_mut in serialized -let key_pair_serialized_public_key - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - = - Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 3) - #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (sz 1152) - (sz 1184) - key_pair - let key_pair_serialized_public_key_mut (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) 
@@ -70,75 +75,16 @@ let key_pair_serialized_public_key_mut in serialized -let serialized_public_key - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - = - let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = - Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 3) - #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (sz 1152) - (sz 1184) - public_key - serialized - in - serialized - -let decapsulate - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.decapsulate (sz 3) (sz 2400) (sz 1152) - (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) - (sz 128) (sz 1120) private_key ciphertext - -let encapsulate - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184) - (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key - randomness - -let generate_key_pair_mut - (randomness: t_Array u8 (sz 64)) +let key_pair_serialized_public_key (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.generate_keypair (sz 3) - (sz 1152) - (sz 2400) - (sz 1184) - (sz 1152) - (sz 2) - (sz 128) - randomness - 
key_pair - in - key_pair - -let generate_key_pair (randomness: t_Array u8 (sz 64)) = - let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - #FStar.Tactics.Typeclasses.solve - () - in - let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - generate_key_pair_mut randomness key_pair - in - key_pair + Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 3) + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (sz 1152) + (sz 1184) + key_pair let init_key_pair (_: Prims.unit) = Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) 
@@ -209,3 +155,57 @@ let unpacked_public_key unpacked_public_key in unpacked_public_key + +let generate_key_pair_mut + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.generate_keypair (sz 3) + (sz 1152) + (sz 2400) + (sz 1184) + (sz 1152) + (sz 2) + (sz 128) + randomness + key_pair + in + key_pair + +let generate_key_pair (randomness: t_Array u8 (sz 64)) = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + #FStar.Tactics.Typeclasses.solve + () + in + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + generate_key_pair_mut randomness key_pair + in + key_pair + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184) + (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.decapsulate (sz 3) (sz 2400) (sz 1152) + (sz 1184) (sz 1088) (sz 1152) (sz 
960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) + (sz 128) (sz 1120) private_key ciphertext diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fsti index e4f2a98e1..7000bcd51 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fsti @@ -12,6 +12,22 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (requires + forall (i: nat). + i < 3 ==> + Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key + .f_ind_cpa_public_key + .f_t_as_ntt + i)) + (fun _ -> Prims.l_True) + /// Get the serialized private key. val key_pair_serialized_private_key (key_pair: @@ -31,21 +47,6 @@ val key_pair_serialized_private_key_mut Prims.l_True (fun _ -> Prims.l_True) -/// Get the serialized public key. -val key_pair_serialized_public_key - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - (requires - forall (i: nat). - i < 3 ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair.f_public_key - .f_ind_cpa_public_key - .f_t_as_ntt - i)) - (fun _ -> Prims.l_True) - /// Get the serialized public key. val key_pair_serialized_public_key_mut (key_pair: 
@@ -64,72 +65,20 @@ val key_pair_serialized_public_key_mut (fun _ -> Prims.l_True) /// Get the serialized public key. -val serialized_public_key - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) +val key_pair_serialized_public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) (requires forall (i: nat). i < 3 ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key + Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair.f_public_key .f_ind_cpa_public_key .f_t_as_ntt i)) (fun _ -> Prims.l_True) -/// Decapsulate ML-KEM 768 (unpacked) -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`] -/// and an [`MlKem768Ciphertext`]. -val decapsulate - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 768 (unpacked) -/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. 
-val encapsulate - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Generate ML-KEM 768 Key Pair in "unpacked" form. -val generate_key_pair_mut - (randomness: t_Array u8 (sz 64)) - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Generate ML-KEM 768 Key Pair in "unpacked" form. -val generate_key_pair (randomness: t_Array u8 (sz 64)) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - Prims.l_True - (fun _ -> Prims.l_True) - /// Create a new, empty unpacked key. val init_key_pair: Prims.unit -> Prims.Pure 
@@ -183,3 +132,54 @@ val unpacked_public_key Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 768 Key Pair in "unpacked" form. +val generate_key_pair_mut + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate ML-KEM 768 Key Pair in "unpacked" form. +val generate_key_pair (randomness: t_Array u8 (sz 64)) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 768 (unpacked) +/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 768 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`] +/// and an [`MlKem768Ciphertext`]. 
+val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst index ef78b1c7e..6e1b7d300 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst @@ -18,20 +18,11 @@ let validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateK (sz 2400) private_key -let decapsulate - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184) - (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) - (sz 1120) private_key ciphertext - -let encapsulate - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.encapsulate (sz 3) (sz 1088) (sz 1184) (sz 1152) - (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 3) + (sz 1152) + (sz 1184) + public_key.Libcrux_ml_kem.Types.f_value let generate_key_pair (randomness: t_Array u8 (sz 64)) = Libcrux_ml_kem.Ind_cca.Instantiations.Portable.generate_keypair (sz 3) 
@@ -43,8 +34,17 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 128) randomness -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 3) - (sz 1152) - (sz 1184) - public_key.Libcrux_ml_kem.Types.f_value +let encapsulate + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.encapsulate (sz 3) (sz 1088) (sz 1184) (sz 1152) + (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness + +let decapsulate + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184) + (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) + (sz 1120) private_key ciphertext diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti index d503ab893..9868790a1 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti 
@@ -15,13 +15,16 @@ val validate_private_key val validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) -/// Decapsulate ML-KEM 768 -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. -val decapsulate - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `true` if valid, and `false` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 768 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 64)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184)) + Prims.l_True + (fun _ -> Prims.l_True) /// Encapsulate ML-KEM 768 /// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. @@ -34,13 +37,10 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) -/// Generate ML-KEM 768 Key Pair -val generate_key_pair (randomness: t_Array u8 (sz 64)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Validate a public key. -/// Returns `true` if valid, and `false` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) +/// Decapsulate ML-KEM 768 +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. +val decapsulate + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fst index 80ac366d4..e5bea331d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fst 
@@ -9,43 +9,43 @@ let _ = let open Rand_core in () -let encapsulate +let generate_key_pair (#impl_277843321_: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_) - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) (rng: impl_277843321_) = - let randomness:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in - let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 32)) = + let randomness:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 64)) = Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness in let rng:impl_277843321_ = tmp0 in - let randomness:t_Array u8 (sz 32) = tmp1 in + let randomness:t_Array u8 (sz 64) = tmp1 in let _:Prims.unit = () in - let hax_temp_output:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) = - Libcrux_ml_kem.Mlkem768.encapsulate public_key randomness + let hax_temp_output:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184) = + Libcrux_ml_kem.Mlkem768.generate_key_pair randomness in rng, hax_temp_output <: - (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32))) + (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184)) -let generate_key_pair +let encapsulate (#impl_277843321_: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) (rng: impl_277843321_) = - let randomness:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in - let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 64)) = + let randomness:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 32)) = 
Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness in let rng:impl_277843321_ = tmp0 in - let randomness:t_Array u8 (sz 64) = tmp1 in + let randomness:t_Array u8 (sz 32) = tmp1 in let _:Prims.unit = () in - let hax_temp_output:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184) = - Libcrux_ml_kem.Mlkem768.generate_key_pair randomness + let hax_temp_output:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) = + Libcrux_ml_kem.Mlkem768.encapsulate public_key randomness in rng, hax_temp_output <: - (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184)) + (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32))) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fsti index fb034e0f5..a9bea6f7d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fsti 
@@ -9,31 +9,31 @@ let _ = let open Rand_core in () -/// Encapsulate ML-KEM 768 -/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an [`MlKem768PublicKey`]. +/// Generate ML-KEM 768 Key Pair /// The random number generator `rng` needs to implement `RngCore` and /// `CryptoRng` to sample the required randomness internally. -val encapsulate +/// This function returns an [`MlKem768KeyPair`]. +val generate_key_pair (#impl_277843321_: Type0) {| i1: Rand_core.t_RngCore impl_277843321_ |} {| i2: Rand_core.t_CryptoRng impl_277843321_ |} - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) (rng: impl_277843321_) - : Prims.Pure - (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32))) + : Prims.Pure (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184)) Prims.l_True (fun _ -> Prims.l_True) -/// Generate ML-KEM 768 Key Pair +/// Encapsulate ML-KEM 768 +/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an [`MlKem768PublicKey`]. /// The random number generator `rng` needs to implement `RngCore` and /// `CryptoRng` to sample the required randomness internally. -/// This function returns an [`MlKem768KeyPair`]. -val generate_key_pair +val encapsulate (#impl_277843321_: Type0) {| i1: Rand_core.t_RngCore impl_277843321_ |} {| i2: Rand_core.t_CryptoRng impl_277843321_ |} + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) (rng: impl_277843321_) - : Prims.Pure (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184)) + : Prims.Pure + (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32))) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst index 7a9f4607c..c5a5f1ff0 100644 
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst @@ -19,14 +19,16 @@ let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1 (sz 1184) public_key.Libcrux_ml_kem.Types.f_value -let decapsulate - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) - = - let result:t_Array u8 (sz 32) = - Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184) (sz 1088) - (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1120) - private_key ciphertext +let generate_key_pair (randomness: t_Array u8 (sz 64)) = + let result:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184) = + Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 3) + (sz 1152) + (sz 2400) + (sz 1184) + (sz 1152) + (sz 2) + (sz 128) + randomness in let _:Prims.unit = admit () (* Panic freedom *) in result @@ -42,16 +44,14 @@ let encapsulate let _:Prims.unit = admit () (* Panic freedom *) in result -let generate_key_pair (randomness: t_Array u8 (sz 64)) = - let result:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184) = - Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 3) - (sz 1152) - (sz 2400) - (sz 1184) - (sz 1152) - (sz 2) - (sz 128) - randomness +let decapsulate + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + = + let result:t_Array u8 (sz 32) = + Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184) (sz 1088) + (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1120) + private_key ciphertext in let _:Prims.unit = admit () (* Panic freedom *) in result 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti index d1d7c217f..6463d3e48 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti @@ -3,23 +3,8 @@ module Libcrux_ml_kem.Mlkem768 open Core open FStar.Mul -let v_ETA1: usize = sz 2 - -let v_ETA1_RANDOMNESS_SIZE: usize = v_ETA1 *! sz 64 - -let v_ETA2: usize = sz 2 - -let v_ETA2_RANDOMNESS_SIZE: usize = v_ETA2 *! sz 64 - let v_RANK_768_: usize = sz 3 -let v_CPA_PKE_SECRET_KEY_SIZE_768_: usize = - ((v_RANK_768_ *! Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) *! - Libcrux_ml_kem.Constants.v_BITS_PER_COEFFICIENT - <: - usize) /! - sz 8 - let v_RANKED_BYTES_PER_RING_ELEMENT_768_: usize = (v_RANK_768_ *! Libcrux_ml_kem.Constants.v_BITS_PER_RING_ELEMENT <: usize) /! sz 8 @@ -30,15 +15,6 @@ let v_T_AS_NTT_ENCODED_SIZE_768_: usize = usize) /! sz 8 -let v_CPA_PKE_PUBLIC_KEY_SIZE_768_: usize = v_T_AS_NTT_ENCODED_SIZE_768_ +! sz 32 - -let v_SECRET_KEY_SIZE_768_: usize = - ((v_CPA_PKE_SECRET_KEY_SIZE_768_ +! v_CPA_PKE_PUBLIC_KEY_SIZE_768_ <: usize) +! - Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE - <: - usize) +! - Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE - let v_VECTOR_U_COMPRESSION_FACTOR_768_: usize = sz 10 let v_C1_BLOCK_SIZE_768_: usize = 
@@ -57,8 +33,32 @@ let v_C2_SIZE_768_: usize = usize) /! sz 8 +let v_CPA_PKE_SECRET_KEY_SIZE_768_: usize = + ((v_RANK_768_ *! Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) *! + Libcrux_ml_kem.Constants.v_BITS_PER_COEFFICIENT + <: + usize) /! + sz 8 + +let v_CPA_PKE_PUBLIC_KEY_SIZE_768_: usize = v_T_AS_NTT_ENCODED_SIZE_768_ +! sz 32 + let v_CPA_PKE_CIPHERTEXT_SIZE_768_: usize = v_C1_SIZE_768_ +! v_C2_SIZE_768_ +let v_SECRET_KEY_SIZE_768_: usize = + ((v_CPA_PKE_SECRET_KEY_SIZE_768_ +! v_CPA_PKE_PUBLIC_KEY_SIZE_768_ <: usize) +! + Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE + <: + usize) +! + Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE + +let v_ETA1: usize = sz 2 + +let v_ETA1_RANDOMNESS_SIZE: usize = v_ETA1 *! sz 64 + +let v_ETA2: usize = sz 2 + +let v_ETA2_RANDOMNESS_SIZE: usize = v_ETA2 *! sz 64 + let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_768_ 
@@ -74,21 +74,20 @@ val validate_private_key val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) -/// Decapsulate ML-KEM 768 -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. -val decapsulate - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) - : Prims.Pure (t_Array u8 (sz 32)) +/// Generate ML-KEM 768 Key Pair +/// Generate an ML-KEM key pair. The input is a byte array of size +/// [`KEY_GENERATION_SEED_SIZE`]. +/// This function returns an [`MlKem768KeyPair`]. +val generate_key_pair (randomness: t_Array u8 (sz 64)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184)) Prims.l_True (ensures fun res -> - let res:t_Array u8 (sz 32) = res in - let shared_secret, valid = - Spec.MLKEM.Instances.mlkem768_decapsulate private_key.f_value ciphertext.f_value + let res:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184) = res in + let (secret_key, public_key), valid = + Spec.MLKEM.Instances.mlkem768_generate_keypair randomness in - valid ==> res == shared_secret) + valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key)) /// Encapsulate ML-KEM 768 /// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. 
@@ -108,17 +107,18 @@ val encapsulate let res_ciphertext, res_shared_secret = res in valid ==> (res_ciphertext.f_value == ciphertext /\ res_shared_secret == shared_secret)) -/// Generate ML-KEM 768 Key Pair -/// Generate an ML-KEM key pair. The input is a byte array of size -/// [`KEY_GENERATION_SEED_SIZE`]. -/// This function returns an [`MlKem768KeyPair`]. -val generate_key_pair (randomness: t_Array u8 (sz 64)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184)) +/// Decapsulate ML-KEM 768 +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. +val decapsulate + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (ensures fun res -> - let res:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184) = res in - let (secret_key, public_key), valid = - Spec.MLKEM.Instances.mlkem768_generate_keypair randomness + let res:t_Array u8 (sz 32) = res in + let shared_secret, valid = + Spec.MLKEM.Instances.mlkem768_decapsulate private_key.f_value ciphertext.f_value in - valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key)) + valid ==> res == shared_secret) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst index c9cb3fbc7..5fc216b49 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst 
@@ -9,23 +9,6 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -let ntt_layer_int_vec_step - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (a b: v_Vector) - (zeta_r: i16) - = - let t:v_Vector = Libcrux_ml_kem.Vector.Traits.montgomery_multiply_fe #v_Vector b zeta_r in - let b:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_sub #v_Vector #FStar.Tactics.Typeclasses.solve a t - in - let a:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_add #v_Vector #FStar.Tactics.Typeclasses.solve a t - in - a, b <: (v_Vector & v_Vector) - #push-options "--z3rlimit 200 --ext context_pruning" let ntt_at_layer_1_ 
@@ -265,6 +248,97 @@ let ntt_at_layer_3_ #push-options "--admit_smt_queries true" +let ntt_at_layer_7_ + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + = + let step:usize = Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT /! sz 2 in + let _:Prims.unit = assert (v step == 8) in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Rust_primitives.Hax.Folds.fold_range (sz 0) + step + (fun re j -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let j:usize = j in + (v j < 8 ==> + (forall (i: nat). + (i >= v j /\ i < 8) ==> + ntt_layer_7_pre (re.f_coefficients.[ sz i ]) (re.f_coefficients.[ sz i +! sz 8 ])))) + re + (fun re j -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let j:usize = j in + let _:Prims.unit = reveal_opaque (`%ntt_layer_7_pre) (ntt_layer_7_pre #v_Vector) in + let t:v_Vector = + Libcrux_ml_kem.Vector.Traits.f_multiply_by_constant #v_Vector + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ j +! step <: usize ] <: v_Vector) + (-1600s) + in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + (j +! 
step <: usize) + (Libcrux_ml_kem.Vector.Traits.f_sub #v_Vector + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ j ] <: v_Vector) + t + <: + v_Vector) + } + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector + in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + j + (Libcrux_ml_kem.Vector.Traits.f_add #v_Vector + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ j ] <: v_Vector) + t + <: + v_Vector) + } + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector + in + re) + in + re + +#pop-options + +let ntt_layer_int_vec_step + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (a b: v_Vector) + (zeta_r: i16) + = + let t:v_Vector = Libcrux_ml_kem.Vector.Traits.montgomery_multiply_fe #v_Vector b zeta_r in + let b:v_Vector = + Libcrux_ml_kem.Vector.Traits.f_sub #v_Vector #FStar.Tactics.Typeclasses.solve a t + in + let a:v_Vector = + Libcrux_ml_kem.Vector.Traits.f_add #v_Vector #FStar.Tactics.Typeclasses.solve a t + in + a, b <: (v_Vector & v_Vector) + +#push-options "--admit_smt_queries true" + let ntt_at_layer_4_plus (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] 
@@ -348,80 +422,6 @@ let ntt_at_layer_4_plus #pop-options -#push-options "--admit_smt_queries true" - -let ntt_at_layer_7_ - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - = - let step:usize = Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT /! sz 2 in - let _:Prims.unit = assert (v step == 8) in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Rust_primitives.Hax.Folds.fold_range (sz 0) - step - (fun re j -> - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let j:usize = j in - (v j < 8 ==> - (forall (i: nat). - (i >= v j /\ i < 8) ==> - ntt_layer_7_pre (re.f_coefficients.[ sz i ]) (re.f_coefficients.[ sz i +! sz 8 ])))) - re - (fun re j -> - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let j:usize = j in - let _:Prims.unit = reveal_opaque (`%ntt_layer_7_pre) (ntt_layer_7_pre #v_Vector) in - let t:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_multiply_by_constant #v_Vector - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ j +! step <: usize ] <: v_Vector) - (-1600s) - in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - { - re with - Libcrux_ml_kem.Polynomial.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_kem.Polynomial.f_coefficients - (j +! 
step <: usize) - (Libcrux_ml_kem.Vector.Traits.f_sub #v_Vector - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ j ] <: v_Vector) - t - <: - v_Vector) - } - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector - in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - { - re with - Libcrux_ml_kem.Polynomial.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_kem.Polynomial.f_coefficients - j - (Libcrux_ml_kem.Vector.Traits.f_add #v_Vector - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ j ] <: v_Vector) - t - <: - v_Vector) - } - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector - in - re) - in - re - -#pop-options - #push-options "--z3rlimit 200" let ntt_binomially_sampled_ring_element diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fsti index 7f10c45bd..d2f05ff5b 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fsti 
@@ -9,27 +9,6 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -val ntt_layer_int_vec_step - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (a b: v_Vector) - (zeta_r: i16) - : Prims.Pure (v_Vector & v_Vector) - (requires - Spec.Utils.is_i16b 1664 zeta_r /\ - (let t = Libcrux_ml_kem.Vector.Traits.montgomery_multiply_fe b zeta_r in - (forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i) - - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))) /\ - (forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i) + - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))))) - (fun _ -> Prims.l_True) - [@@ "opaque_to_smt"] let ntt_re_range_1 (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} 
@@ -106,27 +85,6 @@ val ntt_at_layer_3_ in ntt_re_range_3 re_future /\ v zeta_i_future == 31) -val ntt_at_layer_4_plus - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (zeta_i: usize) - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (layer v__initial_coefficient_bound: usize) - : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires - v layer >= 4 /\ v layer <= 7 /\ - ((v layer == 4 ==> v zeta_i == 7) /\ (v layer == 5 ==> v zeta_i == 3) /\ - (v layer == 6 ==> v zeta_i == 1) /\ (v layer == 7 ==> v zeta_i == 0))) - (ensures - fun temp_0_ -> - let zeta_i_future, re_future:(usize & - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - temp_0_ - in - ntt_re_range_4 re_future /\ (v layer == 4 ==> v zeta_i_future == 15) /\ - (v layer == 5 ==> v zeta_i_future == 7) /\ (v layer == 6 ==> v zeta_i_future == 3) /\ - (v layer == 7 ==> v zeta_i_future == 1)) - [@@ "opaque_to_smt"] let ntt_layer_7_pre (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} 
@@ -155,6 +113,48 @@ val ntt_at_layer_7_ ntt_layer_7_pre (re.f_coefficients.[ sz i ]) (re.f_coefficients.[ sz i +! sz 8 ])) (fun _ -> Prims.l_True) +val ntt_layer_int_vec_step + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (a b: v_Vector) + (zeta_r: i16) + : Prims.Pure (v_Vector & v_Vector) + (requires + Spec.Utils.is_i16b 1664 zeta_r /\ + (let t = Libcrux_ml_kem.Vector.Traits.montgomery_multiply_fe b zeta_r in + (forall i. + i < 16 ==> + Spec.Utils.is_intb (pow2 15 - 1) + (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i) - + v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))) /\ + (forall i. + i < 16 ==> + Spec.Utils.is_intb (pow2 15 - 1) + (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i) + + v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))))) + (fun _ -> Prims.l_True) + +val ntt_at_layer_4_plus + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (zeta_i: usize) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (layer v__initial_coefficient_bound: usize) + : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (requires + v layer >= 4 /\ v layer <= 7 /\ + ((v layer == 4 ==> v zeta_i == 7) /\ (v layer == 5 ==> v zeta_i == 3) /\ + (v layer == 6 ==> v zeta_i == 1) /\ (v layer == 7 ==> v zeta_i == 0))) + (ensures + fun temp_0_ -> + let zeta_i_future, re_future:(usize & + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + temp_0_ + in + ntt_re_range_4 re_future /\ (v layer == 4 ==> v zeta_i_future == 15) /\ + (v layer == 5 ==> v zeta_i_future == 7) /\ (v layer == 6 ==> v zeta_i_future == 3) /\ + (v layer == 7 ==> v zeta_i_future == 1)) + val ntt_binomially_sampled_ring_element (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst index 98121e9f7..73cfc23ac 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst 
@@ -46,14 +46,122 @@ let impl_1 Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) = impl_1' #v_Vector #i1 #i2 +let v_ZERO + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (_: Prims.unit) + = + { + f_coefficients + = + Rust_primitives.Hax.repeat (Libcrux_ml_kem.Vector.Traits.f_ZERO #v_Vector + #FStar.Tactics.Typeclasses.solve + () + <: + v_Vector) + (sz 16) + } + <: + t_PolynomialRingElement v_Vector + +let from_i16_array + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (a: t_Slice i16) + = + let result:t_PolynomialRingElement v_Vector = v_ZERO #v_Vector () in + let result:t_PolynomialRingElement v_Vector = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_VECTORS_IN_RING_ELEMENT + (fun result temp_1_ -> + let result:t_PolynomialRingElement v_Vector = result in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:t_PolynomialRingElement v_Vector = result in + let i:usize = i in + { + result with + f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result.f_coefficients + i + (Libcrux_ml_kem.Vector.Traits.f_from_i16_array #v_Vector + #FStar.Tactics.Typeclasses.solve + (a.[ { + Core.Ops.Range.f_start = i *! sz 16 <: usize; + Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! 
sz 16 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16) + <: + v_Vector) + <: + t_Array v_Vector (sz 16) + } + <: + t_PolynomialRingElement v_Vector) + in + result + #push-options "--admit_smt_queries true" -let add_error_reduce +let add_to_ring_element (#v_Vector: Type0) + (v_K: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (myself error: t_PolynomialRingElement v_Vector) + (myself rhs: t_PolynomialRingElement v_Vector) + = + let myself:t_PolynomialRingElement v_Vector = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_Vector (myself.f_coefficients <: t_Slice v_Vector) <: usize) + (fun myself temp_1_ -> + let myself:t_PolynomialRingElement v_Vector = myself in + let _:usize = temp_1_ in + true) + myself + (fun myself i -> + let myself:t_PolynomialRingElement v_Vector = myself in + let i:usize = i in + { + myself with + f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize myself.f_coefficients + i + (Libcrux_ml_kem.Vector.Traits.f_add #v_Vector + #FStar.Tactics.Typeclasses.solve + (myself.f_coefficients.[ i ] <: v_Vector) + (rhs.f_coefficients.[ i ] <: v_Vector) + <: + v_Vector) + <: + t_Array v_Vector (sz 16) + } + <: + t_PolynomialRingElement v_Vector) + in + myself + +#pop-options + +#push-options "--admit_smt_queries true" + +let poly_barrett_reduce + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (myself: t_PolynomialRingElement v_Vector) = let myself:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) 
@@ -63,28 +171,69 @@ let add_error_reduce let _:usize = temp_1_ in true) myself - (fun myself j -> + (fun myself i -> let myself:t_PolynomialRingElement v_Vector = myself in - let j:usize = j in + let i:usize = i in + { + myself with + f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize myself.f_coefficients + i + (Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector + #FStar.Tactics.Typeclasses.solve + (myself.f_coefficients.[ i ] <: v_Vector) + <: + v_Vector) + <: + t_Array v_Vector (sz 16) + } + <: + t_PolynomialRingElement v_Vector) + in + myself + +#pop-options + +#push-options "--admit_smt_queries true" + +let subtract_reduce + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (myself b: t_PolynomialRingElement v_Vector) + = + let b:t_PolynomialRingElement v_Vector = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_VECTORS_IN_RING_ELEMENT + (fun b temp_1_ -> + let b:t_PolynomialRingElement v_Vector = b in + let _:usize = temp_1_ in + true) + b + (fun b i -> + let b:t_PolynomialRingElement v_Vector = b in + let i:usize = i in let coefficient_normal_form:v_Vector = Libcrux_ml_kem.Vector.Traits.f_montgomery_multiply_by_constant #v_Vector #FStar.Tactics.Typeclasses.solve - (myself.f_coefficients.[ j ] <: v_Vector) + (b.f_coefficients.[ i ] <: v_Vector) 1441s in - let myself:t_PolynomialRingElement v_Vector = + let b:t_PolynomialRingElement v_Vector = { - myself with + b with f_coefficients = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize myself.f_coefficients - j + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize b.f_coefficients + i (Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_kem.Vector.Traits.f_add #v_Vector + (Libcrux_ml_kem.Vector.Traits.f_sub #v_Vector #FStar.Tactics.Typeclasses.solve + (myself.f_coefficients.[ i ] <: v_Vector) coefficient_normal_form - 
(error.f_coefficients.[ j ] <: v_Vector) <: v_Vector) <: @@ -93,22 +242,12 @@ let add_error_reduce <: t_PolynomialRingElement v_Vector in - myself) + b) in - myself + b #pop-options -let impl_2__add_error_reduce - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (self error: t_PolynomialRingElement v_Vector) - = - let self:t_PolynomialRingElement v_Vector = add_error_reduce #v_Vector self error in - self - #push-options "--admit_smt_queries true" let add_message_error_reduce @@ -169,17 +308,9 @@ let add_message_error_reduce #pop-options -let impl_2__add_message_error_reduce - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (self message result: t_PolynomialRingElement v_Vector) - = add_message_error_reduce #v_Vector self message result - #push-options "--admit_smt_queries true" -let add_standard_error_reduce +let add_error_reduce (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: @@ -198,8 +329,10 @@ let add_standard_error_reduce let myself:t_PolynomialRingElement v_Vector = myself in let j:usize = j in let coefficient_normal_form:v_Vector = - Libcrux_ml_kem.Vector.Traits.to_standard_domain #v_Vector + Libcrux_ml_kem.Vector.Traits.f_montgomery_multiply_by_constant #v_Vector + #FStar.Tactics.Typeclasses.solve (myself.f_coefficients.[ j ] <: v_Vector) + 1441s in let myself:t_PolynomialRingElement v_Vector = { 
@@ -228,45 +361,41 @@ let add_standard_error_reduce #pop-options -let impl_2__add_standard_error_reduce - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (self error: t_PolynomialRingElement v_Vector) - = - let self:t_PolynomialRingElement v_Vector = add_standard_error_reduce #v_Vector self error in - self - #push-options "--admit_smt_queries true" -let poly_barrett_reduce +let ntt_multiply (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (myself: t_PolynomialRingElement v_Vector) + (myself rhs: t_PolynomialRingElement v_Vector) = - let myself:t_PolynomialRingElement v_Vector = + let out:t_PolynomialRingElement v_Vector = v_ZERO #v_Vector () in + let out:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) v_VECTORS_IN_RING_ELEMENT - (fun myself temp_1_ -> - let myself:t_PolynomialRingElement v_Vector = myself in + (fun out temp_1_ -> + let out:t_PolynomialRingElement v_Vector = out in let _:usize = temp_1_ in true) - myself - (fun myself i -> - let myself:t_PolynomialRingElement v_Vector = myself in + out + (fun out i -> + let out:t_PolynomialRingElement v_Vector = out in let i:usize = i in { - myself with + out with f_coefficients = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize myself.f_coefficients + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out.f_coefficients i - (Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector + (Libcrux_ml_kem.Vector.Traits.f_ntt_multiply #v_Vector #FStar.Tactics.Typeclasses.solve (myself.f_coefficients.[ i ] <: v_Vector) + (rhs.f_coefficients.[ i ] <: v_Vector) + (zeta (sz 64 +! (sz 4 *! i <: usize) <: usize) <: i16) + (zeta ((sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 1 <: usize) <: i16) + (zeta ((sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 2 <: usize) <: i16) + (zeta ((sz 64 +! (sz 4 *! i <: usize) <: usize) +! 
sz 3 <: usize) <: i16) <: v_Vector) <: 
@@ -275,81 +404,10 @@ let poly_barrett_reduce <: t_PolynomialRingElement v_Vector) in - myself - -#pop-options - -let impl_2__poly_barrett_reduce - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (self: t_PolynomialRingElement v_Vector) - = - let self:t_PolynomialRingElement v_Vector = poly_barrett_reduce #v_Vector self in - self - -#push-options "--admit_smt_queries true" - -let subtract_reduce - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (myself b: t_PolynomialRingElement v_Vector) - = - let b:t_PolynomialRingElement v_Vector = - Rust_primitives.Hax.Folds.fold_range (sz 0) - v_VECTORS_IN_RING_ELEMENT - (fun b temp_1_ -> - let b:t_PolynomialRingElement v_Vector = b in - let _:usize = temp_1_ in - true) - b - (fun b i -> - let b:t_PolynomialRingElement v_Vector = b in - let i:usize = i in - let coefficient_normal_form:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_montgomery_multiply_by_constant #v_Vector - #FStar.Tactics.Typeclasses.solve - (b.f_coefficients.[ i ] <: v_Vector) - 1441s - in - let b:t_PolynomialRingElement v_Vector = - { - b with - f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize b.f_coefficients - i - (Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector - #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_kem.Vector.Traits.f_sub #v_Vector - #FStar.Tactics.Typeclasses.solve - (myself.f_coefficients.[ i ] <: v_Vector) - coefficient_normal_form - <: - v_Vector) - <: - v_Vector) - } - <: - t_PolynomialRingElement v_Vector - in - b) - in - b + out #pop-options -let impl_2__subtract_reduce - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (self b: t_PolynomialRingElement v_Vector) - = subtract_reduce #v_Vector self b - let impl_2__ZERO (#v_Vector: Type0) 
(#[FStar.Tactics.Typeclasses.tcresolve ()] 
@@ -370,125 +428,52 @@ let impl_2__ZERO <: t_PolynomialRingElement v_Vector -let v_ZERO +let impl_2__add_to_ring_element (#v_Vector: Type0) + (v_K: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (_: Prims.unit) + (self rhs: t_PolynomialRingElement v_Vector) = - { - f_coefficients - = - Rust_primitives.Hax.repeat (Libcrux_ml_kem.Vector.Traits.f_ZERO #v_Vector - #FStar.Tactics.Typeclasses.solve - () - <: - v_Vector) - (sz 16) - } - <: - t_PolynomialRingElement v_Vector + let self:t_PolynomialRingElement v_Vector = add_to_ring_element #v_Vector v_K self rhs in + self -let from_i16_array +let impl_2__poly_barrett_reduce (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (a: t_Slice i16) + (self: t_PolynomialRingElement v_Vector) = - let result:t_PolynomialRingElement v_Vector = v_ZERO #v_Vector () in - let result:t_PolynomialRingElement v_Vector = - Rust_primitives.Hax.Folds.fold_range (sz 0) - v_VECTORS_IN_RING_ELEMENT - (fun result temp_1_ -> - let result:t_PolynomialRingElement v_Vector = result in - let _:usize = temp_1_ in - true) - result - (fun result i -> - let result:t_PolynomialRingElement v_Vector = result in - let i:usize = i in - { - result with - f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result.f_coefficients - i - (Libcrux_ml_kem.Vector.Traits.f_from_i16_array #v_Vector - #FStar.Tactics.Typeclasses.solve - (a.[ { - Core.Ops.Range.f_start = i *! sz 16 <: usize; - Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! 
sz 16 <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i16) - <: - v_Vector) - <: - t_Array v_Vector (sz 16) - } - <: - t_PolynomialRingElement v_Vector) - in - result + let self:t_PolynomialRingElement v_Vector = poly_barrett_reduce #v_Vector self in + self -let impl_2__from_i16_array +let impl_2__subtract_reduce (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (a: t_Slice i16) - = from_i16_array #v_Vector a + (self b: t_PolynomialRingElement v_Vector) + = subtract_reduce #v_Vector self b -#push-options "--admit_smt_queries true" +let impl_2__add_message_error_reduce + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (self message result: t_PolynomialRingElement v_Vector) + = add_message_error_reduce #v_Vector self message result -let ntt_multiply +let impl_2__add_error_reduce (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (myself rhs: t_PolynomialRingElement v_Vector) + (self error: t_PolynomialRingElement v_Vector) = - let out:t_PolynomialRingElement v_Vector = v_ZERO #v_Vector () in - let out:t_PolynomialRingElement v_Vector = - Rust_primitives.Hax.Folds.fold_range (sz 0) - v_VECTORS_IN_RING_ELEMENT - (fun out temp_1_ -> - let out:t_PolynomialRingElement v_Vector = out in - let _:usize = temp_1_ in - true) - out - (fun out i -> - let out:t_PolynomialRingElement v_Vector = out in - let i:usize = i in - { - out with - f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out.f_coefficients - i - (Libcrux_ml_kem.Vector.Traits.f_ntt_multiply #v_Vector - #FStar.Tactics.Typeclasses.solve - (myself.f_coefficients.[ i ] <: v_Vector) - (rhs.f_coefficients.[ i ] <: v_Vector) - (zeta (sz 64 +! (sz 4 *! i <: usize) <: usize) <: i16) - (zeta ((sz 64 +! (sz 4 *! i <: usize) <: usize) +! 
sz 1 <: usize) <: i16) - (zeta ((sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 2 <: usize) <: i16) - (zeta ((sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 3 <: usize) <: i16) - <: - v_Vector) - <: - t_Array v_Vector (sz 16) - } - <: - t_PolynomialRingElement v_Vector) - in - out - -#pop-options + let self:t_PolynomialRingElement v_Vector = add_error_reduce #v_Vector self error in + self let impl_2__ntt_multiply (#v_Vector: Type0) 
@@ -498,56 +483,71 @@ let impl_2__ntt_multiply (self rhs: t_PolynomialRingElement v_Vector) = ntt_multiply #v_Vector self rhs +let impl_2__from_i16_array + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (a: t_Slice i16) + = from_i16_array #v_Vector a + #push-options "--admit_smt_queries true" -let add_to_ring_element +let add_standard_error_reduce (#v_Vector: Type0) - (v_K: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (myself rhs: t_PolynomialRingElement v_Vector) + (myself error: t_PolynomialRingElement v_Vector) = let myself:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #v_Vector (myself.f_coefficients <: t_Slice v_Vector) <: usize) + v_VECTORS_IN_RING_ELEMENT (fun myself temp_1_ -> let myself:t_PolynomialRingElement v_Vector = myself in let _:usize = temp_1_ in true) myself - (fun myself i -> + (fun myself j -> let myself:t_PolynomialRingElement v_Vector = myself in - let i:usize = i in - { - myself with - f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize myself.f_coefficients - i - (Libcrux_ml_kem.Vector.Traits.f_add #v_Vector - #FStar.Tactics.Typeclasses.solve - (myself.f_coefficients.[ i ] <: v_Vector) - (rhs.f_coefficients.[ i ] <: v_Vector) - <: - v_Vector) + let j:usize = j in + let coefficient_normal_form:v_Vector = + Libcrux_ml_kem.Vector.Traits.to_standard_domain #v_Vector + (myself.f_coefficients.[ j ] <: v_Vector) + in + let myself:t_PolynomialRingElement v_Vector = + { + myself with + f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize myself.f_coefficients + j + (Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_kem.Vector.Traits.f_add #v_Vector + #FStar.Tactics.Typeclasses.solve + coefficient_normal_form + (error.f_coefficients.[ j ] <: 
v_Vector) + <: + v_Vector) + <: + v_Vector) + } <: - t_Array v_Vector (sz 16) - } - <: - t_PolynomialRingElement v_Vector) + t_PolynomialRingElement v_Vector + in + myself) in myself #pop-options -let impl_2__add_to_ring_element +let impl_2__add_standard_error_reduce (#v_Vector: Type0) - (v_K: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (self rhs: t_PolynomialRingElement v_Vector) + (self error: t_PolynomialRingElement v_Vector) = - let self:t_PolynomialRingElement v_Vector = add_to_ring_element #v_Vector v_K self rhs in + let self:t_PolynomialRingElement v_Vector = add_standard_error_reduce #v_Vector self error in self diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti index c64101d1e..3d69e2629 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti 
@@ -76,40 +76,28 @@ val impl_1 {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} : Core.Marker.t_Copy (t_PolynomialRingElement v_Vector) -val add_error_reduce - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (myself error: t_PolynomialRingElement v_Vector) - : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) - -val impl_2__add_error_reduce - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (self error: t_PolynomialRingElement v_Vector) - : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) - -val add_message_error_reduce - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (myself message result: t_PolynomialRingElement v_Vector) - : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) - -val impl_2__add_message_error_reduce - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (self message result: t_PolynomialRingElement v_Vector) - : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) +val v_ZERO: + #v_Vector: Type0 -> + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} -> + Prims.unit + -> Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val add_standard_error_reduce +val from_i16_array (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (myself error: t_PolynomialRingElement v_Vector) - : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) + (a: t_Slice i16) + : Prims.Pure (t_PolynomialRingElement v_Vector) + (requires + (v_VECTORS_IN_RING_ELEMENT *! sz 16 <: usize) <=. 
(Core.Slice.impl__len #i16 a <: usize)) + (fun _ -> Prims.l_True) -val impl_2__add_standard_error_reduce +/// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise +/// sum of their constituent coefficients. +val add_to_ring_element (#v_Vector: Type0) + (v_K: usize) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (self error: t_PolynomialRingElement v_Vector) + (myself rhs: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) val poly_barrett_reduce 
@@ -118,53 +106,23 @@ val poly_barrett_reduce (myself: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_2__poly_barrett_reduce - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (self: t_PolynomialRingElement v_Vector) - : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) - val subtract_reduce (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (myself b: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_2__subtract_reduce +val add_message_error_reduce (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (self b: t_PolynomialRingElement v_Vector) + (myself message result: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_2__ZERO: - #v_Vector: Type0 -> - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} -> - Prims.unit - -> Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) - -val v_ZERO: - #v_Vector: Type0 -> - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} -> - Prims.unit - -> Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) - -val from_i16_array - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (a: t_Slice i16) - : Prims.Pure (t_PolynomialRingElement v_Vector) - (requires - (v_VECTORS_IN_RING_ELEMENT *! sz 16 <: usize) <=. (Core.Slice.impl__len #i16 a <: usize)) - (fun _ -> Prims.l_True) - -val impl_2__from_i16_array +val add_error_reduce (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (a: t_Slice i16) - : Prims.Pure (t_PolynomialRingElement v_Vector) - (requires - (v_VECTORS_IN_RING_ELEMENT *! sz 16 <: usize) <=. 
(Core.Slice.impl__len #i16 a <: usize)) - (fun _ -> Prims.l_True) + (myself error: t_PolynomialRingElement v_Vector) + : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) /// Given two `KyberPolynomialRingElement`s in their NTT representations, /// compute their product. Given two polynomials in the NTT domain `f^` and `ĵ`, 
@@ -192,26 +150,68 @@ val ntt_multiply (myself rhs: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_2__ntt_multiply +val impl_2__ZERO: + #v_Vector: Type0 -> + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} -> + Prims.unit + -> Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise +/// sum of their constituent coefficients. +val impl_2__add_to_ring_element (#v_Vector: Type0) + (v_K: usize) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self rhs: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -/// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise -/// sum of their constituent coefficients. -val add_to_ring_element +val impl_2__poly_barrett_reduce (#v_Vector: Type0) - (v_K: usize) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (myself rhs: t_PolynomialRingElement v_Vector) + (self: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -/// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise -/// sum of their constituent coefficients. 
-val impl_2__add_to_ring_element +val impl_2__subtract_reduce + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self b: t_PolynomialRingElement v_Vector) + : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) + +val impl_2__add_message_error_reduce + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self message result: t_PolynomialRingElement v_Vector) + : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) + +val impl_2__add_error_reduce + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self error: t_PolynomialRingElement v_Vector) + : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) + +val impl_2__ntt_multiply (#v_Vector: Type0) - (v_K: usize) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self rhs: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) + +val impl_2__from_i16_array + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (a: t_Slice i16) + : Prims.Pure (t_PolynomialRingElement v_Vector) + (requires + (v_VECTORS_IN_RING_ELEMENT *! sz 16 <: usize) <=. (Core.Slice.impl__len #i16 a <: usize)) + (fun _ -> Prims.l_True) + +val add_standard_error_reduce + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (myself error: t_PolynomialRingElement v_Vector) + : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) + +val impl_2__add_standard_error_reduce + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self error: t_PolynomialRingElement v_Vector) + : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst index d24b6539c..093ae5792 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst 
@@ -9,15 +9,162 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -let to_unsigned_field_modulus +let deserialize_to_uncompressed_ring_element (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (a: v_Vector) + (serialized: t_Slice u8) = - let _:Prims.unit = reveal_opaque (`%field_modulus_range) (field_modulus_range #v_Vector) in - let result:v_Vector = Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector a in + let _:Prims.unit = assert (v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT / 24 == 16) in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 24) + serialized + (fun re temp_1_ -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let _:usize = temp_1_ in + true) + re + (fun re temp_1_ -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + i + (Libcrux_ml_kem.Vector.Traits.f_deserialize_12_ #v_Vector + #FStar.Tactics.Typeclasses.solve + bytes + <: + v_Vector) + <: + t_Array v_Vector (sz 16) + } + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let _:Prims.unit = admit () (* Panic freedom *) in + result + +let deserialize_to_reduced_ring_element + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (serialized: t_Slice u8) + = + let _:Prims.unit = assert (v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT / 24 == 16) in + 
let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 24) + serialized + (fun re temp_1_ -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let _:usize = temp_1_ in + true) + re + (fun re temp_1_ -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + let coefficient:v_Vector = + Libcrux_ml_kem.Vector.Traits.f_deserialize_12_ #v_Vector + #FStar.Tactics.Typeclasses.solve + bytes + in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + i + (Libcrux_ml_kem.Vector.Traits.f_cond_subtract_3329_ #v_Vector + #FStar.Tactics.Typeclasses.solve + coefficient + <: + v_Vector) + } + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector + in + re) + in + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let _:Prims.unit = admit () (* Panic freedom *) in + result + +let deserialize_ring_elements_reduced + (v_K: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (public_key: t_Slice u8) + (deserialized_pk: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + = + let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT + public_key + (fun deserialized_pk temp_1_ -> + let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K = + deserialized_pk + in + let _:usize = 
temp_1_ in + true) + deserialized_pk + (fun deserialized_pk temp_1_ -> + let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K = + deserialized_pk + in + let i, ring_element:(usize & t_Slice u8) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize deserialized_pk + i + (deserialize_to_reduced_ring_element #v_Vector ring_element + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + <: + t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + in + let result:Prims.unit = () <: Prims.unit in + let _:Prims.unit = admit () (* Panic freedom *) in + let _:Prims.unit = result in + deserialized_pk + +let deserialize_ring_elements_reduced_out + (v_K: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (public_key: t_Slice u8) + = + let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K + (fun v__i -> + let v__i:usize = v__i in + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + deserialize_ring_elements_reduced v_K #v_Vector public_key deserialized_pk + in + let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + deserialized_pk + in let _:Prims.unit = admit () (* Panic freedom *) in result 
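Review bot: `deserialize_ring_elements_reduced` writes chunk `i` of `public_key` into `deserialized_pk` via `update_at_usize` with no visible relation between the number of `BYTES_PER_RING_ELEMENT` chunks and `v_K`; the out-of-range index is covered only by the trailing `admit () (* Panic freedom *)`, so whatever length precondition the `.fsti` declares (outside this view, presumably `len public_key == v_K * BYTES_PER_RING_ELEMENT`) is what actually rules out a panic. The same admitted panic-freedom sits in `deserialize_to_uncompressed_ring_element` and `deserialize_to_reduced_ring_element`, whose `assert (v BYTES_PER_RING_ELEMENT / 24 == 16)` justifies sixteen 24-byte chunks only if `serialized` is exactly 384 bytes. Note also that `deserialize_to_reduced_ring_element` reduces out-of-range 12-bit coefficients with `f_cond_subtract_3329_` rather than rejecting them, so if the FIPS 203 public-key modulus check is intended it must be enforced by the caller; a comment such as `(* Reduces rather than rejects: the modulus check on public keys is the caller's job *)` would make that contract explicit.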
@@ -127,6 +274,31 @@ let deserialize_then_decompress_11_ #pop-options +let deserialize_then_decompress_ring_element_u + (v_COMPRESSION_FACTOR: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (serialized: t_Slice u8) + = + let _:Prims.unit = + assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 10) \/ + (v (cast v_COMPRESSION_FACTOR <: u32) == 11)) + in + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with + | 10ul -> deserialize_then_decompress_10_ #v_Vector serialized + | 11ul -> deserialize_then_decompress_11_ #v_Vector serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + in + let _:Prims.unit = admit () (* Panic freedom *) in + result + let deserialize_then_decompress_4_ (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] 
@@ -245,85 +417,6 @@ let deserialize_then_decompress_5_ #pop-options -let deserialize_then_decompress_message - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (serialized: t_Array u8 (sz 32)) - = - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () - in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (sz 16) - (fun re temp_1_ -> - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let _:usize = temp_1_ in - true) - re - (fun re i -> - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let i:usize = i in - let coefficient_compressed:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_deserialize_1_ #v_Vector - #FStar.Tactics.Typeclasses.solve - (serialized.[ { - Core.Ops.Range.f_start = sz 2 *! i <: usize; - Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! 
sz 2 <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - { - re with - Libcrux_ml_kem.Polynomial.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_kem.Polynomial.f_coefficients - i - (Libcrux_ml_kem.Vector.Traits.decompress_1_ #v_Vector coefficient_compressed - <: - v_Vector) - } - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector - in - re) - in - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let _:Prims.unit = admit () (* Panic freedom *) in - result - -let deserialize_then_decompress_ring_element_u - (v_COMPRESSION_FACTOR: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (serialized: t_Slice u8) - = - let _:Prims.unit = - assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 10) \/ - (v (cast v_COMPRESSION_FACTOR <: u32) == 11)) - in - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with - | 10ul -> deserialize_then_decompress_10_ #v_Vector serialized - | 11ul -> deserialize_then_decompress_11_ #v_Vector serialized - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) - in - let _:Prims.unit = admit () (* Panic freedom *) in - result - let deserialize_then_decompress_ring_element_v (v_K v_COMPRESSION_FACTOR: usize) (#v_Vector: Type0) 
@@ -349,162 +442,141 @@ let deserialize_then_decompress_ring_element_v let _:Prims.unit = admit () (* Panic freedom *) in result -let deserialize_to_reduced_ring_element +let to_unsigned_field_modulus (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (serialized: t_Slice u8) + (a: v_Vector) = - let _:Prims.unit = assert (v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT / 24 == 16) in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () - in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 24) - serialized - (fun re temp_1_ -> - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let _:usize = temp_1_ in - true) - re - (fun re temp_1_ -> - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let i, bytes:(usize & t_Slice u8) = temp_1_ in - let coefficient:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_deserialize_12_ #v_Vector - #FStar.Tactics.Typeclasses.solve - bytes - in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - { - re with - Libcrux_ml_kem.Polynomial.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_kem.Polynomial.f_coefficients - i - (Libcrux_ml_kem.Vector.Traits.f_cond_subtract_3329_ #v_Vector - #FStar.Tactics.Typeclasses.solve - coefficient - <: - v_Vector) - } - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector - in - re) - in - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let _:Prims.unit = reveal_opaque (`%field_modulus_range) (field_modulus_range #v_Vector) in + let result:v_Vector = Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector a in let _:Prims.unit = admit () (* Panic freedom *) in result -let deserialize_ring_elements_reduced - (v_K: usize) 
+let compress_then_serialize_message (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (public_key: t_Slice u8) - (deserialized_pk: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT - public_key - (fun deserialized_pk temp_1_ -> - let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K = - deserialized_pk + let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let serialized:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (sz 16) + (fun serialized i -> + let serialized:t_Array u8 (sz 32) = serialized in + let i:usize = i in + v i < 16 ==> coefficients_field_modulus_range re) + serialized + (fun serialized i -> + let serialized:t_Array u8 (sz 32) = serialized in + let i:usize = i in + let _:Prims.unit = assert (2 * v i + 2 <= 32) in + let _:Prims.unit = + reveal_opaque (`%coefficients_field_modulus_range) + (coefficients_field_modulus_range #v_Vector) in - let _:usize = temp_1_ in - true) - deserialized_pk - (fun deserialized_pk temp_1_ -> - let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K = - deserialized_pk + let coefficient:v_Vector = + to_unsigned_field_modulus #v_Vector + (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) in - let i, ring_element:(usize & t_Slice u8) = temp_1_ in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize deserialized_pk - i - (deserialize_to_reduced_ring_element #v_Vector ring_element - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - <: - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement 
v_Vector) v_K) - in - let result:Prims.unit = () <: Prims.unit in - let _:Prims.unit = admit () (* Panic freedom *) in - let _:Prims.unit = result in - deserialized_pk - -let deserialize_ring_elements_reduced_out - (v_K: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (public_key: t_Slice u8) - = - let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K - (fun v__i -> - let v__i:usize = v__i in - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - deserialize_ring_elements_reduced v_K #v_Vector public_key deserialized_pk - in - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - deserialized_pk + let coefficient_compressed:v_Vector = + Libcrux_ml_kem.Vector.Traits.f_compress_1_ #v_Vector + #FStar.Tactics.Typeclasses.solve + coefficient + in + let bytes:t_Array u8 (sz 2) = + Libcrux_ml_kem.Vector.Traits.f_serialize_1_ #v_Vector + #FStar.Tactics.Typeclasses.solve + coefficient_compressed + in + let serialized:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = sz 2 *! i <: usize; + Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! sz 2 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = sz 2 *! i <: usize; + Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! 
sz 2 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (bytes <: t_Slice u8) + <: + t_Slice u8) + in + serialized) in + let result:t_Array u8 (sz 32) = serialized in let _:Prims.unit = admit () (* Panic freedom *) in result -let deserialize_to_uncompressed_ring_element +let serialize_uncompressed_ring_element (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (serialized: t_Slice u8) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - let _:Prims.unit = assert (v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT / 24 == 16) in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () - in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 24) - serialized - (fun re temp_1_ -> - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let _:usize = temp_1_ in - true) - re - (fun re temp_1_ -> - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let i, bytes:(usize & t_Slice u8) = temp_1_ in - { - re with - Libcrux_ml_kem.Polynomial.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_kem.Polynomial.f_coefficients - i - (Libcrux_ml_kem.Vector.Traits.f_deserialize_12_ #v_Vector - #FStar.Tactics.Typeclasses.solve - bytes + let _:Prims.unit = assert_norm (pow2 12 == 4096) in + let serialized:t_Array u8 (sz 384) = Rust_primitives.Hax.repeat 0uy (sz 384) in + let serialized:t_Array u8 (sz 384) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT + (fun serialized i -> + let serialized:t_Array u8 (sz 384) = serialized in + let i:usize = i in + v i >= 0 /\ v i <= 16 /\ v i < 16 ==> coefficients_field_modulus_range re) + serialized + (fun serialized i -> + let serialized:t_Array u8 (sz 
384) = serialized in + let i:usize = i in + let _:Prims.unit = assert (24 * v i + 24 <= 384) in + let _:Prims.unit = + reveal_opaque (`%coefficients_field_modulus_range) + (coefficients_field_modulus_range #v_Vector) + in + let coefficient:v_Vector = + to_unsigned_field_modulus #v_Vector + (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) + in + let bytes:t_Array u8 (sz 24) = + Libcrux_ml_kem.Vector.Traits.f_serialize_12_ #v_Vector + #FStar.Tactics.Typeclasses.solve + coefficient + in + let serialized:t_Array u8 (sz 384) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = sz 24 *! i <: usize; + Core.Ops.Range.f_end = (sz 24 *! i <: usize) +! sz 24 <: usize + } <: - v_Vector) - <: - t_Array v_Vector (sz 16) - } - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = sz 24 *! i <: usize; + Core.Ops.Range.f_end = (sz 24 *! i <: usize) +! sz 24 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (bytes <: t_Slice u8) + <: + t_Slice u8) + in + serialized) in - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let result:t_Array u8 (sz 384) = serialized in let _:Prims.unit = admit () (* Panic freedom *) in result 
@@ -638,6 +710,32 @@ let compress_then_serialize_11_ #pop-options +let compress_then_serialize_ring_element_u + (v_COMPRESSION_FACTOR v_OUT_LEN: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + = + let _:Prims.unit = + assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 10) \/ + (v (cast v_COMPRESSION_FACTOR <: u32) == 11)); + Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v v_COMPRESSION_FACTOR) + in + let result:t_Array u8 v_OUT_LEN = + match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with + | 10ul -> compress_then_serialize_10_ v_OUT_LEN #v_Vector re + | 11ul -> compress_then_serialize_11_ v_OUT_LEN #v_Vector re + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + in + let _:Prims.unit = admit () (* Panic freedom *) in + result + let compress_then_serialize_4_ (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] 
@@ -770,97 +868,6 @@ let compress_then_serialize_5_ #pop-options -let compress_then_serialize_message - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - = - let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in - let serialized:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (sz 16) - (fun serialized i -> - let serialized:t_Array u8 (sz 32) = serialized in - let i:usize = i in - v i < 16 ==> coefficients_field_modulus_range re) - serialized - (fun serialized i -> - let serialized:t_Array u8 (sz 32) = serialized in - let i:usize = i in - let _:Prims.unit = assert (2 * v i + 2 <= 32) in - let _:Prims.unit = - reveal_opaque (`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #v_Vector) - in - let coefficient:v_Vector = - to_unsigned_field_modulus #v_Vector - (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) - in - let coefficient_compressed:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_compress_1_ #v_Vector - #FStar.Tactics.Typeclasses.solve - coefficient - in - let bytes:t_Array u8 (sz 2) = - Libcrux_ml_kem.Vector.Traits.f_serialize_1_ #v_Vector - #FStar.Tactics.Typeclasses.solve - coefficient_compressed - in - let serialized:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = sz 2 *! i <: usize; - Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! sz 2 <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (serialized.[ { - Core.Ops.Range.f_start = sz 2 *! i <: usize; - Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! 
sz 2 <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (bytes <: t_Slice u8) - <: - t_Slice u8) - in - serialized) - in - let result:t_Array u8 (sz 32) = serialized in - let _:Prims.unit = admit () (* Panic freedom *) in - result - -let compress_then_serialize_ring_element_u - (v_COMPRESSION_FACTOR v_OUT_LEN: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - = - let _:Prims.unit = - assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 10) \/ - (v (cast v_COMPRESSION_FACTOR <: u32) == 11)); - Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v v_COMPRESSION_FACTOR) - in - let result:t_Array u8 v_OUT_LEN = - match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with - | 10ul -> compress_then_serialize_10_ v_OUT_LEN #v_Vector re - | 11ul -> compress_then_serialize_11_ v_OUT_LEN #v_Vector re - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) - in - let _:Prims.unit = admit () (* Panic freedom *) in - result - let compress_then_serialize_ring_element_v (v_K v_COMPRESSION_FACTOR v_OUT_LEN: usize) (#v_Vector: Type0) 
@@ -892,63 +899,56 @@ let compress_then_serialize_ring_element_v let _:Prims.unit = result in out -let serialize_uncompressed_ring_element +let deserialize_then_decompress_message (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (serialized: t_Array u8 (sz 32)) = - let _:Prims.unit = assert_norm (pow2 12 == 4096) in - let serialized:t_Array u8 (sz 384) = Rust_primitives.Hax.repeat 0uy (sz 384) in - let serialized:t_Array u8 (sz 384) = + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) - Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT - (fun serialized i -> - let serialized:t_Array u8 (sz 384) = serialized in - let i:usize = i in - v i >= 0 /\ v i <= 16 /\ v i < 16 ==> coefficients_field_modulus_range re) - serialized - (fun serialized i -> - let serialized:t_Array u8 (sz 384) = serialized in + (sz 16) + (fun re temp_1_ -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let _:usize = temp_1_ in + true) + re + (fun re i -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in let i:usize = i in - let _:Prims.unit = assert (24 * v i + 24 <= 384) in - let _:Prims.unit = - reveal_opaque (`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #v_Vector) - in - let coefficient:v_Vector = - to_unsigned_field_modulus #v_Vector - (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) - in - let bytes:t_Array u8 (sz 24) = - Libcrux_ml_kem.Vector.Traits.f_serialize_12_ #v_Vector + let coefficient_compressed:v_Vector = + Libcrux_ml_kem.Vector.Traits.f_deserialize_1_ #v_Vector #FStar.Tactics.Typeclasses.solve - coefficient - in - let serialized:t_Array u8 (sz 384) = - 
Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = sz 24 *! i <: usize; - Core.Ops.Range.f_end = (sz 24 *! i <: usize) +! sz 24 <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (serialized.[ { - Core.Ops.Range.f_start = sz 24 *! i <: usize; - Core.Ops.Range.f_end = (sz 24 *! i <: usize) +! sz 24 <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (bytes <: t_Slice u8) + (serialized.[ { + Core.Ops.Range.f_start = sz 2 *! i <: usize; + Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! sz 2 <: usize + } + <: + Core.Ops.Range.t_Range usize ] <: t_Slice u8) in - serialized) + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + i + (Libcrux_ml_kem.Vector.Traits.decompress_1_ #v_Vector coefficient_compressed + <: + v_Vector) + } + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector + in + re) in - let result:t_Array u8 (sz 384) = serialized in + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in let _:Prims.unit = admit () (* Panic freedom *) in result diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti index ba52b97a2..b912b09e9 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti 
@@ -9,6 +9,20 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +val deserialize_to_uncompressed_ring_element + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (serialized: t_Slice u8) + : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (requires + (Core.Slice.impl__len #u8 serialized <: usize) =. + Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT) + (ensures + fun result -> + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in + Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector result == + Spec.MLKEM.byte_decode 12 serialized) + [@@ "opaque_to_smt"] let field_modulus_range (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} 
@@ -23,64 +37,72 @@ let coefficients_field_modulus_range (#v_Vector: Type0) (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = forall (i:nat). i < 16 ==> field_modulus_range (Seq.index re.f_coefficients i) -val to_unsigned_field_modulus - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (a: v_Vector) - : Prims.Pure v_Vector - (requires field_modulus_range a) - (ensures - fun result -> - let result:v_Vector = result in - forall (i: nat). - i < 16 ==> - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array result) i) >= 0 /\ - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array result) i) < - v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) - -val deserialize_then_decompress_10_ +/// Only use with public values. +/// This MUST NOT be used with secret inputs, like its caller `deserialize_ring_elements_reduced`. +val deserialize_to_reduced_ring_element (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (serialized: t_Slice u8) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 320) + (requires + (Core.Slice.impl__len #u8 serialized <: usize) =. + Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT) (fun _ -> Prims.l_True) -val deserialize_then_decompress_11_ +/// See [deserialize_ring_elements_reduced_out]. +val deserialize_ring_elements_reduced + (v_K: usize) (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (serialized: t_Slice u8) - : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires (Core.Slice.impl__len #u8 serialized <: usize) =. 
sz 352) - (fun _ -> Prims.l_True) + (public_key: t_Slice u8) + (deserialized_pk: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (requires + Spec.MLKEM.is_rank v_K /\ + Seq.length public_key == v (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)) + (ensures + fun deserialized_pk_future -> + let deserialized_pk_future:t_Array + (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + deserialized_pk_future + in + Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector deserialized_pk_future == + Spec.MLKEM.vector_decode_12 #v_K public_key) -val deserialize_then_decompress_4_ +/// This function deserializes ring elements and reduces the result by the field +/// modulus. +/// This function MUST NOT be used on secret inputs. +val deserialize_ring_elements_reduced_out + (v_K: usize) (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (serialized: t_Slice u8) - : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 128) - (fun _ -> Prims.l_True) + (public_key: t_Slice u8) + : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (requires + Spec.MLKEM.is_rank v_K /\ + Seq.length public_key == v (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)) + (ensures + fun result -> + let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + result + in + forall (i: nat). i < v v_K ==> coefficients_field_modulus_range (Seq.index result i)) -val deserialize_then_decompress_5_ +val deserialize_then_decompress_10_ (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (serialized: t_Slice u8) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires (Core.Slice.impl__len #u8 serialized <: usize) =. 
sz 160) + (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 320) (fun _ -> Prims.l_True) -val deserialize_then_decompress_message +val deserialize_then_decompress_11_ (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (serialized: t_Array u8 (sz 32)) + (serialized: t_Slice u8) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - Prims.l_True - (ensures - fun result -> - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in - Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector result == - Spec.MLKEM.decode_then_decompress_message serialized) + (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 352) + (fun _ -> Prims.l_True) val deserialize_then_decompress_ring_element_u (v_COMPRESSION_FACTOR: usize) @@ -97,6 +119,22 @@ val deserialize_then_decompress_ring_element_u Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector result == Spec.MLKEM.byte_decode_then_decompress (v v_COMPRESSION_FACTOR) serialized) +val deserialize_then_decompress_4_ + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (serialized: t_Slice u8) + : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 128) + (fun _ -> Prims.l_True) + +val deserialize_then_decompress_5_ + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (serialized: t_Slice u8) + : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 160) + (fun _ -> Prims.l_True) + val deserialize_then_decompress_ring_element_v (v_K v_COMPRESSION_FACTOR: usize) (#v_Vector: Type0) 
@@ -113,70 +151,45 @@ val deserialize_then_decompress_ring_element_v Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector result == Spec.MLKEM.decode_then_decompress_v #v_K serialized) -/// Only use with public values. -/// This MUST NOT be used with secret inputs, like its caller `deserialize_ring_elements_reduced`. -val deserialize_to_reduced_ring_element - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (serialized: t_Slice u8) - : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires - (Core.Slice.impl__len #u8 serialized <: usize) =. - Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT) - (fun _ -> Prims.l_True) - -/// See [deserialize_ring_elements_reduced_out]. -val deserialize_ring_elements_reduced - (v_K: usize) +val to_unsigned_field_modulus (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (public_key: t_Slice u8) - (deserialized_pk: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (requires - Spec.MLKEM.is_rank v_K /\ - Seq.length public_key == v (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)) + (a: v_Vector) + : Prims.Pure v_Vector + (requires field_modulus_range a) (ensures - fun deserialized_pk_future -> - let deserialized_pk_future:t_Array - (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - deserialized_pk_future - in - Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector deserialized_pk_future == - Spec.MLKEM.vector_decode_12 #v_K public_key) + fun result -> + let result:v_Vector = result in + forall (i: nat). + i < 16 ==> + v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array result) i) >= 0 /\ + v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array result) i) < + v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) -/// This function deserializes ring elements and reduces the result by the field -/// modulus. 
-/// This function MUST NOT be used on secret inputs. -val deserialize_ring_elements_reduced_out - (v_K: usize) +val compress_then_serialize_message (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (public_key: t_Slice u8) - : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (requires - Spec.MLKEM.is_rank v_K /\ - Seq.length public_key == v (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + : Prims.Pure (t_Array u8 (sz 32)) + (requires coefficients_field_modulus_range re) (ensures fun result -> - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - result - in - forall (i: nat). i < v v_K ==> coefficients_field_modulus_range (Seq.index result i)) + let result:t_Array u8 (sz 32) = result in + result == + Spec.MLKEM.compress_then_encode_message (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector + re)) -val deserialize_to_uncompressed_ring_element +val serialize_uncompressed_ring_element (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (serialized: t_Slice u8) - : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires - (Core.Slice.impl__len #u8 serialized <: usize) =. - Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + : Prims.Pure (t_Array u8 (sz 384)) + (requires coefficients_field_modulus_range re) (ensures fun result -> - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in - Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector result == - Spec.MLKEM.byte_decode 12 serialized) + let result:t_Array u8 (sz 384) = result in + result == + Spec.MLKEM.byte_encode 12 (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector re)) val compress_then_serialize_10_ (v_OUT_LEN: usize) 
@@ -194,6 +207,22 @@ val compress_then_serialize_11_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) +val compress_then_serialize_ring_element_u + (v_COMPRESSION_FACTOR v_OUT_LEN: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + : Prims.Pure (t_Array u8 v_OUT_LEN) + (requires + (v v_COMPRESSION_FACTOR == 10 \/ v v_COMPRESSION_FACTOR == 11) /\ + v v_OUT_LEN == 32 * v v_COMPRESSION_FACTOR /\ coefficients_field_modulus_range re) + (ensures + fun result -> + let result:t_Array u8 v_OUT_LEN = result in + result == + Spec.MLKEM.compress_then_byte_encode (v v_COMPRESSION_FACTOR) + (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector re)) + val compress_then_serialize_4_ (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} 
@@ -218,35 +247,6 @@ val compress_then_serialize_5_ let serialized_future:t_Slice u8 = serialized_future in Core.Slice.impl__len #u8 serialized_future == Core.Slice.impl__len #u8 serialized) -val compress_then_serialize_message - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - : Prims.Pure (t_Array u8 (sz 32)) - (requires coefficients_field_modulus_range re) - (ensures - fun result -> - let result:t_Array u8 (sz 32) = result in - result == - Spec.MLKEM.compress_then_encode_message (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector - re)) - -val compress_then_serialize_ring_element_u - (v_COMPRESSION_FACTOR v_OUT_LEN: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - : Prims.Pure (t_Array u8 v_OUT_LEN) - (requires - (v v_COMPRESSION_FACTOR == 10 \/ v v_COMPRESSION_FACTOR == 11) /\ - v v_OUT_LEN == 32 * v v_COMPRESSION_FACTOR /\ coefficients_field_modulus_range re) - (ensures - fun result -> - let result:t_Array u8 v_OUT_LEN = result in - result == - Spec.MLKEM.compress_then_byte_encode (v v_COMPRESSION_FACTOR) - (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector re)) - val compress_then_serialize_ring_element_v (v_K v_COMPRESSION_FACTOR v_OUT_LEN: usize) (#v_Vector: Type0) 
@@ -267,14 +267,14 @@ val compress_then_serialize_ring_element_v Spec.MLKEM.compress_then_encode_v #v_K (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector re)) -val serialize_uncompressed_ring_element +val deserialize_then_decompress_message (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - : Prims.Pure (t_Array u8 (sz 384)) - (requires coefficients_field_modulus_range re) + (serialized: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + Prims.l_True (ensures fun result -> - let result:t_Array u8 (sz 384) = result in - result == - Spec.MLKEM.byte_encode 12 (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector re)) + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in + Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector result == + Spec.MLKEM.decode_then_decompress_message serialized) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst index 900372fd8..e244f100a 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst 
@@ -3,17 +3,39 @@ module Libcrux_ml_kem.Types open Core open FStar.Mul -/// The number of bytes -let impl_6__len (v_SIZE: usize) (_: Prims.unit) : usize = v_SIZE +///An ML-KEM Ciphertext +type t_MlKemCiphertext (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } -/// The number of bytes -let impl_13__len (v_SIZE: usize) (_: Prims.unit) : usize = v_SIZE +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl (v_SIZE: usize) : Core.Default.t_Default (t_MlKemCiphertext v_SIZE) = + { + f_default_pre = (fun (_: Prims.unit) -> true); + f_default_post = (fun (_: Prims.unit) (out: t_MlKemCiphertext v_SIZE) -> true); + f_default + = + fun (_: Prims.unit) -> + { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemCiphertext v_SIZE + } -/// The number of bytes -let impl_20__len (v_SIZE: usize) (_: Prims.unit) : usize = v_SIZE +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_4 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_Slice u8) = + { + f_as_ref_pre = (fun (self: t_MlKemCiphertext v_SIZE) -> true); + f_as_ref_post + = + (fun (self___: t_MlKemCiphertext v_SIZE) (result: t_Slice u8) -> result = self___.f_value); + f_as_ref = fun (self: t_MlKemCiphertext v_SIZE) -> self.f_value <: t_Slice u8 + } -///An ML-KEM Ciphertext -type t_MlKemCiphertext (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_5 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) = + { + f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); + f_from_post + = + (fun (value: t_Array u8 v_SIZE) (result: t_MlKemCiphertext v_SIZE) -> result.f_value = value); + f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemCiphertext v_SIZE + } [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_1 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) = 
@@ -36,15 +58,8 @@ let impl_2 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemCip f_from = fun (value: t_MlKemCiphertext v_SIZE) -> value.f_value } -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_5 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) = - { - f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); - f_from_post - = - (fun (value: t_Array u8 v_SIZE) (result: t_MlKemCiphertext v_SIZE) -> result.f_value = value); - f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemCiphertext v_SIZE - } +/// The number of bytes +let impl_6__len (v_SIZE: usize) (_: Prims.unit) : usize = v_SIZE /// A reference to the raw byte slice. let impl_6__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) 
@@ -58,6 +73,37 @@ let impl_6__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) ///An ML-KEM Private key type t_MlKemPrivateKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_7 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPrivateKey v_SIZE) = + { + f_default_pre = (fun (_: Prims.unit) -> true); + f_default_post = (fun (_: Prims.unit) (out: t_MlKemPrivateKey v_SIZE) -> true); + f_default + = + fun (_: Prims.unit) -> + { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPrivateKey v_SIZE + } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_11 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_Slice u8) = + { + f_as_ref_pre = (fun (self: t_MlKemPrivateKey v_SIZE) -> true); + f_as_ref_post + = + (fun (self___: t_MlKemPrivateKey v_SIZE) (result: t_Slice u8) -> result = self___.f_value); + f_as_ref = fun (self: t_MlKemPrivateKey v_SIZE) -> self.f_value <: t_Slice u8 + } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_12 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) = + { + f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); + f_from_post + = + (fun (value: t_Array u8 v_SIZE) (result: t_MlKemPrivateKey v_SIZE) -> result.f_value = value); + f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemPrivateKey v_SIZE + } + [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_8 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) = { 
@@ -79,15 +125,8 @@ let impl_9 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPri f_from = fun (value: t_MlKemPrivateKey v_SIZE) -> value.f_value } -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_12 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) = - { - f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); - f_from_post - = - (fun (value: t_Array u8 v_SIZE) (result: t_MlKemPrivateKey v_SIZE) -> result.f_value = value); - f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemPrivateKey v_SIZE - } +/// The number of bytes +let impl_13__len (v_SIZE: usize) (_: Prims.unit) : usize = v_SIZE /// A reference to the raw byte slice. let impl_13__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) 
@@ -101,6 +140,37 @@ let impl_13__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) ///An ML-KEM Public key type t_MlKemPublicKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_14 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPublicKey v_SIZE) = + { + f_default_pre = (fun (_: Prims.unit) -> true); + f_default_post = (fun (_: Prims.unit) (out: t_MlKemPublicKey v_SIZE) -> true); + f_default + = + fun (_: Prims.unit) -> + { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPublicKey v_SIZE + } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_18 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_Slice u8) = + { + f_as_ref_pre = (fun (self: t_MlKemPublicKey v_SIZE) -> true); + f_as_ref_post + = + (fun (self___: t_MlKemPublicKey v_SIZE) (result: t_Slice u8) -> result = self___.f_value); + f_as_ref = fun (self: t_MlKemPublicKey v_SIZE) -> self.f_value <: t_Slice u8 + } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_19 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) = + { + f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); + f_from_post + = + (fun (value: t_Array u8 v_SIZE) (result: t_MlKemPublicKey v_SIZE) -> result.f_value = value); + f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemPublicKey v_SIZE + } + [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_15 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) = { 
@@ -122,15 +192,8 @@ let impl_16 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPu f_from = fun (value: t_MlKemPublicKey v_SIZE) -> value.f_value } -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_19 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) = - { - f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); - f_from_post - = - (fun (value: t_Array u8 v_SIZE) (result: t_MlKemPublicKey v_SIZE) -> result.f_value = value); - f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemPublicKey v_SIZE - } +/// The number of bytes +let impl_20__len (v_SIZE: usize) (_: Prims.unit) : usize = v_SIZE /// A reference to the raw byte slice. let impl_20__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) @@ -147,28 +210,6 @@ type t_MlKemKeyPair (v_PRIVATE_KEY_SIZE: usize) (v_PUBLIC_KEY_SIZE: usize) = { f_pk:t_MlKemPublicKey v_PUBLIC_KEY_SIZE } -/// Create a new [`MlKemKeyPair`] from the secret and public key. -let impl_21__from - (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) - (sk: t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) - (pk: t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - : Prims.Pure (t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - Prims.l_True - (ensures - fun result -> - let result:t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE = result in - result.f_sk == sk /\ result.f_pk == pk) = - { f_sk = sk; f_pk = pk } <: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE - -/// Separate this key into the public and private key. -let impl_21__into_parts - (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) - (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - : (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE) = - self.f_sk, self.f_pk - <: - (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - /// Creates a new [`MlKemKeyPair`]. let impl_21__new (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) 
@@ -192,11 +233,11 @@ let impl_21__new <: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE -/// Get a reference to the raw public key bytes. -let impl_21__pk +/// Get a reference to the [`MlKemPublicKey`]. +let impl_21__public_key (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - : t_Array u8 v_PUBLIC_KEY_SIZE = impl_20__as_slice v_PUBLIC_KEY_SIZE self.f_pk + : t_MlKemPublicKey v_PUBLIC_KEY_SIZE = self.f_pk /// Get a reference to the [`MlKemPrivateKey`]. let impl_21__private_key @@ -204,11 +245,11 @@ let impl_21__private_key (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : t_MlKemPrivateKey v_PRIVATE_KEY_SIZE = self.f_sk -/// Get a reference to the [`MlKemPublicKey`]. -let impl_21__public_key +/// Get a reference to the raw public key bytes. +let impl_21__pk (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - : t_MlKemPublicKey v_PUBLIC_KEY_SIZE = self.f_pk + : t_Array u8 v_PUBLIC_KEY_SIZE = impl_20__as_slice v_PUBLIC_KEY_SIZE self.f_pk /// Get a reference to the raw private key bytes. let impl_21__sk 
@@ -216,6 +257,28 @@ let impl_21__sk (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : t_Array u8 v_PRIVATE_KEY_SIZE = impl_13__as_slice v_PRIVATE_KEY_SIZE self.f_sk +/// Separate this key into the public and private key. +let impl_21__into_parts + (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) + (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) + : (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE) = + self.f_sk, self.f_pk + <: + (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + +/// Create a new [`MlKemKeyPair`] from the secret and public key. +let impl_21__from + (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) + (sk: t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) + (pk: t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + : Prims.Pure (t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) + Prims.l_True + (ensures + fun result -> + let result:t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE = result in + result.f_sk == sk /\ result.f_pk == pk) = + { f_sk = sk; f_pk = pk } <: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE + /// Unpack an incoming private key into it\'s different parts. /// We have this here in types to extract into a common core for C. let unpack_private_key (v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (private_key: t_Slice u8) 
@@ -259,69 +322,6 @@ let unpack_private_key (v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (private <: (t_Slice u8 & t_Slice u8 & t_Slice u8 & t_Slice u8) -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl (v_SIZE: usize) : Core.Default.t_Default (t_MlKemCiphertext v_SIZE) = - { - f_default_pre = (fun (_: Prims.unit) -> true); - f_default_post = (fun (_: Prims.unit) (out: t_MlKemCiphertext v_SIZE) -> true); - f_default - = - fun (_: Prims.unit) -> - { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemCiphertext v_SIZE - } - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_7 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPrivateKey v_SIZE) = - { - f_default_pre = (fun (_: Prims.unit) -> true); - f_default_post = (fun (_: Prims.unit) (out: t_MlKemPrivateKey v_SIZE) -> true); - f_default - = - fun (_: Prims.unit) -> - { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPrivateKey v_SIZE - } - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_14 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPublicKey v_SIZE) = - { - f_default_pre = (fun (_: Prims.unit) -> true); - f_default_post = (fun (_: Prims.unit) (out: t_MlKemPublicKey v_SIZE) -> true); - f_default - = - fun (_: Prims.unit) -> - { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPublicKey v_SIZE - } - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_4 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_Slice u8) = - { - f_as_ref_pre = (fun (self: t_MlKemCiphertext v_SIZE) -> true); - f_as_ref_post - = - (fun (self___: t_MlKemCiphertext v_SIZE) (result: t_Slice u8) -> result = self___.f_value); - f_as_ref = fun (self: t_MlKemCiphertext v_SIZE) -> self.f_value <: t_Slice u8 - } - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_11 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_Slice u8) = - { - f_as_ref_pre = (fun (self: t_MlKemPrivateKey v_SIZE) -> true); - f_as_ref_post - = - (fun (self___: t_MlKemPrivateKey v_SIZE) 
(result: t_Slice u8) -> result = self___.f_value); - f_as_ref = fun (self: t_MlKemPrivateKey v_SIZE) -> self.f_value <: t_Slice u8 - } - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_18 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_Slice u8) = - { - f_as_ref_pre = (fun (self: t_MlKemPublicKey v_SIZE) -> true); - f_as_ref_post - = - (fun (self___: t_MlKemPublicKey v_SIZE) (result: t_Slice u8) -> result = self___.f_value); - f_as_ref = fun (self: t_MlKemPublicKey v_SIZE) -> self.f_value <: t_Slice u8 - } - [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_3 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemCiphertext v_SIZE) (t_Slice u8) = { diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fst index 84b152b40..5adcde2f7 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fst 
@@ -3,6 +3,48 @@ module Libcrux_ml_kem.Utils open Core open FStar.Mul +let into_padded_array (v_LEN: usize) (slice: t_Slice u8) = + let out:t_Array u8 v_LEN = Rust_primitives.Hax.repeat 0uy v_LEN in + let out:t_Array u8 v_LEN = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range out + ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (out.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + slice + <: + t_Slice u8) + in + let _:Prims.unit = assert (Seq.slice out 0 (Seq.length slice) == slice) in + let _:Prims.unit = + assert (Seq.slice out (Seq.length slice) (v v_LEN) == + Seq.slice (Seq.create (v v_LEN) 0uy) (Seq.length slice) (v v_LEN)) + in + let _:Prims.unit = + assert (forall i. i < Seq.length slice ==> Seq.index out i == Seq.index slice i) + in + let _:Prims.unit = + assert (forall i. + (i >= Seq.length slice && i < v v_LEN) ==> + Seq.index out i == + Seq.index (Seq.slice out (Seq.length slice) (v v_LEN)) (i - Seq.length slice)) + in + let _:Prims.unit = + Seq.lemma_eq_intro out (Seq.append slice (Seq.create (v v_LEN - Seq.length slice) 0uy)) + in + out + #push-options "--z3rlimit 200" let prf_input_inc (v_K: usize) (prf_inputs: t_Array (t_Array u8 (sz 33)) v_K) (domain_separator: u8) = 
@@ -49,45 +91,3 @@ let prf_input_inc (v_K: usize) (prf_inputs: t_Array (t_Array u8 (sz 33)) v_K) (d prf_inputs, hax_temp_output <: (t_Array (t_Array u8 (sz 33)) v_K & u8) #pop-options - -let into_padded_array (v_LEN: usize) (slice: t_Slice u8) = - let out:t_Array u8 v_LEN = Rust_primitives.Hax.repeat 0uy v_LEN in - let out:t_Array u8 v_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range out - ({ - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (out.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - slice - <: - t_Slice u8) - in - let _:Prims.unit = assert (Seq.slice out 0 (Seq.length slice) == slice) in - let _:Prims.unit = - assert (Seq.slice out (Seq.length slice) (v v_LEN) == - Seq.slice (Seq.create (v v_LEN) 0uy) (Seq.length slice) (v v_LEN)) - in - let _:Prims.unit = - assert (forall i. i < Seq.length slice ==> Seq.index out i == Seq.index slice i) - in - let _:Prims.unit = - assert (forall i. - (i >= Seq.length slice && i < v v_LEN) ==> - Seq.index out i == - Seq.index (Seq.slice out (Seq.length slice) (v v_LEN)) (i - Seq.length slice)) - in - let _:Prims.unit = - Seq.lemma_eq_intro out (Seq.append slice (Seq.create (v v_LEN - Seq.length slice) 0uy)) - in - out diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fsti index 033a1e9d3..67b8e0959 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fsti 
@@ -3,6 +3,16 @@ module Libcrux_ml_kem.Utils open Core open FStar.Mul +/// Pad the `slice` with `0`s at the end. +val into_padded_array (v_LEN: usize) (slice: t_Slice u8) + : Prims.Pure (t_Array u8 v_LEN) + (requires (Core.Slice.impl__len #u8 slice <: usize) <=. v_LEN) + (ensures + fun result -> + let result:t_Array u8 v_LEN = result in + result == Seq.append slice (Seq.create (v v_LEN - v (Core.Slice.impl__len #u8 slice)) 0uy) + ) + val prf_input_inc (v_K: usize) (prf_inputs: t_Array (t_Array u8 (sz 33)) v_K) (domain_separator: u8) : Prims.Pure (t_Array (t_Array u8 (sz 33)) v_K & u8) (requires range (v domain_separator + v v_K) u8_inttype) @@ -15,13 +25,3 @@ val prf_input_inc (v_K: usize) (prf_inputs: t_Array (t_Array u8 (sz 33)) v_K) (d v (Seq.index (Seq.index prf_inputs_future i) 32) == v domain_separator + i /\ Seq.slice (Seq.index prf_inputs_future i) 0 32 == Seq.slice (Seq.index prf_inputs i) 0 32)) - -/// Pad the `slice` with `0`s at the end. -val into_padded_array (v_LEN: usize) (slice: t_Slice u8) - : Prims.Pure (t_Array u8 v_LEN) - (requires (Core.Slice.impl__len #u8 slice <: usize) <=. v_LEN) - (ensures - fun result -> - let result:t_Array u8 v_LEN = result in - result == Seq.append slice (Seq.create (v v_LEN - v (Core.Slice.impl__len #u8 slice)) 0uy) - ) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Variant.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Variant.fsti index 9f3dc29f3..9737e9b24 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Variant.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Variant.fsti 
@@ -9,14 +9,6 @@ let _ = let open Libcrux_ml_kem.Hash_functions in () -/// Implements [`Variant`], to perform the ML-KEM-specific actions -/// during encapsulation and decapsulation. -/// Specifically, -/// * during key generation, the seed hash is domain separated (this is a difference from the FIPS 203 IPD and Kyber) -/// * during encapsulation, the initial randomness is used without prior hashing, -/// * the derivation of the shared secret does not include a hash of the ML-KEM ciphertext. -type t_MlKem = | MlKem : t_MlKem - /// This trait collects differences in specification between ML-KEM /// (FIPS 203) and the Round 3 CRYSTALS-Kyber submission in the /// NIST PQ competition. @@ -97,5 +89,13 @@ class t_Variant (v_Self: Type0) = { (fun result -> f_cpa_keygen_seed_post v_K #v_Hasher #i3 x0 result) } +/// Implements [`Variant`], to perform the ML-KEM-specific actions +/// during encapsulation and decapsulation. +/// Specifically, +/// * during key generation, the seed hash is domain separated (this is a difference from the FIPS 203 IPD and Kyber) +/// * during encapsulation, the initial randomness is used without prior hashing, +/// * the derivation of the shared secret does not include a hash of the ML-KEM ciphertext. +type t_MlKem = | MlKem : t_MlKem + [@@ FStar.Tactics.Typeclasses.tcinstance] val impl:t_Variant t_MlKem diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst index a80c67948..94a571aa2 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst 
@@ -19,17 +19,19 @@ let add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = in result -let bitwise_and_with_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i16) = - let cv:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 constant - in +let lemma_sub_i (lhs rhs: t_Vec256) (i:nat): Lemma + (requires (i < 16 /\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) - v (get_lane rhs i)))) + (ensures (v (sub_mod (get_lane lhs i) (get_lane rhs i)) == + (v (get_lane lhs i) - v (get_lane rhs i)))) + [SMTPat (v (sub_mod (get_lane lhs i) (get_lane rhs i)))] = () + +let sub (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_and_si256 vector cv + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 lhs rhs in let _:Prims.unit = - Seq.lemma_eq_intro (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result) - (Spec.Utils.map_array (fun x -> x &. constant) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector)) + assert (forall i. get_lane result i == get_lane lhs i -. get_lane rhs i); + assert (forall i. v (get_lane result i) == v (get_lane lhs i) - v (get_lane rhs i)) in result 
@@ -58,6 +60,20 @@ let multiply_by_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (con in result +let bitwise_and_with_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i16) = + let cv:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 constant + in + let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 vector cv + in + let _:Prims.unit = + Seq.lemma_eq_intro (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result) + (Spec.Utils.map_array (fun x -> x &. constant) + (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector)) + in + result + let shift_right (v_SHIFT_BY: i32) (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 v_SHIFT_BY vector 
@@ -69,22 +85,48 @@ let shift_right (v_SHIFT_BY: i32) (vector: Libcrux_intrinsics.Avx2_extract.t_Vec in result -let lemma_sub_i (lhs rhs: t_Vec256) (i:nat): Lemma - (requires (i < 16 /\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) - v (get_lane rhs i)))) - (ensures (v (sub_mod (get_lane lhs i) (get_lane rhs i)) == - (v (get_lane lhs i) - v (get_lane rhs i)))) - [SMTPat (v (sub_mod (get_lane lhs i) (get_lane rhs i)))] = () +#push-options "--z3rlimit 100" -let sub (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = +let cond_subtract_3329_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS + in + let _:Prims.unit = assert (forall i. get_lane field_modulus i == 3329s) in + let vv_minus_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 vector field_modulus + in + let _:Prims.unit = + assert (forall i. get_lane vv_minus_field_modulus i == get_lane vector i -. 3329s) + in + let sign_mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 15l vv_minus_field_modulus + in + let _:Prims.unit = + assert (forall i. get_lane sign_mask i == (get_lane vv_minus_field_modulus i >>! 15l)) + in + let conditional_add_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 sign_mask field_modulus + in + let _:Prims.unit = + assert (forall i. get_lane conditional_add_field_modulus i == (get_lane sign_mask i &. 3329s)) + in let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 lhs rhs + Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 vv_minus_field_modulus + conditional_add_field_modulus in let _:Prims.unit = - assert (forall i. get_lane result i == get_lane lhs i -. get_lane rhs i); - assert (forall i. 
v (get_lane result i) == v (get_lane lhs i) - v (get_lane rhs i)) + assert (forall i. + get_lane result i == + (get_lane vv_minus_field_modulus i +. get_lane conditional_add_field_modulus i)); + assert (forall i. get_lane result i == Spec.Utils.cond_sub (get_lane vector i)); + assert (forall i. + get_lane result i == + (if (get_lane vector i) >=. 3329s then get_lane vector i -! 3329s else get_lane vector i)) in result +#pop-options + #push-options "--z3rlimit 200" let barrett_reduce (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = 
@@ -142,48 +184,6 @@ let barrett_reduce (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = #pop-options -#push-options "--z3rlimit 100" - -let cond_subtract_3329_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS - in - let _:Prims.unit = assert (forall i. get_lane field_modulus i == 3329s) in - let vv_minus_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 vector field_modulus - in - let _:Prims.unit = - assert (forall i. get_lane vv_minus_field_modulus i == get_lane vector i -. 3329s) - in - let sign_mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 15l vv_minus_field_modulus - in - let _:Prims.unit = - assert (forall i. get_lane sign_mask i == (get_lane vv_minus_field_modulus i >>! 15l)) - in - let conditional_add_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_and_si256 sign_mask field_modulus - in - let _:Prims.unit = - assert (forall i. get_lane conditional_add_field_modulus i == (get_lane sign_mask i &. 3329s)) - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 vv_minus_field_modulus - conditional_add_field_modulus - in - let _:Prims.unit = - assert (forall i. - get_lane result i == - (get_lane vv_minus_field_modulus i +. get_lane conditional_add_field_modulus i)); - assert (forall i. get_lane result i == Spec.Utils.cond_sub (get_lane vector i)); - assert (forall i. - get_lane result i == - (if (get_lane vector i) >=. 3329s then get_lane vector i -! 3329s else get_lane vector i)) - in - result - -#pop-options - #push-options "--z3rlimit 100 --ext context_pruning" let montgomery_multiply_by_constant 
@@ -328,6 +328,42 @@ let montgomery_multiply_by_constants (vec constants: Libcrux_intrinsics.Avx2_ext #pop-options +let montgomery_reduce_i32s (vec: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let k:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 vec + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R + <: + u32) + <: + i32) + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let k_times_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 k + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS + <: + i16) + <: + i32) + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let value_high:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi32 16l vec + in + let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 value_high k_times_modulus + in + let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 16l result + in + let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 16l result + in + let _:Prims.unit = admit () (* Panic freedom *) in + result + #push-options "--z3rlimit 100" let montgomery_multiply_m128i_by_constants (vec constants: Libcrux_intrinsics.Avx2_extract.t_Vec128) = 
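Review bot: The moved `montgomery_reduce_i32s` body still ends in `let _:Prims.unit = admit () (* Panic freedom *) in result`, and an `admit ()` at that point discharges the entire remaining obligation, not only panic freedom — so the `is_i16b_array 3328` bound and the `% 3329 == ((… * 169) % 3329)` clause declared for this function in Arithmetic.fsti are assumed rather than proved, and every caller of this reduction inherits that trust. The reorder is a natural moment to re-examine this, since the definition is re-checked in its new position anyway. Presumably the admit is emitted from a verification-status marker on the Rust source rather than written by hand, so the real fix belongs there; at minimum I would make the comment honest, e.g. `(* admit: postcondition (lane bound and Montgomery congruence) not yet proved *)`, so the fsti contract is not read as verified.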
@@ -400,39 +436,3 @@ let montgomery_multiply_m128i_by_constants (vec constants: Libcrux_intrinsics.Av result #pop-options - -let montgomery_reduce_i32s (vec: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let k:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 vec - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R - <: - u32) - <: - i32) - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let k_times_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 k - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS - <: - i16) - <: - i32) - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let value_high:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srli_epi32 16l vec - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 value_high k_times_modulus - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 16l result - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 16l result - in - let _:Prims.unit = admit () (* Panic freedom *) in - result diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti index 6cfb8659a..14cf907ec 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti @@ -3,8 +3,6 @@ module Libcrux_ml_kem.Vector.Avx2.Arithmetic open Core open FStar.Mul -let v_BARRETT_MULTIPLIER: i16 = 20159s - open Libcrux_intrinsics.Avx2_extract val add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) 
@@ -17,15 +15,15 @@ val add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in forall i. i < 16 ==> v (get_lane result i) == (v (get_lane lhs i) + v (get_lane rhs i))) -val bitwise_and_with_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i16) +val sub (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - Prims.l_True + (requires + forall i. + i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) - v (get_lane rhs i))) (ensures fun result -> let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result == - Spec.Utils.map_array (fun x -> x &. constant) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector)) + forall i. i < 16 ==> v (get_lane result i) == (v (get_lane lhs i) - v (get_lane rhs i))) val multiply_by_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i16) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 @@ -36,6 +34,16 @@ val multiply_by_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (con let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in forall i. i < 16 ==> v (get_lane result i) == (v (get_lane vector i) * v constant)) +val bitwise_and_with_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i16) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 + Prims.l_True + (ensures + fun result -> + let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in + Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result == + Spec.Utils.map_array (fun x -> x &. constant) + (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector)) + val shift_right (v_SHIFT_BY: i32) (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 (requires v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l) 
@@ -47,15 +55,21 @@ val shift_right (v_SHIFT_BY: i32) (vector: Libcrux_intrinsics.Avx2_extract.t_Vec Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector)) -val sub (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) +val cond_subtract_3329_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 (requires - forall i. - i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) - v (get_lane rhs i))) + Spec.Utils.is_i16b_array (pow2 12 - 1) + (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector)) (ensures fun result -> let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - forall i. i < 16 ==> v (get_lane result i) == (v (get_lane lhs i) - v (get_lane rhs i))) + forall i. + i < 16 ==> + get_lane result i == + (if (get_lane vector i) >=. 3329s then get_lane vector i -! 3329s else get_lane vector i + )) + +let v_BARRETT_MULTIPLIER: i16 = 20159s /// See Section 3.2 of the implementation notes document for an explanation /// of this code. @@ -69,20 +83,6 @@ val barrett_reduce (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result) /\ (forall i. i < 16 ==> v (get_lane result i) % 3329 == (v (get_lane vector i) % 3329))) -val cond_subtract_3329_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - Spec.Utils.is_i16b_array (pow2 12 - 1) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector)) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - forall i. - i < 16 ==> - get_lane result i == - (if (get_lane vector i) >=. 3329s then get_lane vector i -! 3329s else get_lane vector i - )) - val montgomery_multiply_by_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i16) 
@@ -109,19 +109,6 @@ val montgomery_multiply_by_constants (vec constants: Libcrux_intrinsics.Avx2_ext v (get_lane result i) % 3329 == ((v (get_lane vec i) * v (get_lane constants i) * 169) % 3329))) -val montgomery_multiply_m128i_by_constants (vec constants: Libcrux_intrinsics.Avx2_extract.t_Vec128) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec128 - (requires - Spec.Utils.is_i16b_array 1664 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 constants)) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec128 = result in - Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 result) /\ - (forall i. - i < 8 ==> - v (get_lane128 result i) % 3329 == - ((v (get_lane128 vec i) * v (get_lane128 constants i) * 169) % 3329))) - val montgomery_reduce_i32s (vec: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 (requires @@ -137,3 +124,16 @@ val montgomery_reduce_i32s (vec: Libcrux_intrinsics.Avx2_extract.t_Vec256) Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result)) /\ (forall i. i < 16 ==> v (get_lane result i) % 3329 == ((v (get_lane vec i) * 169) % 3329)) ) + +val montgomery_multiply_m128i_by_constants (vec constants: Libcrux_intrinsics.Avx2_extract.t_Vec128) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec128 + (requires + Spec.Utils.is_i16b_array 1664 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 constants)) + (ensures + fun result -> + let result:Libcrux_intrinsics.Avx2_extract.t_Vec128 = result in + Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 result) /\ + (forall i. + i < 8 ==> + v (get_lane128 result i) % 3329 == + ((v (get_lane128 vec i) * v (get_lane128 constants i) * 169) % 3329))) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fst index 849da1049..c84cf4a1c 100644 
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fst @@ -26,6 +26,39 @@ let mulhi_mm256_epi32 (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: Libcrux_intrinsics.Avx2_extract.t_Vec256) +let compress_message_coefficient (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let field_modulus_halved:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 ((Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS -! + 1s + <: + i16) /! + 2s + <: + i16) + in + let field_modulus_quartered:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 ((Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS -! + 1s + <: + i16) /! + 4s + <: + i16) + in + let shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 field_modulus_halved vector + in + let mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 15l shifted + in + let shifted_to_positive:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_xor_si256 mask shifted + in + let shifted_to_positive_in_range:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 shifted_to_positive field_modulus_quartered + in + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 15l shifted_to_positive_in_range + let compress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) 
@@ -98,39 +131,6 @@ let compress_ciphertext_coefficient in Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 216l compressed -let compress_message_coefficient (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let field_modulus_halved:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 ((Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS -! - 1s - <: - i16) /! - 2s - <: - i16) - in - let field_modulus_quartered:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 ((Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS -! - 1s - <: - i16) /! - 4s - <: - i16) - in - let shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 field_modulus_halved vector - in - let mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 15l shifted - in - let shifted_to_positive:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_xor_si256 mask shifted - in - let shifted_to_positive_in_range:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 shifted_to_positive field_modulus_quartered - in - Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 15l shifted_to_positive_in_range - let decompress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fsti index 267f93c47..3a6db0bb0 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fsti 
@@ -6,6 +6,9 @@ open FStar.Mul val mulhi_mm256_epi32 (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val compress_message_coefficient (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + val compress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) @@ -15,9 +18,6 @@ val compress_ciphertext_coefficient range (v (1l < Prims.l_True) -val compress_message_coefficient (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - val decompress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst index 6d1f1794f..a41ca52e5 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst 
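Review bot: The moved `compress_message_coefficient` is declared with `Prims.l_True` as both precondition and postcondition, so nothing constrains its input lanes or states its result, whereas its sibling `cond_subtract_3329_` in Arithmetic.fsti carries `requires Spec.Utils.is_i16b_array (pow2 12 - 1) …` and a lane-wise `ensures`. The body's first step is `mm256_sub_epi16 field_modulus_halved vector`; an extreme negative lane makes that 16-bit subtraction wrap, and the `mm256_srai_epi16 15l` sign mask that follows then picks the wrong branch — whether any caller can pass such a lane is not visible in this diff. If this helper is only ever applied to reduced coefficients, I would add `(requires Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector))` to the val, plus an `ensures` that every lane of the result is `0s` or `1s` (the closing `mm256_srli_epi16 15l` guarantees exactly that), so the message-packing callers get a proved bound instead of a trivial contract.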
@@ -3,6 +3,72 @@ module Libcrux_ml_kem.Vector.Avx2.Ntt open Core open FStar.Mul +let ntt_layer_1_step + (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (zeta0 zeta1 zeta2 zeta3: i16) + = + let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (Core.Ops.Arith.Neg.neg zeta3 <: i16) + (Core.Ops.Arith.Neg.neg zeta3 <: i16) zeta3 zeta3 (Core.Ops.Arith.Neg.neg zeta2 <: i16) + (Core.Ops.Arith.Neg.neg zeta2 <: i16) zeta2 zeta2 (Core.Ops.Arith.Neg.neg zeta1 <: i16) + (Core.Ops.Arith.Neg.neg zeta1 <: i16) zeta1 zeta1 (Core.Ops.Arith.Neg.neg zeta0 <: i16) + (Core.Ops.Arith.Neg.neg zeta0 <: i16) zeta0 zeta0 + in + let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l vector + in + let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants rhs zetas + in + let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 160l vector + in + Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs + +let ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i16) = + let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (Core.Ops.Arith.Neg.neg zeta1 <: i16) + (Core.Ops.Arith.Neg.neg zeta1 <: i16) (Core.Ops.Arith.Neg.neg zeta1 <: i16) + (Core.Ops.Arith.Neg.neg zeta1 <: i16) zeta1 zeta1 zeta1 zeta1 + (Core.Ops.Arith.Neg.neg zeta0 <: i16) (Core.Ops.Arith.Neg.neg zeta0 <: i16) + (Core.Ops.Arith.Neg.neg zeta0 <: i16) (Core.Ops.Arith.Neg.neg zeta0 <: i16) zeta0 zeta0 zeta0 + zeta0 + in + let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 238l vector + in + let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants rhs zetas + in + let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + 
Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 68l vector + in + Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs + +let ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i16) = + let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l vector + in + let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_m128i_by_constants rhs + (Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 zeta + <: + Libcrux_intrinsics.Avx2_extract.t_Vec128) + in + let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 vector + in + let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm_add_epi16 lhs rhs + in + let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm_sub_epi16 lhs rhs + in + let combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_castsi128_si256 lower_coefficients + in + Libcrux_intrinsics.Avx2_extract.mm256_inserti128_si256 1l combined upper_coefficients + #push-options "--admit_smt_queries true" let inv_ntt_layer_1_step 
@@ -89,72 +155,6 @@ let inv_ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zet in Libcrux_intrinsics.Avx2_extract.mm256_inserti128_si256 1l combined upper_coefficients -let ntt_layer_1_step - (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (zeta0 zeta1 zeta2 zeta3: i16) - = - let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (Core.Ops.Arith.Neg.neg zeta3 <: i16) - (Core.Ops.Arith.Neg.neg zeta3 <: i16) zeta3 zeta3 (Core.Ops.Arith.Neg.neg zeta2 <: i16) - (Core.Ops.Arith.Neg.neg zeta2 <: i16) zeta2 zeta2 (Core.Ops.Arith.Neg.neg zeta1 <: i16) - (Core.Ops.Arith.Neg.neg zeta1 <: i16) zeta1 zeta1 (Core.Ops.Arith.Neg.neg zeta0 <: i16) - (Core.Ops.Arith.Neg.neg zeta0 <: i16) zeta0 zeta0 - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l vector - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants rhs zetas - in - let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 160l vector - in - Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs - -let ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i16) = - let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (Core.Ops.Arith.Neg.neg zeta1 <: i16) - (Core.Ops.Arith.Neg.neg zeta1 <: i16) (Core.Ops.Arith.Neg.neg zeta1 <: i16) - (Core.Ops.Arith.Neg.neg zeta1 <: i16) zeta1 zeta1 zeta1 zeta1 - (Core.Ops.Arith.Neg.neg zeta0 <: i16) (Core.Ops.Arith.Neg.neg zeta0 <: i16) - (Core.Ops.Arith.Neg.neg zeta0 <: i16) (Core.Ops.Arith.Neg.neg zeta0 <: i16) zeta0 zeta0 zeta0 - zeta0 - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 238l vector - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - 
Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants rhs zetas - in - let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 68l vector - in - Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs - -let ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i16) = - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l vector - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_m128i_by_constants rhs - (Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 zeta - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - in - let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 vector - in - let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_add_epi16 lhs rhs - in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_sub_epi16 lhs rhs - in - let combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_castsi128_si256 lower_coefficients - in - Libcrux_intrinsics.Avx2_extract.mm256_inserti128_si256 1l combined upper_coefficients - #push-options "--admit_smt_queries true" let ntt_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1 zeta2 zeta3: i16) = diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fsti index e2cfc07ca..9086e4521 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fsti 
@@ -3,9 +3,7 @@ module Libcrux_ml_kem.Vector.Avx2.Ntt open Core open FStar.Mul -let ntt_multiply__PERMUTE_WITH: i32 = 216l - -val inv_ntt_layer_1_step +val ntt_layer_1_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1 zeta2 zeta3: i16) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 @@ -14,17 +12,17 @@ val inv_ntt_layer_1_step Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3) (fun _ -> Prims.l_True) -val inv_ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i16) +val ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i16) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 (requires Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1) (fun _ -> Prims.l_True) -val inv_ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i16) +val ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i16) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 (requires Spec.Utils.is_i16b 1664 zeta) (fun _ -> Prims.l_True) -val ntt_layer_1_step +val inv_ntt_layer_1_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1 zeta2 zeta3: i16) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 
@@ -33,16 +31,18 @@ val ntt_layer_1_step Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3) (fun _ -> Prims.l_True) -val ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i16) +val inv_ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i16) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 (requires Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1) (fun _ -> Prims.l_True) -val ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i16) +val inv_ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i16) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 (requires Spec.Utils.is_i16b 1664 zeta) (fun _ -> Prims.l_True) +let ntt_multiply__PERMUTE_WITH: i32 = 216l + val ntt_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1 zeta2 zeta3: i16) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 (requires diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst index 87cf7addd..dec06906f 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst 
@@ -10,6 +10,45 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +#push-options "--ext context_pruning --compat_pre_core 0" + +let serialize_1_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let lsb_to_msb:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_slli_epi16 15l vector + in + let low_msbs:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 lsb_to_msb + in + let high_msbs:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l lsb_to_msb + in + let msbs:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm_packs_epi16 low_msbs high_msbs + in + let _:Prims.unit = + let bits_packed' = BitVec.Intrinsics.mm_movemask_epi8_bv msbs in + FStar.Tactics.Effect.assert_by_tactic (forall (i: nat{i < 16}). + bits_packed' i = vector ((i / 1) * 16 + i % 1)) + (fun _ -> + (); + (Tactics.Utils.prove_forall_nat_pointwise (fun _ -> + Tactics.compute (); + Tactics.smt_sync ()))) + in + let bits_packed:i32 = Libcrux_intrinsics.Avx2_extract.mm_movemask_epi8 msbs in + let result:t_Array u8 (sz 2) = + let list = [cast (bits_packed <: i32) <: u8; cast (bits_packed >>! 8l <: i32) <: u8] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); + Rust_primitives.Hax.array_of_list 2 list + in + let _:Prims.unit = + assert (forall (i: nat{i < 8}). + get_bit (bits_packed >>! 8l <: i32) (sz i) == get_bit bits_packed (sz (i + 8))) + in + result + +#pop-options + [@@"opaque_to_smt"] #push-options "--ext context_pruning" 
@@ -41,6 +80,55 @@ let deserialize_1___deserialize_1_u8s (a b: u8) = let deserialize_1_ (bytes: t_Slice u8) = deserialize_1___deserialize_1_u8s (bytes.[ sz 0 ] <: u8) (bytes.[ sz 1 ] <: u8) +#push-options "--ext context_pruning --split_queries always" + +let serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in + let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + mm256_concat_pairs_n 4uy vector + in + let adjacent_8_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_2_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) + (-1y) (-1y) (-1y) (-1y) (-1y) 12y 8y 4y 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) + (-1y) (-1y) (-1y) (-1y) 12y 8y 4y 0y + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 adjacent_8_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 0l 0l 0l 4l 0l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let combined:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 combined + in + let serialized:t_Array u8 (sz 16) = + Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 serialized combined + in + let _:Prims.unit = + assert (forall (i: nat{i < 64}). combined i == bit_vec_of_int_t_array serialized 8 i); + introduce forall (i: nat{i < 64}) . combined i = vector ((i / 4) * 16 + i % 4) + with assert_norm (BitVec.Utils.forall64 (fun i -> combined i = vector ((i / 4) * 16 + i % 4))); + assert (forall (i: nat{i < 64}). 
+ bit_vec_of_int_t_array serialized 8 i == vector ((i / 4) * 16 + i % 4)) + in + Core.Result.impl__unwrap #(t_Array u8 (sz 8)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 8)) + #FStar.Tactics.Typeclasses.solve + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 8 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Core.Result.t_Result (t_Array u8 (sz 8)) Core.Array.t_TryFromSliceError) + +#pop-options + [@@"opaque_to_smt"] let deserialize_4___deserialize_4_i16s (b0 b1 b2 b3 b4 b5 b6 b7: i16) = 
@@ -89,107 +177,110 @@ let deserialize_4_ (bytes: t_Slice u8) = (bytes.[ sz 6 ] <: u8) (bytes.[ sz 7 ] <: u8) -#push-options "--ext context_pruning --compat_pre_core 0" - -let serialize_1_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let lsb_to_msb:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_slli_epi16 15l vector - in - let low_msbs:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 lsb_to_msb - in - let high_msbs:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l lsb_to_msb - in - let msbs:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_packs_epi16 low_msbs high_msbs - in - let _:Prims.unit = - let bits_packed' = BitVec.Intrinsics.mm_movemask_epi8_bv msbs in - FStar.Tactics.Effect.assert_by_tactic (forall (i: nat{i < 16}). - bits_packed' i = vector ((i / 1) * 16 + i % 1)) - (fun _ -> - (); - (Tactics.Utils.prove_forall_nat_pointwise (fun _ -> - Tactics.compute (); - Tactics.smt_sync ()))) - in - let bits_packed:i32 = Libcrux_intrinsics.Avx2_extract.mm_movemask_epi8 msbs in - let result:t_Array u8 (sz 2) = - let list = [cast (bits_packed <: i32) <: u8; cast (bits_packed >>! 8l <: i32) <: u8] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); - Rust_primitives.Hax.array_of_list 2 list - in - let _:Prims.unit = - assert (forall (i: nat{i < 8}). - get_bit (bits_packed >>! 
8l <: i32) (sz i) == get_bit bits_packed (sz (i + 8))) - in - result - -#pop-options - -#push-options "--ext context_pruning --split_queries always" - -let serialize_10___serialize_10_vec (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = +let serialize_5_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - mm256_concat_pairs_n 10uy vector + Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 vector + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < lower_8_ i = vector ((i / 10) * 16 + i % 10))); - introduce forall (i: nat{i < 80}) . upper_8_ i = vector (128 + (i / 10) * 16 + i % 10) - with assert_norm (BitVec.Utils.forall_n 80 - (fun i -> upper_8_ i = vector (128 + (i / 10) * 16 + i % 10))) + let serialized:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ Core.Ops.Range.f_start = sz 5; Core.Ops.Range.f_end = sz 21 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 5; + Core.Ops.Range.f_end = sz 21 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + upper_8_ + <: + t_Slice u8) in - lower_8_, upper_8_ - <: - (Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128) - -#pop-options + Core.Result.impl__unwrap #(t_Array u8 (sz 10)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 10)) + #FStar.Tactics.Typeclasses.solve + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 10 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Core.Result.t_Result (t_Array u8 (sz 10)) Core.Array.t_TryFromSliceError) #push-options "--ext context_pruning --split_queries always" -let serialize_12___serialize_12_vec (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = +let 
serialize_10___serialize_10_vec (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - mm256_concat_pairs_n 12uy vector + mm256_concat_pairs_n 10uy vector in let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 adjacent_2_combined - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 8l 0l 8l 0l 8l 0l 8l + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 12l 0l 12l 0l 12l 0l 12l <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 8l adjacent_4_combined + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 12l adjacent_4_combined in let adjacent_8_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_4_combined - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) 13y 12y 11y 10y 9y 8y - 5y 4y 3y 2y 1y 0y (-1y) (-1y) (-1y) (-1y) 13y 12y 11y 10y 9y 8y 5y 4y 3y 2y 1y 0y + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 12y 11y + 10y 9y 8y 4y 3y 2y 1y 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 12y 11y 10y 9y 8y 4y 3y 2y 1y + 0y <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in 
@@ -200,12 +291,12 @@ let serialize_12___serialize_12_vec (vector: Libcrux_intrinsics.Avx2_extract.t_V Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_8_combined in let _:Prims.unit = - introduce forall (i: nat{i < 96}) . lower_8_ i = vector ((i / 12) * 16 + i % 12) - with assert_norm (BitVec.Utils.forall_n 96 - (fun i -> lower_8_ i = vector ((i / 12) * 16 + i % 12))); - introduce forall (i: nat{i < 96}) . upper_8_ i = vector (128 + (i / 12) * 16 + i % 12) - with assert_norm (BitVec.Utils.forall_n 96 - (fun i -> upper_8_ i = vector (128 + (i / 12) * 16 + i % 12))) + introduce forall (i: nat{i < 80}) . lower_8_ i = vector ((i / 10) * 16 + i % 10) + with assert_norm (BitVec.Utils.forall_n 80 + (fun i -> lower_8_ i = vector ((i / 10) * 16 + i % 10))); + introduce forall (i: nat{i < 80}) . upper_8_ i = vector (128 + (i / 10) * 16 + i % 10) + with assert_norm (BitVec.Utils.forall_n 80 + (fun i -> upper_8_ i = vector (128 + (i / 10) * 16 + i % 10))) in lower_8_, upper_8_ <: 
@@ -272,95 +363,54 @@ let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = #push-options "--ext context_pruning --split_queries always" -let serialize_12_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in - let lower_8_, upper_8_:(Libcrux_intrinsics.Avx2_extract.t_Vec128 & - Libcrux_intrinsics.Avx2_extract.t_Vec128) = - serialize_12___serialize_12_vec vector - in - let serialized:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } - <: - Core.Ops.Range.t_Range usize) - (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = sz 16 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - lower_8_ - <: - t_Slice u8) - in - let serialized:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ Core.Ops.Range.f_start = sz 12; Core.Ops.Range.f_end = sz 28 } - <: - Core.Ops.Range.t_Range usize) - (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { - Core.Ops.Range.f_start = sz 12; - Core.Ops.Range.f_end = sz 28 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - upper_8_ - <: - t_Slice u8) - in - Core.Result.impl__unwrap #(t_Array u8 (sz 24)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (sz 24)) - #FStar.Tactics.Typeclasses.solve - (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 24 } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - <: - Core.Result.t_Result (t_Array u8 (sz 24)) Core.Array.t_TryFromSliceError) - -#pop-options - -let serialize_5_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in +let serialize_12___serialize_12_vec (vector: 
Libcrux_intrinsics.Avx2_extract.t_Vec256) = let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 vector - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < lower_8_ i = vector ((i / 12) * 16 + i % 12))); + introduce forall (i: nat{i < 96}) . upper_8_ i = vector (128 + (i / 12) * 16 + i % 12) + with assert_norm (BitVec.Utils.forall_n 96 + (fun i -> upper_8_ i = vector (128 + (i / 12) * 16 + i % 12))) + in + lower_8_, upper_8_ + <: + (Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128) + +#pop-options + +#push-options "--ext context_pruning --split_queries always" + +let serialize_12_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let lower_8_, upper_8_:(Libcrux_intrinsics.Avx2_extract.t_Vec128 & + Libcrux_intrinsics.Avx2_extract.t_Vec128) = + serialize_12___serialize_12_vec vector + in let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } @@ -378,17 +428,14 @@ let serialize_5_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: t_Slice u8) in - let upper_8_:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_8_combined - in let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ Core.Ops.Range.f_start = sz 5; Core.Ops.Range.f_end = sz 21 } + ({ Core.Ops.Range.f_start = sz 12; Core.Ops.Range.f_end = sz 28 } <: Core.Ops.Range.t_Range usize) (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { - Core.Ops.Range.f_start = sz 5; - Core.Ops.Range.f_end = sz 21 + Core.Ops.Range.f_start = sz 12; + Core.Ops.Range.f_end = sz 28 } <: Core.Ops.Range.t_Range usize ] 
@@ -398,67 +445,50 @@ let serialize_5_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: t_Slice u8) in - Core.Result.impl__unwrap #(t_Array u8 (sz 10)) + Core.Result.impl__unwrap #(t_Array u8 (sz 24)) #Core.Array.t_TryFromSliceError (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (sz 10)) + #(t_Array u8 (sz 24)) #FStar.Tactics.Typeclasses.solve - (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 10 } + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 24 } <: Core.Ops.Range.t_Range usize ] <: t_Slice u8) <: - Core.Result.t_Result (t_Array u8 (sz 10)) Core.Array.t_TryFromSliceError) + Core.Result.t_Result (t_Array u8 (sz 24)) Core.Array.t_TryFromSliceError) -#push-options "--ext context_pruning --split_queries always" +#pop-options -let serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in - let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - mm256_concat_pairs_n 4uy vector +let deserialize_5_ (bytes: t_Slice u8) = + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm_set_epi8 (bytes.[ sz 9 ] <: u8) (bytes.[ sz 8 ] <: u8) + (bytes.[ sz 8 ] <: u8) (bytes.[ sz 7 ] <: u8) (bytes.[ sz 7 ] <: u8) (bytes.[ sz 6 ] <: u8) + (bytes.[ sz 6 ] <: u8) (bytes.[ sz 5 ] <: u8) (bytes.[ sz 4 ] <: u8) (bytes.[ sz 3 ] <: u8) + (bytes.[ sz 3 ] <: u8) (bytes.[ sz 2 ] <: u8) (bytes.[ sz 2 ] <: u8) (bytes.[ sz 1 ] <: u8) + (bytes.[ sz 1 ] <: u8) (bytes.[ sz 0 ] <: u8) in - let adjacent_8_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_2_combined - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) - (-1y) (-1y) (-1y) (-1y) (-1y) 12y 8y 4y 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) - (-1y) (-1y) (-1y) (-1y) 12y 8y 4y 0y + let 
coefficients_loaded:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + mm256_si256_from_two_si128 coefficients coefficients + in + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 coefficients_loaded + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 15y 14y 15y 14y 13y 12y 13y 12y 11y 10y 11y + 10y 9y 8y 9y 8y 7y 6y 7y 6y 5y 4y 5y 4y 3y 2y 3y 2y 1y 0y 1y 0y <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in - let combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 adjacent_8_combined - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 0l 0l 0l 4l 0l + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < combined i = vector ((i / 4) * 16 + i % 4))); - assert (forall (i: nat{i < 64}). - bit_vec_of_int_t_array serialized 8 i == vector ((i / 4) * 16 + i % 4)) - in - Core.Result.impl__unwrap #(t_Array u8 (sz 8)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (sz 8)) - #FStar.Tactics.Typeclasses.solve - (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 8 } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - <: - Core.Result.t_Result (t_Array u8 (sz 8)) Core.Array.t_TryFromSliceError) - -#pop-options + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 11l coefficients [@@"opaque_to_smt"] 
@@ -606,35 +636,23 @@ let deserialize_12_ (bytes: t_Slice u8) = in deserialize_12___deserialize_12_vec lower_coefficients upper_coefficients -let deserialize_5_ (bytes: t_Slice u8) = - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_set_epi8 (bytes.[ sz 9 ] <: u8) (bytes.[ sz 8 ] <: u8) - (bytes.[ sz 8 ] <: u8) (bytes.[ sz 7 ] <: u8) (bytes.[ sz 7 ] <: u8) (bytes.[ sz 6 ] <: u8) - (bytes.[ sz 6 ] <: u8) (bytes.[ sz 5 ] <: u8) (bytes.[ sz 4 ] <: u8) (bytes.[ sz 3 ] <: u8) - (bytes.[ sz 3 ] <: u8) (bytes.[ sz 2 ] <: u8) (bytes.[ sz 2 ] <: u8) (bytes.[ sz 1 ] <: u8) - (bytes.[ sz 1 ] <: u8) (bytes.[ sz 0 ] <: u8) - in - let coefficients_loaded:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - mm256_si256_from_two_si128 coefficients coefficients - in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 coefficients_loaded - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 15y 14y 15y 14y 13y 12y 13y 12y 11y 10y 11y - 10y 9y 8y 9y 8y 7y 6y 7y 6y 5y 4y 5y 4y 3y 2y 3y 2y 1y 0y 1y 0y - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) +#push-options "--admit_smt_queries true" + +let serialize_11_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let array:t_Array i16 (sz 16) = Rust_primitives.Hax.repeat 0s (sz 16) in + let array:t_Array i16 (sz 16) = + Libcrux_intrinsics.Avx2_extract.mm256_storeu_si256_i16 array vector in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s <= 1 ==> vector i == 0) + (ensures + fun result -> + let result:t_Array u8 (sz 2) = result in + forall i. bit_vec_of_int_t_array result 8 i == vector (i * 16)) + val deserialize_1___deserialize_1_i16s (a b: i16) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True 
@@ -52,6 +60,16 @@ val deserialize_1_ (bytes: t_Slice u8) let j = (i / 16) * 1 + i % 16 in bit_vec_of_int_t_array (bytes <: t_Array _ (sz 2)) 8 j)) +include BitVec.Intrinsics {mm256_concat_pairs_n} + +val serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure (t_Array u8 (sz 8)) + (requires forall (i: nat{i < 256}). i % 16 < 4 || vector i = 0) + (ensures + fun r -> + let r:t_Array u8 (sz 8) = r in + forall (i: nat{i < 64}). bit_vec_of_int_t_array r 8 i == vector ((i / 4) * 16 + i % 4)) + val deserialize_4___deserialize_4_i16s (b0 b1 b2 b3 b4 b5 b6 b7: i16) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True @@ -110,15 +128,8 @@ val deserialize_4_ (bytes: t_Slice u8) let j = (i / 16) * 4 + i % 16 in bit_vec_of_int_t_array (bytes <: t_Array _ (sz 8)) 8 j)) -include BitVec.Intrinsics {mm256_concat_pairs_n} - -val serialize_1_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (t_Array u8 (sz 2)) - (requires forall i. i % 16 >= 1 ==> vector i == 0) - (ensures - fun result -> - let result:t_Array u8 (sz 2) = result in - forall i. bit_vec_of_int_t_array result 8 i == vector (i * 16)) +val serialize_5_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) val serialize_10___serialize_10_vec (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure 
@@ -133,6 +144,14 @@ val serialize_10___serialize_10_vec (vector: Libcrux_intrinsics.Avx2_extract.t_V forall (i: nat{i < 160}). vector ((i / 10) * 16 + i % 10) == (if i < 80 then lower_8_ i else upper_8_ (i - 80))) +val serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure (t_Array u8 (sz 20)) + (requires forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0) + (ensures + fun r -> + let r:t_Array u8 (sz 20) = r in + forall (i: nat{i < 160}). bit_vec_of_int_t_array r 8 i == vector ((i / 10) * 16 + i % 10)) + val serialize_12___serialize_12_vec (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure (Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128) @@ -146,14 +165,6 @@ val serialize_12___serialize_12_vec (vector: Libcrux_intrinsics.Avx2_extract.t_V forall (i: nat{i < 192}). vector ((i / 12) * 16 + i % 12) == (if i < 96 then lower_8_ i else upper_8_ (i - 96))) -val serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (t_Array u8 (sz 20)) - (requires forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0) - (ensures - fun r -> - let r:t_Array u8 (sz 20) = r in - forall (i: nat{i < 160}). bit_vec_of_int_t_array r 8 i == vector ((i / 10) * 16 + i % 10)) - val serialize_12_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure (t_Array u8 (sz 24)) (requires forall (i: nat{i < 256}). i % 16 < 12 || vector i = 0) 
@@ -162,19 +173,13 @@ val serialize_12_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) let r:t_Array u8 (sz 24) = r in forall (i: nat{i < 192}). bit_vec_of_int_t_array r 8 i == vector ((i / 12) * 16 + i % 12)) -val serialize_5_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (t_Array u8 (sz 8)) - (requires forall (i: nat{i < 256}). i % 16 < 4 || vector i = 0) - (ensures - fun r -> - let r:t_Array u8 (sz 8) = r in - forall (i: nat{i < 64}). bit_vec_of_int_t_array r 8 i == vector ((i / 4) * 16 + i % 4)) - include BitVec.Intrinsics {mm256_si256_from_two_si128 as mm256_si256_from_two_si128} +val deserialize_5_ (bytes: t_Slice u8) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 + (requires Seq.length bytes == 10) + (fun _ -> Prims.l_True) + val deserialize_10___deserialize_10_vec (lower_coefficients0 upper_coefficients0: Libcrux_intrinsics.Avx2_extract.t_Vec128) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 @@ -233,13 +238,8 @@ val deserialize_12_ (bytes: t_Slice u8) let j = (i / 16) * 12 + i % 16 in bit_vec_of_int_t_array (bytes <: t_Array _ (sz 24)) 8 j)) -val deserialize_5_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires Seq.length bytes == 10) - (fun _ -> Prims.l_True) +val serialize_11_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True) val deserialize_11_ (bytes: t_Slice u8) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - -val serialize_11_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst index f63bcef62..3508e83ed 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst 
@@ -9,50 +9,45 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -#push-options "--admit_smt_queries true" - -let deserialize_1_ (bytes: t_Slice u8) = - { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_1_ bytes } <: t_SIMD256Vector - -#pop-options - -#push-options "--admit_smt_queries true" - -let deserialize_4_ (bytes: t_Slice u8) = - { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_4_ bytes } <: t_SIMD256Vector - -#pop-options +[@@ FStar.Tactics.Typeclasses.tcinstance] +assume +val impl_1': Core.Clone.t_Clone t_SIMD256Vector -#push-options "--admit_smt_queries true" +let impl_1 = impl_1' -let serialize_1_ (vector: t_SIMD256Vector) = - Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_1_ vector.f_elements +[@@ FStar.Tactics.Typeclasses.tcinstance] +assume +val impl_2': Core.Marker.t_Copy t_SIMD256Vector -#pop-options +let impl_2 = impl_2' -let vec_from_i16_array (array: t_Slice i16) = +let vec_zero (_: Prims.unit) = let result:t_SIMD256Vector = - { f_elements = Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i16 array } <: t_SIMD256Vector + { f_elements = Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () } <: t_SIMD256Vector in let _:Prims.unit = admit () (* Panic freedom *) in result -let vec_zero (_: Prims.unit) = +let vec_to_i16_array (v: t_SIMD256Vector) = + let output:t_Array i16 (sz 16) = Rust_primitives.Hax.repeat 0s (sz 16) in + let output:t_Array i16 (sz 16) = + Libcrux_intrinsics.Avx2_extract.mm256_storeu_si256_i16 output v.f_elements + in + let result:t_Array i16 (sz 16) = output in + let _:Prims.unit = admit () (* Panic freedom *) in + result + +let vec_from_i16_array (array: t_Slice i16) = let result:t_SIMD256Vector = - { f_elements = Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () } <: t_SIMD256Vector + { f_elements = Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i16 array } <: t_SIMD256Vector in let _:Prims.unit = admit () (* Panic freedom *) in result #push-options "--admit_smt_queries true" -let 
compress (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) = - { - f_elements - = - Libcrux_ml_kem.Vector.Avx2.Compress.compress_ciphertext_coefficient v_COEFFICIENT_BITS - vector.f_elements - } +let cond_subtract_3329_ (vector: t_SIMD256Vector) = + { f_elements = Libcrux_ml_kem.Vector.Avx2.Arithmetic.cond_subtract_3329_ vector.f_elements } <: t_SIMD256Vector @@ -71,8 +66,13 @@ let compress_1_ (vector: t_SIMD256Vector) = #push-options "--admit_smt_queries true" -let cond_subtract_3329_ (vector: t_SIMD256Vector) = - { f_elements = Libcrux_ml_kem.Vector.Avx2.Arithmetic.cond_subtract_3329_ vector.f_elements } +let compress (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) = + { + f_elements + = + Libcrux_ml_kem.Vector.Avx2.Compress.compress_ciphertext_coefficient v_COEFFICIENT_BITS + vector.f_elements + } <: t_SIMD256Vector @@ -80,11 +80,11 @@ let cond_subtract_3329_ (vector: t_SIMD256Vector) = #push-options "--admit_smt_queries true" -let inv_ntt_layer_1_step (vector: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16) = +let ntt_layer_1_step (vector: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16) = { f_elements = - Libcrux_ml_kem.Vector.Avx2.Ntt.inv_ntt_layer_1_step vector.f_elements zeta0 zeta1 zeta2 zeta3 + Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_1_step vector.f_elements zeta0 zeta1 zeta2 zeta3 } <: t_SIMD256Vector @@ -93,8 +93,8 @@ let inv_ntt_layer_1_step (vector: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16 #push-options "--admit_smt_queries true" -let inv_ntt_layer_2_step (vector: t_SIMD256Vector) (zeta0 zeta1: i16) = - { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.inv_ntt_layer_2_step vector.f_elements zeta0 zeta1 } +let ntt_layer_2_step (vector: t_SIMD256Vector) (zeta0 zeta1: i16) = + { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_2_step vector.f_elements zeta0 zeta1 } <: t_SIMD256Vector 
@@ -102,8 +102,8 @@ let inv_ntt_layer_2_step (vector: t_SIMD256Vector) (zeta0 zeta1: i16) = #push-options "--admit_smt_queries true" -let inv_ntt_layer_3_step (vector: t_SIMD256Vector) (zeta: i16) = - { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.inv_ntt_layer_3_step vector.f_elements zeta } +let ntt_layer_3_step (vector: t_SIMD256Vector) (zeta: i16) = + { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_3_step vector.f_elements zeta } <: t_SIMD256Vector @@ -111,11 +111,11 @@ let inv_ntt_layer_3_step (vector: t_SIMD256Vector) (zeta: i16) = #push-options "--admit_smt_queries true" -let ntt_layer_1_step (vector: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16) = +let inv_ntt_layer_1_step (vector: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16) = { f_elements = - Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_1_step vector.f_elements zeta0 zeta1 zeta2 zeta3 + Libcrux_ml_kem.Vector.Avx2.Ntt.inv_ntt_layer_1_step vector.f_elements zeta0 zeta1 zeta2 zeta3 } <: t_SIMD256Vector @@ -124,8 +124,8 @@ let ntt_layer_1_step (vector: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16) = #push-options "--admit_smt_queries true" -let ntt_layer_2_step (vector: t_SIMD256Vector) (zeta0 zeta1: i16) = - { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_2_step vector.f_elements zeta0 zeta1 } +let inv_ntt_layer_2_step (vector: t_SIMD256Vector) (zeta0 zeta1: i16) = + { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.inv_ntt_layer_2_step vector.f_elements zeta0 zeta1 } <: t_SIMD256Vector @@ -133,8 +133,8 @@ let ntt_layer_2_step (vector: t_SIMD256Vector) (zeta0 zeta1: i16) = #push-options "--admit_smt_queries true" -let ntt_layer_3_step (vector: t_SIMD256Vector) (zeta: i16) = - { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_3_step vector.f_elements zeta } +let inv_ntt_layer_3_step (vector: t_SIMD256Vector) (zeta: i16) = + { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.inv_ntt_layer_3_step vector.f_elements zeta } <: t_SIMD256Vector 
@@ -158,47 +158,47 @@ let ntt_multiply (lhs rhs: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16) = #pop-options -[@@ FStar.Tactics.Typeclasses.tcinstance] -assume -val impl_1': Core.Clone.t_Clone t_SIMD256Vector +#push-options "--admit_smt_queries true" -let impl_1 = impl_1' +let serialize_1_ (vector: t_SIMD256Vector) = + Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_1_ vector.f_elements -[@@ FStar.Tactics.Typeclasses.tcinstance] -assume -val impl_2': Core.Marker.t_Copy t_SIMD256Vector +#pop-options -let impl_2 = impl_2' +#push-options "--admit_smt_queries true" + +let deserialize_1_ (bytes: t_Slice u8) = + { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_1_ bytes } <: t_SIMD256Vector + +#pop-options #push-options "--admit_smt_queries true" -let serialize_10_ (vector: t_SIMD256Vector) = - Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_10_ vector.f_elements +let serialize_4_ (vector: t_SIMD256Vector) = + Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_4_ vector.f_elements #pop-options #push-options "--admit_smt_queries true" -let serialize_12_ (vector: t_SIMD256Vector) = - Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_12_ vector.f_elements +let deserialize_4_ (bytes: t_Slice u8) = + { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_4_ bytes } <: t_SIMD256Vector #pop-options #push-options "--admit_smt_queries true" -let serialize_4_ (vector: t_SIMD256Vector) = - Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_4_ vector.f_elements +let serialize_10_ (vector: t_SIMD256Vector) = + Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_10_ vector.f_elements #pop-options -let vec_to_i16_array (v: t_SIMD256Vector) = - let output:t_Array i16 (sz 16) = Rust_primitives.Hax.repeat 0s (sz 16) in - let output:t_Array i16 (sz 16) = - Libcrux_intrinsics.Avx2_extract.mm256_storeu_si256_i16 output v.f_elements - in - let result:t_Array i16 (sz 16) = output in - let _:Prims.unit = admit () (* Panic freedom *) in - result +#push-options "--admit_smt_queries true" 
+ +let serialize_12_ (vector: t_SIMD256Vector) = + Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_12_ vector.f_elements + +#pop-options [@@ FStar.Tactics.Typeclasses.tcinstance] let impl: Libcrux_ml_kem.Vector.Traits.t_Repr t_SIMD256Vector = diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti index 3ba81f3eb..dd26cbba3 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti 
@@ -15,30 +15,27 @@ type t_SIMD256Vector = { f_elements:Libcrux_intrinsics.Avx2_extract.t_Vec256 } let repr (x:t_SIMD256Vector) : t_Array i16 (sz 16) = Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 x.f_elements -val deserialize_1_ (bytes: t_Slice u8) - : Prims.Pure t_SIMD256Vector - (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 2) - (ensures - fun out -> - let out:t_SIMD256Vector = out in - sz (Seq.length bytes) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 bytes (repr out)) +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_1:Core.Clone.t_Clone t_SIMD256Vector -val deserialize_4_ (bytes: t_Slice u8) - : Prims.Pure t_SIMD256Vector - (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 8) +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_2:Core.Marker.t_Copy t_SIMD256Vector + +val vec_zero: Prims.unit + -> Prims.Pure t_SIMD256Vector + Prims.l_True (ensures - fun out -> - let out:t_SIMD256Vector = out in - sz (Seq.length bytes) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 bytes (repr out)) + fun result -> + let result:t_SIMD256Vector = result in + repr result == Seq.create 16 0s) -val serialize_1_ (vector: t_SIMD256Vector) - : Prims.Pure (t_Array u8 (sz 2)) - (requires Spec.MLKEM.serialize_pre 1 (repr vector)) +val vec_to_i16_array (v: t_SIMD256Vector) + : Prims.Pure (t_Array i16 (sz 16)) + Prims.l_True (ensures - fun out -> - let out:t_Array u8 (sz 2) = out in - Spec.MLKEM.serialize_pre 1 (repr vector) ==> Spec.MLKEM.serialize_post 1 (repr vector) out - ) + fun result -> + let result:t_Array i16 (sz 16) = result in + result == repr v) val vec_from_i16_array (array: t_Slice i16) : Prims.Pure t_SIMD256Vector 
@@ -48,13 +45,24 @@ val vec_from_i16_array (array: t_Slice i16) let result:t_SIMD256Vector = result in repr result == array) -val vec_zero: Prims.unit - -> Prims.Pure t_SIMD256Vector - Prims.l_True +val cond_subtract_3329_ (vector: t_SIMD256Vector) + : Prims.Pure t_SIMD256Vector + (requires Spec.Utils.is_i16b_array (pow2 12 - 1) (repr vector)) (ensures - fun result -> - let result:t_SIMD256Vector = result in - repr result == Seq.create 16 0s) + fun out -> + let out:t_SIMD256Vector = out in + repr out == + Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (repr vector)) + +val compress_1_ (vector: t_SIMD256Vector) + : Prims.Pure t_SIMD256Vector + (requires + forall (i: nat). + i < 16 ==> v (Seq.index (repr vector) i) >= 0 /\ v (Seq.index (repr vector) i) < 3329) + (ensures + fun out -> + let out:t_SIMD256Vector = out in + forall (i: nat). i < 16 ==> bounded (Seq.index (repr out) i) 1) val compress (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) : Prims.Pure t_SIMD256Vector 
@@ -70,24 +78,35 @@ val compress (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) v v_COEFFICIENT_BITS == 11) ==> (forall (i: nat). i < 16 ==> bounded (Seq.index (repr out) i) (v v_COEFFICIENT_BITS))) -val compress_1_ (vector: t_SIMD256Vector) +val ntt_layer_1_step (vector: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16) : Prims.Pure t_SIMD256Vector (requires - forall (i: nat). - i < 16 ==> v (Seq.index (repr vector) i) >= 0 /\ v (Seq.index (repr vector) i) < 3329) + Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ + Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ + Spec.Utils.is_i16b_array (11207 + 5 * 3328) (repr vector)) (ensures fun out -> let out:t_SIMD256Vector = out in - forall (i: nat). i < 16 ==> bounded (Seq.index (repr out) i) 1) + Spec.Utils.is_i16b_array (11207 + 6 * 3328) (repr out)) -val cond_subtract_3329_ (vector: t_SIMD256Vector) +val ntt_layer_2_step (vector: t_SIMD256Vector) (zeta0 zeta1: i16) : Prims.Pure t_SIMD256Vector - (requires Spec.Utils.is_i16b_array (pow2 12 - 1) (repr vector)) + (requires + Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ + Spec.Utils.is_i16b_array (11207 + 4 * 3328) (repr vector)) (ensures fun out -> let out:t_SIMD256Vector = out in - repr out == - Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (repr vector)) + Spec.Utils.is_i16b_array (11207 + 5 * 3328) (repr out)) + +val ntt_layer_3_step (vector: t_SIMD256Vector) (zeta: i16) + : Prims.Pure t_SIMD256Vector + (requires + Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array (11207 + 3 * 3328) (repr vector)) + (ensures + fun out -> + let out:t_SIMD256Vector = out in + Spec.Utils.is_i16b_array (11207 + 4 * 3328) (repr out)) val inv_ntt_layer_1_step (vector: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16) : Prims.Pure t_SIMD256Vector 
@@ -118,52 +137,50 @@ val inv_ntt_layer_3_step (vector: t_SIMD256Vector) (zeta: i16) let out:t_SIMD256Vector = out in Spec.Utils.is_i16b_array 3328 (repr out)) -val ntt_layer_1_step (vector: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16) +val ntt_multiply (lhs rhs: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16) : Prims.Pure t_SIMD256Vector (requires Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array (11207 + 5 * 3328) (repr vector)) + Spec.Utils.is_i16b_array 3328 (repr lhs) /\ Spec.Utils.is_i16b_array 3328 (repr rhs)) (ensures fun out -> let out:t_SIMD256Vector = out in - Spec.Utils.is_i16b_array (11207 + 6 * 3328) (repr out)) + Spec.Utils.is_i16b_array 3328 (repr out)) -val ntt_layer_2_step (vector: t_SIMD256Vector) (zeta0 zeta1: i16) - : Prims.Pure t_SIMD256Vector - (requires - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b_array (11207 + 4 * 3328) (repr vector)) +val serialize_1_ (vector: t_SIMD256Vector) + : Prims.Pure (t_Array u8 (sz 2)) + (requires Spec.MLKEM.serialize_pre 1 (repr vector)) (ensures fun out -> - let out:t_SIMD256Vector = out in - Spec.Utils.is_i16b_array (11207 + 5 * 3328) (repr out)) + let out:t_Array u8 (sz 2) = out in + Spec.MLKEM.serialize_pre 1 (repr vector) ==> Spec.MLKEM.serialize_post 1 (repr vector) out + ) -val ntt_layer_3_step (vector: t_SIMD256Vector) (zeta: i16) +val deserialize_1_ (bytes: t_Slice u8) : Prims.Pure t_SIMD256Vector - (requires - Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array (11207 + 3 * 3328) (repr vector)) + (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 2) (ensures fun out -> let out:t_SIMD256Vector = out in - Spec.Utils.is_i16b_array (11207 + 4 * 3328) (repr out)) + sz (Seq.length bytes) =. 
sz 2 ==> Spec.MLKEM.deserialize_post 1 bytes (repr out)) -val ntt_multiply (lhs rhs: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16) +val serialize_4_ (vector: t_SIMD256Vector) + : Prims.Pure (t_Array u8 (sz 8)) + (requires Spec.MLKEM.serialize_pre 4 (repr vector)) + (ensures + fun out -> + let out:t_Array u8 (sz 8) = out in + Spec.MLKEM.serialize_pre 4 (repr vector) ==> Spec.MLKEM.serialize_post 4 (repr vector) out + ) + +val deserialize_4_ (bytes: t_Slice u8) : Prims.Pure t_SIMD256Vector - (requires - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array 3328 (repr lhs) /\ Spec.Utils.is_i16b_array 3328 (repr rhs)) + (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 8) (ensures fun out -> let out:t_SIMD256Vector = out in - Spec.Utils.is_i16b_array 3328 (repr out)) - -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_1:Core.Clone.t_Clone t_SIMD256Vector - -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_2:Core.Marker.t_Copy t_SIMD256Vector + sz (Seq.length bytes) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 bytes (repr out)) val serialize_10_ (vector: t_SIMD256Vector) : Prims.Pure (t_Array u8 (sz 20)) @@ -183,23 +200,6 @@ val serialize_12_ (vector: t_SIMD256Vector) Spec.MLKEM.serialize_pre 12 (repr vector) ==> Spec.MLKEM.serialize_post 12 (repr vector) out) -val serialize_4_ (vector: t_SIMD256Vector) - : Prims.Pure (t_Array u8 (sz 8)) - (requires Spec.MLKEM.serialize_pre 4 (repr vector)) - (ensures - fun out -> - let out:t_Array u8 (sz 8) = out in - Spec.MLKEM.serialize_pre 4 (repr vector) ==> Spec.MLKEM.serialize_post 4 (repr vector) out - ) - -val vec_to_i16_array (v: t_SIMD256Vector) - : Prims.Pure (t_Array i16 (sz 16)) - Prims.l_True - (ensures - fun result -> - let result:t_Array i16 (sz 16) = result in - result == repr v) - [@@ FStar.Tactics.Typeclasses.tcinstance] val impl:Libcrux_ml_kem.Vector.Traits.t_Repr t_SIMD256Vector 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fst index 1139236f7..5fb7954dd 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fst 
@@ -3,6 +3,50 @@ module Libcrux_ml_kem.Vector.Neon.Arithmetic open Core open FStar.Mul +let barrett_reduce_int16x8_t (v: u8) = + let adder:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 1024s in + let vec:u8 = Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_n_s16 v v_BARRETT_MULTIPLIER in + let vec:u8 = Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 vec adder in + let quotient:u8 = Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 11l vec in + let sub:u8 = + Libcrux_intrinsics.Arm64_extract.v__vmulq_n_s16 quotient + Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS + in + Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v sub + +let montgomery_reduce_int16x8_t (low high: u8) = + let k:u8 = + Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 (Libcrux_intrinsics.Arm64_extract.v__vmulq_n_u16 + (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_u16_s16 low <: u8) + (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R <: u32) <: u16) + <: + u8) + in + let c:u8 = + Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 1l + (Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_n_s16 k + Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS + <: + u8) + in + Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 high c + +let montgomery_multiply_by_constant_int16x8_t (v: u8) (c: i16) = + let vv_low:u8 = Libcrux_intrinsics.Arm64_extract.v__vmulq_n_s16 v c in + let vv_high:u8 = + Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 1l + (Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_n_s16 v c <: u8) + in + montgomery_reduce_int16x8_t vv_low vv_high + +let montgomery_multiply_int16x8_t (v c: u8) = + let vv_low:u8 = Libcrux_intrinsics.Arm64_extract.v__vmulq_s16 v c in + let vv_high:u8 = + Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 1l + (Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_s16 v c <: u8) + in + montgomery_reduce_int16x8_t vv_low vv_high + let add (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = let lhs:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = { 
@@ -29,54 +73,40 @@ let add (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = in lhs -let bitwise_and_with_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) = - let c:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 c in - let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = +let sub (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + let lhs:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = { - v with + lhs with Libcrux_ml_kem.Vector.Neon.Vector_type.f_low = - Libcrux_intrinsics.Arm64_extract.v__vandq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low c + Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 lhs.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + rhs.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low } <: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector in - let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + let lhs:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = { - v with + lhs with Libcrux_ml_kem.Vector.Neon.Vector_type.f_high = - Libcrux_intrinsics.Arm64_extract.v__vandq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - c + Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 lhs + .Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + rhs.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high } <: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector in - v + lhs -let cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = - let c:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 3329s in - let m0:u8 = - Libcrux_intrinsics.Arm64_extract.v__vcgeq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low c - in - let m1:u8 = - Libcrux_intrinsics.Arm64_extract.v__vcgeq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high c - in - let c0:u8 = - Libcrux_intrinsics.Arm64_extract.v__vandq_s16 c - (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 m0 <: u8) - in - let c1:u8 = - Libcrux_intrinsics.Arm64_extract.v__vandq_s16 c - 
(Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 m1 <: u8) - in +let multiply_by_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) = let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = { v with Libcrux_ml_kem.Vector.Neon.Vector_type.f_low = - Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - c0 + Libcrux_intrinsics.Arm64_extract.v__vmulq_n_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + c } <: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector @@ -86,22 +116,23 @@ let cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vect v with Libcrux_ml_kem.Vector.Neon.Vector_type.f_high = - Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - c1 + Libcrux_intrinsics.Arm64_extract.v__vmulq_n_s16 v + .Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + c } <: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector in v -let multiply_by_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) = +let bitwise_and_with_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) = + let c:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 c in let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = { v with Libcrux_ml_kem.Vector.Neon.Vector_type.f_low = - Libcrux_intrinsics.Arm64_extract.v__vmulq_n_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - c + Libcrux_intrinsics.Arm64_extract.v__vandq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low c } <: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector @@ -111,8 +142,7 @@ let multiply_by_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vec v with Libcrux_ml_kem.Vector.Neon.Vector_type.f_high = - Libcrux_intrinsics.Arm64_extract.v__vmulq_n_s16 v - .Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + Libcrux_intrinsics.Arm64_extract.v__vandq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high c } <: 
@@ -145,42 +175,45 @@ let shift_right (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_S in v -let sub (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = - let lhs:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = +let cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + let c:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 3329s in + let m0:u8 = + Libcrux_intrinsics.Arm64_extract.v__vcgeq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low c + in + let m1:u8 = + Libcrux_intrinsics.Arm64_extract.v__vcgeq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high c + in + let c0:u8 = + Libcrux_intrinsics.Arm64_extract.v__vandq_s16 c + (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 m0 <: u8) + in + let c1:u8 = + Libcrux_intrinsics.Arm64_extract.v__vandq_s16 c + (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 m1 <: u8) + in + let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = { - lhs with + v with Libcrux_ml_kem.Vector.Neon.Vector_type.f_low = - Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 lhs.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - rhs.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + c0 } <: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector in - let lhs:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = { - lhs with + v with Libcrux_ml_kem.Vector.Neon.Vector_type.f_high = - Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 lhs - .Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - rhs.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + c1 } <: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector in - lhs - -let barrett_reduce_int16x8_t (v: u8) = - let adder:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 
1024s in - let vec:u8 = Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_n_s16 v v_BARRETT_MULTIPLIER in - let vec:u8 = Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 vec adder in - let quotient:u8 = Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 11l vec in - let sub:u8 = - Libcrux_intrinsics.Arm64_extract.v__vmulq_n_s16 quotient - Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS - in - Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v sub + v let barrett_reduce (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = @@ -205,31 +238,6 @@ let barrett_reduce (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = in v -let montgomery_reduce_int16x8_t (low high: u8) = - let k:u8 = - Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 (Libcrux_intrinsics.Arm64_extract.v__vmulq_n_u16 - (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_u16_s16 low <: u8) - (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R <: u32) <: u16) - <: - u8) - in - let c:u8 = - Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 1l - (Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_n_s16 k - Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS - <: - u8) - in - Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 high c - -let montgomery_multiply_by_constant_int16x8_t (v: u8) (c: i16) = - let vv_low:u8 = Libcrux_intrinsics.Arm64_extract.v__vmulq_n_s16 v c in - let vv_high:u8 = - Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 1l - (Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_n_s16 v c <: u8) - in - montgomery_reduce_int16x8_t vv_low vv_high - let montgomery_multiply_by_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) 
@@ -255,11 +263,3 @@ let montgomery_multiply_by_constant Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector in v - -let montgomery_multiply_int16x8_t (v c: u8) = - let vv_low:u8 = Libcrux_intrinsics.Arm64_extract.v__vmulq_s16 v c in - let vv_high:u8 = - Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 1l - (Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_s16 v c <: u8) - in - montgomery_reduce_int16x8_t vv_low vv_high diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti index 91b5164fe..61af6dae8 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti 
@@ -5,22 +5,31 @@ open FStar.Mul let v_BARRETT_MULTIPLIER: i16 = 20159s +val barrett_reduce_int16x8_t (v: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_reduce_int16x8_t (low high: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_multiply_by_constant_int16x8_t (v: u8) (c: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_multiply_int16x8_t (v c: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + val add (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val bitwise_and_with_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) +val sub (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) +val multiply_by_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val multiply_by_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) +val bitwise_and_with_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) 
@@ -30,28 +39,19 @@ val shift_right (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_S Prims.l_True (fun _ -> Prims.l_True) -val sub (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) +val cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val barrett_reduce_int16x8_t (v: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) - val barrett_reduce (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val montgomery_reduce_int16x8_t (low high: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) - -val montgomery_multiply_by_constant_int16x8_t (v: u8) (c: i16) - : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) - val montgomery_multiply_by_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) - -val montgomery_multiply_int16x8_t (v c: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fst index 797444743..2465de648 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fst 
@@ -3,6 +3,14 @@ module Libcrux_ml_kem.Vector.Neon.Compress open Core open FStar.Mul +let mask_n_least_significant_bits (coefficient_bits: i16) = + match coefficient_bits <: i16 with + | 4s -> 15s + | 5s -> 31s + | 10s -> 1023s + | 11s -> 2047s + | x -> (1s < 15s - | 5s -> 31s - | 10s -> 1023s - | 11s -> 2047s - | x -> (1s < Prims.l_True) + val compress_int32x4_t (v_COEFFICIENT_BITS: i32) (v: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mask_n_least_significant_bits (coefficient_bits: i16) - : Prims.Pure i16 Prims.l_True (fun _ -> Prims.l_True) +val decompress_uint32x4_t (v_COEFFICIENT_BITS: i32) (v: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val compress (v_COEFFICIENT_BITS: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) +val compress_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val compress_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) +val compress (v_COEFFICIENT_BITS: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val decompress_uint32x4_t (v_COEFFICIENT_BITS: i32) (v: u8) - : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) - val decompress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fst index 36abe54f2..a370847c6 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fst 
@@ -3,65 +3,7 @@ module Libcrux_ml_kem.Vector.Neon.Ntt open Core open FStar.Mul -let inv_ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) = - let zeta:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 zeta in - let b_minus_a:u8 = - Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - in - let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - { - v with - Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - = - Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - in - let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - { - v with - Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - = - Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t b_minus_a zeta - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - in - v - -let ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) = - let zeta:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 zeta in - let t:u8 = - Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t v - .Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - zeta - in - let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - { - v with - Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - = - Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low t - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - in - let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - { - v with - Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - = - Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low t - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - in - v - -let 
inv_ntt_layer_1_step +let ntt_layer_1_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1 zeta2 zeta3 zeta4: i16) = @@ -71,7 +13,7 @@ let inv_ntt_layer_1_step Rust_primitives.Hax.array_of_list 8 list in let zeta:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (zetas <: t_Slice i16) in - let a:u8 = + let dup_a:u8 = Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_s32 (Libcrux_intrinsics.Arm64_extract.v__vtrn1q_s32 (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s32_s16 v .Libcrux_ml_kem.Vector.Neon.Vector_type.f_low @@ -84,7 +26,7 @@ let inv_ntt_layer_1_step <: u8) in - let b:u8 = + let dup_b:u8 = Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_s32 (Libcrux_intrinsics.Arm64_extract.v__vtrn2q_s32 (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s32_s16 v .Libcrux_ml_kem.Vector.Neon.Vector_type.f_low @@ -97,10 +39,9 @@ let inv_ntt_layer_1_step <: u8) in - let b_minus_a:u8 = Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 b a in - let a:u8 = Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 a b in - let a:u8 = Libcrux_ml_kem.Vector.Neon.Arithmetic.barrett_reduce_int16x8_t a in - let b:u8 = Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t b_minus_a zeta in + let t:u8 = Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t dup_b zeta in + let b:u8 = Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 dup_a t in + let a:u8 = Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 dup_a t in let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = { v with 
@@ -131,17 +72,14 @@ let inv_ntt_layer_1_step in v -let inv_ntt_layer_2_step - (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (zeta1 zeta2: i16) - = +let ntt_layer_2_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1 zeta2: i16) = let zetas:t_Array i16 (sz 8) = let list = [zeta1; zeta1; zeta1; zeta1; zeta2; zeta2; zeta2; zeta2] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8); Rust_primitives.Hax.array_of_list 8 list in let zeta:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (zetas <: t_Slice i16) in - let a:u8 = + let dup_a:u8 = Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_s64 (Libcrux_intrinsics.Arm64_extract.v__vtrn1q_s64 (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s64_s16 v .Libcrux_ml_kem.Vector.Neon.Vector_type.f_low @@ -154,7 +92,7 @@ let inv_ntt_layer_2_step <: u8) in - let b:u8 = + let dup_b:u8 = Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_s64 (Libcrux_intrinsics.Arm64_extract.v__vtrn2q_s64 (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s64_s16 v .Libcrux_ml_kem.Vector.Neon.Vector_type.f_low @@ -167,9 +105,9 @@ let inv_ntt_layer_2_step <: u8) in - let b_minus_a:u8 = Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 b a in - let a:u8 = Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 a b in - let b:u8 = Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t b_minus_a zeta in + let t:u8 = Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t dup_b zeta in + let b:u8 = Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 dup_a t in + let a:u8 = Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 dup_a t in let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = { v with 
@@ -200,7 +138,36 @@ let inv_ntt_layer_2_step in v -let ntt_layer_1_step +let ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) = + let zeta:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 zeta in + let t:u8 = + Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t v + .Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + zeta + in + let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + { + v with + Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + = + Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low t + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + in + let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + { + v with + Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + = + Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low t + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + in + v + +let inv_ntt_layer_1_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1 zeta2 zeta3 zeta4: i16) = @@ -210,7 +177,7 @@ let ntt_layer_1_step Rust_primitives.Hax.array_of_list 8 list in let zeta:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (zetas <: t_Slice i16) in - let dup_a:u8 = + let a:u8 = Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_s32 (Libcrux_intrinsics.Arm64_extract.v__vtrn1q_s32 (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s32_s16 v .Libcrux_ml_kem.Vector.Neon.Vector_type.f_low @@ -223,7 +190,7 @@ let ntt_layer_1_step <: u8) in - let dup_b:u8 = + let b:u8 = Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_s32 (Libcrux_intrinsics.Arm64_extract.v__vtrn2q_s32 (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s32_s16 v .Libcrux_ml_kem.Vector.Neon.Vector_type.f_low 
@@ -236,9 +203,10 @@ let ntt_layer_1_step <: u8) in - let t:u8 = Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t dup_b zeta in - let b:u8 = Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 dup_a t in - let a:u8 = Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 dup_a t in + let b_minus_a:u8 = Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 b a in + let a:u8 = Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 a b in + let a:u8 = Libcrux_ml_kem.Vector.Neon.Arithmetic.barrett_reduce_int16x8_t a in + let b:u8 = Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t b_minus_a zeta in let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = { v with @@ -269,14 +237,17 @@ let ntt_layer_1_step in v -let ntt_layer_2_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1 zeta2: i16) = +let inv_ntt_layer_2_step + (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (zeta1 zeta2: i16) + = let zetas:t_Array i16 (sz 8) = let list = [zeta1; zeta1; zeta1; zeta1; zeta2; zeta2; zeta2; zeta2] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8); Rust_primitives.Hax.array_of_list 8 list in let zeta:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (zetas <: t_Slice i16) in - let dup_a:u8 = + let a:u8 = Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_s64 (Libcrux_intrinsics.Arm64_extract.v__vtrn1q_s64 (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s64_s16 v .Libcrux_ml_kem.Vector.Neon.Vector_type.f_low @@ -289,7 +260,7 @@ let ntt_layer_2_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) <: u8) in - let dup_b:u8 = + let b:u8 = Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_s64 (Libcrux_intrinsics.Arm64_extract.v__vtrn2q_s64 (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s64_s16 v .Libcrux_ml_kem.Vector.Neon.Vector_type.f_low 
@@ -302,9 +273,9 @@ let ntt_layer_2_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) <: u8) in - let t:u8 = Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t dup_b zeta in - let b:u8 = Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 dup_a t in - let a:u8 = Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 dup_a t in + let b_minus_a:u8 = Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 b a in + let a:u8 = Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 a b in + let b:u8 = Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t b_minus_a zeta in let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = { v with @@ -335,6 +306,35 @@ let ntt_layer_2_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) in v +let inv_ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) = + let zeta:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 zeta in + let b_minus_a:u8 = + Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + in + let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + { + v with + Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + = + Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + in + let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + { + v with + Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + = + Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t b_minus_a zeta + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + in + v + let ntt_multiply (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1 zeta2 zeta3 zeta4: i16) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fsti index 8beabc8b6..8c5dcd75b 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fsti @@ -3,7 +3,14 @@ module Libcrux_ml_kem.Vector.Neon.Ntt open Core open FStar.Mul -val inv_ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) +val ntt_layer_1_step + (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (zeta1 zeta2 zeta3 zeta4: i16) + : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_layer_2_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1 zeta2: i16) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) @@ -27,14 +34,7 @@ val inv_ntt_layer_2_step Prims.l_True (fun _ -> Prims.l_True) -val ntt_layer_1_step - (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (zeta1 zeta2 zeta3 zeta4: i16) - : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - Prims.l_True - (fun _ -> Prims.l_True) - -val ntt_layer_2_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1 zeta2: i16) +val inv_ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst index 2bda9f7e7..1df5ae57d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst 
@@ -10,6 +10,117 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +let serialize_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + let (shifter: t_Array i16 (sz 8)):t_Array i16 (sz 8) = + let list = [0s; 1s; 2s; 3s; 4s; 5s; 6s; 7s] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8); + Rust_primitives.Hax.array_of_list 8 list + in + let shift:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (shifter <: t_Slice i16) in + let low:u8 = + Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + shift + in + let high:u8 = + Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + shift + in + let low:i16 = Libcrux_intrinsics.Arm64_extract.v__vaddvq_s16 low in + let high:i16 = Libcrux_intrinsics.Arm64_extract.v__vaddvq_s16 high in + let list = [cast (low <: i16) <: u8; cast (high <: i16) <: u8] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); + Rust_primitives.Hax.array_of_list 2 list + +let deserialize_1_ (a: t_Slice u8) = + let one:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 1s in + let low:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 (cast (a.[ sz 0 ] <: u8) <: i16) in + let high:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 (cast (a.[ sz 1 ] <: u8) <: i16) in + let (shifter: t_Array i16 (sz 8)):t_Array i16 (sz 8) = + let list = [0s; 255s; (-2s); (-3s); (-4s); (-5s); (-6s); (-7s)] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8); + Rust_primitives.Hax.array_of_list 8 list + in + let shift:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (shifter <: t_Slice i16) in + let low:u8 = Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 low shift in + let high:u8 = Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 high shift in + { + Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + = + Libcrux_intrinsics.Arm64_extract.v__vandq_s16 low one; + Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + = + 
Libcrux_intrinsics.Arm64_extract.v__vandq_s16 high one + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + +let serialize_4_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + let (shifter: t_Array i16 (sz 8)):t_Array i16 (sz 8) = + let list = [0s; 4s; 8s; 12s; 0s; 4s; 8s; 12s] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8); + Rust_primitives.Hax.array_of_list 8 list + in + let shift:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (shifter <: t_Slice i16) in + let lowt:u8 = + Libcrux_intrinsics.Arm64_extract.v__vshlq_u16 (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_u16_s16 + v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + <: + u8) + shift + in + let hight:u8 = + Libcrux_intrinsics.Arm64_extract.v__vshlq_u16 (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_u16_s16 + v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + <: + u8) + shift + in + let sum0:u64 = + cast (Libcrux_intrinsics.Arm64_extract.v__vaddv_u16 (Libcrux_intrinsics.Arm64_extract.v__vget_low_u16 + lowt + <: + u8) + <: + u16) + <: + u64 + in + let sum1:u64 = + cast (Libcrux_intrinsics.Arm64_extract.v__vaddv_u16 (Libcrux_intrinsics.Arm64_extract.v__vget_high_u16 + lowt + <: + u8) + <: + u16) + <: + u64 + in + let sum2:u64 = + cast (Libcrux_intrinsics.Arm64_extract.v__vaddv_u16 (Libcrux_intrinsics.Arm64_extract.v__vget_low_u16 + hight + <: + u8) + <: + u16) + <: + u64 + in + let sum3:u64 = + cast (Libcrux_intrinsics.Arm64_extract.v__vaddv_u16 (Libcrux_intrinsics.Arm64_extract.v__vget_high_u16 + hight + <: + u8) + <: + u16) + <: + u64 + in + let sum:u64 = + ((sum0 |. 
(sum1 < Prims.l_True) - -val serialize_12_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True) +val serialize_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True) val deserialize_1_ (a: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val deserialize_12_ (v: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - Prims.l_True - (fun _ -> Prims.l_True) - -val serialize_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True) - val serialize_4_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) -val deserialize_10_ (v: t_Slice u8) +val serialize_10_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure (t_Array u8 (sz 20)) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_12_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True) + +val deserialize_12_ (v: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val deserialize_11_ (v: t_Slice u8) +val deserialize_4_ (v: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val deserialize_4_ (v: t_Slice u8) +val serialize_5_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) + +val deserialize_5_ (v: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val deserialize_5_ (v: t_Slice u8) +val deserialize_10_ (v: t_Slice u8) : Prims.Pure 
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) @@ -55,5 +53,7 @@ val deserialize_5_ (v: t_Slice u8) val serialize_11_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True) -val serialize_5_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) +val deserialize_11_ (v: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fst index 761d0a4b3..0905daec0 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fst 
@@ -5,48 +5,6 @@ open FStar.Mul let repr (x:t_SIMD128Vector) = admit() -let v_ZERO (_: Prims.unit) = - let result:t_SIMD128Vector = - { - f_low = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 0s; - f_high = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 0s - } - <: - t_SIMD128Vector - in - let _:Prims.unit = admit () (* Panic freedom *) in - result - -let from_i16_array (array: t_Slice i16) = - let result:t_SIMD128Vector = - { - f_low - = - Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = sz 8 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i16); - f_high - = - Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { - Core.Ops.Range.f_start = sz 8; - Core.Ops.Range.f_end = sz 16 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i16) - } - <: - t_SIMD128Vector - in - let _:Prims.unit = admit () (* Panic freedom *) in - result - [@@ FStar.Tactics.Typeclasses.tcinstance] assume val impl': Core.Clone.t_Clone t_SIMD128Vector 
@@ -98,3 +56,45 @@ let to_i16_array (v: t_SIMD128Vector) = let result:t_Array i16 (sz 16) = out in let _:Prims.unit = admit () (* Panic freedom *) in result + +let from_i16_array (array: t_Slice i16) = + let result:t_SIMD128Vector = + { + f_low + = + Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 8 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16); + f_high + = + Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { + Core.Ops.Range.f_start = sz 8; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16) + } + <: + t_SIMD128Vector + in + let _:Prims.unit = admit () (* Panic freedom *) in + result + +let v_ZERO (_: Prims.unit) = + let result:t_SIMD128Vector = + { + f_low = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 0s; + f_high = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 0s + } + <: + t_SIMD128Vector + in + let _:Prims.unit = admit () (* Panic freedom *) in + result diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fsti index ce6c9b299..10b61f8a1 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fsti 
@@ -10,13 +10,19 @@ type t_SIMD128Vector = { val repr (x:t_SIMD128Vector) : t_Array i16 (sz 16) -val v_ZERO: Prims.unit - -> Prims.Pure t_SIMD128Vector +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl:Core.Clone.t_Clone t_SIMD128Vector + +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_1:Core.Marker.t_Copy t_SIMD128Vector + +val to_i16_array (v: t_SIMD128Vector) + : Prims.Pure (t_Array i16 (sz 16)) Prims.l_True (ensures fun result -> - let result:t_SIMD128Vector = result in - repr result == Seq.create 16 0s) + let result:t_Array i16 (sz 16) = result in + result == repr v) val from_i16_array (array: t_Slice i16) : Prims.Pure t_SIMD128Vector @@ -26,16 +32,10 @@ val from_i16_array (array: t_Slice i16) let result:t_SIMD128Vector = result in repr result == array) -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl:Core.Clone.t_Clone t_SIMD128Vector - -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_1:Core.Marker.t_Copy t_SIMD128Vector - -val to_i16_array (v: t_SIMD128Vector) - : Prims.Pure (t_Array i16 (sz 16)) +val v_ZERO: Prims.unit + -> Prims.Pure t_SIMD128Vector Prims.l_True (ensures fun result -> - let result:t_Array i16 (sz 16) = result in - result == repr v) + let result:t_SIMD128Vector = result in + repr result == Seq.create 16 0s) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fst index 0c4739a48..4c636e2e5 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fst 
@@ -10,6 +10,22 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: Libcrux_ml_kem.Vector.Traits.t_Repr Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + { + _super_13011033735201511749 = FStar.Tactics.Typeclasses.solve; + _super_9529721400157967266 = FStar.Tactics.Typeclasses.solve; + f_repr_pre = (fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true); + f_repr_post + = + (fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (out: t_Array i16 (sz 16)) -> + true); + f_repr + = + fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> + Libcrux_ml_kem.Vector.Neon.Vector_type.to_i16_array x + } + let rej_sample (a: t_Slice u8) (result: t_Slice i16) = let sampled:usize = sz 0 in let result, sampled:(t_Slice i16 & usize) = @@ -48,22 +64,6 @@ let rej_sample (a: t_Slice u8) (result: t_Slice i16) = let hax_temp_output:usize = sampled in result, hax_temp_output <: (t_Slice i16 & usize) -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: Libcrux_ml_kem.Vector.Traits.t_Repr Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - { - _super_13011033735201511749 = FStar.Tactics.Typeclasses.solve; - _super_9529721400157967266 = FStar.Tactics.Typeclasses.solve; - f_repr_pre = (fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true); - f_repr_post - = - (fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (out: t_Array i16 (sz 16)) -> - true); - f_repr - = - fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> - Libcrux_ml_kem.Vector.Neon.Vector_type.to_i16_array x - } - [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_1: Libcrux_ml_kem.Vector.Traits.t_Operations Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fsti index a9ba571dd..3d016d0e6 100644 
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fsti @@ -10,12 +10,12 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -val rej_sample (a: t_Slice u8) (result: t_Slice i16) - : Prims.Pure (t_Slice i16 & usize) Prims.l_True (fun _ -> Prims.l_True) - [@@ FStar.Tactics.Typeclasses.tcinstance] val impl:Libcrux_ml_kem.Vector.Traits.t_Repr Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector +val rej_sample (a: t_Slice u8) (result: t_Slice i16) + : Prims.Pure (t_Slice i16 & usize) Prims.l_True (fun _ -> Prims.l_True) + [@@ FStar.Tactics.Typeclasses.tcinstance] val impl_1:Libcrux_ml_kem.Vector.Traits.t_Operations Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst index 46f0a37be..9d02f4952 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst 
@@ -216,9 +216,49 @@ let add (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = #pop-options -#push-options "--z3rlimit 150" +let sub (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let v__lhs0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in + let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Rust_primitives.Hax.Folds.fold_range (sz 0) + Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR + (fun lhs i -> + let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in + let i:usize = i in + (forall j. + j < v i ==> + (Seq.index lhs.f_elements j) == + (Seq.index v__lhs0.f_elements j) -! (Seq.index rhs.f_elements j)) /\ + (forall j. j >= v i ==> (Seq.index lhs.f_elements j) == (Seq.index v__lhs0.f_elements j))) + lhs + (fun lhs i -> + let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in + let i:usize = i in + let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + lhs with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! + (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) + <: + i16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + lhs) + in + let _:Prims.unit = + assert (forall i. 
+ v (Seq.index lhs.f_elements i) == + v (Seq.index v__lhs0.f_elements i) - v (Seq.index rhs.f_elements i)) + in + lhs -let barrett_reduce (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = +let multiply_by_constant (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) = let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) @@ -227,23 +267,12 @@ let barrett_reduce (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVe let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in let i:usize = i in (forall j. - j < v i ==> - (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j) /\ - v (Seq.index vec.f_elements j) % 3329 == (v (Seq.index v__vec0.f_elements j) % 3329) - )) /\ - (forall j. - j >= v i ==> - (Seq.index vec.f_elements j == Seq.index v__vec0.f_elements j /\ - Spec.Utils.is_i16b 28296 (Seq.index vec.f_elements j)))) + j < v i ==> (Seq.index vec.f_elements j) == (Seq.index v__vec0.f_elements j) *! c) /\ + (forall j. j >= v i ==> (Seq.index vec.f_elements j) == (Seq.index v__vec0.f_elements j))) vec (fun vec i -> let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in let i:usize = i in - let vi:i16 = - barrett_reduce_element (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] - <: - i16) - in let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = { vec with 
@@ -252,24 +281,20 @@ let barrett_reduce (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVe Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements i - vi + ((vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) *! c + <: + i16) } <: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector in - let _:Prims.unit = - assert (v (mk_int #usize_inttype (v i + 1)) == v i + 1); - assert (forall j. j < v i ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j)); - assert (Spec.Utils.is_i16b 3328 vi); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements (v i))); - assert (forall j. j < v i + 1 ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j)) - in vec) in + let _:Prims.unit = + assert (forall i. v (Seq.index vec.f_elements i) == v (Seq.index v__vec0.f_elements i) * v c) + in vec -#pop-options - let bitwise_and_with_constant (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) @@ -310,9 +335,7 @@ let bitwise_and_with_constant in vec -#push-options "--z3rlimit 300" - -let cond_subtract_3329_ (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = +let shift_right (v_SHIFT_BY: i32) (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) 
@@ -322,19 +345,13 @@ let cond_subtract_3329_ (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_Porta let i:usize = i in (forall j. j < v i ==> - Seq.index vec.f_elements j == - (let x = Seq.index v__vec0.f_elements j in - if x >=. 3329s then x -! 3329s else x)) /\ + Seq.index vec.f_elements j == (Seq.index v__vec0.f_elements j >>! v_SHIFT_BY)) /\ (forall j. j >= v i ==> Seq.index vec.f_elements j == Seq.index v__vec0.f_elements j)) vec (fun vec i -> let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in let i:usize = i in - if - (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) >=. 3329s - <: - bool - then + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = { vec with Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements 
@@ -342,30 +359,25 @@ let cond_subtract_3329_ (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_Porta Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements i - ((vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! 3329s + ((vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) >>! + v_SHIFT_BY <: i16) - <: - t_Array i16 (sz 16) } <: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - else vec) + in + vec) in let _:Prims.unit = Seq.lemma_eq_intro vec.f_elements - (Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) v__vec0.f_elements) + (Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) v__vec0.f_elements) in vec -#pop-options - -#push-options "--z3rlimit 150" +#push-options "--z3rlimit 300" -let montgomery_multiply_by_constant - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (c: i16) - = +let cond_subtract_3329_ (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) 
@@ -375,54 +387,19 @@ let montgomery_multiply_by_constant let i:usize = i in (forall j. j < v i ==> - (let vecj = Seq.index vec.f_elements j in - (Spec.Utils.is_i16b 3328 vecj /\ - v vecj % 3329 == (v (Seq.index v__vec0.f_elements j) * v c * 169) % 3329))) /\ - (forall j. j >= v i ==> (Seq.index vec.f_elements j) == (Seq.index v__vec0.f_elements j))) + Seq.index vec.f_elements j == + (let x = Seq.index v__vec0.f_elements j in + if x >=. 3329s then x -! 3329s else x)) /\ + (forall j. j >= v i ==> Seq.index vec.f_elements j == Seq.index v__vec0.f_elements j)) vec (fun vec i -> let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in let i:usize = i in - { - vec with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - (montgomery_multiply_fe_by_fer (vec - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] - <: - i16) - c - <: - i16) + if + (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) >=. 3329s <: - t_Array i16 (sz 16) - } - <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - in - vec - -#pop-options - -let multiply_by_constant (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) = - let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - Rust_primitives.Hax.Folds.fold_range (sz 0) - Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let i:usize = i in - (forall j. - j < v i ==> (Seq.index vec.f_elements j) == (Seq.index v__vec0.f_elements j) *! c) /\ - (forall j. 
j >= v i ==> (Seq.index vec.f_elements j) == (Seq.index v__vec0.f_elements j))) - vec - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let i:usize = i in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + bool + then { vec with Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements @@ -430,21 +407,27 @@ let multiply_by_constant (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_Port Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements i - ((vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) *! c + ((vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! 3329s <: i16) + <: + t_Array i16 (sz 16) } <: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - in - vec) + else vec) in let _:Prims.unit = - assert (forall i. v (Seq.index vec.f_elements i) == v (Seq.index v__vec0.f_elements i) * v c) + Seq.lemma_eq_intro vec.f_elements + (Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) v__vec0.f_elements) in vec -let shift_right (v_SHIFT_BY: i32) (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = +#pop-options + +#push-options "--z3rlimit 150" + +let barrett_reduce (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) 
@@ -454,12 +437,22 @@ let shift_right (v_SHIFT_BY: i32) (vec: Libcrux_ml_kem.Vector.Portable.Vector_ty let i:usize = i in (forall j. j < v i ==> - Seq.index vec.f_elements j == (Seq.index v__vec0.f_elements j >>! v_SHIFT_BY)) /\ - (forall j. j >= v i ==> Seq.index vec.f_elements j == Seq.index v__vec0.f_elements j)) + (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j) /\ + v (Seq.index vec.f_elements j) % 3329 == (v (Seq.index v__vec0.f_elements j) % 3329) + )) /\ + (forall j. + j >= v i ==> + (Seq.index vec.f_elements j == Seq.index v__vec0.f_elements j /\ + Spec.Utils.is_i16b 28296 (Seq.index vec.f_elements j)))) vec (fun vec i -> let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in let i:usize = i in + let vi:i16 = + barrett_reduce_element (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + <: + i16) + in let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = { vec with 
@@ -468,60 +461,67 @@ let shift_right (v_SHIFT_BY: i32) (vec: Libcrux_ml_kem.Vector.Portable.Vector_ty Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements i - ((vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) >>! - v_SHIFT_BY - <: - i16) + vi } <: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector in + let _:Prims.unit = + assert (v (mk_int #usize_inttype (v i + 1)) == v i + 1); + assert (forall j. j < v i ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j)); + assert (Spec.Utils.is_i16b 3328 vi); + assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements (v i))); + assert (forall j. j < v i + 1 ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j)) + in vec) in - let _:Prims.unit = - Seq.lemma_eq_intro vec.f_elements - (Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) v__vec0.f_elements) - in vec -let sub (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let v__lhs0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in - let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = +#pop-options + +#push-options "--z3rlimit 150" + +let montgomery_multiply_by_constant + (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (c: i16) + = + let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun lhs i -> - let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in + (fun vec i -> + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in let i:usize = i in (forall j. j < v i ==> - (Seq.index lhs.f_elements j) == - (Seq.index v__lhs0.f_elements j) -! (Seq.index rhs.f_elements j)) /\ - (forall j. 
j >= v i ==> (Seq.index lhs.f_elements j) == (Seq.index v__lhs0.f_elements j))) - lhs - (fun lhs i -> - let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in + (let vecj = Seq.index vec.f_elements j in + (Spec.Utils.is_i16b 3328 vecj /\ + v vecj % 3329 == (v (Seq.index v__vec0.f_elements j) * v c * 169) % 3329))) /\ + (forall j. j >= v i ==> (Seq.index vec.f_elements j) == (Seq.index v__vec0.f_elements j))) + vec + (fun vec i -> + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in let i:usize = i in - let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - lhs with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! - (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) - <: - i16) - } + { + vec with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + (montgomery_multiply_fe_by_fer (vec + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + <: + i16) + c + <: + i16) <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - in - lhs) - in - let _:Prims.unit = - assert (forall i. - v (Seq.index lhs.f_elements i) == - v (Seq.index v__lhs0.f_elements i) - v (Seq.index rhs.f_elements i)) + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in - lhs + vec + +#pop-options diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti index e072f08d9..574b7f4a1 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti 
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti @@ -3,13 +3,13 @@ module Libcrux_ml_kem.Vector.Portable.Arithmetic open Core open FStar.Mul -/// This is calculated as ⌊(BARRETT_R / FIELD_MODULUS) + 1/2⌋ -let v_BARRETT_MULTIPLIER: i32 = 20159l - let v_MONTGOMERY_SHIFT: u8 = 16uy let v_MONTGOMERY_R: i32 = 1l < + Spec.Utils.is_intb (pow2 15 - 1) + (v (Seq.index lhs.f_elements i) - v (Seq.index rhs.f_elements i))) (ensures fun result -> let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array 3328 result.f_elements /\ - (forall i. - (v (Seq.index result.f_elements i) % 3329) == (v (Seq.index vec.f_elements i) % 3329)) + forall i. + i < 16 ==> + (v (Seq.index result.f_elements i) == + v (Seq.index lhs.f_elements i) - v (Seq.index rhs.f_elements i))) + +val multiply_by_constant (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (requires + forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index vec.f_elements i) * v c) ) + (ensures + fun result -> + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in + forall i. + i < 16 ==> (v (Seq.index result.f_elements i) == v (Seq.index vec.f_elements i) * v c)) val bitwise_and_with_constant (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) 
@@ -101,6 +116,15 @@ val bitwise_and_with_constant let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in result.f_elements == Spec.Utils.map_array (fun x -> x &. c) (vec.f_elements)) +val shift_right (v_SHIFT_BY: i32) (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (requires v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l) + (ensures + fun result -> + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in + (v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==> + result.f_elements == Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) (vec.f_elements)) + /// Note: This function is not secret independent /// Only use with public values. val cond_subtract_3329_ (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) @@ -112,6 +136,17 @@ val cond_subtract_3329_ (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_Porta result.f_elements == Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (vec.f_elements)) +val barrett_reduce (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (requires Spec.Utils.is_i16b_array 28296 vec.f_elements) + (ensures + fun result -> + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in + Spec.Utils.is_i16b_array 3328 result.f_elements /\ + (forall i. + (v (Seq.index result.f_elements i) % 3329) == (v (Seq.index vec.f_elements i) % 3329)) + ) + val montgomery_multiply_by_constant (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) 
@@ -125,38 +160,3 @@ val montgomery_multiply_by_constant i < 16 ==> (v (Seq.index result.f_elements i) % 3329 == (v (Seq.index vec.f_elements i) * v c * 169) % 3329))) - -val multiply_by_constant (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index vec.f_elements i) * v c) - ) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - forall i. - i < 16 ==> (v (Seq.index result.f_elements i) == v (Seq.index vec.f_elements i) * v c)) - -val shift_right (v_SHIFT_BY: i32) (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - (v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==> - result.f_elements == Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) (vec.f_elements)) - -val sub (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index lhs.f_elements i) - v (Seq.index rhs.f_elements i))) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - forall i. - i < 16 ==> - (v (Seq.index result.f_elements i) == - v (Seq.index lhs.f_elements i) - v (Seq.index rhs.f_elements i))) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst index 8ccf885b5..db86a1c62 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst 
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst @@ -5,22 +5,6 @@ open FStar.Mul #push-options "--z3rlimit 200 --ext context_pruning" -let compress_ciphertext_coefficient (coefficient_bits: u8) (fe: u16) = - let compressed:u64 = (cast (fe <: u16) <: u64) <>! 35l in - cast (Libcrux_ml_kem.Vector.Portable.Arithmetic.get_n_least_significant_bits coefficient_bits - (cast (compressed <: u64) <: u32) - <: - u32) - <: - i16 - -#pop-options - -#push-options "--z3rlimit 200 --ext context_pruning" - let compress_message_coefficient (fe: u16) = let (shifted: i16):i16 = 1664s -! (cast (fe <: u16) <: i16) in let _:Prims.unit = assert (v shifted == 1664 - v fe) in 
@@ -63,17 +47,32 @@ let compress_message_coefficient (fe: u16) = #pop-options +#push-options "--z3rlimit 200 --ext context_pruning" + +let compress_ciphertext_coefficient (coefficient_bits: u8) (fe: u16) = + let compressed:u64 = (cast (fe <: u16) <: u64) <>! 35l in + cast (Libcrux_ml_kem.Vector.Portable.Arithmetic.get_n_least_significant_bits coefficient_bits + (cast (compressed <: u64) <: u32) + <: + u32) + <: + i16 + +#pop-options + #push-options "--fuel 0 --ifuel 0 --z3rlimit 2000" -let compress - (v_COEFFICIENT_BITS: i32) - (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - = - let _:Prims.unit = - assert (v (cast (v_COEFFICIENT_BITS) <: u8) == v v_COEFFICIENT_BITS); - assert (v (cast (v_COEFFICIENT_BITS) <: u32) == v v_COEFFICIENT_BITS); - assert (v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16) == 3329) - in +let compress_message_coefficient_range_helper (fe: u16) : Lemma + (requires fe <. (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16)) + (ensures v (cast (compress_message_coefficient fe) <: i16) >= 0 /\ + v (cast (compress_message_coefficient fe) <: i16) < 2) = + assert (v (cast (compress_message_coefficient fe) <: i16) >= 0 /\ + v (cast (compress_message_coefficient fe) <: i16) < 2) + +let compress_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = let _:Prims.unit = assert (forall (i: nat). i < 16 ==> 
@@ -93,12 +92,14 @@ let compress v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16))) /\ (forall (j: nat). j < v i ==> - v (a.f_elements.[ sz j ] <: i16) >= 0 /\ - v (a.f_elements.[ sz j ] <: i16) < pow2 (v (cast (v_COEFFICIENT_BITS) <: u32)))) + v (a.f_elements.[ sz j ] <: i16) >= 0 /\ v (a.f_elements.[ sz j ] <: i16) < 2)) a (fun a i -> let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in let i:usize = i in + let _:Prims.unit = + compress_message_coefficient_range_helper (cast (a.f_elements.[ i ]) <: u16) + in let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = { a with @@ -107,10 +108,14 @@ let compress Rust_primitives.Hax.Monomorphized_update_at.update_at_usize a .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements i - (compress_ciphertext_coefficient (cast (v_COEFFICIENT_BITS <: i32) <: u8) - (cast (a.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) + (cast (compress_message_coefficient (cast (a + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + <: + i16) + <: + u16) <: - u16) + u8) <: i16) } @@ -118,16 +123,13 @@ let compress Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector in let _:Prims.unit = - assert (v (a.f_elements.[ i ] <: i16) >= 0 /\ - v (a.f_elements.[ i ] <: i16) < pow2 (v (cast (v_COEFFICIENT_BITS) <: u32))) + assert (v (a.f_elements.[ i ] <: i16) >= 0 /\ v (a.f_elements.[ i ] <: i16) < 2) in a) in let _:Prims.unit = assert (forall (i: nat). - i < 16 ==> - v (a.f_elements.[ sz i ] <: i16) >= 0 /\ - v (a.f_elements.[ sz i ] <: i16) < pow2 (v v_COEFFICIENT_BITS)) + i < 16 ==> v (a.f_elements.[ sz i ] <: i16) >= 0 /\ v (a.f_elements.[ sz i ] <: i16) < 2) in a 
@@ -135,14 +137,15 @@ let compress #push-options "--fuel 0 --ifuel 0 --z3rlimit 2000" -let compress_message_coefficient_range_helper (fe: u16) : Lemma - (requires fe <. (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16)) - (ensures v (cast (compress_message_coefficient fe) <: i16) >= 0 /\ - v (cast (compress_message_coefficient fe) <: i16) < 2) = - assert (v (cast (compress_message_coefficient fe) <: i16) >= 0 /\ - v (cast (compress_message_coefficient fe) <: i16) < 2) - -let compress_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = +let compress + (v_COEFFICIENT_BITS: i32) + (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let _:Prims.unit = + assert (v (cast (v_COEFFICIENT_BITS) <: u8) == v v_COEFFICIENT_BITS); + assert (v (cast (v_COEFFICIENT_BITS) <: u32) == v v_COEFFICIENT_BITS); + assert (v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16) == 3329) + in let _:Prims.unit = assert (forall (i: nat). i < 16 ==> @@ -162,14 +165,12 @@ let compress_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16))) /\ (forall (j: nat). j < v i ==> - v (a.f_elements.[ sz j ] <: i16) >= 0 /\ v (a.f_elements.[ sz j ] <: i16) < 2)) + v (a.f_elements.[ sz j ] <: i16) >= 0 /\ + v (a.f_elements.[ sz j ] <: i16) < pow2 (v (cast (v_COEFFICIENT_BITS) <: u32)))) a (fun a i -> let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in let i:usize = i in - let _:Prims.unit = - compress_message_coefficient_range_helper (cast (a.f_elements.[ i ]) <: u16) - in let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = { a with 
@@ -178,14 +179,10 @@ let compress_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) Rust_primitives.Hax.Monomorphized_update_at.update_at_usize a .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements i - (cast (compress_message_coefficient (cast (a - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] - <: - i16) - <: - u16) + (compress_ciphertext_coefficient (cast (v_COEFFICIENT_BITS <: i32) <: u8) + (cast (a.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) <: - u8) + u16) <: i16) } @@ -193,13 +190,16 @@ let compress_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector in let _:Prims.unit = - assert (v (a.f_elements.[ i ] <: i16) >= 0 /\ v (a.f_elements.[ i ] <: i16) < 2) + assert (v (a.f_elements.[ i ] <: i16) >= 0 /\ + v (a.f_elements.[ i ] <: i16) < pow2 (v (cast (v_COEFFICIENT_BITS) <: u32))) in a) in let _:Prims.unit = assert (forall (i: nat). - i < 16 ==> v (a.f_elements.[ sz i ] <: i16) >= 0 /\ v (a.f_elements.[ sz i ] <: i16) < 2) + i < 16 ==> + v (a.f_elements.[ sz i ] <: i16) >= 0 /\ + v (a.f_elements.[ sz i ] <: i16) < pow2 (v v_COEFFICIENT_BITS)) in a diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti index 32527079f..e25c235c8 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti 
@@ -3,18 +3,6 @@ module Libcrux_ml_kem.Vector.Portable.Compress open Core open FStar.Mul -val compress_ciphertext_coefficient (coefficient_bits: u8) (fe: u16) - : Prims.Pure i16 - (requires - (coefficient_bits =. 4uy || coefficient_bits =. 5uy || coefficient_bits =. 10uy || - coefficient_bits =. 11uy) && - fe <. (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: u16)) - (ensures - fun result -> - let result:i16 = result in - result >=. 0s && - result <. (Core.Num.impl__i16__pow 2s (cast (coefficient_bits <: u8) <: u32) <: i16)) - /// The `compress_*` functions implement the `Compress` function specified in the NIST FIPS /// 203 standard (Page 18, Expression 4.5), which is defined as: /// ```plaintext @@ -45,6 +33,30 @@ val compress_message_coefficient (fe: u16) let _:Prims.unit = temp_0_ in result =. 0uy <: bool)) +val compress_ciphertext_coefficient (coefficient_bits: u8) (fe: u16) + : Prims.Pure i16 + (requires + (coefficient_bits =. 4uy || coefficient_bits =. 5uy || coefficient_bits =. 10uy || + coefficient_bits =. 11uy) && + fe <. (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: u16)) + (ensures + fun result -> + let result:i16 = result in + result >=. 0s && + result <. (Core.Num.impl__i16__pow 2s (cast (coefficient_bits <: u8) <: u32) <: i16)) + +val compress_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (requires + forall (i: nat). + i < 16 ==> v (Seq.index a.f_elements i) >= 0 /\ v (Seq.index a.f_elements i) < 3329) + (ensures + fun result -> + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in + forall (i: nat). + i < 16 ==> + v (result.f_elements.[ sz i ] <: i16) >= 0 /\ v (result.f_elements.[ sz i ] <: i16) < 2) + val compress (v_COEFFICIENT_BITS: i32) (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) 
@@ -62,18 +74,6 @@ val compress v (result.f_elements.[ sz i ] <: i16) >= 0 /\ v (result.f_elements.[ sz i ] <: i16) < pow2 (v v_COEFFICIENT_BITS)) -val compress_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - forall (i: nat). - i < 16 ==> v (Seq.index a.f_elements i) >= 0 /\ v (Seq.index a.f_elements i) < 3329) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - forall (i: nat). - i < 16 ==> - v (result.f_elements.[ sz i ] <: i16) >= 0 /\ v (result.f_elements.[ sz i ] <: i16) < 2) - val decompress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fst index cd2dd7446..a7830a398 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fst 
@@ -3,6 +3,194 @@ module Libcrux_ml_kem.Vector.Portable.Ntt open Core open FStar.Mul +let ntt_step + (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta: i16) + (i j: usize) + = + let t:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (vec + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] + <: + i16) + zeta + in + let _:Prims.unit = + assert (v t % 3329 == ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329)) + in + let a_minus_t:i16 = + (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! t + in + let _:Prims.unit = + calc ( == ) { + v a_minus_t % 3329; + ( == ) { () } + (v (Seq.index vec.f_elements (v i)) - v t) % 3329; + ( == ) { Math.Lemmas.lemma_mod_sub_distr (v (Seq.index vec.f_elements (v i))) (v t) 3329 } + (v (Seq.index vec.f_elements (v i)) - (v t % 3329)) % 3329; + ( == ) { () } + (v (Seq.index vec.f_elements (v i)) - + ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329)) % + 3329; + ( == ) { Math.Lemmas.lemma_mod_sub_distr (v (Seq.index vec.f_elements (v i))) + (v (Seq.index vec.f_elements (v j)) * v zeta * 169) + 3329 } + (v (Seq.index vec.f_elements (v i)) - (v (Seq.index vec.f_elements (v j)) * v zeta * 169)) % + 3329; + } + in + let a_plus_t:i16 = + (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) +! 
t + in + let _:Prims.unit = + calc ( == ) { + v a_plus_t % 3329; + ( == ) { () } + (v (Seq.index vec.f_elements (v i)) + v t) % 3329; + ( == ) { Math.Lemmas.lemma_mod_add_distr (v (Seq.index vec.f_elements (v i))) (v t) 3329 } + (v (Seq.index vec.f_elements (v i)) + (v t % 3329)) % 3329; + ( == ) { () } + (v (Seq.index vec.f_elements (v i)) + + ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329)) % + 3329; + ( == ) { Math.Lemmas.lemma_mod_add_distr (v (Seq.index vec.f_elements (v i))) + (v (Seq.index vec.f_elements (v j)) * v zeta * 169) + 3329 } + (v (Seq.index vec.f_elements (v i)) + (v (Seq.index vec.f_elements (v j)) * v zeta * 169)) % + 3329; + } + in + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + vec with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + j + a_minus_t + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + { + vec with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + a_plus_t + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + in + let _:Prims.unit = + assert (Seq.index vec.f_elements (v i) == a_plus_t); + assert (Seq.index vec.f_elements (v j) == a_minus_t) + in + vec + +#push-options "--z3rlimit 100" + +let ntt_layer_1_step + (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0 zeta1 zeta2 zeta3: i16) + = + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step vec zeta0 (sz 0) (sz 2) + in + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step vec zeta0 (sz 1) (sz 3) + in + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = 
+ ntt_step vec zeta1 (sz 4) (sz 6) + in + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step vec zeta1 (sz 5) (sz 7) + in + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step vec zeta2 (sz 8) (sz 10) + in + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step vec zeta2 (sz 9) (sz 11) + in + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step vec zeta3 (sz 12) (sz 14) + in + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step vec zeta3 (sz 13) (sz 15) + in + vec + +#pop-options + +#push-options "--z3rlimit 100" + +let ntt_layer_2_step + (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0 zeta1: i16) + = + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step vec zeta0 (sz 0) (sz 4) + in + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step vec zeta0 (sz 1) (sz 5) + in + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step vec zeta0 (sz 2) (sz 6) + in + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step vec zeta0 (sz 3) (sz 7) + in + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step vec zeta1 (sz 8) (sz 12) + in + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step vec zeta1 (sz 9) (sz 13) + in + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step vec zeta1 (sz 10) (sz 14) + in + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step vec zeta1 (sz 11) (sz 15) + in + vec + +#pop-options + +#push-options "--z3rlimit 100" + +let ntt_layer_3_step (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) = + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step vec zeta (sz 0) (sz 8) + in + let 
vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step vec zeta (sz 1) (sz 9) + in + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step vec zeta (sz 2) (sz 10) + in + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step vec zeta (sz 3) (sz 11) + in + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step vec zeta (sz 4) (sz 12) + in + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step vec zeta (sz 5) (sz 13) + in + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step vec zeta (sz 6) (sz 14) + in + let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step vec zeta (sz 7) (sz 15) + in + vec + +#pop-options + let inv_ntt_step (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) 
@@ -322,194 +510,6 @@ let ntt_multiply_binomials #pop-options -let ntt_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (zeta: i16) - (i j: usize) - = - let t:i16 = - Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (vec - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] - <: - i16) - zeta - in - let _:Prims.unit = - assert (v t % 3329 == ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329)) - in - let a_minus_t:i16 = - (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! t - in - let _:Prims.unit = - calc ( == ) { - v a_minus_t % 3329; - ( == ) { () } - (v (Seq.index vec.f_elements (v i)) - v t) % 3329; - ( == ) { Math.Lemmas.lemma_mod_sub_distr (v (Seq.index vec.f_elements (v i))) (v t) 3329 } - (v (Seq.index vec.f_elements (v i)) - (v t % 3329)) % 3329; - ( == ) { () } - (v (Seq.index vec.f_elements (v i)) - - ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329)) % - 3329; - ( == ) { Math.Lemmas.lemma_mod_sub_distr (v (Seq.index vec.f_elements (v i))) - (v (Seq.index vec.f_elements (v j)) * v zeta * 169) - 3329 } - (v (Seq.index vec.f_elements (v i)) - (v (Seq.index vec.f_elements (v j)) * v zeta * 169)) % - 3329; - } - in - let a_plus_t:i16 = - (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) +! 
t - in - let _:Prims.unit = - calc ( == ) { - v a_plus_t % 3329; - ( == ) { () } - (v (Seq.index vec.f_elements (v i)) + v t) % 3329; - ( == ) { Math.Lemmas.lemma_mod_add_distr (v (Seq.index vec.f_elements (v i))) (v t) 3329 } - (v (Seq.index vec.f_elements (v i)) + (v t % 3329)) % 3329; - ( == ) { () } - (v (Seq.index vec.f_elements (v i)) + - ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329)) % - 3329; - ( == ) { Math.Lemmas.lemma_mod_add_distr (v (Seq.index vec.f_elements (v i))) - (v (Seq.index vec.f_elements (v j)) * v zeta * 169) - 3329 } - (v (Seq.index vec.f_elements (v i)) + (v (Seq.index vec.f_elements (v j)) * v zeta * 169)) % - 3329; - } - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - vec with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - j - a_minus_t - } - <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - vec with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - a_plus_t - } - <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - in - let _:Prims.unit = - assert (Seq.index vec.f_elements (v i) == a_plus_t); - assert (Seq.index vec.f_elements (v j) == a_minus_t) - in - vec - -#push-options "--z3rlimit 100" - -let ntt_layer_1_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (zeta0 zeta1 zeta2 zeta3: i16) - = - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta0 (sz 0) (sz 2) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta0 (sz 1) (sz 3) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = 
- ntt_step vec zeta1 (sz 4) (sz 6) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta1 (sz 5) (sz 7) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta2 (sz 8) (sz 10) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta2 (sz 9) (sz 11) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta3 (sz 12) (sz 14) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta3 (sz 13) (sz 15) - in - vec - -#pop-options - -#push-options "--z3rlimit 100" - -let ntt_layer_2_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (zeta0 zeta1: i16) - = - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta0 (sz 0) (sz 4) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta0 (sz 1) (sz 5) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta0 (sz 2) (sz 6) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta0 (sz 3) (sz 7) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta1 (sz 8) (sz 12) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta1 (sz 9) (sz 13) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta1 (sz 10) (sz 14) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta1 (sz 11) (sz 15) - in - vec - -#pop-options - -#push-options "--z3rlimit 100" - -let ntt_layer_3_step (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) = - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 0) (sz 8) - in - let 
vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 1) (sz 9) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 2) (sz 10) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 3) (sz 11) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 4) (sz 12) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 5) (sz 13) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 6) (sz 14) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 7) (sz 15) - in - vec - -#pop-options - #push-options "--z3rlimit 100" let ntt_multiply diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fsti index c5532bbde..e5498d53d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fsti 
@@ -5,6 +5,65 @@ open FStar.Mul [@@ "opaque_to_smt"] +val ntt_step + (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta: i16) + (i j: usize) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (requires + v i < 16 /\ v j < 16 /\ v i <> v j /\ Spec.Utils.is_i16b 1664 zeta /\ + Spec.Utils.is_i16b_array (11207 + 6 * 3328) vec.f_elements /\ + Spec.Utils.is_i16b (11207 + 5 * 3328) vec.f_elements.[ i ] /\ + Spec.Utils.is_i16b (11207 + 5 * 3328) vec.f_elements.[ j ]) + (ensures + fun vec_future -> + let vec_future:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec_future in + (forall k. + (k <> v i /\ k <> v j) ==> + Seq.index vec_future.f_elements k == Seq.index vec.f_elements k) /\ + (forall b. + (Spec.Utils.is_i16b b vec.f_elements.[ i ] /\ + Spec.Utils.is_i16b b vec.f_elements.[ j ]) ==> + (Spec.Utils.is_i16b (b + 3328) vec_future.f_elements.[ i ] /\ + Spec.Utils.is_i16b (b + 3328) vec_future.f_elements.[ j ])) /\ + Spec.Utils.ntt_spec vec.f_elements (v zeta) (v i) (v j) vec_future.f_elements) + +val ntt_layer_1_step + (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0 zeta1 zeta2 zeta3: i16) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (requires + Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ + Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ + Spec.Utils.is_i16b_array (11207 + 5 * 3328) vec.f_elements) + (ensures + fun result -> + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in + Spec.Utils.is_i16b_array (11207 + 6 * 3328) result.f_elements) + +val ntt_layer_2_step + (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (zeta0 zeta1: i16) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (requires + Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ + Spec.Utils.is_i16b_array (11207 + 4 * 3328) vec.f_elements) + (ensures 
+ fun result -> + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in + Spec.Utils.is_i16b_array (11207 + 5 * 3328) result.f_elements) + +val ntt_layer_3_step (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (requires + Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array (11207 + 3 * 3328) vec.f_elements) + (ensures + fun result -> + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in + Spec.Utils.is_i16b_array (11207 + 4 * 3328) result.f_elements) + +[@@ "opaque_to_smt"] + val inv_ntt_step (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) 
@@ -102,65 +161,6 @@ val ntt_multiply_binomials ((v oi % 3329) == (((v ai * v bi + (v aj * v bj * v zeta * 169)) * 169) % 3329)) /\ ((v oj % 3329) == (((v ai * v bj + v aj * v bi) * 169) % 3329)))) -[@@ "opaque_to_smt"] - -val ntt_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (zeta: i16) - (i j: usize) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - v i < 16 /\ v j < 16 /\ v i <> v j /\ Spec.Utils.is_i16b 1664 zeta /\ - Spec.Utils.is_i16b_array (11207 + 6 * 3328) vec.f_elements /\ - Spec.Utils.is_i16b (11207 + 5 * 3328) vec.f_elements.[ i ] /\ - Spec.Utils.is_i16b (11207 + 5 * 3328) vec.f_elements.[ j ]) - (ensures - fun vec_future -> - let vec_future:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec_future in - (forall k. - (k <> v i /\ k <> v j) ==> - Seq.index vec_future.f_elements k == Seq.index vec.f_elements k) /\ - (forall b. - (Spec.Utils.is_i16b b vec.f_elements.[ i ] /\ - Spec.Utils.is_i16b b vec.f_elements.[ j ]) ==> - (Spec.Utils.is_i16b (b + 3328) vec_future.f_elements.[ i ] /\ - Spec.Utils.is_i16b (b + 3328) vec_future.f_elements.[ j ])) /\ - Spec.Utils.ntt_spec vec.f_elements (v zeta) (v i) (v j) vec_future.f_elements) - -val ntt_layer_1_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (zeta0 zeta1 zeta2 zeta3: i16) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array (11207 + 5 * 3328) vec.f_elements) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array (11207 + 6 * 3328) result.f_elements) - -val ntt_layer_2_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (zeta0 zeta1: i16) - : Prims.Pure 
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b_array (11207 + 4 * 3328) vec.f_elements) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array (11207 + 5 * 3328) result.f_elements) - -val ntt_layer_3_step (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array (11207 + 3 * 3328) vec.f_elements) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array (11207 + 4 * 3328) result.f_elements) - val ntt_multiply (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1 zeta2 zeta3: i16) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst index 9e7f111dc..cfc0d5a38 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst 
@@ -3,89 +3,20 @@ module Libcrux_ml_kem.Vector.Portable.Serialize open Core open FStar.Mul -let deserialize_10_int (bytes: t_Slice u8) = - let r0:i16 = - (((cast (bytes.[ sz 1 ] <: u8) <: i16) &. 3s <: i16) <>! 2l <: i16) - in - let r2:i16 = - (((cast (bytes.[ sz 3 ] <: u8) <: i16) &. 63s <: i16) <>! 4l <: i16) - in - let r3:i16 = - ((cast (bytes.[ sz 4 ] <: u8) <: i16) <>! 6l <: i16) - in - let r4:i16 = - (((cast (bytes.[ sz 6 ] <: u8) <: i16) &. 3s <: i16) <>! 2l <: i16) - in - let r6:i16 = - (((cast (bytes.[ sz 8 ] <: u8) <: i16) &. 63s <: i16) <>! 4l <: i16) - in - let r7:i16 = - ((cast (bytes.[ sz 9 ] <: u8) <: i16) <>! 6l <: i16) - in - r0, r1, r2, r3, r4, r5, r6, r7 <: (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) - -let deserialize_11_int (bytes: t_Slice u8) = - let r0:i16 = - (((cast (bytes.[ sz 1 ] <: u8) <: i16) &. 7s <: i16) <>! 3l <: i16) - in - let r2:i16 = - ((((cast (bytes.[ sz 4 ] <: u8) <: i16) &. 1s <: i16) <>! 6l <: i16) - in - let r3:i16 = - (((cast (bytes.[ sz 5 ] <: u8) <: i16) &. 15s <: i16) <>! 1l <: i16) - in - let r4:i16 = - (((cast (bytes.[ sz 6 ] <: u8) <: i16) &. 127s <: i16) <>! 4l <: i16) +let serialize_4_int (v: t_Slice i16) = + let result0:u8 = + ((cast (v.[ sz 1 ] <: i16) <: u8) <>! 7l <: i16) + let result1:u8 = + ((cast (v.[ sz 3 ] <: i16) <: u8) <>! 2l <: i16) + let result2:u8 = + ((cast (v.[ sz 5 ] <: i16) <: u8) <>! 5l <: i16) + let result3:u8 = + ((cast (v.[ sz 7 ] <: i16) <: u8) <>! 4l <: i16) &. 15s <: i16) in - r0, r1 <: (i16 & i16) + result0, result1, result2, result3 <: (u8 & u8 & u8 & u8) let deserialize_4_int (bytes: t_Slice u8) = let v0:i16 = cast ((bytes.[ sz 0 ] <: u8) &. 15uy <: u8) <: i16 in 
@@ -98,6 +29,32 @@ let deserialize_4_int (bytes: t_Slice u8) = let v7:i16 = cast (((bytes.[ sz 3 ] <: u8) >>! 4l <: u8) &. 15uy <: u8) <: i16 in v0, v1, v2, v3, v4, v5, v6, v7 <: (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) +let serialize_5_int (v: t_Slice i16) = + let r0:u8 = cast ((v.[ sz 0 ] <: i16) |. ((v.[ sz 1 ] <: i16) <>! 3l <: i16) |. ((v.[ sz 2 ] <: i16) <>! 1l <: i16) |. ((v.[ sz 4 ] <: i16) <>! 4l <: i16) |. ((v.[ sz 5 ] <: i16) <>! 2l <: i16) |. ((v.[ sz 7 ] <: i16) <>! 2l <: i16) &. 255s <: i16) <: u8 in r0, r1, r2, r3, r4 <: (u8 & u8 & u8 & u8 & u8) +let deserialize_10_int (bytes: t_Slice u8) = + let r0:i16 = + (((cast (bytes.[ sz 1 ] <: u8) <: i16) &. 3s <: i16) <>! 2l <: i16) + in + let r2:i16 = + (((cast (bytes.[ sz 3 ] <: u8) <: i16) &. 63s <: i16) <>! 4l <: i16) + in + let r3:i16 = + ((cast (bytes.[ sz 4 ] <: u8) <: i16) <>! 6l <: i16) + in + let r4:i16 = + (((cast (bytes.[ sz 6 ] <: u8) <: i16) &. 3s <: i16) <>! 2l <: i16) + in + let r6:i16 = + (((cast (bytes.[ sz 8 ] <: u8) <: i16) &. 63s <: i16) <>! 4l <: i16) + in + let r7:i16 = + ((cast (bytes.[ sz 9 ] <: u8) <: i16) <>! 6l <: i16) + in + r0, r1, r2, r3, r4, r5, r6, r7 <: (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) + let serialize_11_int (v: t_Slice i16) = let r0:u8 = cast (v.[ sz 0 ] <: i16) <: u8 in let r1:u8 = 
@@ -191,88 +183,96 @@ let serialize_11_int (v: t_Slice i16) = <: (u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8) -let serialize_12_int (v: t_Slice i16) = - let r0:u8 = cast ((v.[ sz 0 ] <: i16) &. 255s <: i16) <: u8 in - let r1:u8 = - cast (((v.[ sz 0 ] <: i16) >>! 8l <: i16) |. (((v.[ sz 1 ] <: i16) &. 15s <: i16) <>! 4l <: i16) &. 255s <: i16) <: u8 in - r0, r1, r2 <: (u8 & u8 & u8) - -let serialize_4_int (v: t_Slice i16) = - let result0:u8 = - ((cast (v.[ sz 1 ] <: i16) <: u8) <>! 3l <: i16) in - let result1:u8 = - ((cast (v.[ sz 3 ] <: i16) <: u8) <>! 6l <: i16) in - let result2:u8 = - ((cast (v.[ sz 5 ] <: i16) <: u8) <>! 1l <: i16) in - let result3:u8 = - ((cast (v.[ sz 7 ] <: i16) <: u8) <>! 4l <: i16) in - result0, result1, result2, result3 <: (u8 & u8 & u8 & u8) - -let serialize_5_int (v: t_Slice i16) = - let r0:u8 = cast ((v.[ sz 0 ] <: i16) |. ((v.[ sz 1 ] <: i16) <>! 3l <: i16) |. ((v.[ sz 2 ] <: i16) <>! 7l <: i16) in - let r2:u8 = - cast (((v.[ sz 3 ] <: i16) >>! 1l <: i16) |. ((v.[ sz 4 ] <: i16) <>! 2l <: i16) in - let r3:u8 = - cast ((((v.[ sz 4 ] <: i16) >>! 4l <: i16) |. ((v.[ sz 5 ] <: i16) <>! 5l <: i16) + in + r0, r1, r2, r3, r4, r5, r6, r7 <: (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) + +let serialize_12_int (v: t_Slice i16) = + let r0:u8 = cast ((v.[ sz 0 ] <: i16) &. 255s <: i16) <: u8 in + let r1:u8 = + cast (((v.[ sz 0 ] <: i16) >>! 8l <: i16) |. (((v.[ sz 1 ] <: i16) &. 15s <: i16) <>! 2l <: i16) |. ((v.[ sz 7 ] <: i16) <>! 4l <: i16) &. 255s <: i16) <: u8 in + r0, r1, r2 <: (u8 & u8 & u8) -let deserialize_11_ (bytes: t_Slice u8) = - let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = - deserialize_11_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 11 } +let deserialize_12_int (bytes: t_Slice u8) = + let byte0:i16 = cast (bytes.[ sz 0 ] <: u8) <: i16 in + let byte1:i16 = cast (bytes.[ sz 1 ] <: u8) <: i16 in + let byte2:i16 = cast (bytes.[ sz 2 ] <: u8) <: i16 in + let r0:i16 = ((byte1 &. 
15s <: i16) <>! 4l <: i16) &. 15s <: i16) in + r0, r1 <: (i16 & i16) + +let serialize_5_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let r0_4_:(u8 & u8 & u8 & u8 & u8) = + serialize_5_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 8 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - let v8_15_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = - deserialize_11_int (bytes.[ { Core.Ops.Range.f_start = sz 11; Core.Ops.Range.f_end = sz 22 } + let r5_9_:(u8 & u8 & u8 & u8 & u8) = + serialize_5_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 8; + Core.Ops.Range.f_end = sz 16 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - { - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - let list = - [ - v0_7_._1; v0_7_._2; v0_7_._3; v0_7_._4; v0_7_._5; v0_7_._6; v0_7_._7; v0_7_._8; v8_15_._1; - v8_15_._2; v8_15_._3; v8_15_._4; v8_15_._5; v8_15_._6; v8_15_._7; v8_15_._8 - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); - Rust_primitives.Hax.array_of_list 16 list - } - <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + let list = + [ + r0_4_._1; r0_4_._2; r0_4_._3; r0_4_._4; r0_4_._5; r5_9_._1; r5_9_._2; r5_9_._3; r5_9_._4; + r5_9_._5 + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 10); + Rust_primitives.Hax.array_of_list 10 list let deserialize_5_ (bytes: t_Slice u8) = let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = 
@@ -335,60 +335,28 @@ let serialize_11_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVecto FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 22); Rust_primitives.Hax.array_of_list 22 list -let serialize_5_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let r0_4_:(u8 & u8 & u8 & u8 & u8) = - serialize_5_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = sz 8 - } +let deserialize_11_ (bytes: t_Slice u8) = + let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = + deserialize_11_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 11 } <: Core.Ops.Range.t_Range usize ] <: - t_Slice i16) + t_Slice u8) in - let r5_9_:(u8 & u8 & u8 & u8 & u8) = - serialize_5_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { - Core.Ops.Range.f_start = sz 8; - Core.Ops.Range.f_end = sz 16 - } + let v8_15_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = + deserialize_11_int (bytes.[ { Core.Ops.Range.f_start = sz 11; Core.Ops.Range.f_end = sz 22 } <: Core.Ops.Range.t_Range usize ] <: - t_Slice i16) - in - let list = - [ - r0_4_._1; r0_4_._2; r0_4_._3; r0_4_._4; r0_4_._5; r5_9_._1; r5_9_._2; r5_9_._3; r5_9_._4; - r5_9_._5 - ] + t_Slice u8) in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 10); - Rust_primitives.Hax.array_of_list 10 list - -let rec deserialize_1_ (v: t_Slice u8) = - let result0:i16 = cast ((v.[ sz 0 ] <: u8) &. 1uy <: u8) <: i16 in - let result1:i16 = cast (((v.[ sz 0 ] <: u8) >>! 1l <: u8) &. 1uy <: u8) <: i16 in - let result2:i16 = cast (((v.[ sz 0 ] <: u8) >>! 2l <: u8) &. 1uy <: u8) <: i16 in - let result3:i16 = cast (((v.[ sz 0 ] <: u8) >>! 3l <: u8) &. 1uy <: u8) <: i16 in - let result4:i16 = cast (((v.[ sz 0 ] <: u8) >>! 4l <: u8) &. 1uy <: u8) <: i16 in - let result5:i16 = cast (((v.[ sz 0 ] <: u8) >>! 5l <: u8) &. 1uy <: u8) <: i16 in - let result6:i16 = cast (((v.[ sz 0 ] <: u8) >>! 
6l <: u8) &. 1uy <: u8) <: i16 in - let result7:i16 = cast (((v.[ sz 0 ] <: u8) >>! 7l <: u8) &. 1uy <: u8) <: i16 in - let result8:i16 = cast ((v.[ sz 1 ] <: u8) &. 1uy <: u8) <: i16 in - let result9:i16 = cast (((v.[ sz 1 ] <: u8) >>! 1l <: u8) &. 1uy <: u8) <: i16 in - let result10:i16 = cast (((v.[ sz 1 ] <: u8) >>! 2l <: u8) &. 1uy <: u8) <: i16 in - let result11:i16 = cast (((v.[ sz 1 ] <: u8) >>! 3l <: u8) &. 1uy <: u8) <: i16 in - let result12:i16 = cast (((v.[ sz 1 ] <: u8) >>! 4l <: u8) &. 1uy <: u8) <: i16 in - let result13:i16 = cast (((v.[ sz 1 ] <: u8) >>! 5l <: u8) &. 1uy <: u8) <: i16 in - let result14:i16 = cast (((v.[ sz 1 ] <: u8) >>! 6l <: u8) &. 1uy <: u8) <: i16 in - let result15:i16 = cast (((v.[ sz 1 ] <: u8) >>! 7l <: u8) &. 1uy <: u8) <: i16 in { Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements = let list = [ - result0; result1; result2; result3; result4; result5; result6; result7; result8; result9; - result10; result11; result12; result13; result14; result15 + v0_7_._1; v0_7_._2; v0_7_._3; v0_7_._4; v0_7_._5; v0_7_._6; v0_7_._7; v0_7_._8; v8_15_._1; + v8_15_._2; v8_15_._3; v8_15_._4; v8_15_._5; v8_15_._6; v8_15_._7; v8_15_._8 ] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); 
@@ -397,67 +365,109 @@ let rec deserialize_1_ (v: t_Slice u8) = <: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector -#push-options "--compat_pre_core 2 --z3rlimit 300 --z3refresh" - -let deserialize_1_bit_vec_lemma (v: t_Array u8 (sz 2)) - : squash ( - let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (deserialize_1_ v).f_elements 1 in - (forall (i: nat {i < 16}). inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options - -#push-options "--z3rlimit 300" - -let deserialize_1_lemma inputs = - deserialize_1_bit_vec_lemma inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (deserialize_1_ inputs).f_elements 1) - (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -#pop-options - -let deserialize_1_bounded_lemma inputs = - admit() - -let rec deserialize_10_ (bytes: t_Slice u8) = - let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = - deserialize_10_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 10 } +let rec serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let result0:u8 = + (((((((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 0 ] <: i16) <: u8) |. + ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 1 ] <: i16) + <: + u8) <>! 1l <: u8) &. 1uy <: u8) <: i16 in + let result2:i16 = cast (((v.[ sz 0 ] <: u8) >>! 2l <: u8) &. 1uy <: u8) <: i16 in + let result3:i16 = cast (((v.[ sz 0 ] <: u8) >>! 3l <: u8) &. 1uy <: u8) <: i16 in + let result4:i16 = cast (((v.[ sz 0 ] <: u8) >>! 4l <: u8) &. 1uy <: u8) <: i16 in + let result5:i16 = cast (((v.[ sz 0 ] <: u8) >>! 5l <: u8) &. 1uy <: u8) <: i16 in + let result6:i16 = cast (((v.[ sz 0 ] <: u8) >>! 6l <: u8) &. 1uy <: u8) <: i16 in + let result7:i16 = cast (((v.[ sz 0 ] <: u8) >>! 7l <: u8) &. 1uy <: u8) <: i16 in + let result8:i16 = cast ((v.[ sz 1 ] <: u8) &. 1uy <: u8) <: i16 in + let result9:i16 = cast (((v.[ sz 1 ] <: u8) >>! 
1l <: u8) &. 1uy <: u8) <: i16 in + let result10:i16 = cast (((v.[ sz 1 ] <: u8) >>! 2l <: u8) &. 1uy <: u8) <: i16 in + let result11:i16 = cast (((v.[ sz 1 ] <: u8) >>! 3l <: u8) &. 1uy <: u8) <: i16 in + let result12:i16 = cast (((v.[ sz 1 ] <: u8) >>! 4l <: u8) &. 1uy <: u8) <: i16 in + let result13:i16 = cast (((v.[ sz 1 ] <: u8) >>! 5l <: u8) &. 1uy <: u8) <: i16 in + let result14:i16 = cast (((v.[ sz 1 ] <: u8) >>! 6l <: u8) &. 1uy <: u8) <: i16 in + let result15:i16 = cast (((v.[ sz 1 ] <: u8) >>! 7l <: u8) &. 1uy <: u8) <: i16 in { Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements = let list = [ - v0_1_._1; v0_1_._2; v2_3_._1; v2_3_._2; v4_5_._1; v4_5_._2; v6_7_._1; v6_7_._2; v8_9_._1; - v8_9_._2; v10_11_._1; v10_11_._2; v12_13_._1; v12_13_._2; v14_15_._1; v14_15_._2 + result0; result1; result2; result3; result4; result5; result6; result7; result8; result9; + result10; result11; result12; result13; result14; result15 ] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); @@ -549,11 +516,11 @@ let rec deserialize_12_ (bytes: t_Slice u8) = #push-options "--compat_pre_core 2 --z3rlimit 300 --z3refresh" -let deserialize_12_bit_vec_lemma (v: t_Array u8 (sz 24)) +let deserialize_1_bit_vec_lemma (v: t_Array u8 (sz 2)) : squash ( let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (deserialize_12_ v).f_elements 12 in - (forall (i: nat {i < 192}). inputs i == outputs i) + let outputs = bit_vec_of_int_t_array (deserialize_1_ v).f_elements 1 in + (forall (i: nat {i < 16}). inputs i == outputs i) ) = _ by (Tactics.GetBit.prove_bit_vector_equality' ()) 
@@ -561,52 +528,59 @@ let deserialize_12_bit_vec_lemma (v: t_Array u8 (sz 24)) #push-options "--z3rlimit 300" -let deserialize_12_lemma inputs = - deserialize_12_bit_vec_lemma inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (deserialize_12_ inputs).f_elements 12) +let deserialize_1_lemma inputs = + deserialize_1_bit_vec_lemma inputs; + BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (deserialize_1_ inputs).f_elements 1) (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) #pop-options -let deserialize_12_bounded_lemma inputs = +let deserialize_1_bounded_lemma inputs = admit() -let rec deserialize_4_ (bytes: t_Slice u8) = - let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = - deserialize_4_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 4 } +let rec serialize_4_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let result0_3_:(u8 & u8 & u8 & u8) = + serialize_4_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 8 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - let v8_15_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = - deserialize_4_int (bytes.[ { Core.Ops.Range.f_start = sz 4; Core.Ops.Range.f_end = sz 8 } + let result4_7_:(u8 & u8 & u8 & u8) = + serialize_4_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 8; + Core.Ops.Range.f_end = sz 16 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - { - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - let list = - [ - v0_7_._1; v0_7_._2; v0_7_._3; v0_7_._4; v0_7_._5; v0_7_._6; v0_7_._7; v0_7_._8; v8_15_._1; - v8_15_._2; v8_15_._3; v8_15_._4; v8_15_._5; v8_15_._6; v8_15_._7; v8_15_._8 - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); - Rust_primitives.Hax.array_of_list 16 list - } - <: - 
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + let list = + [ + result0_3_._1; + result0_3_._2; + result0_3_._3; + result0_3_._4; + result4_7_._1; + result4_7_._2; + result4_7_._3; + result4_7_._4 + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8); + Rust_primitives.Hax.array_of_list 8 list #push-options "--compat_pre_core 2 --z3rlimit 300 --z3refresh" -let deserialize_4_bit_vec_lemma (v: t_Array u8 (sz 8)) +let serialize_4_bit_vec_lemma (v: t_Array i16 (sz 16)) + (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 4)) : squash ( - let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (deserialize_4_ v).f_elements 4 in + let inputs = bit_vec_of_int_t_array v 4 in + let outputs = bit_vec_of_int_t_array (serialize_4_ ({ f_elements = v })) 8 in (forall (i: nat {i < 64}). inputs i == outputs i) ) = _ by (Tactics.GetBit.prove_bit_vector_equality' ()) 
@@ -615,119 +589,50 @@ let deserialize_4_bit_vec_lemma (v: t_Array u8 (sz 8)) #push-options "--z3rlimit 300" -let deserialize_4_lemma inputs = - deserialize_4_bit_vec_lemma inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (deserialize_4_ inputs).f_elements 4) - (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) +let serialize_4_lemma inputs = + serialize_4_bit_vec_lemma inputs.f_elements (); + BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (serialize_4_ inputs) 8) + (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 4)) #pop-options -let deserialize_4_bounded_lemma inputs = - admit() - -let rec serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let result0:u8 = - (((((((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 0 ] <: i16) <: u8) |. - ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 1 ] <: i16) - <: - u8) < Prims.l_True) - -val deserialize_11_int (bytes: t_Slice u8) - : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) - (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 11) - (fun _ -> Prims.l_True) - -val deserialize_12_int (bytes: t_Slice u8) - : Prims.Pure (i16 & i16) - (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 3) +val serialize_4_int (v: t_Slice i16) + : Prims.Pure (u8 & u8 & u8 & u8) + (requires (Core.Slice.impl__len #i16 v <: usize) =. sz 8) (fun _ -> Prims.l_True) val deserialize_4_int (bytes: t_Slice u8) @@ -23,6 +13,11 @@ val deserialize_4_int (bytes: t_Slice u8) (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 4) (fun _ -> Prims.l_True) +val serialize_5_int (v: t_Slice i16) + : Prims.Pure (u8 & u8 & u8 & u8 & u8) + (requires (Core.Slice.impl__len #i16 v <: usize) =. sz 8) + (fun _ -> Prims.l_True) + val deserialize_5_int (bytes: t_Slice u8) : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 5) 
@@ -33,30 +28,33 @@ val serialize_10_int (v: t_Slice i16) (requires (Core.Slice.impl__len #i16 v <: usize) =. sz 4) (fun _ -> Prims.l_True) +val deserialize_10_int (bytes: t_Slice u8) + : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) + (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 10) + (fun _ -> Prims.l_True) + val serialize_11_int (v: t_Slice i16) : Prims.Pure (u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8) (requires (Core.Slice.impl__len #i16 v <: usize) =. sz 8) (fun _ -> Prims.l_True) +val deserialize_11_int (bytes: t_Slice u8) + : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) + (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 11) + (fun _ -> Prims.l_True) + val serialize_12_int (v: t_Slice i16) : Prims.Pure (u8 & u8 & u8) (requires (Core.Slice.impl__len #i16 v <: usize) =. sz 2) (fun _ -> Prims.l_True) -val serialize_4_int (v: t_Slice i16) - : Prims.Pure (u8 & u8 & u8 & u8) - (requires (Core.Slice.impl__len #i16 v <: usize) =. sz 8) - (fun _ -> Prims.l_True) - -val serialize_5_int (v: t_Slice i16) - : Prims.Pure (u8 & u8 & u8 & u8 & u8) - (requires (Core.Slice.impl__len #i16 v <: usize) =. sz 8) +val deserialize_12_int (bytes: t_Slice u8) + : Prims.Pure (i16 & i16) + (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 3) (fun _ -> Prims.l_True) -val deserialize_11_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 22) - (fun _ -> Prims.l_True) +val serialize_5_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) val deserialize_5_ (bytes: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector 
@@ -66,8 +64,17 @@ val deserialize_5_ (bytes: t_Slice u8) val serialize_11_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True) -val serialize_5_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) +val deserialize_11_ (bytes: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 22) + (fun _ -> Prims.l_True) + +val serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_1_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma + (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 1)) + (ensures bit_vec_of_int_t_array (serialize_1_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 1) val deserialize_1_ (v: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector 
@@ -80,27 +87,12 @@ val deserialize_1_lemma (inputs: t_Array u8 (sz 2)) : Lemma val deserialize_1_bounded_lemma (inputs: t_Array u8 (sz 2)) : Lemma (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_1_ inputs).f_elements i) 1) -val deserialize_10_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 20) - (fun _ -> Prims.l_True) - -val deserialize_10_lemma (inputs: t_Array u8 (sz 20)) : Lemma - (ensures bit_vec_of_int_t_array (deserialize_10_ inputs).f_elements 10 == bit_vec_of_int_t_array inputs 8) - -val deserialize_10_bounded_lemma (inputs: t_Array u8 (sz 20)) : Lemma - (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_10_ inputs).f_elements i) 10) - -val deserialize_12_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 24) - (fun _ -> Prims.l_True) - -val deserialize_12_lemma (inputs: t_Array u8 (sz 24)) : Lemma - (ensures bit_vec_of_int_t_array (deserialize_12_ inputs).f_elements 12 == bit_vec_of_int_t_array inputs 8) +val serialize_4_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) -val deserialize_12_bounded_lemma (inputs: t_Array u8 (sz 24)) : Lemma - (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_12_ inputs).f_elements i) 12) +val serialize_4_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma + (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 4)) + (ensures bit_vec_of_int_t_array (serialize_4_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 4) val deserialize_4_ (bytes: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector 
@@ -113,13 +105,6 @@ val deserialize_4_lemma (inputs: t_Array u8 (sz 8)) : Lemma val deserialize_4_bounded_lemma (inputs: t_Array u8 (sz 8)) : Lemma (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_4_ inputs).f_elements i) 4) -val serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_1_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma - (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 1)) - (ensures bit_vec_of_int_t_array (serialize_1_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 1) - val serialize_10_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure (t_Array u8 (sz 20)) Prims.l_True (fun _ -> Prims.l_True) @@ -127,6 +112,17 @@ val serialize_10_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_Por (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 10)) (ensures bit_vec_of_int_t_array (serialize_10_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 10) +val deserialize_10_ (bytes: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 20) + (fun _ -> Prims.l_True) + +val deserialize_10_lemma (inputs: t_Array u8 (sz 20)) : Lemma + (ensures bit_vec_of_int_t_array (deserialize_10_ inputs).f_elements 10 == bit_vec_of_int_t_array inputs 8) + +val deserialize_10_bounded_lemma (inputs: t_Array u8 (sz 20)) : Lemma + (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_10_ inputs).f_elements i) 10) + val serialize_12_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True) 
@@ -134,9 +130,13 @@ val serialize_12_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_Por (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 12)) (ensures bit_vec_of_int_t_array (serialize_12_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 12) -val serialize_4_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) +val deserialize_12_ (bytes: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 24) + (fun _ -> Prims.l_True) -val serialize_4_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma - (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 4)) - (ensures bit_vec_of_int_t_array (serialize_4_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 4) +val deserialize_12_lemma (inputs: t_Array u8 (sz 24)) : Lemma + (ensures bit_vec_of_int_t_array (deserialize_12_ inputs).f_elements 12 == bit_vec_of_int_t_array inputs 8) + +val deserialize_12_bounded_lemma (inputs: t_Array u8 (sz 24)) : Lemma + (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_12_ inputs).f_elements i) 12) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fst index 70c80f4e5..61b05fdfd 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fst 
@@ -3,6 +3,23 @@ module Libcrux_ml_kem.Vector.Portable.Vector_type open Core open FStar.Mul +[@@ FStar.Tactics.Typeclasses.tcinstance] +assume +val impl': Core.Clone.t_Clone t_PortableVector + +let impl = impl' + +[@@ FStar.Tactics.Typeclasses.tcinstance] +assume +val impl_1': Core.Marker.t_Copy t_PortableVector + +let impl_1 = impl_1' + +let zero (_: Prims.unit) = + { f_elements = Rust_primitives.Hax.repeat 0s (sz 16) } <: t_PortableVector + +let to_i16_array (x: t_PortableVector) = x.f_elements + let from_i16_array (array: t_Slice i16) = { f_elements @@ -22,20 +39,3 @@ let from_i16_array (array: t_Slice i16) = } <: t_PortableVector - -let to_i16_array (x: t_PortableVector) = x.f_elements - -[@@ FStar.Tactics.Typeclasses.tcinstance] -assume -val impl': Core.Clone.t_Clone t_PortableVector - -let impl = impl' - -[@@ FStar.Tactics.Typeclasses.tcinstance] -assume -val impl_1': Core.Marker.t_Copy t_PortableVector - -let impl_1 = impl_1' - -let zero (_: Prims.unit) = - { f_elements = Rust_primitives.Hax.repeat 0s (sz 16) } <: t_PortableVector diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fsti index 0d4b6268a..37e1c236b 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fsti 
@@ -5,13 +5,19 @@ open FStar.Mul type t_PortableVector = { f_elements:t_Array i16 (sz 16) } -val from_i16_array (array: t_Slice i16) - : Prims.Pure t_PortableVector - (requires (Core.Slice.impl__len #i16 array <: usize) =. sz 16) +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl:Core.Clone.t_Clone t_PortableVector + +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_1:Core.Marker.t_Copy t_PortableVector + +val zero: Prims.unit + -> Prims.Pure t_PortableVector + Prims.l_True (ensures fun result -> let result:t_PortableVector = result in - result.f_elements == array) + result.f_elements == Seq.create 16 0s) val to_i16_array (x: t_PortableVector) : Prims.Pure (t_Array i16 (sz 16)) @@ -21,16 +27,10 @@ val to_i16_array (x: t_PortableVector) let result:t_Array i16 (sz 16) = result in result == x.f_elements) -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl:Core.Clone.t_Clone t_PortableVector - -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_1:Core.Marker.t_Copy t_PortableVector - -val zero: Prims.unit - -> Prims.Pure t_PortableVector - Prims.l_True +val from_i16_array (array: t_Slice i16) + : Prims.Pure t_PortableVector + (requires (Core.Slice.impl__len #i16 array <: usize) =. sz 16) (ensures fun result -> let result:t_PortableVector = result in - result.f_elements == Seq.create 16 0s) + result.f_elements == array) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fst index e59261ebb..14be906bb 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fst 
@@ -10,16 +10,6 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -let deserialize_11_ (a: t_Slice u8) = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_11_ a - -let deserialize_5_ (a: t_Slice u8) = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_5_ a - -let serialize_11_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - Libcrux_ml_kem.Vector.Portable.Serialize.serialize_11_ a - -let serialize_5_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - Libcrux_ml_kem.Vector.Portable.Serialize.serialize_5_ a - [@@ FStar.Tactics.Typeclasses.tcinstance] let impl: Libcrux_ml_kem.Vector.Traits.t_Repr Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = 
@@ -40,43 +30,53 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Libcrux_ml_kem.Vector.Portable.Vector_type.to_i16_array x } +let serialize_5_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + Libcrux_ml_kem.Vector.Portable.Serialize.serialize_5_ a + +let deserialize_5_ (a: t_Slice u8) = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_5_ a + +let serialize_11_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + Libcrux_ml_kem.Vector.Portable.Serialize.serialize_11_ a + +let deserialize_11_ (a: t_Slice u8) = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_11_ a + +let serialize_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let _:Prims.unit = assert (forall i. Rust_primitives.bounded (Seq.index a.f_elements i) 1) in + let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.serialize_1_lemma a in + Libcrux_ml_kem.Vector.Portable.Serialize.serialize_1_ a + let deserialize_1_ (a: t_Slice u8) = let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_lemma a in let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_bounded_lemma a in Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_ a -let deserialize_10_ (a: t_Slice u8) = - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_lemma a in - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_bounded_lemma a in - Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_ a - -let deserialize_12_ (a: t_Slice u8) = - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_lemma a in - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_bounded_lemma a in - Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_ a +let serialize_4_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let _:Prims.unit = assert (forall i. 
Rust_primitives.bounded (Seq.index a.f_elements i) 4) in + let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.serialize_4_lemma a in + Libcrux_ml_kem.Vector.Portable.Serialize.serialize_4_ a let deserialize_4_ (a: t_Slice u8) = let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_lemma a in let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_bounded_lemma a in Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_ a -let serialize_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let _:Prims.unit = assert (forall i. Rust_primitives.bounded (Seq.index a.f_elements i) 1) in - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.serialize_1_lemma a in - Libcrux_ml_kem.Vector.Portable.Serialize.serialize_1_ a - let serialize_10_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.serialize_10_lemma a in Libcrux_ml_kem.Vector.Portable.Serialize.serialize_10_ a +let deserialize_10_ (a: t_Slice u8) = + let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_lemma a in + let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_bounded_lemma a in + Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_ a + let serialize_12_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.serialize_12_lemma a in Libcrux_ml_kem.Vector.Portable.Serialize.serialize_12_ a -let serialize_4_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let _:Prims.unit = assert (forall i. 
Rust_primitives.bounded (Seq.index a.f_elements i) 4) in - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.serialize_4_lemma a in - Libcrux_ml_kem.Vector.Portable.Serialize.serialize_4_ a +let deserialize_12_ (a: t_Slice u8) = + let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_lemma a in + let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_bounded_lemma a in + Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_ a #push-options "--z3rlimit 400 --split_queries always" diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti index c9cf458ce..41a74ee0e 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti @@ -10,10 +10,12 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -val deserialize_11_ (a: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 22) - (fun _ -> Prims.l_True) +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl:Libcrux_ml_kem.Vector.Traits.t_Repr +Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + +val serialize_5_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) val deserialize_5_ (a: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector 
@@ -23,12 +25,19 @@ val deserialize_5_ (a: t_Slice u8) val serialize_11_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True) -val serialize_5_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) +val deserialize_11_ (a: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 22) + (fun _ -> Prims.l_True) -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl:Libcrux_ml_kem.Vector.Traits.t_Repr -Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector +val serialize_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure (t_Array u8 (sz 2)) + (requires Spec.MLKEM.serialize_pre 1 (impl.f_repr a)) + (ensures + fun out -> + let out:t_Array u8 (sz 2) = out in + Spec.MLKEM.serialize_pre 1 (impl.f_repr a) ==> + Spec.MLKEM.serialize_post 1 (impl.f_repr a) out) val deserialize_1_ (a: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector 
@@ -38,21 +47,14 @@ val deserialize_1_ (a: t_Slice u8) let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in sz (Seq.length a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 a (impl.f_repr out)) -val deserialize_10_ (a: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 20) - (ensures - fun out -> - let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in - sz (Seq.length a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 a (impl.f_repr out)) - -val deserialize_12_ (a: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 24) +val serialize_4_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure (t_Array u8 (sz 8)) + (requires Spec.MLKEM.serialize_pre 4 (impl.f_repr a)) (ensures fun out -> - let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in - sz (Seq.length a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 a (impl.f_repr out)) + let out:t_Array u8 (sz 8) = out in + Spec.MLKEM.serialize_pre 4 (impl.f_repr a) ==> + Spec.MLKEM.serialize_post 4 (impl.f_repr a) out) val deserialize_4_ (a: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector 
@@ -62,15 +64,6 @@ val deserialize_4_ (a: t_Slice u8) let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in sz (Seq.length a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 a (impl.f_repr out)) -val serialize_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 2)) - (requires Spec.MLKEM.serialize_pre 1 (impl.f_repr a)) - (ensures - fun out -> - let out:t_Array u8 (sz 2) = out in - Spec.MLKEM.serialize_pre 1 (impl.f_repr a) ==> - Spec.MLKEM.serialize_post 1 (impl.f_repr a) out) - val serialize_10_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure (t_Array u8 (sz 20)) (requires Spec.MLKEM.serialize_pre 10 (impl.f_repr a)) @@ -80,6 +73,14 @@ val serialize_10_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVecto Spec.MLKEM.serialize_pre 10 (impl.f_repr a) ==> Spec.MLKEM.serialize_post 10 (impl.f_repr a) out) +val deserialize_10_ (a: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 20) + (ensures + fun out -> + let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in + sz (Seq.length a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 a (impl.f_repr out)) + val serialize_12_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure (t_Array u8 (sz 24)) (requires Spec.MLKEM.serialize_pre 12 (impl.f_repr a)) 
@@ -89,14 +90,13 @@ val serialize_12_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVecto Spec.MLKEM.serialize_pre 12 (impl.f_repr a) ==> Spec.MLKEM.serialize_post 12 (impl.f_repr a) out) -val serialize_4_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 8)) - (requires Spec.MLKEM.serialize_pre 4 (impl.f_repr a)) +val deserialize_12_ (a: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 24) (ensures fun out -> - let out:t_Array u8 (sz 8) = out in - Spec.MLKEM.serialize_pre 4 (impl.f_repr a) ==> - Spec.MLKEM.serialize_post 4 (impl.f_repr a) out) + let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in + sz (Seq.length a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 a (impl.f_repr out)) [@@ FStar.Tactics.Typeclasses.tcinstance] val impl_1:Libcrux_ml_kem.Vector.Traits.t_Operations diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst index 534f1aae9..33c1ba6cb 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst 
@@ -3,6 +3,38 @@ module Libcrux_ml_kem.Vector.Traits open Core open FStar.Mul +let montgomery_multiply_fe + (#v_T: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: t_Operations v_T) + (v: v_T) + (fer: i16) + = f_montgomery_multiply_by_constant #v_T #FStar.Tactics.Typeclasses.solve v fer + +let to_standard_domain + (#v_T: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: t_Operations v_T) + (v: v_T) + = + f_montgomery_multiply_by_constant #v_T + #FStar.Tactics.Typeclasses.solve + v + v_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS + +#push-options "--admit_smt_queries true" + +let to_unsigned_representative + (#v_T: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: t_Operations v_T) + (a: v_T) + = + let t:v_T = f_shift_right #v_T #FStar.Tactics.Typeclasses.solve 15l a in + let fm:v_T = + f_bitwise_and_with_constant #v_T #FStar.Tactics.Typeclasses.solve t v_FIELD_MODULUS + in + f_add #v_T #FStar.Tactics.Typeclasses.solve a fm + +#pop-options + #push-options "--z3rlimit 200 --split_queries always" let decompress_1_ 
@@ -35,35 +67,3 @@ let decompress_1_ f_bitwise_and_with_constant #v_T #FStar.Tactics.Typeclasses.solve s 1665s #pop-options - -let montgomery_multiply_fe - (#v_T: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: t_Operations v_T) - (v: v_T) - (fer: i16) - = f_montgomery_multiply_by_constant #v_T #FStar.Tactics.Typeclasses.solve v fer - -let to_standard_domain - (#v_T: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: t_Operations v_T) - (v: v_T) - = - f_montgomery_multiply_by_constant #v_T - #FStar.Tactics.Typeclasses.solve - v - v_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS - -#push-options "--admit_smt_queries true" - -let to_unsigned_representative - (#v_T: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: t_Operations v_T) - (a: v_T) - = - let t:v_T = f_shift_right #v_T #FStar.Tactics.Typeclasses.solve 15l a in - let fm:v_T = - f_bitwise_and_with_constant #v_T #FStar.Tactics.Typeclasses.solve t v_FIELD_MODULUS - in - f_add #v_T #FStar.Tactics.Typeclasses.solve a fm - -#pop-options diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti index 8b0564a28..36328b521 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti 
@@ -3,17 +3,17 @@ module Libcrux_ml_kem.Vector.Traits open Core open FStar.Mul -let v_BARRETT_SHIFT: i32 = 26l +let v_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS: i16 = 1353s -let v_BARRETT_R: i32 = 1l < f_rej_sample_post x0 x1 result) } -val decompress_1_ (#v_T: Type0) {| i1: t_Operations v_T |} (vec: v_T) - : Prims.Pure v_T - (requires - forall i. - let x = Seq.index (i1._super_12682756204189288427.f_repr vec) i in - (x == 0s \/ x == 1s)) - (fun _ -> Prims.l_True) - val montgomery_multiply_fe (#v_T: Type0) {| i1: t_Operations v_T |} (v: v_T) (fer: i16) : Prims.Pure v_T (requires Spec.Utils.is_i16b 1664 fer) (fun _ -> Prims.l_True) @@ -438,3 +430,11 @@ val to_unsigned_representative (#v_T: Type0) {| i1: t_Operations v_T |} (a: v_T) (let x = Seq.index (i1._super_12682756204189288427.f_repr a) i in let y = Seq.index (i1._super_12682756204189288427.f_repr result) i in (v y >= 0 /\ v y <= 3328 /\ (v y % 3329 == v x % 3329)))) + +val decompress_1_ (#v_T: Type0) {| i1: t_Operations v_T |} (vec: v_T) + : Prims.Pure v_T + (requires + forall i. + let x = Seq.index (i1._super_12682756204189288427.f_repr vec) i in + (x == 0s \/ x == 1s)) + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/src/serialize.rs b/libcrux-ml-kem/src/serialize.rs index 6c496a785..16b9791b9 100644 --- a/libcrux-ml-kem/src/serialize.rs +++ b/libcrux-ml-kem/src/serialize.rs 
@@ -8,24 +8,6 @@ use crate::{ }; #[inline(always)] -#[hax_lib::fstar::before( - interface, - r#"[@@ "opaque_to_smt"] -let coefficients_field_modulus_range (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> field_modulus_range (Seq.index re.f_coefficients i)"# -)] -#[hax_lib::fstar::before( - interface, - r#"[@@ "opaque_to_smt"] -let field_modulus_range (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (a: v_Vector) = - let coef = Libcrux_ml_kem.Vector.Traits.f_to_i16_array a in - forall (i:nat). i < 16 ==> v (Seq.index coef i) > -(v $FIELD_MODULUS) /\ - v (Seq.index coef i) < v $FIELD_MODULUS"# -)] #[hax_lib::fstar::verification_status(panic_free)] #[hax_lib::requires(fstar!(r#"field_modulus_range $a"#))] #[hax_lib::ensures(|result| fstar!(r#"forall (i:nat). i < 16 ==> @@ -145,6 +127,24 @@ pub(super) fn deserialize_to_uncompressed_ring_element( /// Only use with public values. /// /// This MUST NOT be used with secret inputs, like its caller `deserialize_ring_elements_reduced`. +#[hax_lib::fstar::before( + interface, + r#"[@@ "opaque_to_smt"] +let coefficients_field_modulus_range (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + forall (i:nat). i < 16 ==> field_modulus_range (Seq.index re.f_coefficients i)"# +)] +#[hax_lib::fstar::before( + interface, + r#"[@@ "opaque_to_smt"] +let field_modulus_range (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (a: v_Vector) = + let coef = Libcrux_ml_kem.Vector.Traits.f_to_i16_array a in + forall (i:nat). i < 16 ==> v (Seq.index coef i) > -(v $FIELD_MODULUS) /\ + v (Seq.index coef i) < v $FIELD_MODULUS"# +)] #[inline(always)] #[hax_lib::fstar::verification_status(panic_free)] #[hax_lib::requires(
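Review bot: The `#[hax_lib::requires(fstar!(r#"field_modulus_range $a"#))]` left on the context lines of this hunk now refers to a definition that is only emitted from the `before(interface, ...)` attributes moved to a later item (the second hunk of this file), so the extracted interface type-checks only if hax's new ordering places that later item ahead of this one in the `.fsti`; the enclosing function's signature and body lie outside the hunk. Nothing at either site records this dependency, so a future reshuffle of the file could silently break extraction. The pair has an internal ordering dependency too: `coefficients_field_modulus_range` uses `field_modulus_range`, which the second attribute defines, so this relies on hax emitting the later attribute first (presumably the case, since the same order worked before the move). A comment next to the moved attributes would capture both, e.g. `// Emitted from this item, not its first user at the top of the file, because hax's dependency order puts this item first in the extracted interface; the second attribute is emitted before the first, since coefficients_field_modulus_range uses field_modulus_range.`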